HIPAA Case Studies


St. Elizabeth’s Medical Center in Brighton, Mass., has agreed to pay a $218,400 settlement to federal authorities for what the government is calling “potential violations” of data privacy and security breach notifications rules under HIPAA, including in a relatively rare enforcement area, Internet-based file-sharing services.

The Office for Civil Rights at HHS, which has federal HIPAA privacy and security rule enforcement authority, first received a complaint in November 2012 that members of St. Elizabeth’s workforce used an Internet-based document-sharing application “to store documents containing electronic protected health information (ePHI) of at least 498 individuals without having analyzed the risks associated with such a practice.”

In a separate incident, in August 2014, the hospital reported to HHS that a former workforce member had stored patient-identifiable health records of 595 individuals on a stolen personal laptop and USB flash drive.

According to a recent report on employee Internet usage by the Campbell, Calif.-based security firm Skyhigh Networks, employees at an average healthcare organization use a total of 928 cloud services, many without the knowledge of their IT departments. File-sharing services were among the top five uses of cloud services by healthcare workers in the report.

“Organizations must pay particular attention to HIPAA’s requirements when using Internet-based document-sharing applications,” said Office for Civil Rights Director Jocelyn Samuels. “In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

In addition to the payment, the settlement includes a corrective action plan “to cure gaps in the organization’s HIPAA compliance program raised by both the complaint and the breach.” St. Elizabeth has also reported to the civil rights office a breach of 6,831 lost patients’ identifiable records on paper or film, according to the “wall of shame” list kept by the office for breaches involving 500 or more individuals.

This wasn’t the first Office for Civil Rights enforcement action involving settlement amounts against a provider involving Web-based services, according to Adam Greene, a privacy lawyer with Davis Wright Tremaine in Washington, D.C. But providers need to be aware of the enforcement risks both cases demonstrate, he said.

In April 2012, a five-physician medical practice, Phoenix Cardiac Surgery, agreed to a $100,000 settlement for failing to have HIPAA-required business associate agreements with the providers of its Internet-based calendar and e-mail service.

“Between these two cases,” Greene said, “what it stands for is OCR’s expectation you’re going to have to have a business associate agreement with any cloud-based (service) providers. And you need a risk analysis.”

Greene said the St. Elizabeth settlement was “particularly noteworthy” because the complaints apparently came from the hospital’s own employees.

“So, there appears to be a whistle-blower,” Greene said. “It shows the importance of having a process for hearing concerns from your employees about addressing HIPAA, or they might go to the government instead.”

Since September 2009, when the civil rights office started keeping a public list of breaches involving 500 or more individuals, 1,265 breaches have been reported exposing the records of nearly 135 million people, equal to the populations of California, Florida, Illinois, New Jersey, New York, Pennsylvania and Texas combined.

Adult & Pediatric Dermatology of Concord, MA has agreed to pay a $150,000 HIPAA fine as a result of an HHS Office for Civil Rights (OCR) investigation. The 12-physician practice was investigated by OCR after it reported the loss of an unencrypted thumb drive which contained the electronic protected health information (ePHI) of 2,200 individuals.

According to the OCR Resolution Agreement, the investigation revealed:

  • The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.
  • The Covered Entity did not fully comply with the administrative requirements of the Breach Notification Rule to have written policies and procedures and train members of its workforce regarding the Breach Notification requirements.
  • On September 14, 2011, the Covered Entity impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members.

OCR Director Leon Rodriguez made an interesting comment about Adult & Pediatric Dermatology, but all organizations should heed his advice (emphasis added):

“As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”

In the OCR press release they point out that the organization received the HIPAA fine for not having breach notification policies and procedures:

This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

There are a few very important takeaways from this story.

  • Make sure your organization performs a thorough HIPAA risk assessment. Make sure the risk assessment looks at all sources/systems/devices that contain patient information and ePHI. Document the results of the risk assessment and put together a plan to implement additional safeguards to protect ePHI.
  • Make sure you have an incident response plan in place that sets out what your organization will do in the event of a security breach. The plan should specify who will be involved when a breach occurs, the steps the incident response team will take to address the breach, and the actions the team will take to prevent a similar breach from occurring again. Make sure the plan is documented and that all employees are trained on what they need to do.
  • Encrypt all portable devices that contain ePHI! An organization should look at encrypting laptops, USB drives, thumb drives, tablets, smartphones, etc. Portable devices are easily lost or stolen. Encrypting the data is the best way to protect these devices and minimize the risk of a security breach.

Please give one of our consultants a call at (888) 959-0220 or schedule a time to speak with a consultant at your convenience.



This statement was released on Friday by APDerm regarding its settlement with HHS.

Statement from Adult and Pediatric Dermatology

December 27, 2013 – Along with protecting our patients’ health and safety, protecting their privacy is our highest priority. In 2011, we were victims of a crime and a computer flash drive was stolen. The stolen information did not include any financial information or sensitive health information. We reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patients’ information.

Today’s settlement announcement was a result of the 2011 incident. We are disappointed with the amount of the settlement given that the flash drive was never used to anyone’s knowledge, nor did it contain financial information that could be used to harm anyone. We have agreed to pay the settlement amount rather than incur the additional costs of a hearing.

Parkview Health System, Inc. has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.

Read the H.H.S. Press Release for Parkview Health System

Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

Read the H.H.S. Press Release for NYP and CU
