In case you were wondering if HIPAA violations are really enforced, I thought I would bring a few big money settlements to your attention. If you’re not in the healthcare industry, you might be wondering what HIPAA even is. HIPAA stands for the “Health Insurance Portability and Accountability Act” which was passed in 1996. This legislation sets data privacy and security provisions for safeguarding medical records and other identifiable health information.
The rules for ePHI (electronic protected health information) are enforced by the Office for Civil Rights (OCR), and they’ve had a big year in 2017.
Imagine if one of your staff had a mobile device, such as a laptop, iPad, or phone, stolen out of their car, and the device had ePHI stored on it. That sounds bad enough, right? Well, for CardioNet, who did the right thing and reported a stolen laptop to the OCR, that was just the beginning of their trouble.
OCR’s investigation into the incident revealed that CardioNet did not have the required policies and procedures in place, including those required for mobile devices. The end result was that CardioNet had to pay a fine of $2.5 million and implement a corrective action plan.
Vendors that service healthcare providers and also store or have access to ePHI are required to sign a Business Associate Agreement, which basically states that they will also protect the ePHI.
The Center for Children’s Digestive Health found out the hard way that this is a requirement. They had been using a company called FileFax, Inc., which stored records containing protected health information for them, but they never got a Business Associate Agreement signed with that company. The result was a $31,000 fine.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html
The Metro Community Provider Network had not conducted a risk analysis of their ePHI environment, and consequently had not implemented any corresponding risk management plan to address the risks and vulnerabilities that such an analysis would have identified. The OCR took into consideration that they provide services to mostly low-income or poverty-level patients and took it easy on them, to the tune of $400,000.
https://www.hhs.gov/about/news/2017/04/12/overlooking-risks-leads-to-breach-settlement.html
The Memorial Healthcare System, which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities in South Florida, had to pay $5.5 million because they failed to remove user access for an employee who was no longer with the company. The user’s login credentials were used without detection for an entire year before it was caught.
It’s always a good policy to remove user access rights immediately upon termination, no matter what industry you’re in, but absolutely necessary in the healthcare industry.
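The Memorial Healthcare case is as much a detection failure as an offboarding failure: a terminated user’s credentials were used for a year and nobody noticed. The script below is an added example (it is not from this post, from HHS, or from any of the organizations named above) of the kind of reconciliation check a defender can run on a schedule. It cross-references a constructed HR roster (username and termination date) against a constructed snapshot of enabled directory accounts and a constructed authentication log in a hypothetical one-line-per-event format, and flags three things: terminated employees whose accounts were never disabled, successful logins that occurred after a termination date, and logins by accounts HR has no record of. The roster, account list, log format and field names are all assumptions made for the example.

```python
import re
from datetime import date, datetime

# Constructed sample HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2016, 3, 15),
    "bwong": date(2016, 9, 1),
}

# Constructed snapshot of which accounts the directory still has enabled.
ENABLED_ACCOUNTS = {"jdoe", "asmith"}

# Constructed authentication log in a hypothetical one-event-per-line format.
AUTH_LOG = """\
2016-03-10T08:02:11 LOGIN user=asmith result=success src=10.1.4.22
2016-03-16T07:55:40 LOGIN user=asmith result=success src=10.1.4.22
2016-06-02T13:12:03 LOGIN user=jdoe result=success src=10.1.7.9
2016-11-20T22:41:19 LOGIN user=bwong result=failure src=203.0.113.45
2017-02-03T03:10:55 LOGIN user=asmith result=failure src=198.51.100.7
2017-02-03T03:11:02 LOGIN user=asmith result=success src=198.51.100.7
2017-02-03T03:12:40 LOGIN user=unknown result=success src=198.51.100.7
"""

# Matches the hypothetical log format above; anything else is treated as malformed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def accounts_not_disabled(roster, enabled_accounts):
    """Terminated employees whose accounts are still enabled: the control failure itself."""
    return sorted(
        user for user, term in roster.items()
        if term is not None and user in enabled_accounts
    )


def post_termination_logins(events, roster):
    """Successful logins that happened after the user's HR termination date."""
    hits = []
    for ev in events:
        term = roster.get(ev["user"])  # None for active staff and for unknown users
        if term is None or ev["result"] != "success":
            continue
        if ev["ts"].date() > term:
            hits.append({
                "user": ev["user"],
                "when": ev["ts"],
                "src": ev["src"],
                "days_after_termination": (ev["ts"].date() - term).days,
            })
    return hits


def logins_by_unknown_accounts(events, roster):
    """Usernames with successful logins that HR has no record of at all."""
    return sorted({
        ev["user"] for ev in events
        if ev["result"] == "success" and ev["user"] not in roster
    })


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    print("Still enabled after termination:", accounts_not_disabled(HR_ROSTER, ENABLED_ACCOUNTS))
    for h in post_termination_logins(evs, HR_ROSTER):
        print(f"{h['user']} logged in {h['days_after_termination']} days "
              f"after termination from {h['src']} at {h['when']}")
    print("Logins by accounts unknown to HR:", logins_by_unknown_accounts(evs, HR_ROSTER))
```

In practice the roster would come from the HR system of record and the enabled-account snapshot from the directory (for example an LDAP or Active Directory export), and the check would run daily rather than once; the point is that offboarding is verified against two independent sources, so a missed deprovisioning step surfaces within a day instead of a year.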
You can find more examples and other great information about compliance here: https://www.hhs.gov/hipaa/newsroom/index.html