What We Can Learn From HIPAA Settlements

A data breach at any business is serious, but when it involves a healthcare organization the ramifications are greater. And when sensitive patient medical records are jeopardized, it can be costly.

The Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules, which safeguard patient medical information. A recent article on healthitsecurity.com reviewed settlements from the past two years to share five lessons on what was overlooked and how confidential information can be better safeguarded:

  1. Business Associates Can Be Held Liable – If There’s an Agreement.

Any individual or organization doing business with your healthcare organization needs to have an up-to-date business associate agreement. Otherwise, you could be the one held liable for a security breach of protected health information. The Illinois-based Center for Children’s Digestive Health had no agreement in place and settled for $31,000 after it disclosed more than 10,000 patient records to a business partner. Similarly, the disclosure of over 14,000 patient records from Women & Infants Hospital of Rhode Island to a business partner without a current agreement resulted in a $400,000 settlement.

  2. Strong Audit Controls Help Prevent Incidents.

Memorial Healthcare System settled for $5.5 million after a former employee’s login credentials were used to access the medical records of 80,000 patients, activity that went undetected because of insufficient audit controls. Healthcare organizations that monitor use of patient data, restrict access to it, and promptly deactivate credentials when staff leave will help to prevent such situations.

  3. Risk Management Plans Protect Against Vulnerabilities.

A failure to encrypt laptops and mobile devices resulted in a $3.2 million penalty for Children’s Medical Center of Dallas. Similarly, St. Joseph Health agreed to a $2.1 million settlement for putting a new file server into service without evaluating it, which left patient files accessible from the internet. In both cases, a risk analysis would have identified the vulnerabilities before they led to a breach.

  4. HHS Requires Timely Breach Notification.

Organizations must notify affected individuals of a data breach without unreasonable delay, and no later than 60 days after discovery, and must report the breach to HHS. If the breach affects more than 500 people, HHS must be notified within that same 60-day window and the news media also must be alerted. There also are state requirements, which vary from state to state. Presence Health’s delayed breach notice cost it $475,000 in an OCR HIPAA settlement, and CoPilot Provider Support Services settled with New York state for $130,000 over its delay.

  5. Basic HIPAA Safeguards Are the Basis for Compliance.

Safeguards fall within three basic categories: technical, physical and administrative. As technology evolves, organizations must update their processes and use current tools. Physical access must be limited, and vulnerabilities must be thoroughly assessed. Advocate Health Care settled for $5.55 million for multiple alleged HIPAA violations. In another case, CardioNet’s policies existed only in draft form, and it settled for $2.5 million for insufficient safeguards.

Have you reviewed your approach to HIPAA compliance? Are employees at all levels properly and regularly trained? To discuss this issue or create a plan for your organization, contact the Ezold Law Firm at 610-660-5585 or complete our online inquiry form.