Over the past two years, the healthcare industry has witnessed some very distressing examples of lax security measures in major hospitals and clinics. To shed some light on the severity with which the HHS Office for Civil Rights has led its recent crackdown on HIPAA compliance, we've included the following four headlines from the biggest HIPAA breach cases.
1. Groups Hit with Record $4.8M HIPAA Fine
The New York-Presbyterian Hospital and Columbia University Medical Center paid out $4.8 million in a settlement after an alleged HIPAA violation (a HIPAA record). The allegation arose after the ePHI of 6,800 patients was found published on Google in 2010. The incident occurred after a Columbia University physician attempted to deactivate his/her own personal computer. That, combined with inadequate server security measures, left patient PHI accessible online.
2. Medical Research Institute to Pay $3.9M in HIPAA Settlement
The Feinstein Institute for Medical Research paid out $3.9 million in a settlement with the OCR after a reported breach. The incident arose from a stolen laptop holding the ePHI of 13,000 patients. This payout is considered the second largest in HIPAA history. The HHS had this to say: "This case demonstrates OCR's commitment to promoting the privacy and security protections so critical to build and maintain trust in health research."
3. Puerto Rico BCBS Hit with 2nd Largest HIPAA Fine
The HHS Office for Civil Rights fined Triple-S Management Corporation, a Blue Cross and Blue Shield licensee based in Puerto Rico, for multiple breaches that occurred in 2010. The payout included $3.5 million, which would go toward fines as well as a HIPAA compliance corrective action. The breach occurred after Triple-S employees left to work at a competing company and downloaded the PHI of 398,000 Blue Shield members.
4. Lahey Pays $850K for 'Widespread' HIPAA Non-compliance
The nonprofit teaching hospital paid $850,000 in a settlement with the HHS, in addition to adopting a corrective action plan. The breach occurred in 2011 after Lahey reported a laptop stolen from an unlocked room. The computer housed the PHI of 599 patients. During its investigation, the OCR found "widespread non-compliance." Among the issues were inadequate security measures, including few data maintenance policies, unimplemented HIPAA procedures, and no unique usernames.
It's no secret that the HHS Office for Civil Rights is going after hospitals and healthcare organizations with a fury. Much of this recent buzz has to do with funding for the office's new audit program, whose Phase 2 was launched in March 2016. Hospitals and clinics are now looking for ways to avoid compromising situations and seeking out educational resources on better IT practices for internal healthcare communication.