The HHS’ Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations, and it is becoming increasingly determined in its efforts. Violations in 2016 averaged at least one per day for the year, resulting in a record number of HIPAA settlements. Audits are becoming more frequent, causing health care providers and covered entities to take new measures to ensure the security of PHI and sensitive data. In the event of a security breach, hospitals and healthcare organizations can be liable for multi-million dollar fines and potential criminal charges.
Here are six recent HIPAA violations from 2016 and thus far in 2017.
1. Lincare Inc.
Lincare Inc., the home health provider, had to pay a settlement of $239,800 to the OCR in February of 2016 after the PHI of 278 patients was disclosed. The OCR alleged a general manager at Lincare left the files of patients containing PHI in her former residence after she separated from her spouse and moved out. The OCR discovered Lincare had policies in place that allowed employees to keep files containing PHI in their homes and vehicles, violating HIPAA. Lincare was one of only two organizations that were required to pay a civil monetary penalty for a violation of HIPAA; all other organizations that settled in 2016 opted to do so voluntarily.
2. University of Massachusetts Amherst
Last November the University of Massachusetts Amherst (UMass) had to pay a settlement of $650,000 after a malware infection resulted in the impermissible disclosure of the PHI of 1,670 patients. As a hybrid entity, UMass is only required to follow some of the HIPAA regulations, but it had failed to conduct a HIPAA-compliant risk analysis and implement the necessary safeguards. UMass could have received a much higher penalty, but the OCR took the university’s finances into account. Along with the fine, UMass had to implement a corrective plan.
3. St. Joseph Health
St. Joseph Health had to pay out almost $2.1 million after the ePHI of 38,100 patients was made available through search engines due to the organization’s failure to conduct a proper risk analysis, according to the OCR. Individuals’ names, health statuses and diagnoses were some of the information made publicly available. St. Joseph Health will also develop a corrective plan as part of the settlement.
4. Advocate Health Care
Advocate Health Care paid $5.5 million in August of 2016, the largest settlement to date for a single entity, covering a total of three separate breach reports. The breaches compromised the ePHI of almost 4 million patients: unencrypted laptops were stolen, and two other incidents involved breaches of a business associate’s network. Advocate was sued several times over the reported breaches.
5. Presence Health
Presence Health, a large healthcare system serving Illinois, paid a $475,000 settlement this month, marking the first HIPAA sanction over a delay in breach notification timing. Presence Health did report the breach, but did so after the 60-day period allowed by law. The breach was a result of the loss of paper records that included the PHI of 386 patients.
6. MAPFRE Insurance
The OCR reached a settlement of $2.2 million with MAPFRE Insurance on January 11th, 2017, related to the 2011 theft of a USB drive that contained the ePHI of 2,209 members. The USB drive was stolen after it was left overnight in the MAPFRE IT department. The OCR alleged that MAPFRE failed to conduct a risk analysis and did not have sufficient safeguards and encryption in place. MAPFRE will be carrying out a corrective plan as part of the settlement.
It is becoming more crucial than ever for organizations to protect sensitive information, both for the sake of individuals’ PHI and to protect themselves against the violation penalties. Incidents of ransomware are on the rise, but many HIPAA breaches are caused by employees. The onus is on hospitals and health care systems to ensure all employees and people with access to PHI are fully briefed on the HIPAA regulations and how to abide by them.
Lua provides HIPAA Compliant Mobile Messaging for healthcare. To read more about HIPAA compliance and Healthcare IT, please visit our blog.