Unfortunately, though the penalties for HIPAA violations can run into millions of dollars, covered entities (CEs) and business associates (BAs) continue to fall short of compliance. Violations can have devastating consequences for patients if they result in a data breach, as it leaves them exposed to financial and healthcare fraud.
In this article, we detail some recent cases of HIPAA violations. They cover a range of scenarios and each incurs a different penalty, but one message is clear: the Office for Civil Rights (OCR) does not take HIPAA violations lightly.
MD Anderson Cancer Center, Texas – 35,000 patients
In 2018, the University of Texas’ MD Anderson Cancer Center was fined $4.348 million for violating HIPAA legislation. This staggering settlement is the fourth largest sum ever to be awarded to the OCR for HIPAA violations. MD Anderson was initially investigated for three different data breaches that occurred between 2012 and 2013, all of which involved the theft or loss of unencrypted mobile electronic devices.
The OCR found that MD Anderson had not updated its encryption policies since 2006, and that even though its own risk analysis showed that device encryption was lacking, it did nothing to rectify the situation. As a result, over 33,500 patients were put at risk.
Center for Children’s Digestive Health, Illinois – 10,000 patients
The Center for Children’s Digestive Health (CCDH), based in Illinois, was fined $31,000 for failing to have a Business Associate Agreement (BAA) in place when hiring FileFax Inc. The latter was hired to store patient records; because these are clearly PHI, HIPAA required that CCDH enter into a BAA with FileFax. As it failed to do this, the transmission of PHI was considered a HIPAA breach and resulted in a fine in 2017.
Presence Health, Illinois – 836 patients
In 2013, Presence Health – a healthcare network serving Illinois – experienced a physical breach of PHI. Operating schedules had been removed from one of its facilities and could not be located. This may seem innocuous, but the documents detailed the health records of 836 patients and thus had to be treated as a breach of PHI. Although the documents were discovered missing on 22nd October 2013, the breach was not reported until 31st January 2014. This far exceeded the 60-day limit stipulated in the Breach Notification Rule, resulting in a $475,000 settlement.
St. Joseph Health, California/New Mexico/Texas – 31,800 patients
One important aspect of HIPAA legislation is the requirement to conduct regular risk assessments. These are intended to identify any security gaps or missing safeguards that leave PHI vulnerable. If these risk assessments are not undertaken, the result can be large HIPAA fines – as was the case for St. Joseph Health.
The healthcare organization was first investigated in 2012 for a PHI breach. It was found that files created under the meaningful use program had been left unencrypted and were thus accessible via Google. This was seen as a direct result of a failure to carry out a comprehensive risk assessment, and St. Joseph Health was fined $2.14 million for the violation. It was also ordered to undertake a corrective action plan.