Unauthorized exposure of protected health information (PHI) is a serious matter under HIPAA, yet it keeps happening, and the consequences can include heavy fines. Breaches happen because…
The Health Insurance Portability and Accountability Act is the key law governing privacy in health care. Its central provision is that medical providers, insurance companies and others with access to patient information are prohibited from sharing or publicizing what they know about patients without permission. A patient can allow their records to be shared only by giving a specific authorization; absent that, the default is that a patient's medical records may not be shared. The legal concept of "willful neglect" matters in enforcement because it places a violation in the highest civil penalty tiers. Anyone who regularly deals with the healthcare industry should consider these 10 prominent settlements and penalties.
1. In 2009, CVS Caremark reached a $2.25 million settlement with the government over a HIPAA violation. Investigators found that employees had improperly disposed of materials that revealed patient health information.
2. In 2014, two New York institutions, Columbia University and New York-Presbyterian Hospital, paid a combined $4.8 million to settle with HHS after their patients' medical records were exposed on the internet in 2010. The government found that the institutions had not done a proper risk assessment and did not have enough protections in place to prevent the data breach. They were required to upgrade their systems and defenses against future cyber attacks.
3. In 2014, Parkview Health System paid $800,000 to the government for violating HIPAA after it mishandled paper medical records. The settlement included a corrective action plan with additional training for staff.
4. In 2015, the University of Massachusetts Hospital was fined $650,000 for violating HIPAA regulations and was also required to complete a corrective action plan with staff training. The fine would have been higher, but the hospital had operated at a loss that year and was given some leniency.
5. In 2013, Prime Healthcare Services was fined $275,000 for a HIPAA violation that occurred two years earlier. The company operates 23 hospitals in California, and officials at its Redding location discussed a patient's condition and care with local media without the patient's permission.
6. In 2015, Lincare Inc., a home health care provider, was ordered to pay a $239,800 civil money penalty after it improperly stored and transported the health records of 278 patients.
7. St. Joseph Health settled for $2.1 million after it inadvertently made over 38,100 patient health records accessible through internet search engines in 2015. None of those patients had authorized the disclosure.
8. Just this year, in January 2017, MAPFRE Insurance paid a $2.2 million settlement resulting from the theft of a USB device in 2011. The device contained the medical records of over 2,220 people and had been left unsecured overnight in the company's IT department.
9. Presence Health is a large health network primarily serving the state of Illinois. Even with safeguards in place, it suffered a breach that exposed almost 500 patient records. The HIPAA Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after the breach is discovered (HHS must be notified in the same window when a breach affects 500 or more people). Presence exceeded the 60-day notification period and paid a $475,000 penalty in 2016.
10. Advocate Health Care is one of the largest private hospital networks in the country. In 2016 it paid $5.5 million, at the time the largest HIPAA settlement on record, over the theft of unencrypted laptops and two other incidents in which the company's data was compromised.
SecureNetMD® is a leading software and solutions provider helping healthcare providers with communication technologies. Our custom-tailored, advanced systems can help you steer clear of HIPAA violations. For more information, please contact us.