Dec 7, 2020
Crucial Lessons From Past HIPAA Non-Compliance Cases
The Health Insurance Portability and Accountability Act (HIPAA) was adopted in 1996. It seeks to ensure the secure management of healthcare information and sets out requirements that all healthcare organizations and their employees must follow when handling protected health information (PHI). Under HIPAA, PHI is any health-related information that can be used to identify an individual, including:
- Contact information
- Demographic information
- Lab test results
- Insurance information
- Medical history
As technology continues to evolve, the risks facing PHI grow with it. It is now more important than ever for healthcare organizations to comply with HIPAA and avoid costly penalties. To understand the significance of HIPAA compliance, it is best to revisit past violation cases. These cases provide crucial lessons on how to avoid common HIPAA-related mistakes.
Case #1: Allergy Associates of Hartford, Conn.
Hartford-based Allergy Associates was fined $125,000 after a patient complained to the Department of Health and Human Services (HHS) that a physician at the facility had disclosed her PHI to a reporter. An investigation revealed that the physician had disregarded advice from the practice's privacy officer not to respond to the media regarding claims that the woman had been turned away from the facility for bringing her service animal. Following the disclosure, Allergy Associates failed to take any corrective or disciplinary action against the physician.
Lessons Learned
Allergy Associates should have disciplined the physician in addition to taking corrective action to prevent similar incidents from recurring. Had it done so, the facility would probably not have been penalized. This highlights why healthcare entities should remediate such incidents immediately and hold employees accountable for their behavior. Likewise, employees should be trained on media protocols so that PHI is not intentionally or unintentionally disclosed to the media, as happened at Allergy Associates.
Case #2: West Georgia Ambulance
In 2019, the HHS Office for Civil Rights (OCR) started investigating West Georgia Ambulance after being notified that the company had lost an unencrypted laptop containing the PHI of 500 patients. The investigation established that the laptop fell from an ambulance's rear bumper and was never recovered. The investigation also unearthed longstanding non-compliance with crucial aspects of HIPAA's rules. For instance, West Georgia Ambulance had not provided employee security awareness training, and it had not implemented the policies and procedures required by the HIPAA Security Rule. These violations resulted in a $65,000 fine.
Lessons Learned
The last thing patients should have to worry about when seeking healthcare services is the security of their private information. In this case, West Georgia Ambulance first failed to secure its devices and network. By failing to encrypt the PHI on the lost laptop, it risked that information ending up in the wrong hands. Likewise, by failing to conduct a risk analysis and provide security awareness training, it left employees not knowing what to do when such incidents occurred. Healthcare entities therefore need to take a security-first approach to data.
Case #3: Advanced Care Hospitalists
An individual claiming to represent a company named Doctor's First Choice offered billing services to Advanced Care Hospitalists. Afterward, a local hospital notified Advanced Care Hospitalists that patient information, including names and Social Security numbers, had been posted on First Choice's website. The breach affected 400 patients, some of whom reported it to OCR. Later, Advanced Care Hospitalists confirmed that more than 9,000 of its patients might have been affected by the breach and updated its notification to OCR accordingly.
The ensuing investigation revealed that Advanced Care Hospitalists had not signed a business associate agreement with First Choice for the billing services, contrary to HIPAA regulations. The practice had also not adopted the required policies relating to business associate agreements. For these HIPAA violations, it was fined $500,000. It was also required to implement a robust corrective action plan, including the adoption of business associate agreements and an enterprise-wide risk analysis.
Lessons Learned
This case involved one of the heftier HIPAA fines. It illustrates the importance of signing business associate agreements with third-party entities that may have access to your PHI. It is equally important to ensure that your business associates are themselves HIPAA-compliant. Under HIPAA rules, business associates are individuals or entities that perform activities or functions on your behalf or provide certain services to your organization. You must enter into binding agreements with your business associates to ensure that PHI is appropriately safeguarded. With an agreement in place, the business associate is held responsible for any breaches on its side.
Key Takeaways
Cybercriminals are increasingly targeting healthcare entities because PHI contains valuable data about patients. PHI security should therefore be a matter of great concern to healthcare entities, and the healthcare industry ought to treat PHI as its most valuable asset. HIPAA compliance goes a long way toward ensuring this. The three cases above make clear that HIPAA non-compliance not only attracts hefty penalties but also damages a healthcare entity's reputation.