February 20, 2017

HIPAA Violations – An Open Discussion

An open discussion on HIPAA.

First, it's HIPAA, not "HIPPA", which you see a lot as you navigate an internet search about HIPAA. If you Google HIPPA, you will find plenty of articles discussing HIPAA but spelling it as HIPPA. You can even find professional-looking and academic articles spelling it incorrectly. Second, HIPAA is more than just a privacy law; it deals with document access, insurance coverage, pre-existing conditions, and many other things. Finally, HIPAA compliance is not impossible or some secret for experts only… it is attainable. But, first things first, why should you worry about HIPAA?

Look, we are all busy; none of us wants to read a bunch of legislation written by attorneys that makes almost no sense to non-attorneys. I get it. When it comes to legal issues, I always find it important to know the real reasons why I should take notice of something. Large monetary fines and possible prison time seem to get my focus. The Federal Government issued almost $11.4 million in HIPAA fines before March 1, 2017; paying attention yet? How about knowing that you can face Federal jail time for wrongful disclosures? Now that you realize HIPAA is serious, let's look at the government's enforcement activity in 2017.

Just to get your ears perked up, here are some examples of the fines issued by the Federal Government before the end of February 2017:

January 9, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000.00.

Presence Health discovered that paper-based operating room schedules, which contained the PHI (Protected Health Information) of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. Making matters worse, Presence Health failed to notify in a timely manner each of the 836 individuals affected by the breach, prominent media outlets (as required for breaches affecting 500 or more individuals), and the OCR. This is a good first case to take notice of, as it addresses both the loss of the medical information and the failure to report the breach.

January 18, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million.

MAPFRE filed a breach report with the OCR indicating that a USB data storage device containing ePHI (electronic Protected Health Information) for 2,209 patients was stolen from its IT department, where the device had been left without safeguards. MAPFRE also failed to conduct a proper risk analysis, failed to implement risk management plans, and failed to deploy encryption or an equivalent alternative measure on its laptops and removable storage. This investigation revealed many failures across many levels of HIPAA, yet one of its teaching points is about laptop and USB drive security. Many offices use laptops and USB drives on a daily basis to access and transfer information. If those devices contain PHI, they must be secured.

February 1, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a civil money penalty of $3.2 million to Children’s Medical Center of Dallas (Children’s), who paid the fine in full.

Children's filed a breach report with the OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport. The device contained the ePHI of approximately 3,800 individuals. Later, Children's filed a separate HIPAA Breach Notification Report with the OCR, reporting the theft of an unencrypted laptop from its premises which contained the ePHI of 2,462 individuals. Again, we see issues with remote devices being compromised. In a review of OCR violation history, compromised remote devices appear to account for a majority of violations. Now is probably a good time to determine whether your office has PHI on any remote or removable devices.

February 16, 2017 – Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations.

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI. This final case shows that your password protocols must be established and followed. Of course, the hardest part of protecting your company is protecting it from its employees. However, there is no excuse for allowing former employees to retain access rights to your data.

These four fines are just the tip of the iceberg when dealing with HIPAA, but together they do shed some light on the many different types of violations your company can face. Many states can now assert fines of a similar level on a party in breach. Some states even allow private causes of action for damages caused by a breach. And then there can be criminal consequences as well. Now that I have your attention, be sure to check back soon for more on HIPAA.

Filed Under: Health Tagged With: enforcement, ePHI, fines, HHS, HIPAA, HIPPA, medical tech, OCR, protected health information, violation
