HIPAA Sanctions Coming in Rapid Order as 2015 Ends

Through mid-December, the HHS Office for Civil Rights has sanctioned six healthcare organizations during 2015 for serious violations of the HIPAA privacy/security rules, imposing large fines and mandated corrective action plans.


Through mid-December, the HHS Office for Civil Rights has sanctioned six healthcare organizations during 2015 for serious violations of the HIPAA privacy/security rules, imposing large fines and mandated corrective action plans.

Four of the sanctions—with considerably larger fines—came after Deven McGraw became deputy director for health information privacy in late June, and three of them have come since late November, including the newest announced on December 14.

In September, OCR levied a $750,000 fine on Cancer Care Group, P.C., an Indianapolis-based oncology radiology practice which in 2012 had unencrypted back-up media holding protected health information stolen from a car and was found to have not conducted risk assessments since HIPAA went into effect. Within a week in November Puerto Rico’s Blue Cross and Blue Shield licensee got socked with a $3.5 million fine for a hacking incident in 2010 and six other breaches; and Lahey Hospital and Medical Center in Massachusetts was fined $850,000 after a laptop was stolen from an unlocked treatment room in 2011. In all these cases, the organizations agreed to complete a comprehensive corrective action plan.

Also See: Hazards Still Lurk for MaineGeneral Following Cyber Attack

On December 14 came a $750,000 HIPAA settlement with the University of Washington Medicine, which also has entered into a corrective action plan. In November 2013, an employee downloaded an email attachment that contained malware and compromised a range of demographic, financial and personal data affecting approximately 91,000 individuals.

OCR’s investigation found that while the U-Washington required affiliated entities to have up-to-date documented risk assessments and to implement safeguards under the HIPAA security rule, the university did not follow-up to ensure the entities were doing so and responding appropriately to potential risks and vulnerabilities, according to OCR.

In a statement sent to media, University of Washington Medicine noted that its EHR was not accessed or affected, the potential breach was limited to a single employee computer, about 90,000 patients were offered protective services, “and after a year of monitoring there have been no reports of any use or compromise of patient information.”

CIO James Fine in the statement said: “We voluntarily agreed with OCR to continue making our information security program even more robust than the one we have today.”

In addition to larger and more frequent sanctions, there is a more subtle change under the McGraw reign. The most recent announcements of settlements include a theme in the headline highlighting a core HIPAA requirement that was not followed and contributed to the breach. These include the need for organization-wide risk analysis, the importance of risk analysis and device and media control policies, and reinforcing lessons for users of medical devices.

“Too often, we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic health record, or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels in a statement. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

More for you

Loading data for hdm_tax_topic #care-team-experience...