By Dan Gospe
HIPAA violations are becoming a more common occurrence in medical practices, and are set to become even more common in 2016: OCR, the enforcement end of HIPAA, requested a sizable budget increase for 2016 in order to address increasing concerns of non-compliant practices.
It has become easier and easier to find case studies of violations. From large companies like Blue Cross’s $18.5M fine to the more recent Dental Office fined $12,000 in Kokomo, OCR is getting more heavy-handed on its enforcement of the law, and is levying fines more often than offering corrective guidance.
Below you’ll find three such HIPAA violations, with some ideas on how the violation could have easily been averted if the proper precautions had been made.
1. M.D. Anderson Cancer Center, Boston, June 2012 – Unencrypted Laptop
In 2012, a physician researcher with the M.D. Anderson Cancer Center in Boston had an unencrypted laptop containing 3,621 patient records stolen from his home. The data was exhaustive, containing medical record numbers, names and SSNs, along with clinical information. Records were going back more than 10 years. The final fine was $1.5M for the breach, and could easily have been avoided.
Using built-in encryption with Windows Professional operating systems, this laptop could have been encrypted and the breach would have been completely avoided. Laptops are considered data in motion, and there for must be encrypted to comply with the law.
2. Dr. Joseph Beck DDS, Kokomo, March 2013 – Improper Disposal
This HIPAA violation by Dr. Joseph Beck was found after the dentist illegally disposed of his patient records. 63 boxes containing around 7,000 records was found in a recycling dumpster far from his home in March, 2013.
Not only was patient information rampant in the files, social security numbers, credit cards, and other extensive identifiers were part of the breach. The fine was set for $12,000 for this HIPAA violation – a low number, because the records were found before getting into the wrong hands or being considered “lost”.
Even though online data is much more in focus than paper charts than it was several years ago, it is still very important to realize that HIPAA reaches much farther than your network. Any Patient Information must be shredded or properly disposed of in order to comply with the regulations.
3. Phoenix Cardiac Surgery, Phoenix, April 2012 – Web-hosted Schedule
In this case, a few HIPAA violations within the practice led to a large fine, and more corrective action was needed. Phoenix Cardiac Surgery, a small 5 physician practice in Arizona, was fined $100,000 for using a non-compliant web-based scheduler. During the investigation, the OCR found that there was no risk assessment performed, no policies and procedures, and no HIPAA training for its staff. Civil suits were also incurred by this practice by patients whose information was publicly available online.
There are a few takeaways from this incident. First, if you are putting anything online for remote access, you must make sure the proper security measures are in place – this means, users, passwords, reportability, and a Business Associate Agreement from the company supplying your portal.
Another takeaway of this important case is the absence of a Risk Assessment. The practice had no idea of this risk, or other risks, to their data, as they had never performed an analysis. A Risk Assessment is required to be fully updated on a regular basis, and training must occur yearly so that employees are aware of the standards, policies and procedures for complying with the law.
Closing Thoughts
With OCR’s increased budget plan for 2016, and the cost of fines rising as well, it’s time to take HIPAA seriously. Remember, it isn’t just about complying with a law – keeping your patients’ information secure and well-tended goes directly to patient care! You want your patients to be comfortable in the operatories, but you also need them to be comfortable with you as the stewards of their data. These days, patients are becoming more aware of the laws requirements than many dentists and doctors are – don’t wait to be stumped or reported by a concerned patient. Take steps today! Encryption is easy and cheap, and a risk assessment not only provides a full roadmap of your vulnerabilities, but it serves as a training tool for what is expected, and why its important to keep your data safe.
If you are lost with learning the law, and want to avoid HIPAA violations, then it’s a good idea to get expert help! There are always many, many ways to comply with the law, and there is no “one size fits all solution”, so getting an expert consultation can help show you your needs, and offer different types of solutions which work best for your practice.