Criminal Cyberattacks Against Health Care Providers Are On the Rise

A recent study by Ponemon Institute, the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, concluded that the majority of data breaches are not accidental, but intentional.  These cyberattacks against health care providers cost the U.S. health care system $6 billion a year.  According to the report, the average cost of a data breach for healthcare organizations is more than $2.1 million, and the average cost of a data breach for business associates is more than $1 million.

Hospital Liability for Employee HIPAA Breaches

A hospital employee, who has been “HIPAA-trained” and admits to knowing better, accesses his ex-wife’s new boyfriend’s medical records and posts sensitive information on social media.  Is the hospital liable for the employee’s actions?

First, assume that the hospital did nothing wrong.  That requires the assumption that the employee was adequately trained, that the employee’s job required that he have access to this data, and that there was no way to otherwise limit the employee’s access.

The Intersection of HIPAA and Negligence: Pharmacist’s Violation Cost Walgreens $1.44 Million

On November 14, 2014, the Court of Appeals of Indiana affirmed a $1.44 million judgment against Walgreens Company based on a HIPAA violation committed by a Walgreens pharmacist. Walgreen Co. v. Hinchy, 2014 WL 6130795 at *1 (Ind. Ct. App. 2014). In Walgreen Co. v. Hinchy, Walgreens’ pharmacist Audra Withers looked up the prescription information of Walgreens’ customer Abigail Hinchy. Withers then used the prescription information of Hinchy for personal reasons, which allegedly included allowing Withers’ husband to use the private information to pressure Hinchy into not asking Withers’ husband for child support. Upon figuring out how Withers’ husband obtained the private information, Hinchy contacted Walgreens’ regional office to report the matter.

During the investigation, Withers admitted to purposely accessing the information for personal use. Walgreens confirmed to Hinchy that a HIPAA violation had occurred. Id. Per Walgreens, “Withers received a written warning and was required to retake a computer training program regarding HIPAA.”

HIPAA and Baby Photo Boards

As the NY Times article and related AOL video demonstrate (links below), baby photographs are protected to the same extent as medical records, Social Security Numbers and other types of individually identifiable information. The Health Insurance Portability and Accountability Act (HIPAA) protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. This is known as “protected health information (PHI).” See 45 C.F.R. § 160.103.

Non-Profit Health Care System Agrees to $800,000 HIPAA Settlement in Medical Records Dumping Case

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced today that Parkview Health System, Inc. has agreed to pay $800,000 and adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule based on the handling and disposal of a physician’s medical records. Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.

Reporting Crimes Against Patients

The HIPAA privacy rules have a number of disclosure exceptions, but those exceptions are only effective when state law also allows the disclosure. When there is no state-law exception, it is irrelevant that HIPAA would allow the disclosure. One such common situation involves crimes against patients.

Failure to Erase PHI from Photocopiers leads to $1.2 million HIPAA Settlement for Affinity Health Plan

New York insurer Affinity Health Plan will pay $1.2 million to resolve allegations it breached HIPAA by returning leased photocopiers without deleting all information from the hard drives of the copiers that contained protected data involving 345,000 patients, federal regulators said on Wednesday, August 14. Affinity reported the breach as required by the breach notification rules in the HITECH Act of 2009 and Omnibus Rule released this year.

Affinity learned of the breach from reporters at CBS Evening News, who purchased one of the copiers and discovered ePHI on the hard drives. This is another harsh reminder that copy machines are a frequent source of unsecured PHI that is not generally scrubbed by the health care provider.

Affinity entered into a Corrective Action Plan that addressed their failure to provide physical safeguards outlined in the Security Rule, lack of a proper risk analysis to determine potential vulnerabilities, as well as insufficient policies and procedures applicable to the issue. “This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said Leon Rodriguez, director of HHS’s Office for Civil Rights.

Written by: Stephen Angelette