The 6 Largest HIPAA Fines of 2017

Anyone handling protected health information (PHI), as defined under HIPAA, accepts a strong obligation to protect it. Transferring or storing it insecurely can be very costly. The Office for Civil Rights (OCR) collected penalties of over a million dollars six times in 2017 for violations. Five of these cases involved failure to protect electronic data.

Telehealth involves the storage and transmission of electronic protected health information (ePHI), and it has to be diligently protected. This requires risk assessments, data protection policies, and procedures that carry them out.

Memorial Healthcare Systems – $5.5 million

The largest assessment, $5.5 million, fell on Memorial Healthcare Systems, which operates six hospitals and other facilities in Florida. Unauthorized employees had access to ePHI through shared login credentials. The reasons for the huge fine included failure to review access controls and examine audit logs. Credentials cannot be shared.

OCR treats breaches severely when it finds that they’re the result of systematic neglect. An organization that suffers a data leak in spite of consistently good security practices might get only recommendations on improving them. One which is negligent, as in this case, could be made to give up a large amount of money and demonstrate improvement in its practices.
Children’s Medical Center of Dallas – $3.2 million

In second place, Children’s Medical Center of Dallas paid a civil penalty of $3.2 million. In 2009, it had lost an unencrypted BlackBerry device at an airport, containing ePHI on 3,800 people. In 2013, it lost an unencrypted laptop with ePHI on 2,462 people. OCR found its failure to encrypt devices that left the office was chronic and detrimental.

HHS’s press release cites CMC of Dallas as having “non-compliance over many years with multiple standards of the HIPAA Security Rule.” Once again, the failure to fix ongoing problems was a major factor in the amount levied.
CardioNet – $2.5 million

The third largest amount came in the first HIPAA settlement that involved wireless health services. CardioNet, which specializes in cardiac outpatient telemetry, had to pay $2.5 million. While investigating the 2012 theft of a laptop from an employee’s car, OCR found CardioNet didn’t have any policies in final form for protecting ePHI. The lack of protection for mobile devices was a special concern. The required corrective action includes creating policies and procedures for protecting portable devices and storage media.
Memorial Hermann Health System – $2.4 million

The case of Memorial Hermann Health System is an odd one, showing that what would normally be acceptable disclosure can be forbidden under HIPAA. It cost MHHS $2.4 million for violating the Privacy Rule, putting it in fourth place.

In 2015, a patient at an MHHS clinic allegedly presented a fraudulent identification card. The staff called the police, who arrested the patient. Then MHHS issued a press release about the arrest, naming the patient. Under HIPAA rules, that’s illegal. The staff didn’t violate HIPAA by notifying the police and naming the accused person, but revealing the name to the public constituted disclosing PHI in the form of the patient’s name. This was the only penalty in the top six that didn’t involve electronic data security.
21st Century Oncology – $2.3 million

The case of 21st Century Oncology (21CO), a Florida provider of cancer care services, drew the fifth highest penalty: $2.3 million. This case started with two break-ins to 21CO’s servers that resulted in the sale of data to an FBI informant. The breaches exposed confidential information on over 2 million people, including names, Social Security numbers, and diagnoses. OCR’s investigation found inadequate security protections and a lack of risk assessment procedures and activity reviews.

In May 2017, 21CO filed for Chapter 11 bankruptcy. It exited Chapter 11 status in January 2018.
MAPFRE – $2.2 million

Finally, MAPFRE Life Insurance Company of Puerto Rico agreed to pay $2.2 million for disclosure of ePHI. The starting incident was the theft of a USB drive from MAPFRE’s IT department. It contained names and Social Security numbers for 2,209 people. The OCR investigation found a lack of risk assessment plans and a failure to encrypt data. HHS reports that MAPFRE didn’t consistently encrypt portable data until almost three years after the theft. Its failure to implement corrective measures, after promising OCR that it would, was a factor in the heavy assessment.

As these cases show, data leaks will draw the attention of the OCR and can mean heavy financial penalties. Any discussion of patient information needs protection against thieves, accidents and even disasters. SecureVideo’s platform supports HIPAA-compliant videoconferencing and includes many features such as encrypted chat and file transfers. Contact us to learn how SecureVideo can help your organization provide secure and quality care to your patients.