Institutional Compliance

Providing independent oversight of the University's Compliance Program

HIPAA Privacy and Breach Notification: Recent Enforcement Actions

Since the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted, HIPAA breach notification has been a major responsibility of health care entities, in addition to a long list of other privacy-related obligations. Violation of any of these obligations can result in sanctions or substantial fines for the entity.

As of April 30, 2017, the Office for Civil Rights (OCR) has settled 50 cases in which health care entities were found noncompliant with HIPAA, collecting more than $70 Million in fines and penalties for breaches and other HIPAA violations. This is in addition to more than 25,000 other cases that OCR has resolved by requiring entities to change their privacy practices and apply corrective actions.

Many of these fines and penalties could have been avoided if the entities had established policies and procedures to ensure they met all regulatory requirements, or if their workforces had followed such policies. Where computer theft or loss was involved, for instance, costly notifications and fines could have been avoided if the devices had been properly encrypted: under the Breach Notification Rule, protected health information that is encrypted in accordance with HHS guidance is not considered "unsecured," so its loss does not by itself trigger a reportable breach.

To this point, the compliance issues OCR has investigated most often are (in order of frequency):

  • Impermissible uses and disclosures of protected health information
  • Lack of safeguards of protected health information
  • Lack of patient access to their protected health information
  • Use or disclosure of more than the minimum necessary protected health information
  • Lack of administrative safeguards of electronic protected health information

As an example, some of the more recent federal enforcement actions, listed by entity with the fine imposed and the HIPAA violations cited, include:

Memorial Healthcare System of Florida ($5.5 Million)

  • Theft by employees of patient data resulting in identity fraud
  • Use by employees of an ex-employee's login, reflecting a lack of procedures for terminating employee access
  • Lack of reports investigating employee access to electronic systems

Advocate Health Care of Illinois ($5.5 Million)

  • Failure to encrypt a laptop
  • Lack of appropriate physical safeguards
  • Inadequate risk assessment
  • Lack of a required Business Associate Agreement

Children's Medical Center of Dallas ($3.2 Million)

  • Lack of appropriate physical safeguards
  • Failure to encrypt laptops and mobile devices
  • Inadequate management of known risks

University of Mississippi Medical Center ($2.75 Million)

  • Insufficient management of known risks
  • Insufficient institutional oversight
  • Failure to assign a unique user name or number for accessing electronic systems

Oregon Health and Science University ($2.7 Million)

  • Insufficient management of known risks
  • Failure to encrypt laptops and mobile devices
  • Lack of a Business Associate Agreement with Google Drive

CardioNet of Pennsylvania, now BioTelemetry, Inc. ($2.5 Million)

  • Loss of two unencrypted laptops
  • Insufficient risk analysis and management
  • Lack of established policies and procedures

Enforcement actions of this type are expected to continue. The number of facilities receiving enforcement actions is increasing, and fines are getting higher. Each fine levied also gives OCR the opportunity to hire more staff and to expand the scope of its investigations and audits.

Nonetheless, there is much that you can do to help avoid similar enforcement actions:

  • Make sure your organization’s policies and procedures are up-to-date. 
  • Make sure that your entire workforce learns and follows the HIPAA policies and procedures specific to your organization.
  • Know and respect the privacy rights of patients served by your organization.
  • Protect the privacy and security of all patient information entrusted to you. This includes taking special care to encrypt all electronic devices, including portable devices, that might contain sensitive or protected health information.
  • Report suspected violations or breaches immediately by calling your privacy official.

To learn more about the HIPAA enforcement process or what you can do to avoid HIPAA breaches, contact the University of Louisville Privacy Office at (502) 852-3803 or privacy@louisville.edu.