HIPAA, the Health Insurance Portability and Accountability Act, is one of the most sweeping regulations with regard to patient confidentiality and electronic records in our nation’s history. The act affects Business Associates (for example, computer technicians and attorneys who may see personally identifiable patient information), Healthcare Providers (doctors and their staff, regardless of the size of the business), Health Care Plans (HMOs, insurance companies, etc.), and Health Care Clearing Houses (entities that process personally identifiable healthcare information from another entity). This legislation, passed by the United States Congress in 1996, has been revised several times since it was originally enacted and is enforced by the Department of Health and Human Services.

To read a summary of the HIPAA Security rule, visit http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/

HHS has stated that it will increase audits in the upcoming months and years. Below are some real cases of violations and imposed sanctions from the last several years.

Case 1 –
$218,400 – St. Elizabeth’s Medical Center
St. Elizabeth’s Medical Center must pay $218,400 for HIPAA violations through an agreement with the Department of Health and Human Services’ Office for Civil Rights.
In 2012, the OCR received a complaint alleging that the Brighton, Massachusetts-based health center did not analyze the risks of an Internet-based document sharing app, which stored protected health information for almost 500 individuals, according to an announcement from OCR.

Case 2 –
$4.8 million – Columbia University and New York Presbyterian Hospital
Columbia University and New York-Presbyterian Hospital were fined a combined $4.8 million for HIPAA violations when a doctor disconnected his personal computer from the hospital network, leaving patient information vulnerable to discovery through Internet search engines.

Case 3 –
$1.73 million – Concentra Health Services – April 2014
Individuals affected: 870 – An unencrypted Concentra laptop was stolen in November 2011, and according to OCR officials, from 2008 to 2012 the healthcare company failed to manage encryption policies, identify which assets needed to be encrypted, and document why encryption was not reasonable in certain cases. In 2008, almost 28 percent of Concentra laptops were not encrypted, and a complete inventory assessment did not occur until four years later.

Case 4 –
$1.7 million – Alaska Department of Health and Human Services – June 2012
Individuals affected: 501 – An unencrypted USB hard drive containing patient information was stolen from a DHSS employee’s car. After conducting an investigation, OCR officials discovered that DHSS had failed to complete a risk analysis, implement adequate security measures, provide security training for its employees, and address device encryption.

Case 5 –
$1.7 million – WellPoint – July 2013
Individuals affected: 612,402 – The protected health information, Social Security numbers and demographic data of patients were made accessible to unauthorized users over the Internet for a period of nearly five months. An OCR investigation determined that WellPoint failed to perform an adequate technical evaluation in response to a software upgrade. The managed care company also neglected to implement user verification technology for the Web-based patient database.

Case 6 –
$2.25 million – CVS Pharmacy – January 2009
Individuals affected: NA – A 2007 OCR investigation, launched in response to media reports on the topic, found several CVS pharmacies were disposing of protected health information in public dumpsters. In collaboration with OCR, the Federal Trade Commission also launched an investigation into CVS. Officials determined the pharmacy chain did not have adequate policies and safeguards in place to protect patient data and dispose of it in the proper way.

Case 7 –
$4.3 million – Cignet Health Center – October 2010
Individuals affected: 41 – The Maryland-based health center from 2008 to 2009 denied 41 patient requests for their medical records, for which the medical group practice was fined $1.3 million. Moreover, during the investigation into the allegations against Cignet, the practice refused to respond to several of OCR’s demands to produce the records and failed to cooperate with investigation requests, OCR officials said. For this, the practice was fined an additional $3 million.

Case 8 –
$4.8 million – New York Presbyterian Hospital and Columbia University – May 2014
Individuals affected: 6,800 – An OCR investigation discovered that the HIPAA breach transpired when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network that contained ePHI. Due to a lack of technical safeguards, the server deactivation resulted in ePHI being accessible through Google. The data was so widely accessible online that the entities learned of the breach only after receiving a complaint from an individual who found the ePHI of their deceased partner, a former NYP patient, online.

Case 9 –
$150,000 – Mental Health Non-Profit – December 2014
In December of 2014, the United States Department of Health and Human Services (HHS) slapped a mental health nonprofit with a $150,000 fine for HIPAA security rule violations. The Alaskan nonprofit failed to follow basic information technology practices, such as updating its software with available patches, using firewalls, and monitoring and identifying threats. Malware entered the nonprofit’s systems, which also used outdated, unsupported software. As a result, the unsecured protected health information of over 2,700 mental health patients was compromised.

In this case, the mental health nonprofit had not conducted a security risk assessment since the 2005 effective date of the HIPAA security rule. As part of the corrective action plan, HHS required the organization to conduct an annual security risk assessment of the potential risks and vulnerabilities of its electronic protected health information systems. Experts consider annual security risk assessments to be a HIPAA security rule best practice. HHS also mandated new security rule policies, general security awareness training, and signed compliance certification forms for all staff.

The federal government’s willingness to fine a five-facility nonprofit that provides care for the uninsured and underinsured does not bode well for larger institutions with greater information technology resources. HHS’s decision also demonstrates that all organizations must review their security rule policies and ensure that they have implemented appropriate safeguards for electronic protected health information. Nonprofits, local governments, and others that rely on outdated systems to maintain patient information must plan to allocate resources for more secure systems. Through HIPAA audits and settlement agreements such as this one, HHS continues to emphasize the need for covered entities to perform accurate and thorough security risk assessments.

Case 10 –
Federal Prison – Joshua Hippler of Longview, TX – March 2014
(See the complete story at http://meredith.worldnow.com/story/28130905/former-hospital-employee-sentenced-for-hippa-violations)
TYLER, TEXAS – A former employee of an East Texas hospital has been sentenced to federal prison for criminal HIPAA violations in the Eastern District of Texas, announced U.S. Attorney John M. Bales.

Joshua Hippler, 30, formerly of Longview, Texas, pleaded guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information and was sentenced to 18 months in federal prison today by U.S. District Judge Leonard Davis.

According to information presented in court, from December 2012 through January 2013, Hippler was an employee of a covered entity under HIPAA, the Health Insurance Portability and Accountability Act. During this time, Hippler obtained protected health information with the intent to use it for personal gain. Hippler was indicted by a federal grand jury on Mar. 26, 2014.

This case was investigated by the U.S. Department of Health and Human Services – Office of Inspector General and the U.S. Postal Inspection Service and prosecuted by Assistant U.S. Attorney Nathaniel C. Kummerfeld.