HIPAA Enforcement is Growing Teeth

The Office of Civil Rights, Department of Health and Human Services recently announced fines against two health care providers for failure to properly implement and follow breach policies for electronic protected health information (ePHI).  In September 2015, an Indiana radiation oncology group agreed to pay a $750,000 fine and implement a corrective action plan after it was investigated and found it the 13-physician group failed to conduct an enterprise-wide risk analysis and did not adopt written policies as required under HIPAA regulations on the removal of ePHI from hardware and removable storage devices.  The group self-reported a breach after an employee’s laptop was stolen from a personal vehicle.  The laptop did not contain ePHI, but backup media in the laptop bag contained unencrypted ePHI including social security numbers, names, and addresses for 55,000 former patients. 

In the second investigation, St. Elizabeth’s Medical Center in Brighton, MA, reached a settlement to pay a $218,500 fine after an investigation revealed the Medical Center used an internet-based document sharing application to store documents that contained ePHI of some 498 patients.  The Medical Center also failed to respond to the known security incident, mitigate harmful effects, and document the incident and outcome of its internal review.  In addition, the Medical Center was fined for a second breach involving ePHI for 595 patients that was improperly stored on a former employee’s laptop and USB flash drive.

OCR continues to increase its enforcement efforts across the nation.  As evidenced by these two recent cases, human error continues to be a significant source of HIPAA violations.  The theft of laptops and external storage devices such as flash drives can and do result in significant exposure.  If your health care facility or practice has not adopted written policies and procedures on the proper management and handling of these devices, you are at risk. 


Goosmann Cyber Law Counsel helps companies protect their property, resources, and name. If you are a business owner and need assistance on how to stop visual hacking or for more information on cyber law, contact the Goosmann Law Firm at info@goosmannlaw.com or call (712) 226-4000.

CONTACT US

Subscribe Our Blog

DISCLAIMER: The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. By visiting this website, blog, or post you understand that there is no attorney client relationship between you and the Goosmann Law Firm attorneys and website publisher. No information contained in this post should be construed as legal advice from Goosmann Law Firm, PLC, or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.