Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Number Of Health Data Breaches Grew Steadily Over Last Several Years

Posted on October 5, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

New research has found that while the number of patient records exposed per breach has varied widely, the number of health data breaches reported grew substantially between 2010 and 2017.

The study, which was conducted by researchers with Massachusetts General Hospital, was published in JAMA. Its aim was to look at the changes in data breach patterns as EHRs have come into wider use.

The authors analyzed 2,149 reported breaches over the previous seven years. The number of records breached for incident varied from 500 to almost 79 million patient records.

Researchers behind the study put breaches reported in three categories: those taking place at healthcare provider sites, within health plans, and at business associate locations.

One thing that stuck out from among the data points was that over that seven-year period, the number of breaches increased from 199 the first year to 344 in 2017. During that period, the only year that did not see an increase in incident volume was 2015.

Another notable if unsurprising conclusion drawn by the researchers was that while 70% of all breaches took place within provider organizations, incidents involving health plans accounted for 63% of all breached records.

Overall, the greatest number of patient records breached was due to compromised network servers or email messages. However, the top reasons for breaches have varied from year-to-year, the analysis found.

For example, the most common type of breach reported in 2010 was theft of physical records. The most commonly breached type of media that year was laptop computer data storage, followed by paper and film records.

Meanwhile, by 2017 data hacking or other information technology incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data. In addition, a large number of breaches could be attributed to compromised network servers or email messages.

The number of patient records exposed differed depending on what media was breached. For example, while the total of 510 breaches of paper and film records impact about 3.4 million patient records, 410 breaches of network servers affected nearly 140 million records.

MD Anderson Fined $4.3 Million For HIPAA Violations

Posted on June 21, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

An administrative law judge has ruled that MD Anderson Cancer Center must pay $4.3 million to the HHS Office of Civil Rights due to multiple HIPAA violations. This is the fourth largest penalty ever awarded to OCR.

OCR kicked off an investigation of MD Anderson in the wake of three separate data breach reports in 2012 and 2013. One of the breaches sprung from the theft of an unencrypted laptop from the home of an MD Anderson employee. The other two involved the loss of unencrypted USB thumb drives which held protected health information on over 33,500 patients.

Maybe — just maybe — MD Anderson could’ve gotten away with this or paid a much smaller fine. But given the circumstances, it was not going to get away that easily.

OCR found that while the organization had written encryption policies going back to 2006, it wasn’t following them that closely. What’s more, MD Anderson’s own risk analyses had found that a lack of device-level encryption could threaten the security of ePHI.

Adding insult to injury, MD Anderson didn’t begin to adopt enterprise-wide security technology until 2011. Also, it didn’t take action to encrypt data on its devices containing ePHI during the period between March 2011 and January 2013.

In defending itself, the organization argued that it was not obligated to encrypt data on its devices. It also claimed that the ePHI which was breached was for research, which meant that it was not subject to HIPAA penalties. In addition, its attorneys argued that the penalties accrued to OCR were unreasonable.

The administrative law judge wasn’t buying it. In fact, the judge took an axe to its arguments, saying that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” noting that its leaders “not only recognized, but [also] restated many times.” That’s strong language, the like of which I’ve never seen in HIPAA cases before.

You won’t be surprised to learn that the administrative law judge agreed to OCR’s sanctions, which included penalties for each day of MD Anderson’s lack of HIPAA compliance and for each record of individuals breached.

All I can say is wow. Could the Cancer Center’s leaders possibly have more chutzpah? It’s bad enough to have patient data breached three times. Defending yourself by essentially saying it was no big deal is even worse. If I were the judge I would’ve thrown the book at them too.

More Than 1.1 Million Patient Records Breached During Q1 of 2018

Posted on May 14, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Well, this isn’t a pretty picture. According to research by Protenus, roughly 1.3 million patient records were breached between January and March of this year. (The actual number is 1,129,744 records, for those who like to be precise.)

During that quarter, the healthcare industry saw an average of at least one data breach per day, racking up 110 health data breaches during this period, according to the Protenus Breach Barometer.

The researchers found that the single largest breach taking place during Q1 2018 was an intrusion involving an Oklahoma-based healthcare organization. The breach, which exposed patient billing information for 279,856 patients, resulted from an unauthorized third-party gaining access to the health system’s network.

If you assume that the other breaches were also executed by external cyberattackers, think again. According to the data, healthcare staffers represented a far bigger risk of being involved with security violations.

The data suggests that such insiders were most likely to illegally access data on the family members, a problem which accounted for 77.1% of privacy violations in the first quarter of this year. Accessing records on coworkers was the second most common insider-related violation, followed by accessing neighbor and VIP records.

Not only that, Protenus researchers found that if a healthcare employee breaches patient privacy once, there’s a greater than 20% chance they will breach privacy again in three months’ time. Worse, there’s a greater than 54% chance they will do so again in a years’ time. That’s a pretty nasty form of compounding risk.

Not only that, do healthcare institutions catch breaches right away? According to Protenus research, it takes healthcare organizations an average of 244 days to detect breaches once they take place. As readers know, some of these events involve information being exposed to the Internet, offering private information to the public via an unprotected interface. Also pretty ugly, and also a source of lousy PR for the organization.

This research is a sobering follow-up to the company’s year-end report for 2017. Last year, according to Protenus research, there was an average of one health data breach per year in 2017. The 407 incidents it identified affected 5,579,438 patient records.

The largest breach taking place in last year involved a rogue insider, a hospital employee, who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches largely sprang from insider errors.

Wow. If it wasn’t evident already, it’s pretty clear now that healthcare organizations need to tighten up their internal data security measures and training substantially.

While there will always be some folks who want to snoop on celebrity records to find imaging medical information on their ex, and some who plan to sell the information outright, a greater number simply need to be reminded what the rules are. (Or so I assume and fervently hope.)

Texting Patients Is OK Under HIPAA, as long as you…

Posted on March 6, 2018 I Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

OCR Director Severino Makes Policy from the Podium

Speaking at the HIMSS health IT conference in Las Vegas on Tuesday, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), the HIPAA enforcement agency, said that health care providers may share Protected Health Information (PHI) with patients through standard text messages. Providers must first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent.

In 2013, the HIPAA Omnibus Final Rule allowed healthcare providers to communicate Electronic Protected Health Information (ePHI) with patients through unencrypted e-mail, if the provider informs the patient that their e-mail service is not secure, gains the patient’s authorization to accept the risk, and documents the patient’s consent.

A HIMSS audience member asked Severino why the OCR hasn’t issued similar guidance for text messaging with patients. “I don’t see a difference,” Severino said. “I think it’s empowering the patient, making sure that their data is as accessible as possible in the way they want to receive it, and that’s what we want to do.”

“Wow! That’s a big change,” said Tom Leary, Vice President of Government Relations for HIMSS. “That’s wonderful. Actually, the physician community has been clamoring for clarification on that for several years now. Our physician community will be very supportive of that.”

The 2013 OCR guidance for e-mails,  and Severino’s announcement about text messages, only applies to communications with patients. All HIPAA Covered Entities and Business Associates are still forbidden to use unsecure communications tools to communicate with each other.

Messages sent through free e-mail services are not private. Google’s Gmail Terms of Service, allow Google to “use…reproduce…communicate, publish…publicly display and distribute” your e-mail messages. Health care providers must use encrypted e-mail or secure e-mail systems to communicate ePHI outside of their organizations.

In 2012, a small medical practice was penalized $ 100,000 for sharing patient information through free Internet services, including e-mail.  According to the resolution agreement, Phoenix Cardiac Surgery “daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.”

While the OCR may be best-known for its HIPAA enforcement, it has pushed healthcare organizations to lower barriers that have prevented patients from obtaining their medical records. The Omnibus Rule required health care providers to only recover actual costs when providing patients with copies of their records.

In its 2016 guidance, the OCR set a $ 6.50 limit (inclusive of all labor, supplies, and postage) for health care providers “that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI maintained electronically.”

The federal requirement to recover actual costs, or a flat fee of $ 6.50, supersedes state laws that allowed providers to charge for medical record searches and per-page fees. Maine caps the cost at $ 250 for a medical record, far above the federal $ 6.50 flat fee.

 

Health IT and ROI (Release of Information) Vendor Sues HHS Over Patient Records Fees

Posted on January 19, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now here’s one for the ages – a vendor taking HHS head-on. The vendor, CIOX Health, has sued HHS in an effort to stop the agency from enforcing HIPAA rules limiting how much providers and business associates can charge patient records. While the vendor may not get anywhere, the lawsuit raises the important question of what patient record retrieval should cost.

According to Becker’s Hospital Review, the suit focuses on changes to the privacy law put into place in 2013 and 2016. The article notes that these modifications broadened the type of information providers and BAs must send while capping the fees vendors could charge for doing so. Specifically, the changes made in 2016 require that vendors that the costs associated with record requests for a reasonable or flat rate of about $6.50.

In its complaint, CIOX says the flat fee “was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.” It contends that the HIPAA provisions in question established the limits “unlawfully, unreasonably, arbitrarily and capriciously.”

It’s hard to tell whether CIOX will get anywhere (though my guess is “not very far”). Government agencies are all but immovable, and HHS particularly so. I appreciate the spunk involved in filing the suit, the premise of which actually sounds reasonable to me, but I think the company has about as much chance of prevailing as a gnat fighting a combine harvester.

That being said, I think this suit focuses on an important issue, which is that the fee limits imposed by states and the federal government for providing medical records are all over the map. While such limits may be necessary to protect consumers, it’s probably fair to say that they aren’t exactly based on actual estimates of provider and vendor costs.

The truth is, the healthcare industry hasn’t come to grips yet with the cost of delivering healthcare information to patients. After all, while basic information delivered by a portal may be good enough for patients, these aren’t real medical records and they can’t be used as a basis for care.  And delivering an entire medical record can be expensive.

Plus, this issue is really complicated by the number of records requests that healthcare organizations are receiving from parties other than the patient. The number of records request from insurance companies, lawyers, and other third parties has increased dramatically. Not to mention how much of the record these organizations want to get. If it were just patients requesting their records, this question would be much simpler.

I can only think of a few ways to handle this problem, none of which are really satisfactory. For example, HHS or the states could create some sort of system which permits different fees depending on the difficulty of retrieving the information. Providers and business associates could submit their fees to some kind of review board which would approve or reject the proposal. Or perhaps we could just allow vendors to charge whatever the market would bear. None of these sound great to me.

If we want patients to manage their health effectively, they need to be able to share their records, and they must be able to access those records without paying a fortune for the privilege. At the same time, we can’t ask providers and business associates to share records at their own expense. Given the importance of this problem, I think it’s high time that healthcare leaders look for solutions.

HHS HIPAA Breach Wall of Shame Updated

Posted on August 28, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HHS has recently updated the HHS Wall of Shame…I mean the HIPAA Breach Reporting Tool (HBRT). Whatever you want to call the tool, you can find the most updated version here. Here’s a short description from the press release about the updates to the breach notification tool:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today launched a revised web tool that puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved. The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents. The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.

The new design is nice and it makes sense to finally archive some of the breaches on the list. How long should we condemn an organization that’s had a breach by having them on the list? Of course, it is still available on the archive.

Since the start of the HIPAA Breach notification tool (October 2009), there have been 1674 breach notifications (only includes breaches of 500 people or more). In just the last 24 months they’ve posted 364 breaches with nearly 28 million individuals affected. I’ll have to get my friends at Qlik to import the data to do more analysis of the data. Here’s a look at the data the tool provides:

The tool includes: the name of the entity; state where the entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., hacking/IT incident, theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer).

I wish they included more details on what caused the breach and more practical ways to defend against the various breaches. That would make the list a lot more actionable. However, I also understand why that would be a hard task to accomplish.

Just looking over some of the recent breaches, I wasn’t shocked by the number of hacking incidents that are being reported. We’ve widely reported on these types of hacking incidents as well. However, I was pretty shocked by how many of the recent breaches were by email. Once again, I wish I had a lot more information about what actually happened with these email breaches. Looks like HHS collects it when someone files a breach. I guess I understand why they can’t share the individual answers, but it would be nice to have some summary reports of actions taken by those that were breached.

What do you think of HHS’ updates to this tool? Is it useful in helping them reach their goal of making the industry safer? Is there something else they could do with the tool to make it work better? We look forward to reading your thoughts in the comments.

The Petya Global Malware Incident Hitting Nuance, Merck, and Many Others

Posted on July 3, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The Petya Malware (or NotPetya or ExPetya) has really hit healthcare in a big way. The biggest impact on the healthcare IT world was the damage it caused to Nuance, but it also hit Merck and some other healthcare systems. After a shaky start to their communication strategy, Nuance seems to finally at least be updating their customers who saw a lot of downtime from when it first started on June 28 until now. This rogue Nuance employee account has been pretty interesting to watch as well. There’s a lesson there about corporate social media policies during a crisis.

Petya was originally classified as ransomware, but experts are now suggesting that it’s not ransomware since it has no way to recover from the damage it’s doing. It’s amazing to think how pernicious a piece of malware is that just destroys whatever it can access. That’s pretty scary as a CIO and it’s no surprise that Petya, WannaCry, and other malware/ransomware is making CIOs “cry.”

It’s been eye opening to see how many healthcare organizations have depended on Nuance’s services and quite frankly the vast number of services they offer healthcare. It’s been extremely damaging for many healthcare organizations and has them rethinking their cloud strategy and even leaving Nuance for competitors like MModal. I’m surprised MModal’s social team hasn’t at least tweeted something about their services still being available online and not affected by Petya.

I’ll be interested to see how this impacts Nuance’s business. Nuance is giving away free versions of their Dragon Medical voice recognition software to customers who can’t use Nuance’s transcription business. Long term I wonder if this will actually help Nuance convert more customers from transcription to voice recognition. In the past 5 days, Nuance’s stock price has droppped $1.54 per share. Considering the lack of effective alternatives and the near monopoly they have in many areas, I’ll be surprised if their business is severely damaged.

As I do with most ransomware and malware incidents, I try not to be too harsh on those experiencing these incidents. The reality is that it can and will happen to all of us. It’s just a question of when and how hard we’ll be hit. It’s the new reality of this hyper connected world. Adding to the intrigue of Petya is that it seems to have been targeted mostly at the Ukraine and companies like Nuance and Merck were just collateral damage. Yet, what damage it’s done.

Earlier today David Chou offered some suggestions on how to prevent ransomware attacks that are worth considering at every organization. The one that stands out most to me with these most recent attacks is proper backups. Here is my simple 3 keys to effective backups:

Layers – Given all the various forms of ransomware, malware, natural disasters, etc, it’s important that you incorporate layers of backups. A real time backup of your systems is great until it replicates the malware in real time to your backup server. Then you’re up a creek without a paddle. An off site backup is great until your off site location has an issue. You need to have layers of backup that take into account all of the ways your data could go bad, be compromised, etc.

Simple – This may seem like a contradiction to the first point, but it’s not. You can have layers of backups and still keep the approach simple and straightforward. Far too often I see organizations with complex backup schemes which are impossible to monitor and therefore stop working effectively. The KISS principle is a good one with backups. If you make it too complex then you’ll never realize that it’s actually failing on you. There’s nothing worse than a failed backup when you think it’s running fine.

Test – If you’ve never tested your backups by actually restoring them, then you’re playing russian roulette with your data. It’s well known that many backups complete without actually backing up the data properly. The only way to know if your backup really worked is to do a test restore of the data. Make sure you have regularly scheduled tests that actually restore your data to a backup server. Otherwise, don’t be surprised if and when your backup doesn’t restore properly when it’s really needed. Malware events are stressful enough. Knowing you have a good backup that can be restored can soften the blow.

Backups won’t solve all of your problems related to malware, but it’s one extremely important step in the process and a great place to start. Now I’m going to go and run some backups on my own systems and test the restore.

Cost of a Breach, Proper Medical Record Disposal, and Delayed Breach Notifications

Posted on June 22, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time for a quick roundup of HIPAA related tweets from around the Twittersphere. Check out these tweets and we’ll add in a bit of our commentary.


Matt’s correct that it’s not all avoidable, but at $380 per record that’s expensive. Breaches are expensive everywhere, but especially in healthcare. When you look at how insecure various industries are, my guess is that healthcare would be near the top of the list as well. That’s a problem.


I’m with Danika Brinda as well. I have no idea why this is still happening. Are people really that uneducated and naive when it comes to disposal of paper medical records? Hire a company with a great reputation if you’re not sure how to do it properly yourself.


Happens all the time. The fine for the delay is more than the damage of the breach itself. There should be no reason organization’s delay in their efforts to notify patients of a breach. Doing so can be a very expensive prospect. Plus, it’s the right thing to do for the patients.

Hybrid Entities Ripe For HIPAA Enforcement Actions

Posted on February 8, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As some readers will know, HIPAA rules allow large organizations to separate out parts of the organization which engage in HIPAA-covered functions from those that do not. When they follow this model, known as a “hybrid entity” under HIPAA, organizations must take care to identify the “components” of its organization which engage in functions covered by HIPAA, notes attorney Matthew Fisher in a recent article.

If they don’t, they may get into big trouble, as signs suggest that the Office for Civil Rights will be taking a closer look at these arrangements going forward, according to attorneys.  In fact, the OCR recently hit the University of Massachusetts Amherst with a $650,000 fine after a store of unsecured electronic protected health information was breached. This action, the first addressing the hybrid entity standard under HIPAA, asserted that UMass had let this data get breached because it hadn’t treated one of its departments as a healthcare component.

UMass’s troubles began in June 2013, when a workstation at the UMass Center for Language, Speech and Hearing was hit with a malware attack. The malware breach led to the disclosure of patient names, addresses, Social Security numbers, dates of birth, health insurance information and diagnoses and procedure codes for about 1,670 individuals. The attack succeeded because UMass didn’t have a firewall in place.

After investigating the matter, OCR found that UMass had failed to name the Center as a healthcare component which needed to meet HIPAA standards, and as a result had never put policies and procedures in place there to enforce HIPAA compliance. What’s more, OCR concluded that – violating HIPAA on yet another level – UMass didn’t conduct an accurate and thorough risk analysis until September 2015, well after the original breach.

In the end, things didn’t go well for the university. Not only did OCR impose a fine, it also demanded that UMass take corrective action.

According to law firm Baker Donelson, this is a clear sign that the OCR is going to begin coming down on hybrid entities that don’t protect their PHI appropriately or erect walls between healthcare components and non-components. “Hybrid designation requires precise documentation and routine updating and review,” the firm writes. “It also requires implementation of appropriate administrative, technical and physical safeguards to prevent non-healthcare components from gaining PHI access.”

And the process of selecting out healthcare components for special treatment should never end completely. The firm advises its clients review the status of components whenever they are added – such as, for example, a walk-in or community clinic – or even when new enterprise-wide systems are implemented.

My instinct is that problems like the one taking place at UMass, in which hybrid institutions struggle to separate components logically and physically, are only likely to get worse as healthcare organizations consolidate into ACOs.

I assume that under these loosely consolidated business models, individual entities will still have to mind their own security. But at the same time, if they hope to share data and coordinate care effectively, extensive network interconnections will be necessary, and mapping who can and can’t look at PHI is already tricky. I don’t know what such partners will do to keep data not only within their network, but out of the hands of non-components, but I’m sure it’ll be no picnic.

5 Lessons In One Big HIPAA Penalty

Posted on February 2, 2017 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

The federal Office for Civil Rights just announced a $ 3.2 million penalty against Children’s Medical Center of Dallas.

5 Lessons Learned from this HIPAA Penalty

  1. Don’t ignore HIPAA
  2. Cooperate with the enforcers
  3. Fix the problems you identify
  4. Encrypt your data
  5. Not everyone in your workforce should be able to access Protected Health Information

If you think complying with HIPAA isn’t important, is expensive, and annoying, do you realize you could be making a $3.2 million decision? In this one penalty there are lots of hidden and not-so-hidden messages.

1. A $ 3.2 million penalty for losing two unencrypted devices, 3 years apart.

LESSON LEARNED: Don’t ignore HIPAA.

If Children’s Medical Center was paying attention to HIPAA as it should have, it wouldn’t be out $3.2 million that should be used to treat children’s medical problems. Remember that you protecting your patients’ medical information is their Civil Right and part of their medical care.

2. This is a Civil Money Penalty, not a Case Resolution.

What’s the difference? A Civil Money Penalty is a fine. It could mean that the entity did not comply with the investigation; (as in this case) did not respond to an invitation to a hearing; or did not follow corrective requirements from a case resolution. Most HIPAA penalties are Case Resolutions, where the entity cooperates with the enforcement agency, and which usually results in a lower dollar penalty than a Civil Money Penalty.

LESSON LEARNED: Cooperate with the enforcers. No one likes the idea of a federal data breach investigation, but you could save a lot of money by cooperating and asking for leniency. Then you need to follow the requirements outlined in your Corrective Action Plan.

3. They knew they had security risks in 2007 and never addressed them until 2013, after a SECOND breach.

Children’s Medical Center had identified its risks and knew it needed to encrypt its data as far back as 2007, but had a breach of unencrypted data in 2010 and another in 2013.

LESSON LEARNED: Don’t be a SLOW LEARNER. HIPAA requires that you conduct a Security Risk Analysis AND mitigate your risks. Self-managed risk analyses can miss critical items that will result in a breach. Paying for a risk analysis and filing away the report without fixing the problems can turn into a $ 3.2 million violation. How would you explain that to your management, board of directors, your patients, and the media, if you knew about a risk and never did anything to address it? How will your management and board feel about you when they watch $3.2 million be spent on a fine?

4. There is no better way to protect data than by encrypting it.

HIPAA gives you some leeway by not requiring you to encrypt all of your devices, as long as the alternative methods to secure the data are as reliable as encryption. There’s no such thing.

If an unencrypted device is lost or stolen, you just proved that your alternative security measures weren’t effective. It amazes me how much protected data we find floating around client networks. Our clients swear that their protected data is all in their patient care system; that users are given server shares and always use them; that scanned images are directly uploaded into applications; and that they have such good physical security controls that they do not need to encrypt desktop computers and servers.

LESSON LEARNED: You must locate ALL of your data that needs to be protected, and encrypt it using an acceptable method with a tracking system. We use professional tools to scan networks looking for protected data.

5. Not everyone in your workforce needs access to Protected Health Information.

We also look at paper records storage and their movement. This week we warned a client that we thought too many workforce members had access to the rooms that store patient records. The Children’s Medical Center penalty says they secured their laptops but “provided access to the area to workforce not authorized to access ePHI.”

LESSON LEARNED: Is your Protected Health Information (on paper and in electronic form) protected against unauthorized physical access by your workforce members not authorized to access PHI?

You can plan your new career after your current organization gets hit with a preventable $ 3.2 million penalty, just like Children’s Medical Center. Or, you can take HIPAA seriously, and properly manage your risks.

Your choice.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.