10 Companies That Lost Millions For These Avoidable HIPAA Violations

As Telehealth grows and becomes more relevant to healthcare, so too must the protections around it. Through Telehealth, medical providers are creating, storing, exchanging and deleting Electronic Protected Health Information (ePHI) all the time; but is this safe? Can video streams be tapped without anyone knowing? Is the information that’s stored online secure? Will PHI end up in public view? HIPAA has standards meant to prevent all of these, but are providers and their business associates following them? Here’s what happened to 10 that didn’t.

(These 10 are not in any particular order; they were chosen only to illustrate the range of reasons for which an organization can be penalized, and the range of amounts.)

1) $4.8 Million – New York-Presbyterian Hospital and Columbia University Medical Center
The largest HIPAA settlement at the time it was announced in 2014, although the underlying breach had occurred years earlier. What makes this case notable is that it was a joint breach of NYP and CU caused by the actions of a single CU physician. According to HHS’ report: “The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.” The ePHI of 6,800 patients ended up indexed by public search engines. Note that the deactivation itself was not the root cause: a personally owned server holding patient data was sitting on the network with no technical safeguards gating access to it, so a configuration change during decommissioning was enough to expose everything. After a full investigation sparked by this incident, OCR found these additional violations:

  1. Failure to conduct an accurate and thorough risk assessment
  2. As a result, missing risk management and contingency plans
  3. No implemented policies and procedures for authorizing access to its databases

2) $475,000 – Presence Health

A significantly smaller amount than the last, but still not small: the U.S. Department of Health and Human Services settled with Presence Health over the lack of a timely breach notification. (Under the HIPAA Breach Notification Rule, Covered Entities must notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach.)

3) $2.14 Million – St. Joseph Health
A nonprofit but large network, SJH was served a hefty settlement along with a comprehensive corrective action plan. Its ePHI had been publicly accessible through internet search engines. Other findings include:

  1. Exposure of the PHI of 31,800 individuals
  2. Implementation of a new server without a proper evaluation of the environmental and operational changes it introduced
  3. Although SJH hired a number of contractors to assess risk, as required by the HIPAA Security Rule, the work was “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis”.


4) $2.75 Million – University of Mississippi Medical Center
Although aware of vulnerabilities in its systems since 2005, UMMC did nothing, and an investigation was triggered when the ePHI of approximately 10,000 individuals was breached via a stolen laptop. The laptop provided easy access to thousands of patient files. Other violations found include:

  1. Did not implement policies to prevent, detect, contain and correct security violations
  2. Lacked policies on physical safeguards (i.e. for workstations, restricting access to ePHI)
  3. Did not assign unique user names to identify and track users in its information systems
  4. Did not notify the affected individuals of the breach


5) $1.7 Million – Alaska Department of Health and Social Services
This one is included to show that even a state health agency must be careful to follow HIPAA regulations. There are no exceptions; if you are investigated by the OCR, you are not immune to penalty. In this incident, an unencrypted hard drive containing PHI was stolen from an employee’s car. This sparked an investigation which found the following violations:

  1. No risk assessment
  2. Did not implement security measures
  3. Neglected to provide security training

6) $4.3 Million – Cignet Health Center
OCR investigated Cignet for refusing 41 patients’ requests for copies of their medical records, a violation of the patients’ right of access that accounted for $1.3 Million of the penalty. This wasn’t the only violation Cignet committed: it also refused OCR’s requests for records and failed to cooperate with the investigation overall, for which it was penalized a further $3 Million. Unlike the other cases here, this was a civil money penalty imposed by OCR rather than a negotiated settlement.


7) $650,000 – Catholic Health Care Services of the Archdiocese of Philadelphia
Due to the theft of an employee’s mobile device containing the PHI of nursing home residents, CHCS paid over half a million dollars. The company provides services to six nursing facilities, but it had neglected these HIPAA requirements:

  1. Encrypt any ePHI that is created, received, maintained or transmitted
  2. Conduct an enterprise-wide risk analysis
  3. Have a contingency plan
  4. Train staff on security measures


8) $750,000 – Raleigh Orthopedic Clinic, P.A. of North Carolina
This hefty settlement was simply the result of not having a Business Associate Agreement (BAA), a part of HIPAA that many are finding they cannot disregard. Raleigh Orthopedic had handed the information of over 17,000 patients to a potential partner without signing a BAA, and therefore without any contractual protection of its patients’ information against misuse and improper disclosure. While it may seem easy to overlook, the consequences are no light matter.


9) $1.55M – North Memorial Health Care of Minnesota
Just to underscore the importance of a BAA, here is another settlement obtained by the OCR. This one was particularly expensive because the information of almost 300,000 patients had been exposed. In the end, North Memorial had overlooked two major cornerstones of the HIPAA rules: a signed BAA with its business associate, and an enterprise-wide risk assessment.


10) $750,000 – University of Washington Medicine
Because an employee opened an email attachment containing malware, the ePHI of 90,000 individuals was compromised. In addition to this, the OCR cited them for not having procedures to prevent, detect, contain and correct such violations. Along with this relatively modest settlement (though not at all modest on its own), they must now follow a corrective action plan with annual reports on their compliance efforts.


The Takeaway

The main reason to follow HIPAA regulations so closely is to protect our patients, clients and ourselves. Privacy and confidentiality are increasingly cherished, and we have to work to secure them. For those of you who need another reason, these penalty examples are for you. For those who are genuinely concerned, don’t worry; just take action. The theme in these incidents is repetitive and preventable:

  • Have a signed BAA with anyone handling your PHI
  • Guard your mobile devices and portable media, and encrypt them
  • Conduct an enterprise-wide risk analysis, not a patchwork of partial ones
  • Implement security policies and procedures, and train staff on them
  • Notify affected individuals within the 60-day window when a breach does occur

Click here for more information on BAAs

Click here for summaries on the HIPAA Security Rule

Why More States Should Encourage Telemedicine in Schools

For some of the same reasons telemedicine is being welcomed into hospitals, prisons and private practices, we are finding that it’s also gaining popularity in schools. Moving past those general reasons, here’s what makes telemedicine in schools particularly special:

Image from ArkansasOnline: Rural Arkansas schools to go telemedicine route

It keeps kids on campus and in classrooms!

Kids get scrapes, sniffles and sneezes as surely as the sun rises, and while many schools have an onsite nurse, only some of those nurses are permitted to independently administer medication. The difference depends on licensure and state certification, which Registered Nurses (RNs) hold and Licensed Practical Nurses (LPNs) do not. This detail is a big part of why telemedicine in schools matters.

(Quick difference between the two types of nurses)
RN: a 2–4 year college degree and a licensing exam in the state where they work. Allowed to perform a wide range of medical activities and to make decisions about how and when to treat injuries or illnesses.
LPN: a high school diploma, a practical nursing program and a licensing exam. Their actions must be supervised by an RN or a doctor.

According to Deb Group, which specializes in occupational skin care and hand hygiene, K-12 students lose 164 million school days per year. Missing school puts students at a disadvantage: each missed day means roughly 7.5 hours of catch-up on top of the work they already have. It’s burdensome and overwhelming, and that’s before considering that the day they missed may have been a test prep day.

So let’s consider the case of an asthmatic child enrolled in a school staffed with LPNs. The child is wheezing and gasping for air and seeks out the nurse for help. The LPN recognizes this as an asthma attack and has access to asthma medication, but the law prevents the LPN from administering it. The child may be in desperate need with the remedy readily available, yet only a doctor or RN is permitted to provide medication.

In this time-sensitive situation the LPN is only authorized to call an ambulance and/or the legal guardian, and wait. By the time they finally arrive, the condition may have worsened, causing the student to lose the rest of the day and maybe another for recovery.

How having Telemedicine helps

If the school had implemented telemedicine, the LPN could have contacted an offsite doctor or RN, shown them the child and asked about the appropriate steps to take. Seeing the child, the doctor or RN would be able to make a diagnosis and authorize the LPN to act on their behalf, under their supervision, and treat the child right then. Telemedicine is not just beneficial for kids with asthma; a similar scenario could play out for a stomachache, headache, earache, fever, strep throat, you name it.

This is not to say that secure video conferencing can end all mid-day visits to the family doctor’s office. Instead this should be seen as a frontline solution that can help treat kids right away – at school, and back in classrooms so they don’t fall behind.

Here are the states that already authorize Medicaid reimbursement for telemedicine services in schools. Does Medicaid offer reimbursement for telemedicine in your state?

The Telehealth Resource You Need

Image from Telehealth Resource Centers

If you’ve been looking for information on Telehealth (what it’s about, reimbursement details, legal information, implementation strategies, etc.), the Telehealth Resource Centers can help. TRC is a great resource because it stays up to date and addresses several fundamental questions that arise with this technology. Examples include:

  • “What is the recommended process for introducing Telemedicine at a remote site?”
  • “How should the local community be informed of available Telemedicine services?”
  • “How do I know if a pilot test has been successful?”
  • “What needs to be included in a protocol for a live, interactive session?”

And these are just a few of the many questions they provide answers to. As you know, laws vary from state to state; TRC covers that too. To find your own Telehealth Resource Center, check here.

They also go above and beyond by conducting free webinars and posting the slides and recordings in case you missed them. It is an excellent resource on all things Telehealth.

Decoding HIPAA’s Security Rule

Photo by IBM Archives

In an earlier article we looked at the simple differences between the HIPAA Privacy Rule and the HIPAA Security Rule. (Check it out here if you haven’t seen it yet.)

It’s a simple distinction, but what’s not simple is what’s actually in the Security Rule. So if you want to know the important facts of HIPAA’s Security Rule without going cross-eyed over the documentation, give this summary a read.

Quick recap: the Security Rule was established to ensure that all Covered Entities implement safeguards that protect the confidentiality of ePHI while maintaining its integrity and its availability to authorized individuals. This is done through three categories of safeguards.

We’ve summarized each of those safeguards for you here:

  • Technical
  • Physical
  • Administrative

The 9 Standards for HIPAA’s Administrative Safeguards

HIPAA’s definition of Administrative Safeguards: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” HHS.gov Continue reading “The 9 Standards for HIPAA’s Administrative Safeguards” »

The First Major Mental Health Legislation in Nearly a Decade – Ready to be Signed by President Obama

Talks about how to improve mental health have long been swept under the rug and kept there; earlier this year, however, the House of Representatives changed that by introducing the 21st Century Cures Act. The bill emphasizes parity between mental and physical health and includes grants to increase the number of mental health practitioners. Continue reading “The First Major Mental Health Legislation in Nearly a Decade – Ready to be Signed by President Obama” »

Medicare’s Latest Reason to Not Reimburse You

Beginning October 1, 2012, the Centers for Medicare & Medicaid Services (CMS) started a program that requires it to reduce payments to Inpatient Prospective Payment System (IPPS) hospitals with excessive readmissions. The goal was to promote lasting care for patients before sending them home and to end the “revolving door” of readmissions. A very honorable goal, but maybe not the only one. Continue reading “Medicare’s Latest Reason to Not Reimburse You” »

The First Standalone Telehealth Bill, Spearheaded by Bipartisan Teamwork

In the coming days the Senate will be voting on S.2873, more commonly known as the ECHO (“Expanding Capacity for Health Outcomes”) Act, sponsored by Sen. Orrin Hatch [R-UT] and Sen. Brian Schatz [D-HI]. If passed, this bill would require HHS (Health and Human Services) and HRSA (Health Resources and Services Administration) to study technology-enabled collaborative learning and capacity building models. In other words, they would have to study the uses and capabilities of Telehealth technologies and determine their ability to improve patient care and provider education.

Why is this important? Continue reading “The First Standalone Telehealth Bill, Spearheaded by Bipartisan Teamwork” »

Donald Trump Just Got Elected President. What Does This Mean for Telehealth?

There’s a lot of uncertainty about what the results of this election mean for the nation, with healthcare a major focus. While it’s difficult to determine what will happen with healthcare overall, you can be assured that Telehealth will remain a growing and relevant part of our lives.

Continue reading “Donald Trump Just Got Elected President. What Does This Mean for Telehealth?” »

Were you considering using WebRTC? Here’s why you shouldn’t.

Waiting for WebRTC, in the style of Waiting for Godot

WebRTC vs. native apps: the former just isn’t ready.
WebRTC is built on a great and ambitious concept: browser-based Real-Time Communications (RTC) that any developer is free to implement. Google released WebRTC as an open source project in 2011, and in the years since it has attracted contributors and private businesses that have built on that foundation. Yet five years later it is still often described as being “in its infancy”, and it has yet to be fully supported across all major browsers. Check it out here: Continue reading “Were you considering using WebRTC? Here’s why you shouldn’t.” »