HIPAA Violations Add Up

Health Care|Risk Advisory/Internal Audit

By Eric Fair

The Health Insurance Portability and Accountability Act (HIPAA) Final Rule provides patients with an abundance of rights with respect to confidential health information; however, it can also allow for disclosure of such information needed for patient care and other critical circumstances. This Final Rule provides safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI). However, conformance surrounding the privacy of sensitive data has been a common issue, as detailed by the breaches below:

  • Advocate Health Care Reports Second-Biggest HIPAA Breach
    On July 15, 2013, Advocate Health Care reported that four unencrypted computers were stolen from an administrative building in Park Ridge, Illinois. Approximately 4 million patients were affected by this breach, since confidential data, which included, addresses, dates of birth, names and social security numbers, were accessible. Clinical data containing health insurance data, medical, diagnoses and record numbers were also contained on the computers. The Senior VP and Chief Marketing Officer at Advocate Health Care stated that the computers were password-protected, but not encrypted. Additionally, the Advocate Health Care representative indicated that Advocate Health Care recently began sending letters to affected patients offering a full year of credit monitoring at no cost.
  • Affinity Health Plan To Pay HHS $1.2M Over Patient Data Breach
    New-York-based Affinity Health Plan will pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) approximately $1.2 million as part of a patient data breach and violation of HIPAA. CBS Evening News purchased a photocopier previously leased by Affinity and determined confidential medical data was never removed from the hard drive. Approximately 344,579 patients may have been affected by the breach.
  • Idaho State University Settles HIPAA Security Case for $400,000
    Idaho State University has agreed to pay $400,000 to the HHS OCR to settle alleged violations of the HIPPA final rule. This resulted from the breach of unsecured electronic protected health information of nearly 17,500 patients at ISU’s Pocatello Family Medicine Clinic. Specifically, the data was unsecured for at least 10 months, due to disabled firewall protection, exposing servers maintained by ISU.

It is very likely that the fines and penalties noted in the above examples far exceed the cost of compliance that was ignored in these cases. Organizations should take great care to ensure that the appropriate safeguards are met and controls are in place to protect their systems and data. Without such controls, it could only be a matter of time before your organization winds up the subject of a similar story.

If you have any questions or concerns about your organization’s compliance with the HIPAA final rule, please feel free to contact Eric Wright at 412-697-5328 or at ewright@schneiderdowns.com.

© 2013 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.