Tuesday, 23 January 2018 11:54

2017 HIPAA Cases: Here's the message

At the start of each new year, it is always good to look back at the previous year's federal settlements under the Health Insurance Portability and Accountability Act (HIPAA). That is how you know what matters most to the Feds in terms of privacy enforcement.

From 2017, here is a short list of key messages:

  • It’s your job to understand HIPAA requirements.
  • Execute Business Associate Agreements (BAAs) with vendors and independent contractors that may have access to protected health information (PHI).
  • Don’t rest easy because you have security policies; you also need to manage the security processes that put those policies into practice day to day.
  • If you do experience a breach, report to the Feds in a timely manner.
  • Be sure to monitor activity on your databases; unauthorized access that nobody reviews goes undetected.

Now let’s take these one by one, with examples illustrating each point.

  • Understanding HIPAA requirements:

In a case involving CardioNet, a provider of remote mobile monitoring for heart patients, the Feds said that a lack of understanding of HIPAA requirements creates risk. CardioNet paid the cost of that ignorance in a $2.5 million settlement stemming from an unencrypted laptop containing protected health information that was stolen from an employee’s vehicle. Read the Press Release.

  • Business Associate Agreements:

In April, the Feds put out a news alert with the headline “No Business Associate Agreement? $31K Mistake.”

It was as if to say “Gotcha”, albeit in a small settlement by HIPAA standards. The case involved a children’s digestive health center. While investigating one of the center’s Business Associates, the Feds discovered the absence of a Business Associate Agreement, which it was the health center’s responsibility to execute. Read the Resolution Agreement and Corrective Action Plan - PDF.

  • Security management:

In a case involving unauthorized access to health information, Memorial Healthcare System (MHS) paid the Feds $5.5 million to settle potential violations. Protected health information had been impermissibly accessed and disclosed using the login credentials of a former employee of an affiliated physician’s office. The unauthorized access took place daily for a year and went undetected because of a failure to monitor database activity. Read the Resolution Agreement.

  • Timely breach response:

A case involving Children’s Medical Center of Dallas (Children’s) stemmed from impermissible disclosure of unsecured electronic health information and non-compliance with HIPAA standards over many years, according to the Feds. The Feds issued Children’s a notice that included instructions for filing a request for a hearing. Children’s did not request a hearing and paid a civil money penalty of $3.2 million; the Feds called out the issue of timely response. Read the Press Release.

  • Monitor databases:

This is essential to HIPAA compliance. In a case resulting in a $2.3 million settlement, the Federal Bureau of Investigation (FBI) notified 21st Century Oncology, Inc. (21CO) on two separate occasions that patient information had been illegally obtained by an unauthorized third party. The evidence included 21CO patient files purchased by an FBI informant. Among other things, the Feds determined that 21CO had failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. Read the News Release.
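The MHS and 21CO cases above both come down to the same missing control: nobody was reading the access records. As an added example (not code from this article or from any of the organizations it names), here is a minimal audit-log review in Python that flags the two failure modes those cases describe: access under the credentials of a departed user, and a single account touching an unusual number of patient records in one day. The log format, user names, HR data and threshold are all constructed for illustration.

```python
"""Audit-log review: flag access by departed users and unusual per-day volume.

Added example, not code from the article or from any organization it names.
The log format, user names, HR feed and threshold below are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed EHR access log, one event per line:
# "<ISO timestamp> <user> <action> <patient id>"
SAMPLE_LOG = """\
2012-03-01T08:12:05 jsmith VIEW 100234
2012-03-01T08:13:40 jsmith VIEW 100777
2012-03-01T08:15:02 jsmith VIEW 100901
2012-03-01T08:16:30 jsmith VIEW 100902
2012-03-01T08:17:55 jsmith VIEW 100903
2012-03-01T08:19:10 jsmith VIEW 100904
2012-03-01T09:02:11 dr.lee VIEW 100234
2012-03-01T09:05:00 dr.lee UPDATE 100234
2012-03-01T11:40:21 svc-legacy VIEW 100555
2012-03-02T08:10:00 jsmith VIEW 100905
2012-03-02T10:00:00 nurse.kim VIEW 100234
"""

# Constructed HR feed: user -> termination date, or None if still employed.
# A user missing from this map has no HR record at all and is flagged separately.
TERMINATIONS = {
    "jsmith": date(2011, 4, 1),   # left in 2011; the account was never disabled
    "dr.lee": None,
    "nurse.kim": None,
}

# Assumed threshold, kept deliberately low for the small sample. In practice
# set it per role from a baseline of that role's normal daily workload.
MAX_PATIENTS_PER_DAY = 5


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, patient = line.split()
        events.append({
            "day": date.fromisoformat(ts[:10]),
            "user": user,
            "action": action,
            "patient": patient,
        })
    return events


def access_after_termination(events, terminations):
    """Every event by a user whose account should have been disabled by that day."""
    findings = []
    for e in events:
        term = terminations.get(e["user"])
        if term is not None and e["day"] >= term:
            findings.append((e["user"], e["day"].isoformat(), e["action"], e["patient"]))
    return findings


def unknown_users(events, terminations):
    """Users present in the log but absent from HR: shared, service or orphaned accounts."""
    return sorted({e["user"] for e in events if e["user"] not in terminations})


def high_volume_days(events, limit=MAX_PATIENTS_PER_DAY):
    """(user, day) -> distinct patient count, for every day the count exceeds limit."""
    patients = defaultdict(set)
    for e in events:
        patients[(e["user"], e["day"].isoformat())].add(e["patient"])
    return {key: len(ids) for key, ids in patients.items() if len(ids) > limit}


def review(text, terminations=TERMINATIONS, limit=MAX_PATIENTS_PER_DAY):
    """Run all three checks over one log and return the findings together."""
    events = parse_log(text)
    return {
        "terminated_user_access": access_after_termination(events, terminations),
        "unknown_users": unknown_users(events, terminations),
        "high_volume_days": high_volume_days(events, limit),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(name, findings)
```

Run daily against the previous day's export (or wire the same three checks into a SIEM rule), this is the "procedure to regularly review records of information system activity" the 21CO finding refers to. The MHS pattern, a departed user's credentials in use every day, would be the first line of the report on day one rather than a discovery a year later; the HR feed is the piece most organizations lack, so the join between access logs and termination dates is where to start.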

The vast majority of HIPAA cases are resolved through corrective action plans that the Feds monitor. That means no fine, but you will still have the Feds hovering over you for a while.

Last modified on Friday, 02 February 2018 13:52


  • Comment Link Sherry Wednesday, 18 July 2018 18:51 posted by Sherry

    Hello there, just became alert to your blog through Google,
    and found that it is really informative. I'm going
    to watch out for brussels. I will appreciate if you continue this in future.

    A lot of people will be benefited from your writing.

  • Comment Link Doyle Wednesday, 18 July 2018 18:40 posted by Doyle

    You could certainly see your skills within the
    work you write. The arena hopes for even more passionate writers like you who
    are not afraid to mention how they believe. All the time go after your heart.

  • Comment Link Jason Wednesday, 18 July 2018 18:06 posted by Jason

    I do not even know how I ended up here, but I thought this post was great.
    I don't know who you are but certainly you're going to be a famous blogger if you are not already ;) Cheers!

  • Comment Link Adidas NMD Runner PK Black Peach/Pink Wednesday, 18 July 2018 17:06 posted by Adidas NMD Runner PK Black Peach/Pink

    I'm impressed, I need to say. Really hardly ever do I encounter a weblog that's each educative and entertaining, and let me inform you, you will have hit the nail on the head. Your concept is outstanding; the problem is one thing that not sufficient individuals are talking intelligently about. I'm very blissful that I stumbled throughout this in my search for one thing relating to this.

  • Comment Link ultra boost Wednesday, 18 July 2018 13:32 posted by ultra boost

    A lot of thanks for your own work on this site. My aunt takes pleasure in doing investigations and it is easy to understand why. Most of us notice all about the powerful form you make important steps through the website and even recommend contribution from other ones about this issue plus our daughter is without a doubt becoming educated a great deal. Take pleasure in the remaining portion of the new year. You are performing a powerful job.

  • Comment Link Eleonore Nerbonne Wednesday, 18 July 2018 11:19 posted by Eleonore Nerbonne

    Enjoyed looking at this, very good stuff, thanks. "The fox knows many things, but the hedgehog knows one big thing." by Archilochus.

  • Comment Link Cletus Fickett Wednesday, 18 July 2018 11:03 posted by Cletus Fickett

    Some really prize articles on this site, bookmarked.

  • Comment Link Ferdinand Banville Wednesday, 18 July 2018 09:05 posted by Ferdinand Banville

    It's a pity you don't have a donate button! I'd most certainly donate to this superb blog! I suppose for now I'll settle for bookmarking and adding your RSS feed to my Google account. I look forward to new updates and will share this site with my Facebook group. Chat soon!

  • Comment Link Noma Wandless Wednesday, 18 July 2018 08:03 posted by Noma Wandless

    There is noticeably a bundle to know about this. I assume you made certain nice points in features also.

  • Comment Link Natosha Capelo Wednesday, 18 July 2018 07:47 posted by Natosha Capelo

    Well I really enjoyed studying it. This post procured by you is very constructive for proper planning.

10 Step HIPAA Plan

  • Step 1: Confirm you are a covered entity

    What's Inside:
    Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Provide leadership

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Document processes, findings, and actions

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a security risk analysis

    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    Interactive tutorial – 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan

    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists

    Toolkit on 45 implementation specifications
  • Step 6: Manage and mitigate risks

    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Prevent breaches

    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach
    • Suite of Training Materials
  • Step 8: Communicate with patients

    What's Inside:
    FOR ALL:
    Privacy notice templates to help achieve meaningful consent, in English & Spanish.

    Professionals' guide covering 2013 updates on communications.

    Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Update or execute Business Associate Agreements (BAAs)

    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Attest to Compliance with Security Objectives

    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.