11 May 2017

Office of Civil Rights Sends Tough Message with $8.7 Million In Fines


The fear of a HIPAA breach keeps doctors and other health care providers up at night.  Two recent HIPAA fines are going to lead to more sleepless nights for doctors, insurers and hospitals.

HHS’s Office of Civil Rights (OCR) recently announced (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/childrens) a $3.2 million civil monetary penalty against a children’s hospital in Texas related to multiple HIPAA violations over several years. The fine was for breaches involving the theft of an unencrypted BlackBerry and, a few years later, an unencrypted laptop. The large fine was due in part to the OCR’s determination that the facility failed to act even after experiencing breaches and failed to implement security measures recommended by two third parties.

A Florida hospital agreed to pay $5.5 million as part of a resolution agreement (https://www.hhs.gov/sites/default/files/memorial-ra-cap.pdf) after two employees inappropriately accessed patient information such as names, dates of birth and Social Security numbers and later sold the PHI. The OCR was particularly critical of the hospital’s failure to regularly review audit logs and access reports as required under the HIPAA Security Rule.

Key Takeaways:

  • Portable devices such as cell phones, iPads and laptops should be encrypted and password protected.
  • When an investigation or risk analysis identifies a security risk, health care providers should address the risk and not stick their heads in the sand.
  • Health care providers should regularly perform audits to determine if employees or others are accessing medical records without authorization.