Biggest HIPAA violations of 2018

By Naveed Saleh, MD, MS, for MDLinx
Published November 29, 2018


In 2002, the US Department of Health and Human Services (HHS) published the final form of its Standards for Privacy of Individually Identifiable Health Information, or “Privacy Rule,” as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Office for Civil Rights (OCR), which is part of HHS, implements and enforces the Privacy Rule through civil money penalties, settlements, and voluntary compliance activities. OCR also enforces the companion Security Rule, which sets the administrative, physical, and technical safeguards that covered entities must apply to electronic protected health information (ePHI); most of the findings in the cases below fall under it.

“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being,” the HHS stated. “The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”

Despite these national standards, violations of the Privacy and Security Rules, or HIPAA violations for short, routinely make headlines. Many of them serve as cautionary tales to be taken to heart when guarding patient information.

Here are four notable HIPAA violations that occurred in 2018.

Cyber-attacks

In October 2018, Anthem, Inc., an independent licensee of the Blue Cross and Blue Shield Association, agreed to pay the OCR a record-breaking $16 million and take corrective action after a series of cyber-attacks, beginning in 2014, resulted in the largest US health-data breach on record. The breach affected almost 79 million people and exposed names, Social Security numbers, dates of birth, medical identification numbers, addresses, email addresses, and employment information. According to OCR, the attackers gained their foothold after at least one employee responded to a spear-phishing email, and then operated undetected inside Anthem's systems. After investigation, the OCR found that Anthem had not conducted an enterprise-wide risk analysis, lacked sufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to keep attackers away from ePHI.

Filming of ABC television documentary

In September 2018, Boston Medical Center, Brigham and Women's Hospital, and Massachusetts General Hospital collectively paid $999,000 to settle OCR findings that they had compromised the privacy of patient health information by allowing film crews on their premises to record an ABC television network documentary series without first obtaining patient authorization. Remarkably, this is the second HIPAA settlement involving an ABC medical documentary; the first was NewYork-Presbyterian Hospital in 2016. OCR's guidance on this point is strict: written authorization from each patient is required before media can film in areas where PHI is accessible, and blurring faces or otherwise masking identities after the fact does not cure the disclosure. As part of a corrective action plan, each of the three hospitals must provide workforce training on OCR's guidance on disclosures to film and media.

Unencrypted devices

In June 2018, an HHS administrative law judge upheld $4.3 million in civil money penalties that OCR had imposed on the University of Texas MD Anderson Cancer Center over the theft of an unencrypted laptop and the loss of two unencrypted USB drives. The devices contained ePHI of more than 33,500 individuals. As part of its legal defense, MD Anderson argued that it did not need to encrypt the devices because they held data for “research” that was not covered by HIPAA, and that the Security Rule does not make encryption mandatory. The judge rejected both arguments. The practical lesson for security teams is that encryption of ePHI is an “addressable” implementation specification under the Security Rule, which means an entity must either implement it or document why it is not reasonable and appropriate and put an equivalent alternative in place; “addressable” does not mean optional. MD Anderson's own risk analyses had identified the lack of device encryption as a risk years earlier, and its own policies required it, which made the failure to follow through hard to defend.

Unauthorized access

In February 2018, Fresenius Medical Care North America (FMCNA), a product and service provider to more than 170,000 patients with chronic kidney disease, agreed to pay $3.5 million to the OCR in a settlement covering five separate breaches at five of its facilities. OCR's investigation found that FMCNA had failed to conduct an accurate and thorough risk analysis, failed to implement policies governing the receipt and removal of hardware and media containing ePHI into and out of its facilities, failed to address known security issues, permitted unauthorized access to ePHI, and failed to implement a mechanism to encrypt ePHI. In addition to the cash settlement, FMCNA must complete a risk analysis and risk-management plan, train its workforce, revise its policies and procedures on security controls, and produce a report on its encryption status.

On a final note, cash settlements of this size could threaten the solvency of some health-care institutions, but that is not a consideration for HHS. The OCR enforces HIPAA regardless of whether a covered entity is financially healthy or headed for bankruptcy. In other words, Privacy and Security Rule violations are serious, and there is no escaping the long arm of HIPAA if a provider lets patient data get loose.
