The Top 7 HIPAA Settlements of 2016
HIPAA breaches can have a drastic and lasting effect on medical practices and healthcare organizations. Patient trust can be broken, public reputation can be irreparably damaged, and the financial impact can be severe. That is why using HIPAA-compliant applications, including cloud services, and performing an enterprise-wide risk analysis are imperative.
2016 had its fair share of HIPAA breaches that resulted in sizable settlements levied by the Office for Civil Rights (OCR), including the largest settlement to date.
Here are the top seven HIPAA settlements of the year.
1. North Memorial Health Care — $1.55 Million
Who: North Memorial Health Care, a not-for-profit health care system in Minnesota.
Initial breach: An unencrypted laptop containing electronic protected health information (ePHI) was stolen from a business associate's vehicle.
Patients affected: 9,497+
OCR Findings: North Memorial failed to have a valid business associate agreement in place before giving its business associate access to the hospital's database, which contained the ePHI of nearly 290,000 patients. North Memorial also failed to perform an organization-wide risk analysis.
Resolution: North Memorial must pay a $1.55 million settlement and develop a risk analysis and risk management plan as well as train employees on related policies and procedures.
2. St. Joseph Health — $2.14 Million
Who: St. Joseph Health (SJH), a nonprofit integrated Catholic health care delivery system serving Northern and Southern California as well as Texas and New Mexico.
Initial breach: PDF files containing ePHI were publicly accessible and indexed by Google and other search engines for approximately one year. A newly deployed SJH server had been left on a default file-sharing setting that allowed the files to be reached by anyone with an internet connection.
Patients affected: 31,800
OCR Findings: SJH failed to evaluate the risks introduced by the new server after it was put into production.
Resolution: SJH must pay a $2.14 million settlement and adopt a three-year corrective action plan.
3. New York Presbyterian Hospital — $2.2 Million
Who: New York Presbyterian Hospital (NYP) is a nonprofit university hospital in New York City.
Initial breach: Patients' PHI was disclosed during the filming of the ABC television series NY Med.
Patients affected: 2
OCR Findings: NYP allowed the ABC crew to film the death of one patient and to film another patient who was in distress without first obtaining the patients' consent.
Resolution: NYP must pay a $2.2 million settlement and undergo a two-year monitoring period.
4. Oregon Health & Science University — $2.7 Million
Who: Oregon Health & Science University (OHSU), which includes two hospitals and a public university in Portland, Oregon.
Initial breach: OHSU reported multiple breaches, including the theft of two unencrypted laptops and of an unencrypted thumb drive.
Patients affected: 3000+
OCR Findings: During its investigation, and in addition to the reported breaches, OCR found that OHSU was storing the ePHI of 3,000+ individuals on a cloud-based server without a valid business associate agreement with the cloud provider on file.
Resolution: OHSU was ordered to pay a $2.7 million settlement and adopt a three-year corrective action plan.
5. University of Mississippi Medical Center — $2.75 Million
Who: The University of Mississippi Medical Center (UMMC) is an academic medical center in Jackson, Mississippi.
Initial breach: A password-protected laptop was stolen from the medical intensive care unit of UMMC.
Patients affected: 10,000
OCR Findings: OCR found that UMMC was storing ePHI on a network drive. The drive was password-protected, but only by a single generic username and password shared by all users, so anyone on the wireless network could potentially access the files with little effort.
Resolution: UMMC must pay a $2.75 million settlement and adopt a three-year corrective action plan.
6. Feinstein Institute for Medical Research — $3.9 Million
Who: Feinstein Institute for Medical Research is a biomedical research institute in Manhasset, New York. It is also a subsidiary of Northwell Health, Inc., a large health system serving the same area.
Initial breach: A laptop, containing ePHI of research participants, was stolen from an employee's car.
Patients affected: 13,000
OCR Findings: Feinstein's safeguards for ePHI and its procedures governing how employees access ePHI were insufficient, as was its process for identifying security vulnerabilities and weaknesses.
Resolution: Feinstein was ordered to pay a $3.9 million settlement and adopt a three-year corrective action plan to correct deficiencies in its HIPAA compliance program.
7. Advocate Health Care Network — $5.55 Million
Who: Advocate Health Care Network is the largest fully-integrated health system in Illinois.
Initial breach: Advocate Medical Group, a subsidiary of Advocate Health Care Network, reported three separate breaches in 2013. Two breaches were related to the theft of four desktop computers and a laptop containing ePHI. The third breach resulted when an unauthorized third party accessed the network of an Advocate business associate.
Patients affected: Approximately 4 million
OCR Findings: Advocate failed to conduct a thorough risk analysis, provide reasonable safeguards for ePHI, and did not have a valid business associate agreement on file.
Resolution: Advocate Health Care Network was ordered to pay a $5.55 million settlement, the largest settlement to date against a single entity, and adopt a two-year corrective action plan.