on May 02, 2014
Breaches involving inadequate security of electronic protected health information ("ePHI") accounted for nearly 80 percent of enforcement actions by the Office for Civil Rights ("OCR") in the past year. Consider the following recent actions:
- WellPoint, Inc. agreed to pay $1.7 million to settle claims arising from a lack of security safeguards in an online application database that left the ePHI of hundreds of thousands of individuals accessible over the internet;
- Affinity Health Plan agreed to pay $1.2 million after it was discovered that the ePHI of several hundred thousand individuals remained on the hard drive of a copy machine that was not wiped after use (copiers and multifunction printers store images of scanned documents on internal drives, which must be erased before the device is returned or disposed of);
- Idaho State University agreed to pay OCR $400,000 to settle a breach investigation involving a disabled firewall that left the ePHI of approximately 17,500 patients unsecured for at least 10 months;
- A dermatology practice in Massachusetts paid $150,000 for losing a thumb drive containing unencrypted ePHI on nearly 2,200 patients, and for failing to conduct a risk and vulnerability analysis, failing to develop and implement a security management process, and failing to have written policies and procedures in place for training staff, all of which the HIPAA Security Rule implementation standards require; and
- Concentra Health Services agreed to pay $1,725,220 to settle with OCR over the theft of an unencrypted laptop containing patient ePHI.
Three of these five actions involved unencrypted portable devices or media; ePHI encrypted in accordance with HHS guidance is treated as secured, so its loss or theft is not a reportable breach. To avoid OCR enforcement, HIPAA covered entities (including providers) and their Business Associates should take immediate steps to either conduct the required risk analysis or update a previous analysis, along with the resulting security management plan and their breach notification policies and procedures. Health care clients are strongly encouraged to be proactive and evaluate their vulnerabilities through a thorough data security risk analysis.
David E. Schweighoefer, Partner, Health Care Practice Group