Several HIPAA violation cases in the past year involved poor decisions and behavior on the part of health care industry employees.
HIPAA violations in 2018 raked in a record $28.7 million in enforcement fines. While certainly massive, it’s important to note this total includes the whopper fine levied against Anthem. In that one HIPAA violation case, HHS penalized the insurer to the tune of $16 million, the largest HIPAA settlement ever.
Regulators expect health care providers to conduct accurate and thorough risk assessments. Any gaps in security that threatens the confidentiality, integrity or availability protected health information (PHI) is likely to draw negative attention from the U.S. Department of Health and Human Service’s Office for Civil Rights (OCR), namely in the form of HIPAA violation fines and penalties. This includes gaps in employee treatment and handling of PHI.
For that reason, health care providers need to pay close attention to risks and vulnerabilities relative to the employee base. Several of 2018’s OCR enforcements demonstrate just how common it is for associates to open a company up to for a potential violation.
Below are few examples of HIPAA violations stemming from poor employee judgement :
- Filefax, Inc., a medical records provider, settled for $100,000 after OCR found the company had left PHI in an unlocked truck. The company actually shut its doors during the course of the investigation
- The University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million penalty after the OCR investigated three data breaches. One involved the theft of an unencrypted laptop from the home of an employee; another the loss of two unencrypted USB thumb drives.
- In another HIPAA violation case, Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital were fined nearly $1 million in total for inviting ABC television crews onto their premises to film a documentary series. Because they did not first obtain patient authorization, the decision resulted in pretty steep HIPAA violation fines.
Training and awareness activities can go a long way toward mitigating the risks presented by employees. Talk with SIMBUS360 today about how your organization can deploy simple, engaging and affordable training programs to keep the HIPAA violation penalties at bay.
(Source: HHS.gov)