6. Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices
Encrypting PHI is one of the most effective ways to limit the impact of a data breach. Under HHS guidance, ePHI that has been encrypted to the standard described in that guidance is treated as "secured", so the loss or theft of the data is not a reportable breach unless the decryption key was also compromised. Encryption is an "addressable" implementation specification under the HIPAA Security Rule rather than a "required" one, but addressable does not mean optional: a covered entity that decides not to encrypt must document why encryption is not reasonable and appropriate in its environment and must implement an equivalent alternative safeguard in its place.
Recent enforcement actions for the failure to safeguard PHI include:
Children’s Medical Center of Dallas – $3.2 million civil monetary penalty for failing to take action to address known risks, including the failure to use encryption on portable devices.
Catholic Health Care Services of the Archdiocese of Philadelphia – $650,000 settlement for the failure to use encryption, the failure to conduct an enterprise-wide risk analysis, and the failure to manage identified risks.
7. Exceeding the 60-Day Deadline for Issuing Breach Notifications
The HIPAA Breach Notification Rule requires covered entities to issue breach notifications without unreasonable delay, and in no case later than 60 calendar days after the discovery of a breach. Exceeding that time frame is one of the most common HIPAA violations, and two penalties have been issued for it this year:
Presence Health – $475,000 settlement for delaying the issuing of breach notifications by a month.
CoPilot Provider Support Services Inc. – $130,000 settlement with NY Attorney General for delayed breach notifications.
8. Impermissible Disclosures of Protected Health Information
Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This violation category includes disclosing PHI to a patient’s employer, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, not adhering to the ‘minimum necessary’ standard, and disclosures of PHI after patient authorizations have expired.
Settlements for impermissible disclosures of PHI include:
Memorial Hermann Health System – $2.4 million settlement for disclosing a patient’s PHI in a press release.
New York Presbyterian Hospital – $2,200,000 penalty for filming patients without consent.
Massachusetts General Hospital – $515,000 penalty for filming patients without consent.
St. Luke’s-Roosevelt Hospital Center – $387,000 settlement for careless handling of PHI and the disclosure of a patient’s HIV status to their employer.
Brigham and Women’s Hospital – $384,000 penalty for filming patients without consent.
Boston Medical Center – $100,000 penalty for filming patients without consent.