By Cathrine A. Hunter, Esq.
On August 4, 2016, the U.S. Department of Health and Human Services issued the largest fine to date to the tune of $5.55 Million for violations of the Health Insurance Portability and Accountability Act (HIPAA).
Did you know that all health care providers, health plans and health care clearinghouses (“covered entities”) that create, receive, maintain or transmit protected health information are required to comply with HIPAA’s Privacy, Security, Breach Notification and Enforcement Rules?
In addition, any of the business associates and subcontractors hired by these covered entities are also held to the same strict HIPAA compliance standards.
Advocate Health Care Network, the largest health care system in Illinois with more than 250 treatment locations and 12 hospitals, did not know the requirements of the HIPAA Rules and suffered the consequences when it was fined $5.55 Million and ordered to adopt a corrective action plan.
Did you know that HIPAA requires an executed business associate agreement with any potential business partner who has access to protected health information?
Raleigh Orthopaedic Clinic of North Carolina did not know this when it handed over the protected health information of 17,300 patients to a potential business partner without first executing a business associate agreement, and it was fined $750,000 under HIPAA in April 2016.
North Memorial Health Care of Minnesota also did not know this and was fined $1.55 million under HIPAA on March 16, 2016.
Did you know that HIPAA requires all electronic protected health information to be secured with password protection and encryption?
Feinstein Institute for Medical Research, a not-for-profit in New York, learned this when a laptop computer containing the electronic protected health information of approximately 13,000 patients was stolen from an employee’s car, and it was fined $3.9 million under HIPAA on March 17, 2016.
Lahey Hospital and Medical Center, a not-for-profit teaching hospital affiliated with Tufts Medical School in Massachusetts, also learned this when a laptop computer containing the protected health information of 599 patients was stolen from an unlocked treatment room during the overnight hours, and it was fined $650,000 on November 25, 2015.
Do you know what the largest HIPAA fine is to date?
New York and Presbyterian Hospital and Columbia University do, to the tune of $4.8 million on May 7, 2014. A physician employed by one of them developed applications for both and, while attempting to deactivate a personally owned computer server on the network, left electronic protected health information accessible to internet search engines.
Did you know that HIPAA requires all protected health information be protected with appropriate administrative, physical and technical safeguards?
Triple-S Management Corporation of Puerto Rico learned this at the cost of a $3.5 million fine under HIPAA on November 30, 2015, for failing to implement such safeguards.
Did you know that, under HIPAA, an employer must educate its employees and prevent them from opening suspect emails containing malware?
The University of Washington Medicine learned this to the tune of $750,000 on December 14, 2015, when an employee downloaded an email attachment that contained malware and exposed the protected health information of 90,000 individuals.
For more information regarding HIPAA, please contact Cathrine A. Hunter, Esq. with Woodward, Pires & Lombardo, P.A. at 239-649-6555 or visit www.wpl-legal.com.