Privacy is highly valued in the modern world, because information about a person shapes their life both externally, in how others treat them, and internally, in how they see themselves. That is why the United States has several overlapping layers of data-protection regulation. These include the Fair Credit Reporting Act (FCRA), Sarbanes-Oxley (SOX), the EU Safe Harbor rules, Gramm-Leach-Bliley (GLB), and the Health Insurance Portability and Accountability Act (HIPAA).
This section of the page focuses on HIPAA and on the repercussions that follow a violation. The cases below explore the different ways in which people have consciously and unconsciously misused, mishandled, and breached patient privacy, whether through a careless text message, a lost storage device, or premeditated, malicious access to restricted records.
In 2011, an unencrypted flash drive containing Protected Health Information of patients was lost by a staff member of Adult & Pediatric Dermatology (APDerm), the private practice where the dermatologist worked. Although the drive was not described as holding sensitive clinical or financial details, the practice still agreed to a settlement of 150 thousand dollars (not 150 million, as is sometimes misreported). The Office for Civil Rights found that the practice had never properly assessed the risks to the electronic Protected Health Information it stored, and that it lacked the written policies and workforce training on breach notification that the HIPAA Breach Notification Rule requires of covered entities.
The nature of electronic Protected Health Information is that it spreads more easily the more it is passed between covered entities, healthcare providers, third-party business associates, and their subcontractors. Moreover, this type of data is difficult to destroy, and it is even harder to prove that every copy has been destroyed. Hence, HIPAA is particularly strict about electronic health information that is improperly obtained, and it places the burden on healthcare providers to implement safeguards before such risks materialize rather than after.
The same pattern appears in the case of a cardiac monitoring vendor that lost control of a laptop holding the electronic records of more than a thousand patients; the device was taken from an employee's vehicle. Following the investigation, the vendor settled with the Office for Civil Rights for about 2.5 million dollars.
Many healthcare facilities still routinely send patient information by fax. One such incident put a hospital in hot water when an office manager mistakenly sent the requested records of a patient with HIV to the patient's employer instead of to the patient's new urologist. The patient was subsequently treated differently at work, and neither the manager's nor the urologist's apologies did anything to lessen the patient's anger.
After the incident was reported to the Office for Civil Rights, the outcome was a warning and a mandate to train employees regularly on HIPAA procedures. Fortunately, such training is only a web search away, since many companies offer HIPAA training and certification, and it is far less taxing than dealing with the legal consequences of a breach.
Anthem, a health insurance company based in Indianapolis, suffered a cyberattack beginning in 2014 in which phishing emails gave the attackers a foothold in the company's network. From there they reached the customer database and stole identifying information: names, contact details, birthdates, health insurance identifiers, and Social Security numbers.
The Office for Civil Rights investigation found multiple HIPAA violations, resulting in a 16 million dollar settlement with OCR and a 115 million dollar class-action settlement. Five years on, Anthem's cumulative outlay for penalties, damages, and losses stood at 179.2 million dollars, making this by far the most expensive HIPAA violation on record.
In rare instances, a HIPAA violation leads to criminal charges rather than the far more common civil settlement. Criminal charges are uncommon because most violations are not premeditated acts intended to cause harm; they are usually a byproduct of neglect or of missing safeguards. However, in 2014 a hospital worker named Joshua Hippler was sentenced to 18 months in prison for wrongfully disclosing Protected Health Information with the intent to use it for personal gain. Hippler had worked at a hospital in Texas but was arrested in Georgia, where he was found in possession of the patient records he had stolen.
Around 2010, criminal charges were brought against another healthcare worker. Huping Zhou, a former surgeon in China, was working at the UCLA School of Medicine in 2003 when he received notice that he was being dismissed from his job. It was apparently in response to this that he began illegally accessing the medical records of his co-workers, his superiors, and other patients in the UCLA Health System, including celebrities such as Drew Barrymore and Tom Hanks.
He pleaded guilty to four misdemeanor counts of reading confidential medical information, having accessed records in violation of HIPAA a total of 323 times in less than a month. He was sentenced to four months in federal prison and fined 2 thousand dollars.
The case shows that ignorance of HIPAA is no defense: Mr. Zhou's attorney argued that his client had not known that merely reading this Protected Health Information could land him in jail, and even the U.S. Attorney's office acknowledged that there was no evidence he had done anything further with the information. He was convicted anyway. This is why HIPAA compliance training matters: healthcare professionals who are unaware of these laws can still be penalized under them.
That’s when MP1 Solution comes in handy!
Between roughly 2013 and 2014, ProMedica Bay Park Hospital employee Jamie Knapp illegally accessed the electronic Protected Health Information of about 596 patients. Although the respiratory therapist was authorized to view the records of some of these patients, she went on to view the records of other respiratory patients without any authorization. At trial it was suggested that her motive may have been to obtain or use intravenous (IV) drugs.
Britney Spears' 2008 breakdown was a topic of interest around the world, especially once she was admitted to the psychiatric unit at UCLA Medical Center. Privacy law, however, protects public figures exactly as it protects ordinary individuals, and viewing their records without authorization exposes workers to HIPAA-related consequences. That is exactly what happened to a total of 19 UCLA Medical Center employees, including six doctors, who looked at Britney Spears' medical records without any valid or authorized reason.
Unfortunately, this was not the first such breach: Britney Spears' health information had been similarly snooped on in 2005, after the birth of her first son at UCLA Santa Monica.
The employees involved were fired or otherwise disciplined for snooping.
A cyberattack on Premera Blue Cross, a health insurance company, went undetected for approximately nine months. The intruders who broke into Premera's systems exposed the records of exactly 10,466,692 individuals. The Office for Civil Rights investigation attributed the breach to multiple instances of HIPAA noncompliance, including the failure to implement adequate risk management and audit controls and sufficient safeguards over the hardware and software in the company's systems.
To resolve the OCR case, the insurer paid approximately 7 million dollars and agreed to a corrective action plan to address its HIPAA noncompliance. On top of that, it paid an additional 10 million dollars to settle with state attorneys general and 74 million dollars to settle a class-action lawsuit over the breach.
This remains one of the largest HIPAA-related penalties in history.
A medical technician at Onslow Memorial Hospital was fired over a Facebook comment. After a car crash brought a patient, Autumn Sharp, and her children to the hospital (Sharp later died), articles about the crash spread across social media. Distressed by the number of vehicle accidents in the area, the hospital employee, Olivia, commented on one of the articles that the patient should have worn her seatbelt, and in doing so revealed that she had been working in the emergency room when the family was brought in.
Her intent was to warn people about safety precautions. Unfortunately, the comment also disclosed Protected Health Information to the public, and the hospital fired her for it.
Normally, before a covered entity engages a third party that will have access to Protected Health Information, the two must sign a Business Associate Agreement (BAA) that binds the vendor to HIPAA's requirements. An orthopedic clinic did the exact opposite in 2016: it hired a vendor to convert X-ray films to digital form and then extract the silver from the used films, without ever putting a BAA in place. For that omission the clinic was fined about 750 thousand dollars and was required to adopt a Corrective Action Plan to prevent further violations.
An employee of a Washington State medical center was fired after accessing the Protected Health Information of more than 600 patients between October 2013 and March 2017. The worker was reported to have viewed identifying details including addresses, phone numbers, Social Security numbers, and health conditions. The facility uncovered the breach during its regular access auditing, which illustrates why such audits matter.
HIPAA training and certification is important not only to deter employees with ill intent from accessing Protected Health Information without authorization, but also to remind ordinary employees to watch what they say in casual conversation. The University of Iowa fired an employee for chatting with a coworker about a female student's pregnancy and about the child being that of a prominent student-athlete.
Although the employee had already received the required HIPAA training on protecting health information, it seems she was simply carried away with excitement and shared the news with a nearby coworker.
HIPAA violations can extend to television as well. A New York hospital paid about 2.2 million dollars in fines and settlements for allowing the TV series NY Med to film two patients without their permission. Worse, one of the patients died during filming, and the hospital was found to have given the production crew such unrestricted access that protecting the patients' information became impossible.
Because of these notable violations and the high value placed on patient privacy, the Office for Civil Rights has committed to stricter HIPAA auditing programs and enforcement to deter both deliberate and accidental breaches. The sad truth about a privacy breach is that, although damages can sometimes be compensated with hundreds of thousands or millions of dollars in settlements, the harm itself cannot be undone. Information about patients, their health, their identity, and in some cases their finances, is already in other people's hands.
That is why preventing breaches in the first place is so important, and the best step a company can take is to enroll its workforce in thorough HIPAA training to mitigate these risks.