Oregon Health & Sciences University is notifying some 4,000 patients regarding a breach. This is the third time since 2009 that the facility has had such a breach – every time involved a lost or stolen and unencrypted laptop or portable device.
This cannot be stressed too highly. Covered entities and business associates MUST MUST MUST encrypt portable devices. It’s a simple and inexpensive step, and it makes a world of difference in whether a breach is reportable or manageable.
Even here in our great Magnolia State, problems arise. UMMC has issued a public breach notice regarding a lost laptop.
The University of Connecticut Health Center has announced a breach affecting some 1,400 patients.
I’ve prepared a few HIPAA updates in newsletter form in the past for use with my clients and to provide general information about HIPAA and related privacy matters. It’s only just occurred to me to put those here on the website, so I’ll do so now.
FYI – I’ll be publishing a newsletter in the next couple of days giving some information about the new rules published by OCR on January 17th. It’ll be a humdinger.
In another of what is becoming a growing list of identity theft cases involving HIPAA-protected PHI, three people in Florida pleaded guilty in federal court to charges relating to an identity theft operation which involved paying a hospital employee and her husband to snoop through literally hundreds of thousands of patient records to mine prospects for lawyer and chiropractor solicitation.
Back in November 2012, a laptop owned by a medication company, Omnicell, was stolen from one of its employees’ cars. The result? The unencrypted PHI of more than 68,000 patients at three different providers is loose in the wild.
The Department of Health and Human Services is expanding its OCR HIPAA enforcement with a recent fine levied against a small hospice provider in Idaho. According to the OCR press release, the hospice program was the victim of the theft of an unencrypted laptop computer containing the records of some 441 patients. The resulting fine is $50,000.
As reported by surfky.com news, the Kentucky Cabinet for Health and Family Services has notified more than 1,000 Medicaid beneficiaries of a potential breach of PHI.
A couple of years ago, a reporter doing a story on landfills in Massachusetts stumbled on non-shredded PHI just sitting in the open in the landfill. He reported the information to authorities, which led to the investigation of four pathology practices and a billing company. Now, there has been a settlement related to this breach.
From http://www.healthcareinfosecurity.com/state-settles-hipaa-case-for-140000-a-5411
In 2010, the four pathology groups quickly worked to cooperate with the investigation, which ultimately showed that the billing company used by all four practices had improperly disposed of the records by sending them to a landfill without shredding or otherwise destroying the records. The Attorney General in Massachusetts completed its investigation and found the situation worthy of fines. After some negotiation, the practices and the now-defunct billing company agreed to a fine of $140,000.
OCR has issued express guidance on the proper disposal of paper-based PHI, particularly with regard to landfills. Be sure to read that info before entering into any agreements with any billing companies or waste disposal companies and require that those contractors follow the OCR-approved procedures.
Two new cases highlight the seriousness of HIPAA. One results in criminal conviction after prosecution by the US Attorney’s Office; the other results in a $3M fine before prosecution.
