Organizations that run afoul of HIPAA can be fined up to $1.5 million per violation. Anthem, Inc. paid the highest fine on record in 2016: a staggering $16 million.
HIPAA regulations are enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). This month, OCR began investigating eleven non-compliance complaints.
Three of these HIPAA cases are particularly newsworthy. First, CVS Caremark is in hot water for its second HIPAA violation in two years.
Then, hackers breached the Penn Foundation’s security system and compromised over 700 patients’ data.
And, finally, identity thieves targeted the Dental Center of Westport Group’s patient data. The thieves then used that data to target DCW’s patients in a phishing scam.
In addition to new investigations, class-action lawsuits are moving their way through the courts. This month, four lawsuits have been filed against Scripps Health over a security breach.
The Mayo Clinic faces three lawsuits over an employee who violated HIPAA rules. The Mayo Clinic terminated the employee in question, but the institution will still be liable for HIPAA non-compliance.
What Is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It is a federal law that regulates healthcare organizations. These include:
- Health plans
- Medical practices
- Local and state health departments
- Third parties that use patient data
HIPAA protects patients’ private health information (PHI). The law mandates procedures and standards that keep PHI private, so organizations can only share the information with a patient’s express consent.
Under HIPAA, organizations must grant patients access to their own PHI within 30 days of a request. HIPAA prevents organizations from creating undue barriers to this access.
HIPAA also sets cybersecurity standards. Healthcare organizations must meet these standards when storing PHI digitally. HIPAA also regulates how healthcare organizations must file taxes.
Department of Health and Human Services
The Department of Health and Human Services enforces HIPAA regulations. Specifically, the Office for Civil Rights (OCR) investigates HIPAA violation complaints. All HIPAA violation reporting goes through the OCR.
The OCR can impose fines and other penalties.
If an organization violates a patient’s privacy, the patient usually cannot sue directly. Instead, the patient must file a HIPAA violation complaint with OCR.
But patients can file a class-action suit over a HIPAA violation in some circumstances. If a healthcare organization violates state law, or a different federal law that protects private data, a patient may have a private cause of action, which legally allows the patient to file a lawsuit.
CVS Caremark Violates HIPAA (Again)
OCR started investigating CVS Caremark for a HIPAA violation on June 28th, 2021. A CVS associate compromised the PHI of 2,324 individuals.
This act of non-compliance involves either unauthorized access or unauthorized disclosure of patient data. In this case, the data was on paper and film.
While the case is still ongoing, it wouldn’t be the first time CVS Caremark failed to meet HIPAA standards. In 2009, CVS paid a $2.25 million fine for non-compliance. At the time, CVS staff had thrown away labeled prescription bottles in insecure dumpsters.
CVS Caremark has a notable pattern of HIPAA violations. In 2020, CVS neglected to prevent theft: thieves stole 21,289 CVS patients’ private information due to the pharmacy’s negligence.
OCR has investigated over 200 complaints against CVS Caremark in the past ten years. This current investigation is ongoing. We will update you as we learn more.
Class-Action Suits Against Scripps Health
Harmed patients have filed four lawsuits against Scripps Health. Scripps Health is a multi-faceted health system in San Diego, California. On June 1st, 2021, Scripps Health notified patients of a security breach.
Hackers attacked and shut down Scripps Health’s database for an entire month. The hackers stole 147,000 patients’ personal information.
Harmed patients have filed lawsuits against Scripps Health alleging negligence. Because Scripps Health did not protect patients’ data effectively, it may be liable for damages.
The affected class of patients filed the lawsuit in the San Diego Superior Court. Californian patients are protected by both HIPAA and the Confidentiality of Medical Information Act (CMIA).
Class-action lawsuit settlements are different from HIPAA violation fines.
CMIA is a law that grants patients a private cause of action. So, patients can sue healthcare organizations directly when an organization violates their privacy rights.
Patients must prove the security breach damaged them. In one case, the security breach delayed a patient’s surgery, which increased his suffering. The delay also cost the patient his job, as he was let go for missing too much work.
Dental Patients Compromised by Phishing
On April 28th, dental patients were affected by a security breach.
On that date, malicious actors targeted the Dental Center of Westport Group (DCW)’s patient email list. Patients’ undisguised email addresses are private identifying information. To comply with HIPAA, healthcare organizations must keep patient email addresses confidential.
A week later, the actors sent DCW patients emails purporting to be from DCW. This phishing scam used patients’ personal information.
DCW learned of the incident on May 13th, 2021. Patient data may have been exposed as early as June 1st, 2014. DCW notified patients of the security breach on June 27th, 2021.
The dental practice hired a forensic cybersecurity firm to investigate the incident and prevent further violations. OCR determined that 2,175 patients’ information was exposed by the breach. DCW recommended that patients monitor all incoming emails for signs of phishing.
In the notice, DCW said it’s open to addressing any questions or concerns. It’s not clear yet what the ultimate impact on patients will be.
Penn Foundation Posts Breach Notification
The Penn Foundation is a non-profit behavioral health organization. At the end of June, it notified patients of a security breach. The breach affected 768 patients.
In February, hackers locked many Penn Foundation employees out of their workstations. Hackers also prevented staff from accessing the servers. Penn Foundation hired a cybersecurity firm to investigate the incident.
Currently, no patients have reported any negative impact from the breach. The OCR’s investigation of the breach is ongoing.
In the meantime, the Penn Foundation gave patients security recommendations. It also set up a toll-free number for patients to call with questions.
Mayo Clinic Privacy Lawsuits
Three lawsuits against the Mayo Clinic are moving forward this month. The lawsuits allege that Ahmad Alsughayer, a surgery resident at Mayo Clinic, violated HIPAA multiple times. He accessed PHI without authorization.
Mayo Clinic terminated Alsughayer after it investigated the incident. Alsughayer unlawfully accessed 1,614 patients’ personal data. The FBI is currently pressing criminal charges against the former resident.
But the court may hold Mayo Clinic itself liable for non-compliance. Harmed patients filed the lawsuit in Minnesota, where the Minnesota Health Records Act (MHRA) grants patients a private cause of action.
In this case, patients claim that one cause of action is the Mayo Clinic’s negligence: Mayo Clinic did not implement all privacy options available in its Electronic Health Records system.
Further OCR Investigations
OCR opened eleven investigations this month. In addition to the HIPAA cases detailed above, eight more complaints were filed. The OCR opened HIPAA cases against these eight healthcare organizations this month:
- Coastal Family Health Center
- CentraCare Health System
- PracticeMax Inc
- Francisco Palaban MD
- Dermatology Group of Arkansas
- Ankle and Foot Physicians and Surgeons PLLC
- Fairbanks Cancer Care Physicians P.C.
- The Recovery Project LLC
Each of these healthcare organizations failed to meet HIPAA regulations, and each HIPAA violation affected 500+ patients. Hackers attacking poorly secured servers caused the vast majority of the violations.
What is HIPAA Training?
HIPAA training is a set of lessons in HIPAA compliance. HIPAA training gives healthcare organizations a resource to ensure that they meet regulatory standards.
HIPAA training covers:
- How to optimize cybersecurity to protect stored data from hackers
- How to maintain patient privacy when you transfer PHI
- How to secure patient consent to share information
- How to implement HIPAA-compliant policies and best practices
- How to secure physical documents and other media containing PHI
- How to enforce HIPAA compliance among all staff
Training includes procedures and tools. Frequently, organizations must update software tools to stay compliant. HIPAA standards evolve as threats do.
Training includes information that enables organizations to abide by state privacy laws as well as HIPAA. Different HIPAA training courses emphasize different processes, tools, and solutions.
It’s wise to choose a HIPAA training course that addresses the barriers to compliance that are most common in your sub-field. You may also choose from online, in-person, and combined training options.
What Is HIPAA Certification?
HIPAA certification is a credential that tells patients a business meets HIPAA compliance standards. The OCR doesn’t grant this credential. Instead, third parties can certify an organization as HIPAA compliant.
Healthcare organizations can earn HIPAA certification by passing HIPAA training courses. Or, an evaluator can examine an organization’s security and privacy practices. Then, that evaluator can certify a practice.
Don’t Procrastinate on HIPAA Compliance: Avoid HIPAA Violations
HIPAA compliance is mandatory. Yet many healthcare organizations find themselves caught off guard when hackers breach their security, or when an employee accidentally exposes private information.
The best way to prevent a HIPAA violation is to build prevention into every aspect of your practice, and HIPAA training supports that effort. No matter what problems your practice is solving, there’s a HIPAA compliance course that meets your needs.