Gazelle Consulting

2018’s Most Interesting HIPAA Violation Cases

Since 2003, when the HIPAA Enforcement Rule gave the OCR the authority to enforce HIPAA on behalf of HHS, we’ve seen an ever-increasing number of breaches and fines. Over the years we’ve watched the OCR go after massive healthcare companies like Anthem and organizations involved in egregious violations. Now, more than ever, we see a wide variety of businesses receiving fines for violations that are far more commonplace. We’ve collected some of the most shocking breach incidents of 2018 for your compliance pleasure.

Hospital Worker and Vice Lords Gang Members Harass Victims’ Family Members

In late 2015 and early 2016, the Vice Lords gang and their associates carried out a witness tampering scheme in eastern Detroit. The gang knew that three shooting victims had been treated at a specific medical center in Detroit, and that the brother of one of their members was an employee there. At the gang’s behest, the hospital worker illegally accessed a database containing the PHI (Protected Health Information) of every patient ever treated at that medical center and pulled the names, addresses, and phone numbers of the shooting victims’ family members. He then handed the information to the Vice Lords, who used it to try to harass the victims’ families and stop them from cooperating with investigators. An employee with a valid login but no need to know is exactly the insider case that least-privilege access and audit-log review are meant to catch. The medical center faced no consequences for this breach of patient information, but the employee who disclosed the PHI was prosecuted in 2018 for wrongfully disclosing it.

$100,000 Fine for Filefax, Even After It Closed Its Doors

Back in 2015 (apparently a bad year for data privacy), Filefax was up and running as a medical record storage, transport, and delivery vendor. Its privacy practices left much to be desired, and the OCR received an anonymous tip that a Filefax employee was selling patient records on the side. After opening an investigation, the OCR also found that patient records belonging to a Filefax client had been left in a dumpster outside the Filefax office. With the OCR breathing down its neck, Filefax closed its doors amid scrutiny and ongoing investigations. Closing did not end the matter: the OCR spent three years pursuing the penalty, and in 2018, after all of Filefax’s business assets had been liquidated, it finally collected $100,000 from the receiver of Filefax’s assets. Going out of business does not make a HIPAA liability go away.

Unauthorized Filming of Trauma Reality Show at Three Boston Hospitals

Three Boston-area hospitals involved in filming the trauma reality show “Save My Life: Boston Trauma” paid a total of $1 million in settlements to the OCR after allowing film crews to record patients at their facilities without patient authorization. The ABC film crew was also given broad access to the hospitals, including areas where medical records were kept. This is not the first time a real-life trauma show has violated patient privacy rights. In 2016, NY Presbyterian Hospital settled with the OCR after allowing the Dr. Oz show to film at its facility; the widow of a man who had died there saw herself on television as the doctor notified her of her husband’s death. These exploitative TV shows, and the hospitals that violate the rights of vulnerable individuals, need to be held accountable.

$16 Million Anthem Payment for Phishing Attack

Back in time… the year is… 2015. Data is falling out of everyone’s pockets and into the greedy hands of the dark web. At Anthem, attackers ran a phishing campaign to capture the user IDs and passwords of Anthem employees, then used those credentials to steal the ePHI of nearly 79 million individuals, including names, Social Security numbers, medical IDs, email addresses, and employment information, making this the largest health data breach in U.S. history. Unfortunately, Anthem lacked even a moderately developed compliance program and had failed to implement the basics: an enterprise-wide risk analysis, regular information system activity review, adequate minimum access controls, and a process for identifying and responding to security incidents. For shame! OCR Director Roger Severino commented that “the largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” as he frantically stuffed $16 million into a giant money sack.

So what have we learned? For one, the OCR takes about three years to resolve an incident, counting the investigation, the settlement or penalty, and collection of the money, so we might have to wait until 2021 for the year 2018 to reveal its secrets. Will all this enforcement activity result in fewer violations and fines, or will the OCR continue to be supplied with egregious violations by negligent companies? Stay tuned to find out!