2018 was a year of serious HIPAA Enforcement.
Between the Vice Lords Gang, FileFax, and Anthem, there was no shortage of HIPAA cases.
Since 2003 the establishment of the Enforcement Act, an addendum to HIPAA that gave the OCR the right to enforce HIPAA on behalf of the HHS, we’ve seen an ever increasing number of fines and breaches. The OCR first targeted massive healthcare companies like Anthem, as well as companies involved in egregious violations.
But now more than ever, we see a wide variety of businesses receiving fines for violations that are much more commonplace. We’ve collected some of the most shocking breach incidents in 2018 for your compliance pleasure.
Hospital Worker and Member of the Vice Lords Gang Harassess Victim’s Family Members
In late 2015 and early 2016, the Vice Lords Gang and their associates carried out a witness tampering scheme in Eastern Detroit. The gang knew that 3 shooting victims had been treated at a specific medical center in Detroit, and that the brother of one of their members was an employee there.
The hospital worker, at the behest of the Vice Lords, illegally accessed a database containing PHI (Protected Health Information) of every patient that had been treated at that medical center and gathered names, addresses, and phone numbers of the shooting victims family members. The hospital worker then provided this information to the Vice Lords who attempted to use the information to harass the victims’ families and prevent them from cooperating with investigators.
While the medical center did not face any consequences for this breach of patient information, the employee who disclosed the PHI to the Vice Lords was prosecuted for Fraud and Abuse in 2018. (Read More)
$100,000 Fine for Filefax, Even After They Closed Their Doors
Back in 2015 (apparently a bad year for data privacy), Filefax was up and operating as a medical record storage, transport, and delivery vendor. However, their privacy practices left much to be desired.
The OCR received an anonymous tip that a Filefax employee was selling patient records on the side. After initiating an investigation, the OCR also found that patient records belonging to a FileFax client were being stored in a dumpster outside of the FileFax office. With the OCR breathing down their neck, FileFax closed its doors amid scrutiny and ongoing investigations.
The OCR spent 3 years pursuing this fine, and in 2018, after liquidation of all FileFax’s business assets, the OCR finally collected $100,000 in fines from the receiver of FileFax’s assets. (Read more)
Unauthorized Filming of Trauma Reality Show at 3 Boston Hospitals
Three Boston-area hospitals involved in the filming of the trauma reality show “Save My Life: Boston Trauma” have paid a total of $1 million in fines to the OCR after allowing film crews to film patients at their facilities without consent. The ABC film crew was also given complete access to the hospital, including rooms where medical records were stored.
This is not the first time a real life trauma show has violated patient privacy rights. In 2016, NY Presbyterian hospital allowed the Dr. Oz show to film at their facility, which resulted in the wife of a man who had passed away seeing herself on TV as the doctor notified her of her husband’s death.
These exploitative TV shows and the hospitals violating the rights of vulnerable individuals need to be held accountable. (Read more)
$16 Million Anthem Payment for Phishing Attack
Let’s warp back in time… the year is… 2015. Data is falling out of everyone’s pockets and into the greedy hands of the dark web.
At Anthem, hackers deployed a phishing campaign to capture passwords and user IDs of Anthem employees. The hackers were able to steal ePHI of nearly 79 million individuals, including names, security numbers, medical IDs, email addresses, and employment information, making this the largest data breach in history.
Unfortunately, Anthem lacked even a moderately developed compliance program and had failed to implement the basics including a risk assessment, information system activity review, and a process for responding to security incidents. For shame!
OCR Director Roger Severino commented that, “the largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” as he frantically stuffed $16 million dollars into a giant money sack. (Read more)
Takeaways
So what have we learned from all these violations?
Well for one, the OCR takes about 3 years to resolve incidents including investigation, lawsuit, and fines. So we might have to wait until 2021 for the year 2018 to reveal its secrets.
Will all this enforcement activity result in fewer violations and fines, or will the OCR continue to be supplied with egregious violations from negligent companies? Stay tuned to find out!
Does this talk of enforcement give you compliance anxiety? Gazelle Consulting can make HIPAA compliance feel like a delightful bound through a grassy savanna. Give us a call at (503) 389-5666 (no lions please!)