2015’s Biggest HIPAA Settlements {Plus How to Avoid the Same Expensive Outcome}

Since 2003, the Office for Civil Rights (OCR) has been cracking down on healthcare organizations in an attempt to maintain the privacy and security of patients’ personal health information.

2015 was a big year for the OCR. They handed out four, six-figure HIPAA-related settlements. Here are the details of each and how you can avoid similar expensive outcomes. 

1. Cornell Prescription Pharmacy - $125,000

Who:  Cornell Prescription Pharmacy, located in Denver, Colorado, is an independent pharmacy specializing in compounded medications and hospice care services.

Violation:  A local news outlet claimed the pharmacy was improperly disposing of PHI-containing documents, including leaving them in an “unlocked, open container on Cornell’s premises.”

Patients affected: 1,610

Findings: Cornell violated the HIPAA Privacy Rule by failing to implement written policy and procedures as well as failing to provide employee training on those policies and procedures.

Resolution:  Cornell was ordered to pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

2. St. Elizabeth’s Medical Center - $218,400

Who: St. Elizabeth’s Medical Center (SEMC) is a 252-bed tertiary care hospital located in Brighton, Massachusetts.

Violation: SEMC workers reported that an internet-based document sharing application was being used to store documents containing electronic protected health information (ePHI) for at least 498 patients. The application was utilized before it could be evaluated for potential HIPAA violations.

Additionally, SEMC reported a breach of unsecured ePHI affecting 595 patients. The breach involved a former SEMC employee’s personal laptop and USB flash drive.

Patients affected: Over 1,000

Findings: SEMC failed to “timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome.”

Resolution: SEMC was ordered to pay $218,400 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

3. Cancer Care Group, P.C. - $750,000

Who: Cancer Care Group, P.C. is a radiation oncology private physician practice located in Indiana.

Violation: A laptop bag was stolen from an employee’s car, containing a computer and unencrypted backup media. The media contained extensive ePHI, including names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of current and former patients.

Patients affected: 55,000

Findings: Cancer Care failed to conduct a thorough risk analysis after the breach first occurred. Also, they failed to implement written policies regarding how electronic media containing ePHI should be handled when removed from the facility.  

Resolution: Cancer Care was ordered to pay $750,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

4. Lahey Hospital and Medical Center - $850,000

Who: Lahey Hospital and Medical Center is a nonprofit teaching hospital located in Burlington, Massachusetts. It is affiliated with Tufts Medical School.

Violation: A laptop, connected to a portable CT scanner, was stolen from an unsecured treatment room. The laptop contained patients’ radiological images and PHI.   

Patients affected: 599

Findings: Lahey was found to be non-compliant on several counts, including failure to conduct a thorough risk analysis of all of its ePHI, failure to physically safeguard a workstation, and failure to implement written policies and procedures regarding the safeguarding of ePHI.

Resolution: Lahey was ordered to pay $850,000 and provide OCR with a comprehensive, enterprise-wide risk analysis, corresponding risk management plan, and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.

Avoid Similar Outcomes

Many of these violations could have been avoided if a thorough HIPAA risk assessment had been conducted, along with implementation of written policy and procedure guidelines.

Just like the organizations above, you could be at risk and not even realize it. Here are a few HIPAA resources that will help you avoid those substantial fines and penalties:

Have you completed your risk assessment or HIPAA policies and procedures? Please join the conversation below.