HIPAA Breaches: Size Doesn't Necessarily Matter
The U.S. Department of Health and Human Services Office of Civil Rights (OCR) made headlines this month with a record $5.55 million HIPAA settlement reached with Advocate Health Care System, Illinois’ largest health care system with 12 acute care hospitals. That settlement dealt with three different data breaches that compromised more than four million individual patient records.
Since announcing the Advocate settlement, the OCR has made a special effort to let the health care world know that neither a smaller-sized breach nor a smaller-sized organization will be protected from OCR scrutiny. The OCR announced a new initiative giving special attention to smaller breaches – i.e. those involving protected health information (PHI) of fewer than 500 individuals. In its August 18 announcement, the OCR advised that its regional offices will increase their efforts "to identify and obtain corrective action to address entity and systemic noncompliance" related to smaller breaches.
The OCR’s announcement regarding its new “smaller-sized” breach initiative referred to the following “recent” settlements involving smaller reported breaches:
- Hospice of Northern Idaho – $50,000 settlement in 2013 as a result of the 2010 theft of an unencrypted laptop computer from an employee’s car, containing electronic PHI (ePHI) of 441 individuals.
- QCA Health Plan of Arkansas – $250,000 settlement in 2014 following the 2012 theft of an unencrypted laptop computer from an employee’s car, containing ePHI of 148 individuals.
- St. Elizabeth’s Medical Center – $218,400 settlement in 2015. The Massachusetts hospital’s 2012 report disclosed workforce members using an Internet-based document sharing application to store ePHI of at least 498 individuals, followed by a 2014 breach of ePHI on a former workforce member’s personal laptop and USB flash drive.
- Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) – $650,000 settlement in July 2016 after the theft of an employee’s unencrypted iPhone containing ePHI of 412 residents of six nursing homes for which CHCS was providing management and information technology services.
One of the most frequent risk factors drawing special attention from the OCR is that the organization failed to assess its risks – particularly the risk of unencrypted ePHI on mobile devices – and to adopt reasonable precautions. It’s also clear from recent settlements and the recent “no break for small breaches” announcement that the OCR is looking closely at breaches involving IT system intrusions (e.g., hacking) and those involving business associates’ activities.
The monetary amounts announced in OCR settlements are frequently dwarfed by the costs of the accompanying mandated corrective actions, and by the reputational costs and operational disruptions that accompany a data breach. Giving attention now to risk analysis and preventive measures, and to contracts with business associates, can greatly reduce the significant risks organizations face.