HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event: Unencrypted laptop and backup disks stolen from employee cars


Quote From The Legal Agreement
real name changed to XYZ Health

minor modifications for readability


Interpreting the HIPAA Police

Quote that sends a message:

The quote says that PHI was leaving XYZ Health's facility. There should be policies and procedures for PHI that stays in the facility, and separate policies and procedures for PHI that leaves the facility.

Ask Yourself: Are employees allowed to leave the clinic with PHI?


Quote that sends a message:

The quote says that managers are responsible for setting and enforcing policies. An unwritten policy is still a policy. Managers were aware that this PHI was leaving the facility and was being kept in personal vehicles.

Ask Yourself: Does your clinic have unwritten rules or policies?


Additional Comments

The source documents for this case study mention the word 'encryption' eight times.


The BIG DISCONNECT: The expectations of the HIPAA Police do not at all reflect the realities of the healthcare industry. The HIPAA Police expect that all computer devices are encrypted (that is, that the computer's storage has encryption enabled).


The reality of most healthcare organizations is that they are concerned, intimidated or worried about turning on encryption. They correctly fear that they will lose data, lose productivity, or will have interrupted workflows. We call this Encryption Anxiety and are working to help relieve it. The expectation that every computer is encrypted is disconnected from the reality that most computers are NOT encrypted. ClinicNerds intend to help close this gap.


Obligations During HIPAA Probation
  • Conduct a new risk assessment
  • Develop a new risk management plan
  • Rewrite policies and procedures for off-site storage, transport and security of computer devices
  • Encrypt computer devices with PHI
  • Provide evidence that new policies and procedures have been implemented
  • Provide signed statements from each employee that they have received training on the new policies and procedures
  • Implement a new monitoring program

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement under which the HIPAA Police monitor the organization for 3 years. During probation, there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offer these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. Includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures and best practices.


Case Study Factsheet

XYZ Health is a not-for-profit home health and hospice provider in five states in the Pacific Northwest.

Case ID
CS-2008-07-16

Fine Amount
$100,000

Corrective Action Plan (CAP)?
Yes, 3 Years

Precipitating Event
Unencrypted laptop and backup disks stolen from employee cars

HIPAA Police Office
HHS Region 10 - Seattle
