HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event:  Celebrity patients claimed XYZ Hospital employees snooping in records and selling to the paparazzi.

Quote From The Legal Agreement
real name changed to XYZ Hospital

minor modifications for readibility

Interpreting the HIPAA Police

Quote that sends a message:

The snooping is, of course, bad but the HIPAA Police are saying that not having a way of knowing if employees are snooping is also a HIPAA violation. XYZ Hospital got in trouble because they were not checking if employees were snooping.

Ask Yourself: Do you have automated reports that show medical record access?

Quote that sends a message:

Of course snooping is a HIPAA violation. But the snooping went on for 4 years without being recognized.

Ask Yourself: Are you checking if employees are snooping in paper or electronic medical records?

Quote that sends a message:

Sanctions (or punishments) must be documented and enforced.

Ask Yourself: If your employee violates a policy, is there a documented sanction or consequence.

Additional Comments

XYZ Hospital is a big sprawling health systems with many computer systesm, buildings, locations and thousands of employees. It is a lot of work to train and monitor all these moving parts.

Automated reports with intelligent algorithms is one way to address the complexity of large health systems. Random, unannounced inspections (that do not interrupt workflows) are equally effective.

Like checking out a book at the public library, small practices using paper medical records need check out procedures to ensure that snooping is not occurring.

Obligations During HIPAA Probation
  • Review and revise all HIPAA policies and procedures.
  • Retrain the entire workforce to follow the new policies and procedures.
  • Document santion policies and procedures and include in retraining.
  • During retraining, each member of the workforce shall sign a document that states they understand and will follow the new policies and procedures.
  • Designate an Independent Montior (individual or entity) to be a monitor to review XYZ Hospital's compliance with this CAP.
  • The Independent Monitor documents a plan to review XYZ Hopsital's compliance. The HIPAA Police review and comment on the monitor plan.
  • The Independent Monitor has unfettered access (including unannouced inspections and interviews) and writes semi-annual reports about XYZ Hospital's compliance.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement where the HIPAA Police monitor the organziation for 3 years. During probation, there are specific to dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offer these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. Includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing polices, procedures and best practices.

Case Study Factsheet

XYZ Hospital System in California

Case ID

Fine Amount

Corrective Action Plan (CAP) ?
Yes, 3 Years

Precipitating Event
Celebrity patients claimed XYZ Hospital employees snooping in records and selling to the paparazzi.

HIPAA Police Office
HHS Region 9 - San Francisco

{ end case study CS-2011-07-06 }