HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event: During an office relocation, 57 unencrypted computer hard drives were stolen from a network data closet.

Quote From The Legal Agreement
real name changed to XYZ Health Insurance

minor modifications for readability

Interpreting the HIPAA Police

Quote that sends a message:

Unlike patient medical records, customer service calls are not an obvious example of PHI. PHI comes in many forms.

Ask Yourself: Does your clinic record data that is not an obvious example of PHI?

Quote that sends a message:

The closet had good physical security, suggesting that the thieves were insiders. But the disk drives were not encrypted. Note that encoding audio or video does not secure it the way encryption does. The words "encoding" and "encryption" sound similar but mean different things.

Ask Yourself: Has your clinic considered biometric locks for sensitive rooms?

Additional Comments

Though the press release mentioned the word once ('57 unencrypted computer hard drives'), it is very surprising that the Corrective Action Plan does not mention any variation of the word encryption.

While encryption is usually assumed to be part of a risk management policy, the HIPAA Police usually mention it several times in the documents. It is not clear whether this was deliberate, was part of the legal negotiation, or was a rare oversight. In order to get the PHI, thieves had to listen to each phone call. The drudgery of listening to all those calls could have been a factor.

Security camera footage, which is usually stored on disk for a few days, is another type of overlooked PHI.

Obligations During HIPAA Probation
  • The CAP length is just 450 days, not the usual three years. This suggests that XYZ Health Insurance had pretty good HIPAA compliance documentation prior to the precipitating incident.
  • Must conduct a new risk assessment.
  • Must rewrite the risk management plan along with the policies and procedures.
  • Must retrain the entire workforce.
  • Must designate a monitor that (a) conducts unannounced site visits to facilities housing portable devices and (b) interviews a random sample of 25 members of the workforce who use portable devices.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement where the HIPAA Police monitor the organization for 3 years. During probation, there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offer these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. It includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures and best practices.

Case Study Factsheet

XYZ Health Insurance in Tennessee

Case ID

Fine Amount

Corrective Action Plan (CAP)?
Yes, 450 Days

Precipitating Event
During an office relocation, 57 unencrypted computer hard drives were stolen from a network data closet.

HIPAA Police Office
HHS Region 4 - Atlanta

{ end case study CS-2012-03-13 }