HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event:  The physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible


Quote From The Legal Agreement
(real name changed to XYZ Small Practice)

(minor modifications for readability)


Interpreting the HIPAA Police

Quote that sends a message:

No matter how large or small, every medical practice must designate a person to be in charge of HIPAA. ClinicNerds nicknamed this person the 'HIPAA Lifeguard' but the HIPAA Police call it a privacy or security or compliance official.

Ask Yourself: Has your clinic designated and documented a HIPAA Lifeguard?


Quote that sends a message:

No matter how large or small, every medical practice must conduct a risk assessment.

Ask Yourself: Has your clinic conducted and documented a risk assessment?


Quote that sends a message:

It is important to understand your 'software stack': all the tools the workforce uses to get their job done. Some tool providers are 'mere conduits', while others store your PHI and thus need a Business Associate Agreement (BAA).

Ask Yourself: Do you know all the (electronic) places where your PHI travels?


Additional Comments

One message that is loud and clear is that the HIPAA Police will fine small practices. XYZ Small Practice is a small practice. Just two locations in the same town and two doctors/owners.


This fine is also sending us some mixed messages. For a small practice, a $100,000 fine is pretty harsh. But the HIPAA Probation period is just 1 year, not the usual 3 years. This small practice had made little effort to comply with HIPAA. Maybe that is the reason for the mixed messages.


The legal agreement was signed in April 2012, but the improper activity occurred as far back as 2005. The length of the investigation and the size of the fine point to a contentious, drawn-out legal negotiation. Legal fees probably exceeded the fine amount. Many small practices could not afford over $200k in unplanned expenses.


XYZ Small Practice has two locations. Each location needs a HIPAA Lifeguard. Each location needs a documented risk assessment. Each location needs location-specific training.


Obligations During HIPAA Probation
  • Must designate a privacy official
  • Conduct a risk assessment
  • Develop a risk management plan that documents policies and procedures.
  • Train the workforce and have each member of the workforce sign a document which states that they received the training, understand it, and will abide by the new policies and procedures.
  • Review all business partners and sign Business Associate Agreements where necessary.
  • Annual reviews and updates to all above.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement under which the HIPAA Police monitor the organization for 3 years. During probation, there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offers these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. Includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures and best practices.


Case Study Factsheet

XYZ Speciality Small Practice in Phoenix

Case ID
CS-2012-04-11

Fine Amount
$100,000

Corrective Action Plan (CAP) ?
Yes, 1 Year

Precipitating Event
The physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible

HIPAA Police Office
HHS Region 10 - Seattle (seems like Region 9 SF should have handled)

{ end case study CS-2012-04-11 }