HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event:  USB hard drive stolen from employee car.

Quote From The Legal Agreement
real name changed to State Health Agency

minor modifications for readibility

Interpreting the HIPAA Police

Quote that sends a message:

Federal investigators flew to the state, drove to the site, and knocked on the door. Beyond the confusing nature of HIPAA, perhaps there was some beligerence in the state health agency. Not unusual for state's rights proponents to ignore the feds. But it is hard to ignore them when they are at the front door and they will be there all week investigating.

Ask Yourself: Are turf battles and political beefs worth $1.7 million in fines and three year HIPAA probation?

Quote that sends a message:

'Encryption anxiety' is a common technical concern. ClinicNerds will help NerdSecure (encrypt) any computer or computer device.

Ask Yourself: Do you have an inventory of every computer and computer device?

Quote that sends a message:

The precipitating incident occurred in October 2009. The resolution agreement was signed June 2012. The probation lasts 3 years to June 2015. These investigations and probations drag on for years.

Ask Yourself: Could your small practice survive with federal investigators disrupting your business for 5+ years?

Additional Comments

A USB hard drive, about the size of a wallet, was stolen and ended up costing $1.7 million in fines. That is a very expensive hard drive.

Taking an inventory of every computer and computer device is a task in our risk assessment in the HIPAA Lifeguard app. You have to know what you have so you know what you are protecting.

It is strange that this state health agency had not even bothered to conduct a risk analysis. Maybe they were stretched thin, overworked, understaffed, remote outpost...

This case underscores the confusing nature of HIPAA explanations. The state government, which also has HIPAA enforcement authority, was not even HIPAA compliant.

HHS at the federal level had to investigate and fine it's little brother HHS at the state level. The Department of Health and Human Services (HHS) exists at the federal level and the state level. Most of the United States have their own state version of HHS. This case is a bit unusual in that the federal HHS investigated and fined a state HHS. So the state paid a fine to the feds. Then the feds turn around and give subsidies to the states. Odd use of our tax dollars.

Obligations During HIPAA Probation
  • Must designate a privacy official
  • Must conduct a risk assessment
  • Must document policies and procedures in a risk management plan
  • Must train the entire workforce and get signed statements that they understand and will obey

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement where the HIPAA Police monitor the organziation for 3 years. During probation, there are specific to dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offer these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. Includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing polices, procedures and best practices.

Case Study Factsheet

A State Healthcare Agency in the Northwest

Case ID

Fine Amount

Corrective Action Plan (CAP) ?
Yes, 3 Years

Precipitating Event
USB hard drive stolen from employee car.

HIPAA Police Office
HHS Region 10 - Seattle

{ end case study CS-2012-06-25 }