HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event:  Unencrypted Laptop stolen while lecturing in Asia. (Note: normally we quote and parse the Resolution Agreement with HHS but in this case, the press release from XYZ Hospital was more informative. So we use the hospital's press release as the case study's prime source.)


Quote From The Legal Agreement
real name changed to XYZ Hospital

  • 67 participants in somatic tinnitus modulation research, and
  • One participant in pulsatile tinnitus research.
Dr. XXXXX reported the theft to police in South Korea.

minor modifications for readability


Interpreting the HIPAA Police

Quote that sends a message:

The patient data went back 22 years, to 1988. It is important to know not only where your PHI Hotspots are but also what is inside them (here, probably a spreadsheet). HHS weighs the number of individuals affected, among other factors, when it sets a penalty, so the $1.5m fine reflected in part how many patients' records were on that laptop. Another thing to consider is de-identifying data that no longer needs to carry identifiers, and purging records that have passed their retention period.

Ask Yourself: Do you have databases or spreadsheets with ancient data?
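An added example (not a ClinicNerds tool and not code from the case) of the two clean-ups the paragraph above suggests for a spreadsheet export: flag records older than a retention cutoff, and write a de-identified copy under the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)): direct identifiers dropped, dates reduced to the year, ages over 89 collapsed to "90+" with the birth year removed, and ZIP codes cut to three digits with the low-population prefixes zeroed. The column names, the 20-year retention cutoff, the as-of date and the sample rows are assumptions made for the example; the restricted three-digit ZIP list is the one in HHS's Safe Harbor guidance and should be checked against the current guidance before use.

```python
"""
Safe Harbor de-identification plus a stale-record check for a patient
spreadsheet export. Example code; the column names, AS_OF date, retention
cutoff and SAMPLE_CSV rows are assumptions, not data from the case.
"""
import csv
import io
from datetime import date

# Three-digit ZIP prefixes that Safe Harbor says must be reported as "000"
# because their population is 20,000 or fewer (per HHS guidance; verify
# against the current list before relying on it).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Direct identifiers that are removed outright. "dob", "zip" and
# "visit_date" are handled separately because parts of them may be kept.
DIRECT_IDENTIFIERS = {"mrn", "name", "phone", "email", "street"}

# Reference date for age and retention calculations (assumed).
AS_OF = date(2012, 9, 13)

# Constructed sample export; these are not real patients.
SAMPLE_CSV = """mrn,name,dob,zip,phone,email,street,visit_date,diagnosis
1001,Jane Doe,1921-03-04,02114,617-555-0100,jane@example.com,1 Main St,1988-06-12,somatic tinnitus
1002,John Roe,1975-11-20,03601,603-555-0101,john@example.com,2 Oak St,2011-02-01,pulsatile tinnitus
1003,Ann Poe,1990-01-15,02115,617-555-0102,ann@example.com,3 Elm St,2012-07-30,somatic tinnitus
"""


def parse_export(text):
    """Read a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor_zip(zip5):
    """Keep the first three digits unless the prefix is restricted."""
    zip3 = zip5.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def deidentify_row(row, as_of):
    """Return a Safe Harbor version of one record."""
    dob = date.fromisoformat(row["dob"])
    visit = date.fromisoformat(row["visit_date"])
    over_89 = age_on(dob, as_of) > 89
    out = {
        # Year of birth is allowed unless it reveals an age over 89.
        "birth_year": "" if over_89 else str(dob.year),
        "age": "90+" if over_89 else str(age_on(dob, as_of)),
        "zip3": safe_harbor_zip(row["zip"]),
        # Only the year of a date tied to the individual may remain.
        "visit_year": str(visit.year),
    }
    for key, value in row.items():
        if key in DIRECT_IDENTIFIERS or key in ("dob", "zip", "visit_date"):
            continue
        # Remaining clinical columns pass through; free-text fields still
        # need a manual review for identifiers typed into them.
        out[key] = value
    return out


def deidentify(rows, as_of):
    return [deidentify_row(r, as_of) for r in rows]


def stale_records(rows, as_of, older_than_years):
    """MRNs whose last visit is older than the retention cutoff."""
    cutoff = date(as_of.year - older_than_years, as_of.month, as_of.day)
    return [r["mrn"] for r in rows
            if date.fromisoformat(r["visit_date"]) < cutoff]


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    print("records past the 20-year cutoff:", stale_records(rows, AS_OF, 20))
    print(to_csv(deidentify(rows, AS_OF)))
```

Run the stale-record report before de-identifying: records that are past retention should be destroyed, not kept in a de-identified copy. Safe Harbor is the mechanical method; the alternative, Expert Determination, needs a qualified statistician and is not shown here.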


Quote that sends a message:

This statement does not help. HHS does not need proof that the data was read or used, and it is hard to prove either way. What counts is that unsecured PHI left the organization's control. The only way to make such a loss a non-event is encryption that renders the data unreadable to whoever ends up with the device.

Ask Yourself: Have you left paper or electronic patient data exposed?


Quote that sends a message:

The LoJack tracking device sounds impressive, but it did not help XYZ Hospital avoid a $1.5m fine. Tracking may help recover a laptop; it does nothing to protect the data on it while it is gone. Full-disk encryption, strong passwords and automatic screen locks are the features the HIPAA Police trust, and every current operating system ships with them at no additional cost.

Ask Yourself: Are your vendors making slippery claims that their products are 'Fully HIPAA Compliant'?


Additional Comments

When a US-based doctor is invited to lecture in Asia, it is safe to assume that the doctor is world renowned. Before the trip, the doctor believed that the LoJack for Laptops device was precaution enough. Unfortunately, the trip turned into a huge and costly embarrassment.


Note below some of the required actions stated in the Corrective Action Plan. We'll skip items 1-5 because they have been discussed in earlier case studies, but items 6-8 were new statements from the HIPAA Police:


"6. Procedures that specify the proper functions to be performed using workstations that access XYZ Hostpital PHI, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access PHI;"


"7. Provisions to track the receipt and removal of hardware and electronic media, including portable devices, that contain XYZ Hospital PHI into and out of XYZ Hospital’s facility(s), and the movement of these items within XYZ Hospital’s facility(s);"


(The above two points are why the HIPAA Lifeguard App requires that a clinic floorplan be included in the risk assessment.)


"8. Mechanism(s) to encrypt and decrypt portable devices that contain XYZ Hospital PHI to allow access only to those persons or software programs that have been granted access rights;"


There is no such thing as 'HIPAA compliant', but these three things, if implemented and documented in a HIPAA Notebook, will get you close: encryption, strong passwords and automatic screen locks. ClinicNerds calls this 'NerdSecured.'
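An added example (not the HIPAA Lifeguard App or any code from the case) that ties item 7 above to the three NerdSecured controls: a small portable-device register with a check-out/check-in movement log, a baseline check per device, and a report of PHI-bearing devices that are currently off-site while failing the baseline, which is exactly the combination behind this case. A tracking agent is deliberately not a baseline control, for the reason given earlier. The field names, the password-length and screen-lock thresholds, and the sample devices and log entries are assumptions constructed for the example.

```python
"""
Portable-device register, movement log and NerdSecured baseline check.
Example code; DEVICES, MOVEMENTS and the BASELINE_* thresholds are
constructed assumptions, not data from the case.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BASELINE_MIN_PASSWORD_LEN = 12   # assumed local policy value
BASELINE_MAX_LOCK_MINUTES = 10   # assumed local policy value


@dataclass(frozen=True)
class Device:
    asset_tag: str
    custodian: str
    holds_phi: bool
    disk_encrypted: bool
    min_password_len: int
    screen_lock_minutes: Optional[int]   # None means no automatic lock


@dataclass(frozen=True)
class Movement:
    when: str          # ISO 8601 timestamp
    asset_tag: str
    action: str        # "checkout" (leaves the facility) or "checkin"
    destination: str   # where it went; "" on checkin


# Constructed sample register; not real assets or people.
DEVICES = [
    Device("LT-0042", "Dr. A", True, False, 8, None),
    Device("LT-0043", "Dr. B", True, True, 14, 5),
    Device("USB-07", "Front desk", True, False, 0, None),
    Device("LT-0050", "IT spare", False, False, 8, 30),
]

# Constructed movement log (item 7: receipt and removal of media).
MOVEMENTS = [
    Movement("2012-03-10T08:00", "LT-0042", "checkout", "lecture, Seoul"),
    Movement("2012-03-11T09:00", "LT-0043", "checkout", "home office"),
    Movement("2012-03-12T17:30", "LT-0043", "checkin", ""),
    Movement("2012-03-13T07:15", "LT-0043", "checkout", "conference, Chicago"),
]


def baseline_failures(d: Device) -> List[str]:
    """Which of the three NerdSecured controls the device is missing."""
    failures = []
    if not d.disk_encrypted:
        failures.append("no full-disk encryption")
    if d.min_password_len < BASELINE_MIN_PASSWORD_LEN:
        failures.append(
            f"password minimum {d.min_password_len} < {BASELINE_MIN_PASSWORD_LEN}")
    if d.screen_lock_minutes is None:
        failures.append("no automatic screen lock")
    elif d.screen_lock_minutes > BASELINE_MAX_LOCK_MINUTES:
        failures.append(
            f"screen lock after {d.screen_lock_minutes} min > {BASELINE_MAX_LOCK_MINUTES}")
    return failures


def current_location(log: List[Movement], asset_tag: str) -> str:
    """Replay the log in time order; the last entry for the asset wins."""
    location = "on-site"
    for m in sorted(log, key=lambda m: m.when):
        if m.asset_tag != asset_tag:
            continue
        location = "on-site" if m.action == "checkin" else m.destination
    return location


def exposure_report(devices: List[Device],
                    log: List[Movement]) -> Dict[str, Tuple[str, List[str]]]:
    """PHI-bearing devices that are off-site while failing the baseline."""
    report = {}
    for d in devices:
        if not d.holds_phi:
            continue
        where = current_location(log, d.asset_tag)
        failures = baseline_failures(d)
        if where != "on-site" and failures:
            report[d.asset_tag] = (where, failures)
    return report


if __name__ == "__main__":
    for tag, (where, failures) in exposure_report(DEVICES, MOVEMENTS).items():
        print(f"{tag}: off-site at '{where}' and failing: {', '.join(failures)}")
```

The movement log is only as good as its discipline: a device that leaves without a checkout entry shows as "on-site", so the register should be reconciled against a physical walk-through (the reason the floorplan matters) rather than trusted on its own.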


Obligations During HIPAA Probation
  • Review and revise all existing policies and procedures.
  • 30/60/120 day deadlines for sending revisions to HHS.
  • Distribute the revisions and retrain the entire workforce. Get a signed statement from each worker that they understand and will follow the revised policies and procedures.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement under which the HIPAA Police monitor the organization for 3 years. During probation there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offers these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. It includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures and best practices.


Case Study Factsheet

XYZ Hospital in Massachusetts

Case ID
CS-2012-09-13

Fine Amount
$1,500,000

Corrective Action Plan (CAP)?
Yes, 3 Years

Precipitating Event
Unencrypted laptop stolen while lecturing in Asia.

HIPAA Police Office
HHS Region 1 - Boston

{ end case study CS-2012-09-13 }