HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event:  Internet firewall disabled on server.

Quote From The Legal Agreement
real name changed to XYZ Hospital System

minor modifications for readibility

Interpreting the HIPAA Police

Quote that sends a message:

To save money, some folks try to run their own server, but forget simple configurations like enabling the firewall.

Ask Yourself: Do you ever check the configurations on modems, routers or servers?

Quote that sends a message:

Many universities and large healthcare systems have dozens of smaller, satellite offices.

Ask Yourself: Who is managing your far flung locations?

Additional Comments

In a hospital, it is a full time job to manage the I/T of all the departments located physically withing the main hospital building or campus. In this case, there were also 29 smaller clinics spread throughout the state. Each location needs local management.

XYZ Hospital System disagreed with HHS about which locations for which it is responsible, from a HIPAA point of view. There are a lot of business models with shared resources. Make sure that contracts clearly state who is responsible for what. e.g. Shared surgery centers or seeing patients at another clinic

During HIPAA Probation, XYZ Hospital System has to do a GAP Analysis. This is a new request from HHS. It shows that XYZ Hospital System had a decent compliance plan at their main location, but was weak on the periphery.

Obligations During HIPAA Probation
  • Of the 29 remote clinics, determine which are HIPAA covered entities.
  • Conduct a risk assessment and risk management plan
  • Conduct a full review of all I/T systems
  • Conduct a GAP analysis showing I/T systems that depart from policies and procedures
  • Annual reports updating all above

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement where the HIPAA Police monitor the organziation for 3 years. During probation, there are specific to dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offer these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. Includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing polices, procedures and best practices.

Case Study Factsheet

XYZ University Hospital in the Northwest

Case ID

Fine Amount

Corrective Action Plan (CAP) ?
Yes, 2 Years

Precipitating Event
Internet firewall disabled on server.

HIPAA Police Office
HHS Region X - Seattle

{ end case study CS-2013-05-13 }