HIPAA Breach Case Studies
by ClinicNerds
The names of the organizations have been concealed because we are focusing on the lessons learned, not on mudslinging.


Case Studies

12. Patient Testimonials (Small Physical Therapy Practice) - Category: Internet or Website Mistake
11. Disabled Firewall Reveals PHI (XYZ Hospital System) - Category: Internet or Website Mistake
10. Missing Business Associate Agreement (XYZ Small Practice) - Category: Missing Business Associate Agreement
9. Warning To Small Practices (XYZ Small Hospice) - Category: Stolen Computer Device
8. Laptop Stolen On Asia Trip (XYZ Hospital) - Category: Stolen Computer Device
7. USB Hard Drive Stolen From Car (State Health Agency) - Category: Stolen Computer Device
6. Public Can See Office Schedule (Small Practice) - Category: Internet or Website Mistake
5. Computer Hard Drives Stolen (Health Insurance) - Category: Stolen Computer Device
4. Snooping in Medical Records (XYZ Hospital) - Category: Employee Mistake or Malfeasance
3. Forgot Patient Records On Subway (Hospital) - Category: Employee Mistake or Malfeasance
2. Pill Bottles in Open Dumpster (Pharmacy) - Category: Disposal of PHI
1. Stolen Laptops & Backup Drives (Home Health Provider) - Category: Stolen Computer Device
Case Study 12: Patient Testimonials
Small Physical Therapy Practice
Category: Internet or Website Mistake
Case ID: CS-2016-02-01

Fact Sheet
Organization: XYZ Physical Therapy Practice in California (name changed)
Precipitating event: Patient testimonials posted on the practice website without HIPAA-compliant authorizations.
Fine: $25,000
HIPAA Probation (Corrective Action Plan): Yes, 3 years
HIPAA Police: HHS Pacific Region - San Francisco

From the Resolution Agreement
"On August 8, 2012, the HHS Office for Civil Rights (OCR) received a complaint alleging that XYZ Physical Therapy Practice was impermissibly disclosing Protected Health Information (PHI) on its website. Specifically, the complaint alleged that XYZ Physical Therapy Practice had impermissibly disclosed numerous individuals' Protected Health Information (PHI), when it posted patient testimonials, including full names and full face photograph images, to its website without obtaining valid, HIPAA-compliant authorizations."

"On January 15, 2013, OCR notified XYZ Physical Therapy Practice of its investigation regarding its compliance with the Privacy Rule. OCR's investigation indicated that the following conduct occurred:"

"A. XYZ Physical Therapy Practice failed to reasonably safeguard PHI. B. XYZ Physical Therapy Practice impermissibly disclosed PHI. C. XYZ Physical Therapy Practice failed to implement policies and procedures with respect to PHI that were designed to comply with the requirements with regard to authorization."

Key Quotes
"On August 8, 2012" - This case started in the summer of 2012. The Resolution Agreement was signed on February 1, 2016. The HIPAA Probation lasts an additional 3 years, to February 2019. Do you want the HIPAA Police in your business for nearly 7 years?

"posted patient testimonials, including full names and full face photograph images, to its website without obtaining valid, HIPAA-compliant authorizations" - ClinicNerds estimates that over 200,000 small healthcare practices in the USA have this same HIPAA violation. Does your website have patient testimonials with proper HIPAA-compliant authorizations?

HIPAA Probation Obligations
1. Removal of PHI from the practice website. "Within 10 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall remove from its website, and all its affiliated web domains, any PHI for which it has not obtained a valid authorization from the individual who is the subject of the PHI, or their personal representative."
2. "Within 10 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall also use its best efforts to remove all cached versions of its website from the Internet that contain this PHI. If XYZ Physical Therapy Practice is unable to remove all cached versions within 30 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall provide HHS with documentation explaining its 'best efforts' and the reason that the PHI remains accessible on the Internet."
3. "XYZ Physical Therapy Practice's compliance with this corrective action will be based on HHS' review and approval of the documentation explaining its 'best efforts' and the reason that this PHI remains accessible."
4. "Within 60 days of the Effective Date of this Agreement, XYZ Physical Therapy Practice shall notify any individual, or the individual's personal representative, whose PHI was disclosed by XYZ Physical Therapy Practice on the website without a valid authorization, that their PHI has been breached."
5. Within 30 days, conduct a risk assessment and send it to HHS.
6. Within 30 days, document policies and procedures to safeguard PHI.
7. The policies and procedures must include a description of the uses and disclosures for which the practice is required to obtain an individual's authorization, including posting on the practice's website and/or social media pages.
8. Wait for review and approval from HHS.
9. Within 30 days of HHS's response, implement all policies and procedures via training sessions.
10. During training, all employees must sign and date a form stating that they understand and will follow all of the policies and procedures.

Additional Comments
- These HIPAA investigations and probations drag on for years; most last over five years. Plus, the healthcare organization pays its own legal fees.
- Have a look at the first three obligations. HHS is making them try to erase something from the internet, which does not forget. This means asking search engines such as Google, Yahoo and AOL to remove cached content. This small PT practice probably has no idea how to accomplish these tasks.
- It would still be a violation if there were only full-face photographs, without the names. Full-face photographic images are one of the 18 identifiers that turn ordinary health information into Protected Health Information.

Case Study 11: Disabled Firewall Reveals PHI
XYZ Hospital System
Category: Internet or Website Mistake
Case ID: CS-2013-05-13

Fact Sheet
Organization: XYZ University Hospital in the Northwest (name changed to XYZ Hospital System)
Precipitating event: Internet firewall disabled on a server.
Fine: $400,000
HIPAA Probation (Corrective Action Plan): Yes, 2 years
HIPAA Police: HHS Region 10 - Seattle

From the Resolution Agreement
"The HHS Office for Civil Rights (OCR) opened an investigation after XYZ Hospital System notified HHS of the breach in which the PHI of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by XYZ Hospital System. OCR's investigation indicated that XYZ Hospital System's risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. XYZ Hospital System also failed to assess the likelihood of potential risks occurring."

"XYZ Hospital System operates 29 outpatient clinics and is responsible for providing health information technology systems security at those clinics."

Key Quotes
"disabling of firewall protections at servers" - To save money, some folks try to run their own server but forget simple configurations like enabling the firewall. A disabled firewall is also a configuration change that routine checks should catch, not something discovered after ten months of exposure. Do you ever check the configurations on your modems, routers or servers?

"XYZ Hospital System operates 29 outpatient clinics and is responsible for providing health information technology systems security" - Many universities and large healthcare systems have dozens of smaller satellite offices. Who is managing your far-flung locations?

HIPAA Probation Obligations
- Of the 29 remote clinics, determine which are HIPAA covered entities.
- Conduct a risk assessment and a risk management plan.
- Conduct a full review of all I/T systems.
- Conduct a gap analysis showing which I/T systems depart from policies and procedures.
- Annual reports updating all of the above.

Additional Comments
- In a hospital, it is a full-time job to manage the I/T of all the departments located physically within the main hospital building or campus. In this case, there were also 29 smaller clinics spread throughout the state. Each location needs local management.
- XYZ Hospital System disagreed with HHS about which locations it is responsible for, from a HIPAA point of view. There are a lot of business models with shared resources, e.g. shared surgery centers or seeing patients at another clinic. Make sure that contracts clearly state who is responsible for what.
- During HIPAA Probation, XYZ Hospital System has to do a gap analysis. This is a new request from HHS. It shows that XYZ Hospital System had a decent compliance plan at its main location but was weak on the periphery.

Case Study 10: Missing Business Associate Agreement
XYZ Small Practice
Category: Missing Business Associate Agreement
Case ID: CS-2017-04-14

Fact Sheet
Organization: XYZ Medical Practice in Illinois (name changed)
Precipitating event: None stated; probably an anonymous report to HHS.
Fine: $31,000
HIPAA Probation (Corrective Action Plan): Yes, 2 years
HIPAA Police: HHS Region 5 - Chicago

From the Resolution Agreement
"XYZ Medical Practice is a small, for-profit health care provider that operates a pediatric subspecialty practice in seven clinic locations across Illinois."

"On August 13, 2015, HHS initiated a compliance review of XYZ Medical Practice to determine whether XYZ Medical Practice's disclosure of protected health information (PHI) to Filefax, Incorporated, a third-party vendor that stored inactive paper medical records for patients of XYZ Medical Practice, was permissible under HIPAA."

"HHS's investigation revealed that XYZ Medical Practice failed to obtain satisfactory assurances from Filefax, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI that was in Filefax's possession or control."

"XYZ Medical Practice impermissibly disclosed the PHI of at least 10,728 individuals to Filefax when XYZ Medical Practice transferred the PHI to Filefax without obtaining Filefax's satisfactory assurances, in the form of a written business associate agreement."

Key Quotes
"a small, for-profit health care provider" - This is just one of many small healthcare providers that have been fined by HHS. Could your practice afford a $31k fine and four-plus years of HHS in your business?

"form of a written business associate agreement" - If you give PHI to a third-party vendor, there must be a signed business associate agreement. Have you gone through all of your third-party vendors?

"third-party vendor that stored inactive paper medical records" - Some practices that use paper medical records mistakenly think that HIPAA does not apply to them. Do you mistakenly think that HIPAA does not apply to you?

HIPAA Probation Obligations
- Develop, maintain and revise as necessary policies and procedures to comply with HIPAA. Provide written proof to HHS within 60 days.
- HHS will review the policies and procedures and make recommendations.
- Distribute copies of the policies and procedures to all members of the workforce.
- Provide training to all members of the workforce. Submit signed and dated copies from every member of the workforce confirming that they received training.
- Update the policies and procedures annually, and more frequently if appropriate.
- Within 30 days, and annually thereafter, provide HHS with (a) the names of all business associates and/or vendors that create, receive, maintain or transmit PHI on behalf of XYZ Medical Practice, and (b) copies of the business associate agreements that XYZ Medical Practice maintains with those vendors.

Additional Comments
- The investigation started in August 2015, but the Resolution Agreement was signed in April 2017. The HIPAA Probation lasts 2 years, until April 2019. These investigations and HIPAA probations take 5 years on average.
- Many case studies have an obvious precipitating event like a stolen laptop. This case does not mention one. It is likely that an anonymous report was made to HHS about this arrangement; it could have come from a disgruntled or former employee, an ex in a relationship, or a competitor. The case involved very specific inside information.

Case Study 9: Warning To Small Practices
XYZ Small Hospice
Category: Stolen Computer Device
Case ID: CS-2013-01-02

Fact Sheet
Organization: XYZ Small Hospice in Idaho (name changed)
Precipitating event: Stolen laptop with just 441 patient records.
Fine: $50,000
HIPAA Probation (Corrective Action Plan): Yes, 2 years
HIPAA Police: HHS Region 10 - Seattle

From the Resolution Agreement
"On February 16, 2011, the HHS Office for Civil Rights (OCR) received notification from XYZ Small Hospice regarding the theft of a laptop computer containing the protected health information (PHI) of 441 individuals. On July 22, 2011, OCR notified XYZ Small Hospice of OCR's investigation regarding XYZ Small Hospice's compliance with the Privacy, Security, and Breach Notification Rules."

[Editorial Note: This is a short case study because the conclusion is simple and obvious: with this case, the HIPAA Police put every small practice in America on notice. One laptop, containing just 441 patient records, cost this tiny clinic $50,000.]

Key Quotes
"a laptop computer containing the PHI of 441 individuals" - Let's be clear and concise: THIS COULD HAPPEN TO EVERY PRACTICE IN AMERICA. Do you have one unencrypted laptop with a few hundred patient records on it? Do you want to write a check for $50,000 to the government?

HIPAA Probation Obligations
- "XYZ Small Hospice shall, upon receiving information that a workforce member may have failed to comply with its Privacy and Security policies and procedures, promptly investigate the matter. If XYZ Small Hospice, after review and investigation, determines that a member of its workforce has failed to comply with its Privacy and Security policies and procedures, XYZ Small Hospice shall notify HHS in writing within 30 days."

Additional Comments
- This was a seminal prosecution for the HIPAA Police. With this violation, the HIPAA Police put every small practice on notice. In prior enforcement actions, the number of patients affected exceeded 500. Hope you got the notice! If not, act now.
- The Corrective Action Plan was unusual. It seems that XYZ Small Hospice had done a risk assessment and did have a risk management plan. Normally the HIPAA Police force the violator to do those things; in this case they did not. The HIPAA Police just said to make sure to investigate and report any breaches. Very unusual.
- For XYZ Small Hospice, the person who signed the Resolution Agreement has the title "Interim Executive Director." It is not hard to see that the previous executive director decided to spend more time with the family.
- In case you missed it: a tiny hospice provider had one laptop stolen with just 441 patient records and paid a HIPAA fine of $50,000. Please re-read that sentence a few times and make sure it sinks in. Hospitals got the message but, for some reason, nearly every small practice is still not HIPAA compliant.

Case Study 8: Laptop Stolen On Asia Trip
XYZ Hospital
Category: Stolen Computer Device
Case ID: CS-2012-09-13

Fact Sheet
Organization: XYZ Hospital in Massachusetts (name changed)
Precipitating event: Unencrypted laptop stolen while a physician was lecturing in Asia. (Note: normally we quote and parse the Resolution Agreement with HHS, but in this case the press release from XYZ Hospital was more informative, so we use the hospital's press release as the case study's primary source.)
Fine: $1,500,000
HIPAA Probation (Corrective Action Plan): Yes, 3 years
HIPAA Police: HHS Region 1 - Boston

From the Hospital's Press Release
"On February 19, 2010, a laptop belonging to a physician affiliated with the XYZ Hospital was stolen while the physician was lecturing in South Korea. The laptop belonged to Dr. XXXXXX, a neurologist with a particular focus on ringing in the ears, or tinnitus. To date, XYZ Hospital has determined that data owned by XYZ Hospital on Dr. XXXXX's laptop contained demographic and health information of approximately 3,526 patients treated by Dr. XXXXX at XYZ Hospital between February 3, 1988 and February 16, 2010, and of a small number of participants in research conducted by Dr. XXXXX at XYZ Hospital who were not also Dr. XXXXX's patients, as follows: 67 participants in somatic tinnitus modulation research, and one participant in pulsatile tinnitus research. Dr. XXXXX reported the theft to police in South Korea."

"XYZ Hospital has no indication that the information on the stolen computer has actually been accessed or inappropriately used. The computer was password protected and contained a tracking device commonly referred to as 'LoJack.' The tracking device contacted LoJack on March 9 when the stolen computer was connected to the internet in South Korea. LoJack was able to monitor the computer's configuration and on-line use, and determined that: 1.) A new operating system was installed on the computer following the theft, and 2.) Software needed to access most of the information about affected XYZ Hospital individuals had not been reinstalled."

"On April 9 it was determined that it was unlikely that continued monitoring of the computer would lead to its retrieval, and a command was sent by LoJack to the computer permanently disabling the hard drive and rendering any information, including information about affected XYZ Hospital individuals contained on the hard drive, permanently unreadable."

Key Quotes
"3,526 patients treated by Dr. XXXXX at XYZ Hospital between February 1988 and February 2010" - The patient data went back 22 years, to 1988. It is important to understand all of the PHI hotspots, and also the data within each hotspot (probably a spreadsheet in this case). The number of individuals affected is one of the factors HHS weighs when setting a penalty, and 3,526 records did not help here. Another thing to consider is de-identifying old data. Do you have databases or spreadsheets with ancient data?

"has no indication that the information on the stolen computer has actually been accessed or inappropriately used" - This statement carries little weight. The HIPAA Police do not require proof that the data was actually read or used, and it is hard to prove either way. Have you left paper or electronic patient data exposed?

"computer was password protected and contained a tracking device commonly referred to as LoJack." - This LoJack tracking device sounds impressive, but it did not help XYZ Hospital avoid a $1.5m fine. Note the timeline: the laptop was stolen on February 19 and did not check in until March 9, so for nearly three weeks the data was protected only by a login password, which does nothing for the files on the disk once the thief boots another operating system. Encryption, strong passwords and automatic screen locks are the features the HIPAA Police trust, and they cost nothing additional. Are your vendors making slippery claims that their products are "Fully HIPAA Compliant"?

HIPAA Probation Obligations
- Review and revise all existing policies and procedures.
- 30/60/120-day deadlines for sending revisions to HHS.
- Distribute and retrain the entire workforce. Get a signed statement from each worker that they understand and will follow the revised policies and procedures.

Additional Comments
- When a US-based doctor is asked to lecture in Asia, it is safe to assume that this doctor is world renowned. Prior to the trip, the doctor thought that precautions had been taken with the LoJack for Laptops software. Unfortunately, the trip turned into a huge and costly embarrassment.
- Note below some of the required actions stated in the Corrective Action Plan. We skip items 1-5 because they have been discussed before, but items 6-8 were new statements from the HIPAA Police:
  "6. Procedures that specify the proper functions to be performed using workstations that access XYZ Hospital PHI, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access PHI;"
  "7. Provisions to track the receipt and removal of hardware and electronic media, including portable devices, that contain XYZ Hospital PHI into and out of XYZ Hospital's facility(s), and the movement of these items within XYZ Hospital's facility(s);"
  (The above two points are why the HIPAA Lifeguard App requires that a clinic floorplan be included in the risk assessment.)
  "8. Mechanism(s) to encrypt and decrypt portable devices that contain XYZ Hospital PHI to allow access only to those persons or software programs that have been granted access rights;"
- There is no such thing as "HIPAA compliant," but these three things, if documented in a HIPAA Notebook, will get you close: encryption, strong passwords and automatic screen locks. ClinicNerds calls this "NerdSecured."

Case Study 7: USB Hard Drive Stolen From Car
State Health Agency
Category: Stolen Computer Device
Case ID: CS-2012-06-25

Fact Sheet
Organization: A state health agency in the Northwest (name changed to State Health Agency)
Precipitating event: USB hard drive stolen from an employee's car.
Fine: $1,700,000
HIPAA Probation (Corrective Action Plan): Yes, 3 years
HIPAA Police: HHS Region 10 - Seattle

From the Resolution Agreement
"The Office for Civil Rights (OCR) received a Breach Report from the State Health Agency dated October 30, 2009. The document indicated that a portable electronic storage device potentially containing protected health information (PHI) was stolen from the vehicle of a State Health Agency computer technician on or about October 12, 2009."

"On January 8, 2010, OCR notified the State Health Agency that it will be conducting an investigation. On various dates, OCR received State Health Agency's written responses, policies, procedures, information regarding training activities, and documentation related to compliance with the Privacy and Security Rules. On June 17-18, 2010, OCR conducted a site visit to interview selected State Health Agency workforce members. OCR also received information from State Health Agency through email and telephone contacts throughout this investigation."

"As a result of its investigation, OCR determined that State Health Agency had not 1) completed a risk analysis; 2) implemented sufficient risk management measures; 3) completed security training for State Health Agency workforce members; 4) implemented device and media controls; and 5) addressed device and media encryption."

Key Quotes
"OCR conducted a site visit to interview selected State Health Agency workforce members" - Federal investigators flew to the state, drove to the site, and knocked on the door. Beyond the confusing nature of HIPAA, perhaps there was some belligerence in the state health agency. It is not unusual for states' rights proponents to ignore the feds, but it is hard to ignore them when they are at the front door and will be there all week investigating. Are turf battles and political beefs worth $1.7 million in fines and three years of HIPAA probation?

"(had not) implemented device and media controls and (had not) addressed device and media encryption" - "Encryption anxiety" is a common technical concern. ClinicNerds will help NerdSecure (encrypt) any computer or computer device. Do you have an inventory of every computer and computer device?

"received a Breach Report .. dated October 30, 2009" - The precipitating incident occurred in October 2009. The Resolution Agreement was signed in June 2012. The probation lasts 3 years, to June 2015. These investigations and probations drag on for years. Could your small practice survive with federal investigators disrupting your business for 5+ years?

HIPAA Probation Obligations
- Must designate a privacy official.
- Must conduct a risk assessment.
- Must document policies and procedures in a risk management plan.
- Must train the entire workforce and get signed statements that they understand and will obey.

Additional Comments
- A USB hard drive, about the size of a wallet, was stolen and ended up costing $1.7 million in fines. That is a very expensive hard drive.
- Taking an inventory of every computer and computer device is a task in the risk assessment in the HIPAA Lifeguard app. You have to know what you have so you know what you are protecting.
- It is strange that this state health agency had not even bothered to conduct a risk analysis. Maybe it was stretched thin, overworked, understaffed, a remote outpost...
- This case underscores the confusing nature of HIPAA explanations. The state government, which also has HIPAA enforcement authority, was not even HIPAA compliant.
- HHS at the federal level had to investigate and fine its little brother, HHS at the state level. The Department of Health and Human Services exists at the federal level and at the state level; most states have their own version of HHS. This case is a bit unusual in that the federal HHS investigated and fined a state HHS. So the state paid a fine to the feds. Then the feds turn around and give subsidies to the states. An odd use of our tax dollars.

Case Study 6: Public Can See Office Schedule
Small Practice
Category: Internet or Website Mistake
Case ID: CS-2012-04-11

Fact Sheet
Organization: XYZ Specialty Small Practice in Phoenix (name changed to XYZ Small Practice)
Precipitating event: The physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.
Fine: $100,000
HIPAA Probation (Corrective Action Plan): Yes, 1 year
HIPAA Police: HHS Region 10 - Seattle (it seems Region 9 in San Francisco should have handled this one)

From the Resolution Agreement
"From July 3, 2007 until February 6, 2009, XYZ Small Practice posted over 1,000 separate doctor appointments (PHI) on a publicly accessible, Internet-based calendar;"

"From September 1, 2005 until November 1, 2009, XYZ Small Practice daily transmitted PHI from an Internet-based email account to workforce members' personal Internet-based email accounts."

"From July 3, 2007 until December 3, 2009, XYZ Small Practice permitted the entity providing the Internet-based calendar application to receive, store, and maintain PHI on its behalf without obtaining satisfactory assurances in a business associate agreement with the entity."

"From September 1, 2005 (when XYZ began sending PHI by email) until April 16, 2009, XYZ Small Practice failed to identify a security official;"

"From September 1, 2005 (when XYZ began sending PHI by email) until November 30, 2009, XYZ Small Practice failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the PHI held by XYZ Small Practice."

Key Quotes
"failed to identify a security official" - No matter how large or small, every medical practice must designate a person to be in charge of HIPAA. ClinicNerds nicknamed this person the "HIPAA Lifeguard"; the HIPAA Police call it a privacy, security or compliance official. Has your clinic designated and documented a HIPAA Lifeguard?

"failed to conduct an accurate and thorough (risk) assessment" - No matter how large or small, every medical practice must conduct a risk assessment. Has your clinic conducted and documented a risk assessment?

"without obtaining satisfactory assurances in a business associate agreement" - It is important to understand your "software stack": all the tools the workforce uses to get the job done. Some tool providers are "mere conduits," while others store your PHI and thus need a Business Associate Agreement (BAA). Do you know all the (electronic) places where your PHI travels?

HIPAA Probation Obligations
- Must designate a privacy official.
- Conduct a risk assessment.
- Develop a risk management plan that documents policies and procedures.
- Train the workforce and have each member of the workforce sign a document stating that they received the training, understand it, and will abide by the new policies and procedures.
- Review all business partners and sign Business Associate Agreements where necessary.
- Annual reviews and updates of all of the above.

Additional Comments
- One message that is loud and clear: the HIPAA Police will fine small practices. XYZ Small Practice is a small practice, with just two locations in the same town and two doctors/owners.
- This fine also sends mixed messages. For a small practice, a $100,000 fine is pretty harsh, but the HIPAA Probation period is just 1 year, not the usual 3 years. This small practice had made little effort to comply with HIPAA. Maybe that is the reason for the mixed messages.
- The legal agreement was signed in April 2012, but the improper activity occurred as far back as 2005. The length of the investigation and the size of the fine point to a contentious, drawn-out legal negotiation. Legal fees probably exceeded the fine amount. Many small practices could not afford over $200k in unplanned expenses.
- XYZ Small Practice has two locations. Each location needs a HIPAA Lifeguard. Each location needs a documented risk assessment. Each location needs location-specific training.

Case Study 5: Computer Hard Drives Stolen
Health Insurance
Category: Stolen Computer Device
Case ID: CS-2012-03-13

Fact Sheet
Organization: XYZ Health Insurance in Tennessee (name changed)
Precipitating event: During an office relocation, 57 unencrypted computer hard drives were stolen from a network data closet.
Fine: $1,500,000
HIPAA Probation (Corrective Action Plan): Yes, 450 days
HIPAA Police: HHS Region 4 - Atlanta

From the Resolution Agreement
"On October 5, 2009, XYZ Health Insurance employees discovered a theft of computer equipment from a network data closet located at a location in Chattanooga, TN. The stolen items included 57 hard drives containing encoded electronic data. The data on the hard drives consisted of over 300,000 video recordings and over 1 million audio recordings."

"The network data closet contained the encoded computer hard drives that were stolen. The network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock."

"The hard drives in the network data closet were part of a system which recorded and stored audio and video recordings of customer service calls. The hard drives that were stolen contained data which included the protected health information of health plan members, such as member names, member ID numbers, diagnosis codes, dates of birth, and social security numbers. XYZ Health Insurance's internal investigation confirmed that the PHI of 1,023,209 individuals was stored on the hard drives."

Key Quotes
"a system which recorded and stored audio and video recordings of customer service calls" - Unlike patient medical records, customer service calls are not an obvious example of PHI. PHI comes in many forms. Does your clinic record data that is not an obvious example of PHI?

"closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock" - The closet had good physical security, which suggests that the thieves were insiders. But the disk drives were not encrypted. Note that "encoded" audio and video is not the same as encrypted: a codec is a reversible format conversion that anyone with the right player can undo, so it provides no confidentiality. The words sound similar but are different. Has your clinic considered biometric locks for sensitive rooms?

HIPAA Probation Obligations
- Conduct a new risk assessment.
- Rewrite the risk management plan along with the policies and procedures.
- Retrain the entire workforce.
- Designate a monitor that (a) conducts unannounced site visits to facilities housing portable devices and (b) interviews a random sample of 25 members of the workforce who use portable devices.

Additional Comments
- The CAP length is just 450 days, not the usual three years. This suggests that XYZ Health Insurance had pretty good HIPAA compliance documentation prior to the precipitating incident.
- Though the press release mentioned encryption once ("57 unencrypted computer hard drives"), we were very surprised to see that the Corrective Action Plan does not mention any variation of the word "encryption." While encryption is usually assumed to be part of a risk management policy, the HIPAA Police usually mention it several times in these documents. Not sure whether this was deliberate, part of the legal negotiation, or a rare oversight. In order to get at the PHI, thieves had to listen to each phone call; the drudgery of listening to all those calls could have been a factor.
- Security camera footage, which is usually stored on disk for a few days, is another type of overlooked PHI.

Case Study 4: Snooping in Medical Records
XYZ Hospital
Category: Employee Mistake or Malfeasance
Case ID: CS-2011-07-06

Additional Comments
- XYZ Hospital is a big, sprawling health system with many computer systems, buildings, locations and thousands of employees.
It is a lot of work to train and monitor all these moving parts.", "Automated reports with intelligent algorithms is one way to address the complexity of large health systems. Random, unannounced inspections (that do not interrupt workflows) are equally effective.", "Like checking out a book at the public library, small practices using paper medical records need check out procedures to ensure that snooping is not occurring."], "ccc_links"=>{"NerdSecured"=>"", "phi-checkout"=>""}, "cs_factsheet"=>{"cap"=>"Yes, 3 Years", "fine_amt"=>"$865,500", "hipaa_police"=>"HHS Region 9 - San Francisco", "long_desc"=>"XYZ Hospital System in California", "precipitating_event"=>"Celebrity patients claimed XYZ Hospital employees snooping in records and selling to the paparazzi."}, "hipaa_probation_obligations"=>["Review and revise all HIPAA policies and procedures.", "Retrain the entire workforce to follow the new policies and procedures.", "Document santion policies and procedures and include in retraining.", "During retraining, each member of the workforce shall sign a document that states they understand and will follow the new policies and procedures.", "Designate an Independent Montior (individual or entity) to be a monitor to review XYZ Hospital's compliance with this CAP.", "The Independent Monitor documents a plan to review XYZ Hopsital's compliance. 
The HIPAA Police review and comment on the monitor plan.", "The Independent Monitor has unfettered access (including unannouced inspections and interviews) and writes semi-annual reports about XYZ Hospital's compliance."], "lifeguard_concept"=>"", "lifeguard_task"=>"", "name_changed_to"=>"XYZ Hospital", "quote_paragraphs"=>["On June 5, 2009 HHS began investigations of two separate complaints from celebrity patients alleging that their medical information was appearing in the press without their permission.", "(i) During a couple periods in 2005 and 2008, numerous XYZ Hospital workforce members repeatedly and without a permissible reason examined the protected health information of XYZ Hospital patients.", "(ii) During the period 2005-2008, a workforce member of XYZ Hospital employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the protected health information of many patients.", "(iii) During the period 2005-2008, XYZ Hospital did not provide and/or did not document the provision of necessary and appropriate HIPAA training for all members of its workforce to carry out their function within the XYZ Hospital.", "(iv) During the period 2005-2008, XYZ Hospital failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined protected health information.", "(v) During the period from 2005-2009, XYZ Hospital failed to implement security measures sufficient to reduce the risks of impermissible access to protected health information by unauthorized users to a reasonable and appropriate level."], "quote_snippets"=>[{"quote_snip"=>"failed to implement security measures sufficient to reduce the risks of impermissible access to protected health information by unauthorized users", "quote_comment"=>"The snooping is, of course, bad but the HIPAA Police are saying that not having a way of knowing if employees are snooping is also a HIPAA violation. 
XYZ Hospital got in trouble because they were not checking if employees were snooping.", "quote_question"=>"Do you have automated reports that show medical record access?"}, {"quote_snip"=>"repeatedly and without a permissible reason examined the protected health information of XYZ Hospital patients", "quote_comment"=>"Of course snooping is a HIPAA violation. But the snooping went on for 4 years without being recognized.", "quote_question"=>"Are you checking if employees are snooping in paper or electronic medical records?"}, {"quote_snip"=>"failed to apply appropriate sanctions and/or document sanctions", "quote_comment"=>"Sanctions (or punishments) must be documented and enforced.", "quote_question"=>"If your employee violates a policy, is there a documented sanction or consequence."}], "root_cause_category"=>"<span class=\"tiny-text\">Category: Employee Mistake or Malfeasance</span>", "url_text"=>"Snooping in Medical Records<br><span class=\"tiny-text\">XYZ Hospital</span>"}, "CS-2011-02-14"=>{"additional_comments"=>["XYZ Hospital was forced to implement a temporary ban on removing any PHI from the facility, until the new policies and procedures were in place.", "<i>Random inspections</i> of people, places and things is a interesting detail required in the Monitoring Plan: <br><ol><li>unannounced site inspections of XYZ’s locations/departments/practices</li><li>interviews with any members of the workforce who use PHI</li><li>interviews with any members of the workforce involved in implementing the safeguards</li><li>inspection of a sample of laptops and USB flash drives that contain PHI and are under the control of workforce members to ensure that such devices satisfy all applicable requirements of the Policies and Procedures</li><li>inspection of relevant documents and interviews with workforce members for the purpose of confirming consistent training, implementation, and enforcement of the Policies and Procedures among workforce members</li></ol>", "The tone 
of the language in these legal documents (from early 2011) is, not aggressive, but increasingly cautionary and urgent."], "ccc_links"=>{"NerdSecured"=>"NerdSecured Policy", "phi-checkout"=>"PHI Checkout Policy"}, "cs_factsheet"=>{"cap"=>"Yes, 3 Years", "fine_amt"=>"$1,000,000", "hipaa_police"=>"HHS Region 1 - Boston", "long_desc"=>"XYZ Hospital is in Massachusetts", "precipitating_event"=>"Self-reported: Employee reported that she left the patient records on the subway train."}, "hipaa_probation_obligations"=>["Shall prohibit any member of its workforce from physically removing PHI from the premises until they have received training on the new policies and procedures", "Revise the policies and procedures to safeguard PHI", "Include reasonable protections for such PHI from any intentional or unintentional uses or disclosures", "Retrain the entire workforce including signed statements that they understand and will abide by the new policies and procedures", "Designate a new person to Monitor the policies and procedures", "The Monitor shall document a monitoring plan (see below for interesting details)"], "lifeguard_concept"=>"", "lifeguard_task"=>"", "name_changed_to"=>"XYZ Hospital", "quote_paragraphs"=>["(1) On March 6, 2009, an XYZ employee removed from the XYZ premises documents containing protected health information (\"PHI\"). The XYZ employee removed the PHI from the XYZ premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.\n", "(2) On March 9, 2009, while commuting to work on the subway, the XYZ employee removed the documents containing PHI from her bag and placed them on the seat beside her. 
The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the XYZ employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals.\n"], "quote_snippets"=>[{"quote_snip"=>"employee removed from the premises documents containing protected health information", "quote_comment"=>"Some employees should be able to leave with PHI. Other employees should not be allowed to leave with PHI. Everybody must know what they are permitted to do.", "quote_question"=>"Do your policies allow <i>some</i> employees to leave the premises with PHI?"}, {"quote_snip"=>"documents were not in an envelope and were bound with a rubber band", "quote_comment"=>"Interesting that they point out details like the envelope and rubber band. Paper medical records need to be physically safeguarded.", "quote_question"=>"For paper medical records, what are your policies and procedures?"}], "root_cause_category"=>"<span class=\"tiny-text\">Category: Employee Mistake or Malfeasance</span>", "url_text"=>"Forgot Patient Records On Subway<br><span class=\"tiny-text\">Hospital</span>"}, "CS-2009-01-16"=>{"additional_comments"=>["A year later, another large pharmacy chain had this exact same pill bottles in open dumpster breach of PHI, though the fine was $1,000,000. 
The details are nearly identical so, to save time, a separate case study was not written up."], "ccc_links"=>{"NerdSecured"=>"NerdSecured Policy", "phi-checkout"=>"PHI Checkout Policy"}, "cs_factsheet"=>{"cap"=>"Yes, 3 Years", "fine_amt"=>"$2,250,000", "hipaa_police"=>"HHS Region 1 - Boston", "long_desc"=>"XYZ Pharmacies is a retail pharmacy chain headquartered in Rhode Island.", "precipitating_event"=>"Local TV news reported that pharmacy was dumping pill bottles in open dumpster."}, "hipaa_probation_obligations"=>["Each XYZ Pharmacy location must designate a privacy official", "Develop, maintain, and revise, as necessary, uniform, written policies and procedures", "Revise the administrative and physical safeguards for the disposal of all PHI. Final disposal requires shredding, destroying or otherwise making such PHI unreadable or indecipherable.", "Each new employee must get policies within 10 days", "Require each member of their workforce who receives the Policies and Procedures to submit a written or electronic compliance certification stating that the particular workforce member has received, read, understood, and agreed to abide by the Privacy Policies and Procedures", "Enforce appropriate sanctions (which may include re-training or other instructive corrective action) against employees, who have access to PHI, including the disposal of PHI, including supervisors and managers, who fail to comply with the safeguards policies and procedures provided", "Submit a written description of their plan to monitor internally their compliance with the Privacy Policies and Procedures"], "lifeguard_concept"=>"", "lifeguard_task"=>"", "name_changed_to"=>"XYZ Pharmacies", "quote_paragraphs"=>["(a) On several occasions between July 2006 and May 2007, some XYZ retail pharmacies disposed of PHI in open dumpsters potentially accessible to persons who were not authorized members of the XYZ Pharmacies' workforce.", "(b) The policies and procedures establishing physical and 
administrative safeguards that the XYZ Pharmacies adopted and implemented from April 2003 until November 2006 for their disposal of PHI were not adequately designed to appropriately and reasonably safeguard PHI.", "(c) The XYZ Pharmacies did not maintain a sanctions policy for members of their workforces who failed to comply with the policies and procedures.", "(d) From April 2003 through November 2006, while the XYZ Pharmacies provided and documented their provision of training, the training and/or documentation of the provision of necessary and appropriate training for the members of their workforces regarding the disposal of PHI was not sufficient to ensure that appropriate workforce members knew how to dispose of PHI consistent with the Privacy Rule."], "quote_snippets"=>[{"quote_snip"=>"disposed of PHI in open dumpsters", "quote_comment"=>"Understand the lifecycle of all of your PHI. PHI is created, maintained, then destroyed.", "quote_question"=>"How are your PHI disposal policies and procedures?"}, {"quote_snip"=>"did not maintain a sanctions policy", "quote_comment"=>"If a policy is not enforced, it is not a policy. If a policy is not applied to everybody (e.g. management) then it breeds resentment.", "quote_question"=>"Who enforces your policies?"}, {"quote_snip"=>"was not sufficient to ensure", "quote_comment"=>"This pharmacy chain did all of the recommended HIPAA actions, but, in the opinion of the HIPAA police, they did not do enough. The message is do not just go through the motions. 
Take a conservative approach that avoids any gray areas.", "quote_question"=>"Are you giving lip service to some policies and procedures?"}], "root_cause_category"=>"<span class=\"tiny-text\">Category: Disposal of PHI</span>", "url_text"=>"Pill Bottles in Open Dumpster<br><span class=\"tiny-text\">Pharmacy</span>"}, "CS-2008-07-16"=>{"additional_comments"=>["The source documents for this case study mention the word 'encryption' eight times.", "The BIG DISCONNECT: The expectations of the HIPAA Police do not at all reflect the realities of the healthcare industry. The HIPAA Police have the expectation that all computer devices are encrypted. (Computer storage has encryption enabled)", "The reality of most healthcare organizations is that they are concerned, intimidated or worried about turning on encryption. They correctly fear that they will lose data, lose productivity, or will have interrupted workflows. We call this <b>Encryption Anxiety</b> and are working to help relieve it. The expectation that every computer is encrypted is disconnected from the reality that most computers are NOT encrypted. 
ClinicNerds intend to help close this gap."], "ccc_links"=>{"NerdSecured"=>"NerdSecured Policy", "phi-checkout"=>"PHI Checkout Policy"}, "cs_factsheet"=>{"cap"=>"Yes, 3 Years", "fine_amt"=>"$100,000", "hipaa_police"=>"HHS Region 10 - Seattle", "long_desc"=>"XYZ Health is a not-for-profit home health and hospice provider in five states in the Pacific Northwest.", "precipitating_event"=>"Unencrypted laptop and backup disks stolen from employee cars"}, "hipaa_probation_obligations"=>["Conduct a new risk assessment", "Develop a new risk management plan", "Rewrite policies and procedures for off-site storage, transport and security of computer devices", "Encrypt computer devices with PHI", "Provide evidence that new policies and procedures have been implemented", "Provide signed statements from each employee that they have received training on the new policies and procedures", "Implement a new monitoring program"], "lifeguard_concept"=>"", "lifeguard_task"=>"", "name_changed_to"=>"XYZ Health", "quote_paragraphs"=>["(1) On or about December 30, 2005, protected health information (PHI) on four backup tapes and two optical disks were left unattended overnight in the personal vehicle of an employee of XYZ Health and were stolen. The employee took the disks and tapes from XYZ Health, pursuant to a practice followed at the time by the XYZ Health I/T Staff with the knowledge of some of XYZ Health managers. The PHI on the tapes and disks was not encrypted.\n", "(2) On the following dates, laptops containing PHI were left unattended and were stolen from members of the workforce of XYZ Health: <br>(a) September 29, 2005 <br>(b) December 7, 2005 <br>(c) February 27, 2006 <br>(d) March 3, 2006 <br>The PHI on the stolen laptops were not encrypted."], "quote_snippets"=>[{"quote_snip"=>"left unattended overnight in the personal vehicle of an employee", "quote_comment"=>"Says that PHI is leaving XYZ Health’s facility. 
There should be policies and procedures for PHI that stays in the facility. There should be policies and procedures for PHI that leaves the facility.", "quote_question"=>"Are employees allowed to leave the clinic with PHI?"}, {"quote_snip"=>"with the knowledge of some of XYZ Health managers", "quote_comment"=>"Says that managers are responsible for setting and enforcing policies. An unwritten policy is still a policy. Managers were aware that this PHI was leaving the facility and was in personal vehicles.", "quote_question"=>"Does your clinic have unwritten rules or polices?"}], "root_cause_category"=>"<span class=\"tiny-text\">Category: Stolen Computer Device</span>", "url_text"=>"Stolen Laptops & Backup Drives<br><span class=\"tiny-text\">Home Health Provider</span>"}}

Each week a new case study will be posted.


Lessons Learned

Many graduate schools use the "case study" as a teaching method. It is in this vein that the HIPAA Breach Case Studies have been developed: they use real-world stories to build a better understanding of HIPAA.

The HIPAA Police (a.k.a. Health & Human Services Office of Civil Rights) are the federal agents that enforce the HIPAA rules. With each investigation and prosecution of a healthcare organization, the HIPAA Police are sending us very clear messages and instructions. These case studies tease out and highlight the messages from the HIPAA Police.


These case studies show that the top cause of HIPAA violations is stolen, unencrypted computer devices, usually laptops stolen from an employee's car. So far, nobody has been fined for a stolen laptop that was encrypted. ClinicNerds have several guides to get over "encryption anxiety."


These case studies help busy healthcare professionals to interpret those messages from the HIPAA Police and to take action to prevent similar violations in their own healthcare organization.

Some HIPAA infractions are just criminal behavior by bad guys. We skip those cases as there is nothing for us to learn. Our case studies cover good people who made (mostly) honest mistakes. HIPAA is so complex that it can trip up people who are trying to do the right thing.