HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event: Stolen Laptop with just 441 patient records.


Quote From The Legal Agreement
real name changed to XYZ Hospice

minor modifications for readability


Interpreting the HIPAA Police

Quote that sends a message:

Let's be clear and concise: THIS COULD HAPPEN TO EVERY PRACTICE IN AMERICA.

Ask Yourself: Do you have one unencrypted laptop with a few hundred patient records on it? Do you want to write a check for $50,000 to the government?


Additional Comments

This was a seminal prosecution for the HIPAA Police. With this violation, the HIPAA Police put every small practice on notice. In prior HIPAA violations, the number of patients affected exceeded 500. Hope you got the notice! If not, act now!


The Corrective Action Plan was unusual. It seems like XYZ Small Hospice had done a risk-assessment and did have a risk management plan. Normally the HIPAA Police force the violator to do those things. In this case they did not. The HIPAA Police just said to make sure to investigate and report any breaches. Very unusual.


For XYZ Small Hospice, the person who signed the Resolution Agreement has the title 'Interim Executive Director.' Not hard to see that the previous executive director decided to spend more time with the family.


In case you missed it: a tiny hospice provider had one laptop stolen with just 441 patient records and they paid a HIPAA fine of $50,000. Please re-read that sentence a few times - make sure it sinks in. Hospitals got the message but, for some reason, nearly every small practice is still not HIPAA compliant.


Obligations During HIPAA Probation
  • XYZ Small Hospice shall, upon receiving information that a workforce member may have failed to comply with its Privacy and Security policies and procedures, promptly investigate the matter. If XYZ Small Hospice, after review and investigation, determines that a member of its workforce has failed to comply with its Privacy and Security policies and procedures, XYZ Small Hospice shall notify HHS in writing within 30 days.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement under which the HIPAA Police monitor the organization for 3 years. During probation, there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offers these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. It includes unlimited assistance encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures and best practices.


Case Study Factsheet

XYZ Small Hospice in Idaho

Case ID
CS-2013-01-02

Fine Amount
$50,000

Corrective Action Plan (CAP)?
Yes, 2 Years

Precipitating Event
Stolen Laptop with just 441 patient records.

HIPAA Police Office
HHS Region 10 - Seattle

{ end case study CS-2013-01-02 }