HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event: None stated - probably an anonymous report (disgruntled ex?) to HHS.


Quote From The Legal Agreement
Real name changed to XYZ Medical Practice.

Minor modifications made for readability.


Interpreting the HIPAA Police

Quote that sends a message:

This is just one of many small healthcare providers that have been fined by HHS.

Ask Yourself: Could your practice afford a $31k fine and four plus years of HHS in your business?


Quote that sends a message:

If you give PHI to a third-party vendor, there must be a signed business associate agreement.

Ask Yourself: Have you gone through all of your third-party vendors?


Quote that sends a message:

Some practices that use paper medical records mistakenly think that HIPAA does not apply to them.

Ask Yourself: Do you mistakenly think that HIPAA does not apply to you?


Additional Comments

The investigation started in August of 2015, but the resolution agreement was not signed until April 2017. The HIPAA Probation lasts 2 years, until April 2019. These investigations and HIPAA probations take 5 years, on average.


Many case studies have an obvious precipitating event, such as a stolen laptop. This case does not mention a precipitating event. It is likely that an anonymous call or report about this incident was made to HHS. It could have been a disgruntled or former employee, an ex in a relationship, or a competitor: this case involved very specific, inside information.


Obligations During HIPAA Probation
  • Develop, maintain and revise as necessary, policies and procedures to comply with HIPAA. Provide written proof to HHS within 60 days.
  • HHS will review the policies and procedures and make recommendations.
  • Distribute copies of the policies and procedures to all members of the workforce.
  • Provide training to all members of the workforce. Submit signed and dated confirmation from every member of the workforce that they received the training.
  • Update the policies and procedures annually and more frequently if appropriate.
  • Within 30 days and annually, provide HHS with the following: (a) the names of all business associates and/or vendors that create, receive, maintain or transmit PHI on behalf of XYZ Medical Practice, and (b) copies of the business associate agreements that XYZ Medical Practice maintains with such vendors.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement under which the HIPAA Police monitor the organization for 3 years. During probation, there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offers these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. It includes unlimited assistance with encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures and best practices.


Case Study Factsheet

XYZ Medical Practice in Illinois

Case ID
CS-2017-04-14

Fine Amount
$31,000

Corrective Action Plan (CAP)?
Yes, 2 Years

Precipitating Event
None stated - probably an anonymous report (disgruntled ex?) to HHS.

HIPAA Police Office
HHS Region 5 - Chicago
