For one covered entity, violations of the HIPAA Security and Breach Notification Rules ended up costing them over $2.15 million! The covered entity has already paid the full civil monetary penalty (CMP) and did not contest the Office for Civil Rights (OCR) Notice of Proposed Determination.
So, what exactly led to the $2.15 million CMP?
- On August 22, 2013, the entity submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the protected health information (PHI) of 756 patients.
- The entity's internal investigation determined that an additional three boxes of patient records had also been lost during the previous year; however, this additional loss of PHI and the affected individuals were not reported until June of 2016.
- OCR's investigation was initiated following a media report that disclosed the PHI of one of the covered entity's patients. A reporter had shared a photograph of the entity's operating room screen containing the patient's medical information on social media.
- It was also determined that two employees had accessed this patient's electronic medical record without a job-related purpose.
- On February 19, 2016, the entity submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients' records since 2011.
OCR's investigation revealed that the covered entity failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.
This $2.15 million penalty is an important reminder that an effectively implemented compliance program with enforceable policies and procedures, an initial security risk analysis that is regularly reviewed and updated, and timely breach determination, mitigation, and notification procedures are not optional for healthcare organizations.