Nine HIPAA settlements so far this year

The year is more than halfway over. In the first six months of 2017, HHS’ Office for Civil Rights has been busy enforcing HIPAA compliance.

We’re past the halfway point of 2017. And in the world of health IT, there has already been a plethora of HIPAA settlements.

Here are the nine that have occurred during the first six months of this year.

Chicago, Illinois-based Presence Health agreed to pay a $475,000 HIPAA settlement. In 2013, the health system found that paper operating room schedules containing 836 patients’ protected health information had gone missing. However, Presence failed to notify the patients, media outlets and OCR within 60 days of discovering the breach.

In January, MAPFRE Life Insurance Company of Puerto Rico agreed to pay $2.2 million and implement a corrective action plan. In 2011, MAPFRE reported a USB device was stolen from its IT department. The breach impacted 2,209 individuals.

Children’s Medical Center of Dallas paid $3.2 million for failing to comply with HIPAA due to two data breaches in 2010 and 2013.

Hollywood, Florida-based Memorial Healthcare System paid a $5.5 million HIPAA settlement. MHS reported the PHI of 115,143 people had been disclosed to office staff.

Metro Community Provider Network, a federally qualified health center based in Englewood, Colorado, agreed to pay $400,000. In 2011, a hacker allegedly accessed MCPN employees’ email accounts, thus acquiring 3,200 people’s ePHI. In January 2012, MCPN filed a breach report with OCR. But OCR claimed MCPN didn’t conduct a proper risk analysis until February 2012.

The Center for Children’s Digestive Health in Park Ridge, Illinois, paid $31,000 to settle potential HIPAA violations. CCDH stored records containing PHI with FileFax, a business associate. Though the organizations started their relationship in 2003, they couldn’t produce a business associate agreement dated prior to October 2015.

In April, CardioNet, a wireless health services provider, agreed to implement a corrective action plan and pay $2.5 million. Back in 2012, CardioNet reported to OCR that an employee’s laptop, which contained 1,391 individuals’ information, was stolen from a parked car outside the employee’s house. Additionally, OCR found CardioNet didn’t have the proper risk analysis processes in place when the theft occurred.

In May, Houston, Texas-based Memorial Hermann Health System agreed to pay $2.4 million. In 2015, an MHHS patient showed staff an allegedly fraudulent identification card. The patient was arrested for using the card. However, MHHS published a press release about the incident, and the patient’s name was included in the title of the document.

St. Luke’s-Roosevelt Hospital Center, which operates the Institute for Advanced Medicine (formerly Spencer Cox Center for Health), paid $387,200 to settle potential HIPAA violations. OCR found a Spencer Cox Center employee impermissibly disclosed a patient’s PHI to the patient’s employer via fax rather than the requested post office box. On top of that, Spencer Cox Center was responsible for a related breach that occurred nine months before the fax incident.