The Los Angeles Daily News, on July 7, 2011, posted an Associated Press article outlining another HIPAA breach. Specifically, UCLA Health System (UCLA-HS) entered into a resolution agreement with the Office for Civil Rights (OCR), the division of the US Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules. UCLA-HS paid $865,500 under that agreement. The amount is material because, before the Health Information Technology for Economic and Clinical Health (HITECH) Act, HIPAA capped civil penalties at $25,000 per year for violations of a single provision (with criminal fines topping out at $250,000). HITECH raised the civil ceiling to $1.5 million per year per provision, and recent settlements reflect the new scale:
- $1 million against Rite Aid and its affiliates
- $1 million against Massachusetts General Hospital
- $2.25 million against CVS
Beyond the financial penalties, a breach can bring civil action, brand equity erosion, customer attrition, and even imprisonment. HITECH also expanded who must comply with HIPAA. Originally, only covered entities (e.g., hospitals, doctors, insurance providers) had to comply with HIPAA; post-HITECH, business associates (downstream service providers that receive PHI from covered entities) are directly subject to the Security Rule and to the same penalties.
Interestingly, many of these breaches result from good employees doing bad things. For example, a health care professional with legitimate access to their own patients' records decides it might be interesting to also review the records of patients not under their care, such as celebrities. Role-based access alone does not catch this: the user is authorized to view records of that type, just not those records. Covered entities are responsible for protecting PHI, including against the actions of their own employees. Thus, it would be prudent for entities that receive PHI to revisit their HIPAA programs, including policies, procedures, and audit logs (and whether anyone actually reviews those logs for access that has no treatment relationship behind it); and because the weakest link in a HIPAA program is often the human element, to revisit training and awareness. Expect enforcement to increase as regulators levy fines more aggressively.
SecureState recommends that organizations receiving PHI become thoroughly familiar with all of the security and privacy requirements they are subject to, so that they understand exactly what they must do to adequately protect PHI, as well as the consequences of noncompliance.