If you thought HHS’s bark about cracking down on HIPAA breaches was worse than its bite, think again. Some very high-profile healthcare organizations have spent copious amounts of money this year to atone for their privacy-violating sins. Read on to learn more.

Electronic Records

According to a US Department of Health & Human Services press release, New York and Presbyterian Hospital (NYP) and Columbia University (CU) recently agreed to a $4.8 million settlement regarding “charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.” This is the largest HIPAA settlement to date.

The two organizations have a working arrangement in which CU faculty members serve as attending physicians at NYP. Thus, they use a shared data network and firewall. Unfortunately, as a result of inadequate technical safeguards, a server deactivation by a CU employee caused the ePHI of 6,800 individuals to become accessible via Internet search engines. That ePHI included patient statuses, vital signs, medications, and lab results.

NYP and CU learned of the breach after someone found the ePHI of a deceased partner (a former NYP patient) online. An investigation by the HHS Office for Civil Rights (OCR) found that the entities not only inappropriately disclosed ePHI on the Internet, but also made no effort prior to the breach to ensure the security of their servers or software. Additionally, neither NYP nor CU conducted a risk analysis or developed a risk management plan. And “NYP failed to comply with its own policies on information access management.”

NYP paid $3.3 million of the settlement, and CU paid the remaining $1.5 million. Both organizations have committed to implementing a comprehensive corrective action plan.

Christina Heide, acting deputy director of health information privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

And making data security central requires encryption. According to this HHS press release, Concentra Health Services agreed to pay $1,725,220 in April of this year to settle potential breach charges after an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center (one of Concentra’s facilities). After a thorough investigation, the OCR found that Concentra’s encryption “efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization.”

Susan McAndrew, former deputy director of health information privacy for OCR, said, “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.” That’s why all WebPT Member data is encrypted and stored in a HIPAA-compliant Tier III-Certified facility complete with digital video surveillance, biometric screening, round-the-clock guards, and a defensible perimeter—just to be safe. Plus, we use 256-bit SSL encryption for customer interfaces. And as a recipient of the TRUSTe Certified Privacy badge, we employ strict password guidelines to ensure login security. In other words, WebPT Members have a lot less to worry about when it comes to HIPAA compliance.

Paper Records

There is plenty of room for paper mistakes, too. According to this article, Parkview Health System—a non-profit community health system in Indiana—recently agreed to an $800,000 settlement for possible HIPAA violations that took place five years ago.

After taking custody of a retiring physician’s medical records in an effort to help the doctor transition her patients to new providers (and decide whether to purchase a piece of the physician’s practice), Parkview “left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.” Apparently, the employees who left the boxes knew that the physician was not home at the time.

Luckily, it does not appear that any unauthorized person viewed the patients’ protected health information (PHI). However, Parkview is still paying dearly for its blunder—although the dollar amount isn’t that surprising to experts. According to Kate Borten, president of The Marblehead Group, a security and privacy consulting firm, “this breach was a failure of common sense.” Borten went on to say that the monetary ramifications aren’t shocking, considering that HHS has been warning about cracking down on HIPAA breaches for some time.

As part of Parkview’s settlement, the organization agreed to implement a comprehensive electronic health record system—“that is more secure than a paper record system”—and to conduct extensive employee training.

This isn’t the first time OCR has slapped organizations with hefty fines due to improper paper record-handling. In 2010, Rite Aid Corp. paid a $1 million fine after disposing of prescription information in dumpsters. CVS Caremark reached a $2.25 million settlement in a similar case in 2009. According to OCR’s latest annual breach report, paper records were involved in 23% of major health data breaches (those affecting more than 500 people) and 61% of smaller breaches in 2012.

But safeguarding PHI is critical whether that PHI is in electronic or paper format. In the same article cited above, Dan Berger, CEO of the security consulting firm Redspin, said, “The most important thing is to build a culture around the privacy and security of patient information. It’s not just a ‘culture of compliance,’ which sounds a little Draconian. We prefer a ‘culture of respect for our patients,’ including the privacy of their health information.”


So how do you build a culture around privacy and security? According to compliance expert Tom Ambury, it all starts with a solid plan. Check out his post on the subject here.
