If you thought HHS’s bark about cracking down on HIPAA breaches was worse than its bite, think again. Some very high-profile healthcare organizations have spent copious amounts of money this year to atone for their privacy-violating sins. Read on to learn more.

Electronic Records

According to a US Department of Health & Human Services press release, New York and Presbyterian Hospital (NYP) and Columbia University (CU) recently agreed to a $4.8 million settlement regarding “charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.” This is the largest HIPAA settlement to date.

The two organizations have a working arrangement in which CU faculty members serve as attending physicians at NYP. Thus, they use a shared data network and firewall. Unfortunately, as a result of inadequate technical safeguards, a server deactivation by a CU employee caused the ePHI of 6,800 individuals to become accessible via Internet search engines. That ePHI included patient statuses, vital signs, medications, and lab results.

NYP and CU learned of the breach after someone found the ePHI of a deceased partner (a former NYP patient) online. An investigation by the HHS Office for Civil Rights (OCR) found that the entities not only inappropriately disclosed ePHI on the Internet, but also made no effort prior to the breach to ensure the security of their servers or software. Additionally, neither NYP nor CU conducted a risk analysis or developed a risk management plan. And “NYP failed to comply with its own policies on information access management.”

NYP paid $3.3 million of the settlement, and CU paid the remaining $1.5 million. Both organizations have committed to implementing a comprehensive corrective action plan.

Christina Heide, acting deputy director of health information privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

And making data security central requires encryption. According to this HHS press release, Concentra Health Services agreed to pay $1,725,220 in April of this year to settle potential breach charges after an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center (one of Concentra’s facilities). After a thorough investigation, the OCR found that Concentra’s encryption “efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization.”

Susan McAndrew, former deputy director of health information privacy for OCR, said, “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.” That’s why all WebPT Member data is encrypted and stored in a HIPAA-compliant Tier III-Certified facility complete with digital video surveillance, biometric screening, round-the-clock guards, and a defensible perimeter—just to be safe. Plus, we use 256-bit SSL encryption for customer interfaces. And as a recipient of the TRUSTe Certified Privacy badge, we employ strict password guidelines to ensure login security. In other words, WebPT Members have a lot less to worry about when it comes to HIPAA compliance.

Paper Records

There is plenty of room for paper mistakes, too. According to this article, Parkview Health System—a non-profit community health system in Indiana—recently agreed to an $800,000 settlement for possible HIPAA violations that took place five years ago.

After taking custody of a retiring physician’s medical records in an effort to help the doctor transition her patients to new providers (and decide whether to purchase a piece of the physician’s practice), Parkview “left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.” Apparently, the employees who left the boxes knew that the physician was not home at the time.

Luckily, it does not appear that any unauthorized person viewed the patients’ protected health information (PHI). However, Parkview is still paying dearly for its blunder—although the dollar amount isn’t that surprising to experts. According to Kate Borten, president of The Marblehead Group, a security and privacy consulting firm, “this breach was a failure of common sense.” Borten went on to say that the monetary ramifications aren’t shocking, considering that HHS has been warning about cracking down on HIPAA breaches for some time.

As part of Parkview’s settlement, the organization agreed to implement a comprehensive electronic health record system—“that is more secure than a paper record system”—and to conduct extensive employee training.

This isn’t the first time OCR has slapped organizations with hefty fines due to improper paper record-handling. In 2010, Rite Aid Corp. paid a $1 million fine after disposing of prescription information in dumpsters. CVS Caremark reached a $2.25 million settlement in a similar case in 2009. According to OCR’s latest annual breach report, paper records were involved in 23% of major health data breaches (those affecting more than 500 people) and 61% of smaller breaches in 2012.

But safeguarding PHI is critical whether that PHI is in electronic or paper format. In the same article cited above, Dan Berger, CEO of the security consulting firm Redspin, said, “The most important thing is to build a culture around the privacy and security of patient information. It’s not just a ‘culture of compliance,’ which sounds a little Draconian. We prefer a ‘culture of respect for our patients,’ including the privacy of their health information.”

So how do you build a culture around privacy and security? According to compliance expert Tom Ambury, it all starts with a solid plan. Check out his post on the subject here.
