If you thought HHS’s bark about cracking down on HIPAA breaches was worse than its bite, think again. Some very high-profile healthcare organizations have spent copious amounts of money this year to atone for their privacy-violating sins. Read on to learn more.

Electronic Records

According to a US Department of Health & Human Services press release, New York and Presbyterian Hospital (NYP) and Columbia University (CU) recently agreed to a $4.8 million settlement regarding “charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.” This is the largest HIPAA settlement to date.

The two organizations have a working arrangement in which CU faculty members serve as attending physicians at NYP. Thus, they use a shared data network and firewall. Unfortunately, as a result of inadequate technical safeguards, a server deactivation by a CU employee caused the ePHI of 6,800 individuals to become accessible via Internet search engines. That ePHI included patient statuses, vital signs, medications, and lab results.

NYP and CU learned of the breach after someone found the ePHI of a deceased partner (a former NYP patient) online. An investigation by the HHS Office for Civil Rights (OCR) found that the entities not only inappropriately disclosed ePHI on the Internet, but also made no effort prior to the breach to ensure the security of their servers or software. Additionally, neither NYP nor CU conducted a risk analysis or developed a risk management plan. And “NYP failed to comply with its own policies on information access management.”

NYP paid $3.3 million of the settlement, and CU paid the remaining $1.5 million. Both organizations have committed to implementing a comprehensive corrective action plan.

Christina Heide, acting deputy director of health information privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

And making data security central requires encryption. According to this HHS press release, Concentra Health Services agreed to pay $1,725,220 in April of this year to settle potential breach charges after an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center (one of Concentra’s facilities). After a thorough investigation, the OCR found that Concentra’s encryption “efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization.”

Susan McAndrew, former deputy director of health information privacy for OCR, said, “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.” That’s why all WebPT Member data is encrypted and stored in a HIPAA-compliant Tier III-Certified facility complete with digital video surveillance, biometric screening, round-the-clock guards, and a defensible perimeter—just to be safe. Plus, we use 256-bit SSL encryption for customer interfaces. And as a recipient of the TRUSTe Certified Privacy badge, we employ strict password guidelines to ensure login security. In other words, WebPT Members have a lot less to worry about when it comes to HIPAA compliance.

Paper Records

There is plenty of room for paper mistakes, too. According to this article, Parkview Health System—a non-profit community health system in Indiana—recently agreed to an $800,000 settlement for possible HIPAA violations that took place five years ago.

After taking custody of a retiring physician’s medical records in an effort to help the doctor transition her patients to new providers (and decide whether to purchase a piece of the physician’s practice), Parkview “left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.” Apparently, the employees who left the boxes knew that the physician was not home at the time.

Luckily, it does not appear that any unauthorized person viewed the patients’ protected health information (PHI). However, Parkview is still paying dearly for its blunder—although the dollar amount isn’t that surprising to experts. According to Kate Borten, president of The Marblehead Group, a security and privacy consulting firm, “this breach was a failure of common sense.” Borten went on to say that the monetary ramifications aren’t shocking, considering that HHS has been warning about cracking down on HIPAA breaches for some time.

As part of Parkview’s settlement, the organization agreed to implement a comprehensive electronic health record system—“that is more secure than a paper record system”—and to conduct extensive employee training.

This isn’t the first time OCR has slapped organizations with hefty fines due to improper paper record-handling. In 2010, Rite Aid Corp. paid a $1 million fine after disposing of prescription information in dumpsters. CVS Caremark reached a $2.25 million settlement in a similar case in 2009. According to OCR’s latest annual breach report, paper records were involved in 23% of major health data breaches (those affecting more than 500 people) and 61% of smaller breaches in 2012.

But safeguarding PHI is critical whether that PHI is in electronic or paper format. In the same article cited above, Dan Berger, CEO of the security consulting firm Redspin, said, “The most important thing is to build a culture around the privacy and security of patient information. It’s not just a ‘culture of compliance,’ which sounds a little Draconian. We prefer a ‘culture of respect for our patients,’ including the privacy of their health information.”

So how do you build a culture around privacy and security? According to compliance expert Tom Ambury, it all starts with a solid plan. Check out his post on the subject here.
