If you thought HHS’s bark about cracking down on HIPAA breaches was worse than its bite, think again. Some very high-profile healthcare organizations have spent copious amounts of money this year to atone for their privacy-violating sins. Read on to learn more.

Electronic Records

According to a US Department of Health & Human Services press release, New York and Presbyterian Hospital (NYP) and Columbia University (CU) recently agreed to a $4.8 million settlement regarding “charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.” At the time of the announcement, this was the largest HIPAA settlement ever.

The two organizations have a working arrangement in which CU faculty members serve as attending physicians at NYP, so the two entities share a data network and firewall. Because that network lacked adequate technical safeguards, when a CU employee deactivated a server, the ePHI of 6,800 individuals became reachable through Internet search engines. That ePHI included patient statuses, vital signs, medications, and lab results.

NYP and CU learned of the breach after someone found the ePHI of a deceased partner (a former NYP patient) online. An investigation by the HHS Office for Civil Rights (OCR) found that the entities not only disclosed ePHI on the Internet inappropriately, but also had made no effort before the breach to ensure the security of their servers or software. Additionally, neither NYP nor CU had conducted a risk analysis or developed a risk management plan. And “NYP failed to comply with its own policies on information access management.”

NYP paid $3.3 million of the settlement, and CU paid the remaining $1.5 million. Both organizations have committed to implementing a comprehensive corrective action plan.

Christina Heide, acting deputy director of health information privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

And making data security central requires encryption. According to this HHS press release, Concentra Health Services agreed to pay $1,725,220 in April of this year to settle potential HIPAA violations after an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center (one of Concentra’s facilities). After a thorough investigation, the OCR found that Concentra’s encryption “efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization.” Encryption of ePHI at rest is an “addressable” specification under the HIPAA Security Rule, but addressable does not mean optional: an organization that leaves a portable device unencrypted must document why that is reasonable and what equivalent safeguard it put in place instead, and Concentra could not.

Susan McAndrew, former deputy director of health information privacy for OCR, said, “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.” That’s why all WebPT Member data is encrypted and stored in a HIPAA-compliant Tier III-Certified facility complete with digital video surveillance, biometric screening, round-the-clock guards, and a defensible perimeter—just to be safe. Plus, we use 256-bit SSL encryption for customer interfaces. And as a recipient of the TRUSTe Certified Privacy badge, we employ strict password guidelines to ensure login security. In other words, WebPT Members have a lot less to worry about when it comes to HIPAA compliance.

Paper Records

There is plenty of room for paper mistakes, too. According to this article, Parkview Health System—a non-profit community health system in Indiana—recently agreed to an $800,000 settlement for possible HIPAA violations that took place five years ago.

After taking custody of a retiring physician’s medical records in an effort to help the doctor transition her patients to new providers (and decide whether to purchase a piece of the physician’s practice), Parkview “left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.” Apparently, the employees who left the boxes knew that the physician was not home at the time.

Luckily, it does not appear that any unauthorized person viewed the patients’ protected health information (PHI). However, Parkview is still paying dearly for its blunder—although the dollar amount isn’t that surprising to experts. According to Kate Borten, president of The Marblehead Group, a security and privacy consulting firm, "this breach was a failure of common sense.” Borten went on to say that the monetary ramifications aren’t shocking, considering that HHS has been warning about cracking down on HIPAA breaches for some time.

As part of Parkview’s settlement, the organization agreed to implement a comprehensive electronic health record system—“that is more secure than a paper record system”—and to conduct extensive employee training.

This isn’t the first time OCR has slapped organizations with hefty penalties due to improper paper record-handling. In 2010, Rite Aid Corp. paid $1 million to settle charges after disposing of prescription information in dumpsters. CVS Caremark reached a $2.25 million settlement in a similar case in 2009. According to OCR’s latest annual breach report, paper records were involved in 23% of major health data breaches (those affecting 500 or more people) and 61% of smaller breaches in 2012.

Safeguarding PHI is critical whether that PHI is in electronic or paper format. In the same article cited above, Dan Berger, CEO of the security consulting firm Redspin, said, “The most important thing is to build a culture around the privacy and security of patient information. It's not just a 'culture of compliance,' which sounds a little Draconian. We prefer a 'culture of respect for our patients,' including the privacy of their health information."

So how do you build a culture around privacy and security? According to compliance expert Tom Ambury, it all starts with a solid plan. Check out his post on the subject here.
