May 20, 2018

May 18, 2018

Attempting To Avoid The High Cost Of A Reported HIPAA Breach

Preventing unintended or unauthorized disclosure of protected health information is an ever-present goal of all covered entities and business associates. However, protective firewalls and electronic data security measures are not enough to avoid a potentially costly penalty or settlement amount in the event of a breach. In order to defend against assessment of civil money penalties or a negotiated settlement payment, it is important to develop and implement policies, and to train personnel relating to those policies. Such measures are also required to comply with the terms of most cybersecurity insurance policies, or risk a carrier’s denial of coverage at a time when it may be needed the most. 

In the last 24 months, 349 breaches of unsecured protected health information affecting 500 or more individuals have been reported to the Secretary of the Department of Health and Human Services, Office for Civil Rights. Nearly 175 of those breaches occurred in 2017 alone, affecting over 3.2 million individuals in just seven months. From January to July this year, the OCR entered into settlement resolutions related to reported HIPAA breaches for a combined total of approximately $17 million. In 2016, the OCR entered into settlement agreements requiring payment of approximately $48.2 million to resolve reported breaches.

Three of the largest settlement amounts paid this year resulted from failure to develop and implement policies to prevent, report and correct breaches. In February, OCR announced that Memorial Healthcare System paid $5.5 million and agreed to implement a corrective plan to terminate former users’ right of access and to review records of system activity. In April, OCR announced that CardioNet paid $2.5 million and agreed to a corrective plan involving risk analysis and risk management procedures designed to address the possibility of theft. In May, OCR announced that Memorial Hermann Health System agreed to pay $2.4 million and adopt a corrective action plan implementing training of its workforce on impermissible use of PHI. 

These outcomes demonstrate the importance of being proactive and implementing policies for preventing and responding to a breach, whether it results from a malicious external attack or from an inadvertent human error within the organization. Educating and training personnel to recognize whether and how a breach has occurred, and how to respond appropriately, are important risk management elements of any cybersecurity plan. Executives and employees alike need to be informed about who is authorized to access PHI, what to do if PHI is disclosed, and how to take swift corrective action, including self-reporting, in the event of a breach.

© Copyright 2018 Dickinson Wright PLLC


About this Author

Kimberly J. Ruppel, Business Litigation Attorney, Dickinson Wright Law Firm
Member and Practice Department Manager

Co-lead discovery counsel for Ford Motor Company in a multi-billion dollar ERISA stock drop putative class action brought by 401k plan participants.

Lead counsel for IndyMac Bank in a jury trial in Oakland County Circuit Court involving claims that a negligent real estate appraiser was partly responsible for the bank's damages arising from a mortgage default.

Billee Lightvoet Ward, Healthcare Law Attorney, Dickinson Wright Law Firm
Of Counsel

Ms. Ward specializes in healthcare compliance, corporate law and commercial transactions. She represents hospitals, physician practices, dental groups, and other practitioners as well as medical device manufacturers, clinical research organizations and other healthcare-related entities in corporate, transactional and regulatory matters. Ms. Ward advises new and established businesses on legal and operational issues including entity structure and formation, corporate governance, owner relations, mergers and acquisitions, contractual arrangements and other business matters. She regularly provides assistance and counsel regarding:

  • Entity formation and governance

  • Drafting and implementation of Bylaws, Operating Agreements, Shareholder Agreements, Buy-Sell Agreements and Deferred Compensation Agreements

  • Mergers and acquisitions involving physician practices, dental practices, hospitals and other healthcare providers and suppliers

  • Clinically integrated networks, joint ventures and other integration structures

  • Equipment and real estate leasing arrangements

  • Employment of licensed professionals and other clinical and non-clinical personnel

  • Medical Director and other administrative services agreements

  • Physician recruitment and retention