May 24, 2022

Volume XII, Number 144


May 23, 2022


HIPAA Breaches: Size Doesn't Necessarily Matter

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) made headlines this month with a record $5.55 million HIPAA settlement reached with Advocate Health Care System, Illinois’ largest health care system with 12 acute care hospitals. That settlement dealt with three different data breaches that compromised more than four million individual patient records. 

Since announcing the Advocate settlement, the OCR has made a special effort to let the health care world know that neither a smaller-sized breach nor a smaller-sized organization will be protected from OCR scrutiny. The OCR announced a new initiative giving special attention to smaller breaches – i.e. those involving protected health information (PHI) of fewer than 500 individuals. In its August 18 announcement, the OCR advised that its regional offices will increase their efforts "to identify and obtain corrective action to address entity and systemic noncompliance" related to smaller breaches. 

The OCR’s announcement regarding its new "smaller-sized" breach initiative referred to the following “recent” settlements involving smaller reported breaches:

  • Hospice of Northern Idaho – $50,000 settlement in 2013 as a result of 2010 theft of unencrypted laptop computer from an employee’s car, with electronic PHI (ePHI) of 441 individuals. 
  • QCA Health Plan of Arkansas – $250,000 settlement in 2014 following a 2012 theft of unencrypted laptop computer from an employee’s car, with ePHI of 148 individuals. 
  • St. Elizabeth’s Medical Center – $218,400 settlement in 2015. The Massachusetts hospital reported in 2012 that workforce members were using an Internet-based document sharing application to store ePHI of at least 498 individuals; a 2014 breach involved ePHI on a former workforce member’s personal laptop and USB flash drive. 
  • Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) – $650,000 settlement in July 2016 after theft of unencrypted iPhone of employee, with ePHI from 412 residents of six nursing homes for which CHCS was providing management and information technology services. 

One of the most frequent risk factors for special attention from the OCR is that the organization failed to assess its risks – particularly with unencrypted ePHI on mobile devices – and to adopt reasonable precautions. It’s also clear from recent settlements and the “no break for small breaches” announcement that the OCR is looking closely at breaches involving IT system intrusions (e.g., hacking) and those involving business associates’ activities. 

Monetary payments announced in connection with OCR settlements are frequently dwarfed by the costs of the accompanying mandated corrective actions, and by the reputational costs and operational disruptions that accompany a data breach. Giving attention now to risk analysis and preventive measures, and to contracts with business associates, can greatly reduce the significant risks organizations face. 

© Copyright 2022 Armstrong Teasdale LLP. All rights reserved National Law Review, Volume VI, Number 244

About this Author

Diane E. Felix, health care attorney, Armstrong Teasdale, law firm
Partner

Diane Felix has focused her practice on representation of health care providers, with a significant portion of that practice involving long-term care facilities. Her representation of providers has included Medicaid and Medicare reimbursement matters, licensure and certification issues, Certificate of Need matters, preparation and negotiation of contracts (including admission agreements, professional services agreements, leases and purchase agreements), and operational questions (involving issues such as consent to treatment, confidentiality of records and ADA compliance).

314-342-8001
Aarthi Krishnamurthy, Armstrong Teasdale, Corporate, Health Care
Associate

Aarthi Krishnamurthy is an associate in Armstrong Teasdale’s Corporate Services practice group where she focuses almost exclusively on health care law. In her practice, she counsels institutional and non-institutional clients in response to legal and business challenges and opportunities in the rapidly-evolving U.S. health care system. 

Working primarily with physicians, independent contractors, principal investigators, physician groups and health and medical insurance providers, Aarthi implements feasible compliance programs to meet government regulatory standards that are in-line...

314.342.4126
Daniel C. Nelson, Armstrong Teasdale Law firm, Litigation Attorney
Partner

Dan Nelson is an accomplished trial attorney working in the area of commercial litigation and information security and privacy law. In both state and federal courts, he represents plaintiffs and defendants in commercial cases including matters involving trade secrets, contracts, securities, corporate governance and legal malpractice. Dan has tried over 40 cases to verdict.

314-552-6650