Are you taking HIPAA seriously? REALLY seriously, and not just providing lip service? The great thing about HIPAA is that it clearly lays out rules and standards for handling patient data. The consequences are dire for lax adherence, or lackadaisical implementation of standards and best practices. Just consider these examples, compiled courtesy of www.healthdatamanagement.com .
Just a couple of weeks ago, Advocate Health Care was fined a whopping $5.55 million dollars. In Advocate’s case, they actually notified the OCR—The US Government department of Health and Human Services’s Office of Civil Rights about problems they found, way back in 2013. The fine was due to several infractions discovered, including leaving an unencrypted laptop in an unlocked vehicle overnight
Columbia University along with the New York Presbyterian Hospital were fined $4.8 million in 2014 after it was found that HIPAA protected patient information on 6,800 patients was accessible simply via an internet search via Google or other search engines!
Cignet Health did not cooperate with the OCR and ended up paying heavily for it; to the tune of $4.3 million. Rather than being fined for not protecting access to patient data, in Cignet’s case, they denied dozens of patients their HIPAA enforced right to their own medical data, and refused to cooperate with OCR’s attempts to investigate the complaints.
Perhaps a repeat offender, New York Presbyterian Hospital found itself infamous and unfortunate after it paid another $2.2 million fine earlier this year, this time for willingly participating in a television series, “NY Med.” In this case, giving the Disney-owned ABC network television producers “virtually unfettered access” according to the OCR, led to the recording of two hospital patients without their authorization. In a statement, the hospital maintains they didn’t violate HIPAA but wanted “closure.”
Down in Puerto Rico, the Blue Cross-Blue Shield affiliate, Triple S Management Corporation found itself in hot water after ex-employees working for a competitor—but without authorization or knowledge of the competitor’s leadership, downloaded almost 400,000 patient records into the competitor’s systems! The competitor notified Triple S, and Triple S notified the OCR. Triple S was also in trouble for sending mail to policy holders with protected information printed on the outside of the mailing envelope.
The Internet of Things (IoT) holds great promise for patient care both in the institution and in the home. As product developers and entrepreneurs realize the potential that this enabling technology brings to health care, wellness, and health care consumers, it is important to properly protect patient data at all times. To keep this from becoming wickedly complex, building upon an existing yet innovative platform can help one stay out of the press for the wrong reasons, showing up on the “Worst fines ever” list.