If This Does Not Convince You Of The Importance Of HIPAA Compliance, Nothing Will

By: Richard Sheinis, Esq.

Two medical providers recently paid large settlements to the Department of Health and Human Services’ Office for Civil Rights because of HIPAA violations. Both involved thefts of laptops, an issue I see with some regularity. In one case, The Feinstein Institute for Medical Research in Manhasset, L.I., a research arm for Northwell Health, agreed to pay $3.9 million after it acknowledged in 2012 that a laptop containing health data for 13,000 patients was stolen from an employee’s car. The laptop was password protected, but it was not encrypted. HHS stated, “Feinstein’s security management process was limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.”

In the second case, North Memorial Health Care is paying $1.55 million because a laptop was stolen from a locked car belonging to an employee of a North Memorial bill collecting vendor. The laptop was password protected, but the data of over 9,000 patients was not encrypted. North Memorial did not have a business associate agreement with the vendor, although such an agreement was required by HIPAA.

I have seen it over and over where the large fines imposed by HHS are not the result of the incident itself, i.e. theft of a laptop which contains ePHI, but the fact that when HHS reviewed the incident they found the medical provider failed to meet basic HIPAA compliance requirements. I will keep beating this issue like a drum. If you are subject to HIPAA, take the time to do a HIPAA risk analysis, implement a risk management program, and comply with the rest of the HIPAA regulations. Spending money on compliance will be a lot less expensive than spending money to settle with HHS.
