The Office for Civil Rights of the Department of Health and Human Services issues fines for HIPAA violations, but state Attorneys General can also issue fines for HIPAA violations at the state level, and the number of such fines is increasing.
The Massachusetts Attorney General’s office has been particularly active and has already issued HIPAA violation fines. A number of HIPAA data breaches in the state of Massachusetts have been reported in recent months, and action is being taken to make sure covered entities are held accountable for not implementing the safeguards required by the HIPAA Security Rule.
One month after Boston’s Beth Israel Deaconess Medical Center reached a settlement with the Mass. AG, another fine has been issued, this time to the Boston Children’s Hospital which has been ordered to pay $40,000.
The fine was for a security incident in which PHI was exposed as a result of the theft of a laptop containing unencrypted PHI. The laptop was stolen from a physician’s car, and PHI was potentially accessible via the email account on the device. An email contained an attachment holding the unencrypted PHI of over 2,000 patients. The data included Social Security numbers, medical record numbers, surgical treatments, diagnoses of illnesses, patient names and dates of birth. In total, the data of 2,159 patients were affected by the breach.
According to Boston Children’s Hospital, it did have a policy in place to encrypt the data on all of its laptops, although in this instance the laptop had not received the security update. The fine was issued for a lack of controls over PHI, and the hospital’s response to the data breach was also criticized: it is alleged to have downplayed the seriousness of the incident and underestimated the number of individuals affected.
The Health Insurance Portability and Accountability Act aims to introduce a minimum standard in the United States to ensure that PHI is properly safeguarded. States are able to impose their own rules and regulations covering data security and can introduce legislation that raises the standard further.
In Massachusetts, for instance, all organizations must take steps to mitigate any damage caused by a data breach, and are therefore required to offer credit protection monitoring services to the victims free of charge. While Boston Children’s Hospital issued breach notification letters, it failed to offer these services, which increased the state fines for HIPAA violations that were issued.
With the $100,000 fine to Beth Israel and this latest $40,000 fine, healthcare organizations are being sent a message. Improve data security or pay the price.