Spears Legal Technology

Disclaimer

This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

A Sampling of HIPAA Fines and How They Could Have Been Avoided

Yesterday I posted a terrific article from Krystyna Monticello of Legal Health Information Exchange that discussed Affinity Health’s $1.2M settlement after improperly disposing of photocopiers that contained PHI.

At the bottom of that same article Krystyna summarizes a number of recent data breach settlements and the causes behind the breaches. It deserves its own post and should serve as a warning to any HIPAA covered entity or business associate responsible for storing or handling PHI.


How These Breaches and Fines Could Have Been Avoided:

  • (1) Address the need for encryption for everything that holds PHI (laptops, mobile devices, photocopiers).
    • Idaho Hospice ($50K)
    • Providence Health ($100K)
    • Mass Eye/Ear ($1.5M)
    • Alaska DHSS ($1.7M)

  • (2) Dispose of ePHI properly
    • CVS ($2.25M)
    • Rite Aid ($1M)

  • (3) Do not remove PHI or ePHI from your facilities without assessing the risks and safeguarding it
    • Mass General ($1.5M)

  • (4) Choose your Business Associates wisely (and have written BAAs with them)
    • BCBS Tennessee ($1.5M)
    • Arizona Cardiologists ($100K)

  • (5) Conduct COMPLETE risk assessments that address all ePHI no matter where it may be located (and update them as needed)
    • BCBS Tennessee ($1.5M)
    • Idaho State ($400K)
    • Arizona Cardiologists ($100K)
    • Wellpoint ($1.7M)

  • (6) Have written policies (and actually implement them)
    • Rite Aid ($1M)
    • CVS ($2.25M)
    • Cignet Maryland ($4.3M)
    • Mass General ($1.5M)

  • (7) COOPERATE with OCR!
    • Cignet Maryland ($4.3M)


