HIPAA violations have been making headlines recently, and for good reason. Fines for violations can be crippling to companies, and the more mobile our data becomes, the greater the risk of a security breach. According to the Health and Human Services website, as of September 30, 2019, the OCR has settled or imposed a civil money penalty in 66 cases, resulting in a total dollar amount of $102,766,582.00. The majority of these violations came from national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
Roger Severino, director of the Office of Civil Rights (OCR), says that theft and loss are constant threats, and encryption is a very easy way to protect patient information. Just recently, the University of Rochester Medical Center (URMC) settled a suit over a stolen unencrypted laptop from 2017 and a stolen flash drive from 2010. The fine: $3 million. According to the U.S. Department of Health & Human Services, URMC did report the breach, but the OCR then discovered that URMC had failed to conduct an adequate risk assessment or implement any security measures, such as encryption or data controls, to minimize the risk of future violations. “When covered entities are warned of their deficiencies, but fail to fix the problem,” says Severino, “they will be held fully responsible for their neglect.”
The Texas Health and Human Services Commission (TX HHSC) has also been fined $1.6 million for HIPAA violations, according to a news release last week. In this case, the protected information of over six thousand patients, including names, addresses and Social Security numbers, was openly viewable over the internet while an internal application at the organization was being moved from one server to another.