Two recent updates to the ClinicNerds website to report:
- New HIPAA Breach Case Study about a small practice in Illinois that was fined $31,000 because they did not have a Business Associate Agreement with a third-party document storage company. The medical practice was storing paper medical records at this off-site location without ensuring that the document storage company was safeguarding the patient data. Note that this case was resolved just a few months ago (April 2017), though practice will be on HIPAA probation for two years till April 2019. It is very typical for these HIPAA investigations and probations to last 4 or 5 years.
- New article in the series Crushing Kim with HIPAA. This sixth article in the series discusses the meaningless terms ‘HIPAA Compliant’ and/or ‘HIPAA Certified.’ There are many shady salesmen, consultants, and instructors that make the false and meaningless claim that their product or service is HIPAA Compliant. When you hear this phrase, ClinicNerds encourages you to say: ‘Who says it is HIPAA compliant?’
Earlier this week, I posted the ninth case study on HIPAA Breaches. Why was this case important? The healthcare organization that got fined is a small hospice in the Northwest. The precipitating event was one stolen laptop that was not encrypted. The laptop contained a few hundred (441) patient records. The fine was $50,000.
Every small practice in the country has the same essential risks or vulnerabilities. An unencrypted laptop with a spreadsheet of all the practice’s patients.
An unencrypted laptop, with a few hundred patient records, is stolen and results in a $50,000 fine.
Over on ClinicNerds HIPAA Breach Case Studies, just published a new case study about a doctor whose laptop was stolen while lecturing in Asia. Though some precautions were taken, the laptop had unencrypted patient data going all the way back to 1988. The laptop was stolen in South Korea, but the US Government, HHS, levied a multi-million dollar HIPAA fine. Link: Unencrypted Laptop stolen while lecturing in Asia
Just uploaded to ClinicNerds a new article in the series: HIPAA Breach Case Studies. This article is about a small clinic (two locations) that was accidentally posting their appointments on an internet calendar that was visible to the whole internet. In addition to paying their own legal fees, the practice had to pay a HIPAA fine of $100,000 and agree to a one year HIPAA probation. Here is a link to the case study.