Since January 2014, protected health information data breaches affecting more than 24,000 individuals in Massachusetts have been reported to the Secretary of Health and Human Services and the Office for Civil Rights. These breaches occurred because data was left unsecured and went missing through theft or loss. While these data breaches may pale in comparison to the data breaches at TJX and Target, which affected consumers’ personal credit and debit card information, breaches of protected health information involve very sensitive information and can include anything from patients’ Social Security numbers and addresses to dates of exams, and even medical imaging.
Back in November of 2012, Women and Infants Hospital of Rhode Island reported that it was missing 19 unencrypted back-up tapes from its Prenatal Diagnostic Centers in Providence and New Bedford. The missing tapes included patients’ names, dates of birth, Social Security numbers, dates of exams, physicians’ names and ultrasound images. A total of 12,127 Massachusetts residents were affected by this breach. Women and Infants Hospital of Rhode Island realized that the tapes were missing in April 2012, but did not report the breach until November 2012. There are strict data breach reporting rules for “covered entities” under HIPAA, and because of a lack of employee HIPAA training and internal policies, the breach was not reported in time. Now Women and Infants Hospital of Rhode Island has agreed to pay $150,000 to settle the data breach allegations: a $110,000 civil penalty, $25,000 for attorney’s fees and legal costs, and $15,000 to be used by the Attorney General’s office for education on the protection of personal and protected health information.
In another example, a breach was reported earlier this year by UMass Memorial Medical Center, where an employee potentially used protected patient data to open credit cards and cellphone accounts. This breach potentially affected four patients; however, UMass Memorial Medical Center reported the breach to 2,400 of its patients.
Under the HITECH Act, effective February 18, 2009, the civil and criminal enforcement provisions of the HIPAA rule were strengthened. Penalty minimums were increased, and a maximum penalty of $1.5 million was put into place for all violations of an identical provision. All of these factors add up to one thing: better education around HIPAA and protecting patient information can prevent these types of breaches, and save the covered entities thousands of dollars in ensuing civil penalties, criminal charges and the painful process of having to report breaches publicly.