Topics
Reimbursement
Elevance, UnitedHealth among insurers accused of alleged price fixing
Elevance, UnitedHealth among insurers accused of alleged price fixing
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
CommonSpirit, University of Utah Health team on access
CommonSpirit, University of Utah Health team on access
Capital Finance
Cigna nixes speculation of a Humana merger
Cigna nixes speculation of a Humana merger
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Labor expenses continue to challenge hospitals
Labor expenses continue to challenge hospitals
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Denials top reason for eroding provider-payer relationship
Denials top reason for eroding provider-payer relationship
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
UAB, Press Ganey launch certificate program for healthcare leaders
UAB, Press Ganey launch certificate program for healthcare leaders
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
University Hospitals expanding with $3.2 million donation
University Hospitals expanding with $3.2M donation
Compliance & Legal
Johnson and Johnson sues HRSA for blocking 340B plan
J&J sues HRSA for blocking 340B plan
Policy and Legislation
Planned Parenthood, other groups decry executive power in House bill
Planned Parenthood, other groups decry House bill
Community Benefit
AMA pushes for stricter standards for hospital charity care policies
AMA pushes for stricter standards for hospital charity care policies
Accountable Care
NAACOS pushes ACO REACH extension after $1.54B in savings
NAACOS pushes ACO REACH extension
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Almost a quarter of Americans underinsured, survey finds
Survey: Almost a quarter of Americans underinsured
Patient Engagement
HHS, Illinois reach agreement on disability rights laws
HHS, Illinois reach agreement on disability rights
Pharmacy
Express Scripts, Caremark, OptumRx fight back in lawsuit against FTC 
Express Scripts, Caremark, OptumRx sue FTC 
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth prescribing of controlled drugs extended through 2025
Telehealth prescribing of controlled drugs extended
Mergers & Acquisitions
Cardinal Health set to acquire two companies for combined $3.9B
Cardinal Health set to acquire two companies for combined $3.9B
View more
Jul 17, 2015 More on Risk Management

Massachusetts HIPAA fine shows the financial risk in healthcare breaches

Beyond potential fines are the price of making sure the hospital is in compliance and the unquantifiable cost of the loss of reputation and trust.

Susan Morse, Executive Editor

Photo of St. Elizabeth Medical Center from Wikipedia.

Recent high profile alleged HIPAA violations are a shot across the bow to providers on the financial risk of security breaches.

This month, a Massachusetts hospital settled a HIPAA complaint by agreeing to pay $218,000 for permitting employees to use a Web-based file-sharing application to store patients' protected health information, according to the Department of Health and Human Services.

Beyond the cost of the fine to St. Elizabeth's Medical Center in Brighton, Massachusetts is the price of making sure the hospital is in compliance and the unquantifiable cost of the loss of reputation and trust, according to Attorney Matt Fisher, who specializes in HIPAA as co-chairman of Mirick O'Connell's Health Law Group in Worcester, Mass.

"The other side that's hard to quantify, is what is the financial hit towards reputation and trust?" Fisher said. "I always see figures that say 30 percent of patients say they would switch providers if their provider suffers a breach."

[Also: Anthem hit with huge data breach]

However, the biggest single factor he sees in HIPAA violations is insider snooping.

"Insider snooping is recognized as the largest cause of celebrity breaches," Fisher said.

This goes to another well-publicized case, that of an ESPN reporter tweeting the medical records of NFL player Jason Pierre-Paul.

The photo of the medical record showed the right index finger had been amputated. This was after it was reported the player had been injured in a fireworks accident over July 4th.

[Also: Fines are few, but healthcare data breaches aren't]

Jackson Memorial Hospital in Miami, where the surgery took place, announced it would aggressively investigate whether an employee leaked the medical chart, according to The Daily News.

While the employee could be subject to criminal liability, the hospital could also be held responsible, according to Fisher. There's the threat of a potential lawsuit, as well as a HIPAA violation.

The amount of such a fine in a HIPAA case would be hard to estimate, he said.

"Really, there's no rhyme or reason to the fines imposed by Office of Civil Rights," he said. "The best guess is looking at the size of the organization and how much of a financial hit that financial organization can absorb. I've seen fines of $125,000 up to multi-millions."

In another insider snooping case, in July 2011, the University of California at Los Angeles Health System agreed to settle an alleged HIPAA violation at a cost of $865,500. Two celebrities had filed separate complaints saying employees of the health system repeatedly and without medical reason looked at their health information, according to a published source.

The largest settlement to date has been a whopping $4.8 million fine paid by New York-Presbyterian Hospital and Columbia University Medical Center, after a single physician accidentally deactivated an entire computer server, resulting in electronic patent health information being posted on Internet search engines, according to Healthcare IT News.

The fine settled allegations of HIPAA violations for the information of 6,800 patients winding up online in 2010. The data was so widely accessible that the entities learned of the breach after receiving a complaint by an individual who saw the information online.

Like Healthcare Finance on Facebook

The fines send a clear message by the Department of Health and Human Services for providers to secure their records.

"It's cheaper to figure out what to do to become compliant," Fisher said, though added some hospitals may be reluctant to make that investment.

"It's always tough to spend resources where they don't see a return on the investment," Fisher said. "Putting money (into compliance) saves money in the future."

He recommends facilities monitor and audit access to electronic records to make sure hospital and staff are in good compliance with security rules.

Violations can be levied even in instances, such as with the recent St. Elizabeth Medical Center case, there is no indication that patient data has been viewed or misused.

Getting into compliance is a matter of following rules and regulations that should already be in place, said Fisher, who writes a blog on these issue.

"Putting compliance in place shouldn't be hundreds of thousands of dollars," Fisher said. "Yet resolving the complaint is coming at a cost beyond the fine. The financial impact goes beyond any fine imposed by the government."

Twitter: @SusanMorseHFN

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.