HIPAA Breach: 20 Years of Hard Labor

January 23, 2014

20 years of hard labor doesn’t always mean prison. In this case it means an outside monitor of security and privacy practices for 20 years as a settlement for a breach of over 22,000 patient records. This is in addition to the $2.5 million fine and the bad public relations. What would it have taken to prevent this? A comprehensive privacy and security program, including better management of mobile devices such as laptops. A few thousand dollars per year and some staff training would have protected them from the dire penalties even if they did have a breach. Willful neglect is when you know what you should do but choose to ignore it.

Strangely, there are still many organizations ignoring their responsibilities and hoping that nothing bad happens. We have been working with the health insurance industry, which is struggling with its newfound responsibilities under the HIPAA Omnibus Rule, which became effective on September 23, 2013. Carriers are covered entities, which makes them responsible for the actions of their general agents, who in turn are responsible for the actions of their carriers. Yet our view is that 80% are not HIPAA compliant at this time.

Rebecca Herold, CISSP, CIPP/US, CIPP/IT, CISM, CISA, FLMI, www.theprivacyprofessor.com, is our privacy and security partner. Rebecca created and managed the information security and privacy program at Principal Financial Group throughout the 1990’s, and trained all the personnel, agents and brokers, including those who sold and supported their Long Term Care Insurance products. In the process she did risk assessments on over 200 business associates who were insurance agents and producers. Only a handful of larger companies approached total compliance, and the vast majority were not compliant at all.

It is now 2014, the HIPAA Omnibus Rule is in effect, HHS/OCR is serious about enforcement, and it is time to get compliant. For further information contact Jack@compliancehelper.com or go to our website at www.compliancehelper.com.

Here is the complete article:

Accretive Health settles FTC allegations of lax security for consumer information

Winston & Strawn LLP

Steven Grimes

Medical billing firm Accretive Health Inc. will launch an information security program aimed at protecting consumer information as part of a recent settlement with the U.S. Federal Trade Commission. The FTC had previously alleged that the firm had violated the FTC Act due to its failure to provide adequate security for consumer information it collected and maintained. Accretive Health has agreed to measures including the designation of an employee to coordinate and be accountable for the information security program and the identification of internal and external risks for areas such as employee training, network and software design, and prevention and detection of attacks. Under the terms of the agreement, Accretive Health also will design and implement safeguards to control any risks identified and to regularly test the safeguards’ effectiveness. Additionally, Accretive Health agreed to initial and biennial third-party auditing of their security measures and to maintain those records and make them available to the FTC upon request. The settlement will be in effect for 20 years. Accretive Health had faced charges that it created unnecessary risk of unauthorized access or theft by transporting laptops in a manner that made them vulnerable to theft, failing to restrict access to and copying of personal information, failing to ensure that information for which there was no longer a business need was removed from the laptops, and using consumers’ personal information in training sessions with employees and failing to remove that information following training. Alleged security issues at Accretive Health drew attention following a July 2011 incident where an Accretive Health laptop containing over 600 files of data with information related to 23,000 patients was stolen from an employee’s car.
