Several six-figure HIPAA settlements were levied against healthcare organizations this year. Here are the top HIPAA incidents of 2015.
The Office of Civil Rights (OCR) has had a busy year enforcing the HIPAA Privacy and Security Rules. They’ve handed out several six-figure settlements due to the improper disclosure or handling of both personal health information (PHI) and electronic PHI (ePHI).
Here are details of the top seven incidents, including two significant data breaches from 2015 that are still pending settlement.
Steph Weber is a freelance writer hailing from the Midwest. She writes about healthcare, finance, and small business, but finds her passion for the medical field growing in sync with the ever-changing healthcare laws.
Cornell Prescription Pharmacy, a Denver-based pharmacy specializing in compounded medications, was ordered to pay $125,000 due to improper disposal of paper medical records.
St. Elizabeth’s Medical Center (SEMC), a 252-bed community hospital located in Brighton, Mass., agreed to a $218,400 settlement in July of this year. The settlement involved breaches occurring in 2012 and 2014.
Cancer Care Group, P.C., a privately-owned radiation oncology group with more than 20 facilities in Central Indiana, was ordered to pay $750,000 in August 2015, due to failure to properly secure ePHI.
Lahey Hospital and Medical Center, a nonprofit teaching hospital located in Burlington, Mass., and associated with Tufts University, agreed to an $850,000 settlement in November 2015.
Triple-S Management Corporation (TSS), an insurance holding company and the largest medical insurance provider in San Juan, Puerto Rico, was ordered to pay $3.5 million due to multiple HIPAA breaches over the past five years.
This breach, reported in March 2015, involved a coordinated cyber-attack on the IT system of Anthem, which has several health insurance companies under its umbrella. The hackers, who have yet to be identified, accessed PHI of approximately 78 million current and former members and employees.
Similar to the Anthem cyber-attack, Premera Blue Cross also reported a breach of its IT systems in March 2015. It’s believed the sophisticated attack, affecting 11 million members, began in 2014, but Premera didn’t become aware of the issue until January 2015.