HIPAA Blog

[ Thursday, February 15, 2024 ]


Employers can be Blamed for Bad Employees: I don't know of any HIPAA covered entity or legitimate business associate that actively pursues bad data policies.  Hospitals don't intentionally violate their patients' data privacy; physician offices don't operate with the goal of stealing their patients' data and selling it to hackers.  And when hackers do gain access and steal data, they usually encrypt the data and hold it hostage, forcing the HIPAA covered entity or business associate to pay to get the data back.  Thus, the hospitals and physicians and business associates are, in fact, victims of the bad guys.

But even though you're the victim of a bad actor, HIPAA requires covered entities to have taken reasonable steps to keep those bad actors out; failing to do so is a punishable offense.  NYC's Montefiore Medical Center learned that lesson the hard way, to the tune of $4,750,000.  Montefiore first learned about its issue from the police: someone had stolen the identity of one of its patients.  Montefiore's investigation uncovered that one of its employees had stolen the data of over 12,000 patients and sold it to ID thieves.  Stealing data was not the employee's job; in fact, it was against Montefiore's policies and employee handbook.

So, Montefiore was the victim of a bad employee.  However, the ensuing investigation brought into question whether Montefiore had done enough proactively to discover, deter, and prevent the thefts from occurring in the first place.

The linked press release is actually a pretty good compendium of OCR guidance and information that entities subject to HIPAA can use to check whether their security posture leaves them exposed to becoming a hacker's victim and then paying a big OCR fine on top of it.  If you can't produce a hard-copy document of your most recent security risk analysis, and can't show how your organization has adopted "recognized security practices," you are much more likely to be paying OCR someday.

Jeff [3:20 PM]
