Lessons from Texas Hospital Data Breach: Don’t Let This Happen to You


Imagine this: You’re the CEO of a hospital who just found out you have to notify 277,000 patients that their protected health information has been compromised in one of the largest HIPAA privacy breaches to date.

Now imagine you’re the document-shredding vendor responsible for destroying the microfilms containing that confidential patient information. For some reason, the microfilms were not destroyed as agreed in your contract with the hospital, and some were instead found in public locations.

Both of these situations are very real for Texas Health Harris Methodist Fort Worth hospital and Shred-It, the vendor it hired to destroy old medical records. They are both liable and face steep fines and penalties under the HIPAA Privacy, Security, Enforcement and Breach Notification Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The Department of Health and Human Services (HHS) has stepped up investigations of HIPAA violations. In 2012, the HHS settled with five covered entities (healthcare providers, etc.) for amounts ranging from $50,000 to $1.7 million. Until recently, the HIPAA Privacy and Security Rules have focused on health care providers, hospitals, health plans and other entities that process health insurance claims. However, the HIPAA Omnibus Rule that went into effect this year expands many of the requirements to business associates of these entities, including vendors and subcontractors who have access to protected health information.

Not sure if your company is in compliance with the new law? Read my previous blog post to learn more about the HIPAA Omnibus Rule, and contact me if you have questions about safeguarding protected health information. Our information security and compliance team can provide risk assessments, security training and guidance on HIPAA and HITECH.

Download our healthcare data breaches white paper for additional information.


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
