The Department of Health and Human Services reports that almost 30 million individuals’ personal health information has been compromised in a security breach. In the last year alone, HIPAA-covered entities and business associates have paid a total of $3.7 million to settle HIPAA violations.
While HIPAA privacy and security breaches can be extremely expensive, there’s also state privacy laws to consider. In fact, Stanford Hospital and Clinics may be required to pay out $4.1 million as a result of a class action settlement. The settlement comes after Stanford Hospital and Clinics violated California’s medical privacy law in 2010.
How Did Stanford Hospital and Clinics Violate California’s Medical Privacy Law?
In 2010, the medical group’s business associate, Multi-Specialty Collection Services, posted 20,000 patients’ protected health information (PHI) on Student of Fortune, a website that helps students with their homework. The confidential information, which was contained in a spreadsheet, remained on the website for almost an entire year. While the confidential information didn’t include social security numbers, patient names and diagnoses were involved.
Stanford Hospital and Clinics claimed the information was encrypted and sent to Multi-Specialty Collections Services. According to the medical group, Multi-Specialty Collection Services was responsible for protecting the patient information, however, this is the medical group’s fifth HIPAA breach to date. More importantly, 4 out of 5 HIPAA breaches resulted from stolen unencrypted laptops.
After Stanford Hospital and Clinics notified the patients, a class action lawsuit was filed against the medical group and its business associate. Shana Springer, one of the 20,000 patients, filed the 4class action lawsuit in September 2011.
“It should be no surprise that when patients are treated at Stanford’s facilities, they expect that their private medical information will be kept confidential and will not be disclosed to anyone without their authorization,” Shana’s original complaint explained. Unfortunately, the patients’ private medical information wasn’t as confidential as they thought.
How Can HIPAA-Covered Entities Protect Patients’ ePHI?
According to HIPAA, covered entities must follow these steps:
- 1. Conduct a risk analysis: Identify all ePHI and determine the risks and vulnerabilities to ePHI.
- 2. Mitigate the Risks: Develop a plan to mitigate the risks and vulnerabilities to ePHI, then implement safeguards.
- 3. Update Policies and Procedures: Update policies and procedures on a regular basis to ensure HIPAA compliance.
Stanford Hospital and Clinics experienced 4 data breaches as a result on unencrypted laptops. If the medical group conducted a risk analysis and implemented appropriate safeguards, including encryption, those data breaches wouldn’t have occurred. It’s absolutely critical to encrypt all ePHI stored on company devices.
To learn more about Stanford Hospital and Clinic’s latest data breach, give us a call at (415) 963-9900 or send us an email at firstname.lastname@example.org. Tech Officers can help you ensure state privacy law and HIPAA compliance.