HIPAA VIOLATIONS
HOW THEY HAPPEN; WHAT THEY COST
Examples of recent provider settlements with HHS's Office for Civil Rights (OCR) because of HIPAA breaches of ePHI:

WHAT THEY COST

$4,800,000: A lack of "technical safeguards" caused ePHI to become searchable on the internet when a physician tried to deactivate a personally-owned computer server from the network.

$1,975,220: The theft of an unencrypted laptop led to a wider investigation that found the provider was aware of the "critical risk" of unencrypted laptops, desktops, tablets and other devices, but did not mitigate that risk.

$1,700,000: Among other violations, the provider failed to have "technical safeguards" in place to verify the identity of the individual seeking access to ePHI.

$1,700,000: A portable electronic storage device "possibly" containing ePHI was stolen from a user's vehicle, initiating a wider investigation.

$1,500,000: A total of 57 unencrypted computers were stolen from a provider's leased facility.

HOW THEY HAPPEN

88% INVOLVE ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI) (including not encrypted and/or not password-protected electronic equipment)

[Chart: breakdown of how breaches happen]
49%  PHYSICAL THEFT OF ELECTRONIC EQUIPMENT WITH UNPROTECTED DATA (disk drives, desktops, laptops, and smartphones not encrypted and/or not password-protected)
16%  UNAUTHORIZED ACCESS/DISCLOSURE
14%  PHYSICAL LOSS OF ELECTRONIC EQUIPMENT (not encrypted and/or not password-protected)
12%  OTHER
 9%  COMBINATION
HOW TO PROTECT YOURSELF
COLLECT AND ORGANIZE KEY DOCUMENTS
ENCRYPT EVERYTHING, NOT JUST THE DATA STORED ON SERVERS (ePHI encrypted in line with HHS guidance, with the key held separately from the device, is not "unsecured" PHI under the Breach Notification Rule, so loss or theft of such a device does not by itself trigger notification)
MAKE SECURITY A PRIORITY, SYSTEM-WIDE
KEEP YOUR POLICIES UP TO DATE
ESTABLISH AND DOCUMENT TRAINING AND TESTING REGIMENS
ESTABLISH A DISASTER RECOVERY PLAN
CONDUCT ROUTINE SELF-AUDITS
REVIEW THE COMPLETE OCR HIPAA AUDIT PROTOCOL REGULARLY
www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
DOWNLOAD THE FULL HIPAA COMPLIANCE CHECKLIST
www.diagnotes.com/hipaa-compliance-checklist
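The theft and loss categories above are the same control failing every time: a device left the building without full-disk encryption. The following self-audit script is an added example, not part of the infographic or the Diagnotes checklist. It assumes a Linux host where `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` is available and reports every mounted filesystem that is not backed by a dm-crypt (LUKS) device; the embedded lsblk JSON is constructed so the script runs offline. The function names, the exempt mountpoint list and the sample data are this example's own choices.

```python
"""
Endpoint encryption self-audit (added example; not the page's own code).

Parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on Linux
and flags every mounted filesystem (swap included, since ePHI can be paged to
it) that does not sit underneath a device of type "crypt". A constructed sample
of that JSON is embedded so the script runs offline; on a real host, pipe the
lsblk output on stdin or call audit_host().
"""
import json
import subprocess
import sys

# Constructed sample lsblk output (not captured from a real host): a LUKS-backed
# root volume, an unencrypted data disk mounted at /data, and plaintext swap.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"},
       {"name": "sdb2", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
     ]}
  ]
}
"""

# Mountpoints that are skipped: the EFI system partition and /boot must be
# readable by firmware/bootloader and hold no ePHI; None means "not mounted".
EXEMPT_MOUNTPOINTS = {"/boot/efi", "/boot", None}


def walk(devices, encrypted=False):
    """Yield (name, fstype, mountpoint, encrypted) for every node in the lsblk
    tree. "encrypted" becomes True at a node of type "crypt" and stays True for
    everything stacked on top of it (e.g. LVM volumes inside a LUKS container)."""
    for dev in devices:
        is_crypt = encrypted or dev.get("type") == "crypt"
        yield dev["name"], dev.get("fstype"), dev.get("mountpoint"), is_crypt
        yield from walk(dev.get("children", []), is_crypt)


def find_unencrypted_mounts(lsblk_json):
    """Return a list of {device, fstype, mountpoint} for every mounted
    filesystem that has no dm-crypt ancestor."""
    tree = json.loads(lsblk_json)["blockdevices"]
    findings = []
    for name, fstype, mountpoint, encrypted in walk(tree):
        if mountpoint in EXEMPT_MOUNTPOINTS:
            continue
        if not encrypted:
            findings.append({"device": name, "fstype": fstype, "mountpoint": mountpoint})
    return findings


def audit_host():
    """Run lsblk on this machine (Linux only) and return its findings."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_unencrypted_mounts(out)


if __name__ == "__main__":
    # Pipe real lsblk JSON on stdin; with no stdin, audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK_JSON
    findings = find_unencrypted_mounts(data)
    for f in findings:
        print(f"UNENCRYPTED  {f['device']:<10} {f['fstype'] or '-':<12} {f['mountpoint']}")
    sys.exit(1 if findings else 0)
```

Run it as `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT | python3 encryption_audit.py` from a fleet-management job and treat a non-zero exit as an audit finding. On the constructed sample it reports /data and swap and stays quiet about the LUKS-backed root. The equivalent checks on other platforms are `manage-bde -status` (BitLocker, Windows) and `fdesetup status` (FileVault, macOS); a device that passes none of these is exactly the "unencrypted laptop" in the settlements above.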
Diagnotes® is a HIPAA-compliant communication platform that helps healthcare
organizations improve communication among providers, patients and staff. To learn more
about how Diagnotes can help solve your communication challenges, visit our website
at www.diagnotes.com or call 317-395-7080.
116,000+