Hospital hit with $100K HIPAA bill

'Hospitals must put in place and enforce reasonable technological and physical security measures'
By Erin McCann
11:12 AM

HIPAA breaches not only damage your organization's reputation and create an administrative nightmare; they can also cost a pretty penny, as one Boston-based hospital is realizing this month. 

Beth Israel Deaconess Medical Center will now pay $100,000 to the state of Massachusetts after one of its physicians failed to follow the hospital's laptop encryption policy and an unencrypted laptop was stolen. 


The laptop, which contained the protected health information of nearly 4,000 BIDMC patients and employees, was the physician's own device rather than hospital-issued, state officials pointed out, but the hospital was aware the physician was using it for hospital work. 

[See also: Group slapped with $6.8M HIPAA fine.]

What's more, the theft occurred in May 2012, and the hospital did not notify patients of the HIPAA data breach until three months after the event. The federal HIPAA Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay, and in no case more than 60 days after the breach is discovered.

The $100,000 settlement includes a $70,000 civil penalty, $15,000 in attorney fees and associated costs and a $15,000 payment to educational programs related to protecting personal health information. 

"The healthcare industry's increased reliance on technology makes it more important than ever that providers ensure patients' personal information and protected health information is secure," Massachusetts Attorney General Martha Coakley said in a Nov. 21 statement. "To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures."

This is not the first time the state of Massachusetts has come down hard on privacy offenders. 

[See also: Groups hit with record $4.8M HIPAA fine.]

Just this past July, the state reached a $150,000 settlement with a Rhode Island hospital after it allegedly failed to safeguard patient information. The Women's & Infants Hospital of Rhode Island had notified 14,000 of its patients – some 12,000 of them Massachusetts residents – that it had lost 19 unencrypted back-up tapes containing Social Security numbers, dates of birth and medical information. 

Patient privacy offenders don't just face state penalties, however. There's also a laundry list of associated costs – breach notification, forensic investigation, legal fees, credit monitoring and lost business – that go into the price tag of a data breach. 

Healthcare organizations and business associates can expect to spend, on average, $810,000 per security breach, with some industry reports estimating an average economic impact of a whopping $2.4 million per breach. 

[See also: Healthcare data breaches on the rise, with potential $7B price tag.]

To date, some 41 million people have had their protected health information compromised in reportable HIPAA privacy or security breaches, according to data from the Department of Health and Human Services.