Here are five HIPAA settlement agreements reached in the tail end of 2015 and in 2016 thus far.
1. In 2012, CompletePT Pool & Land Physician Therapy in Los Angeles posted online patient testimonials including full names and photos. HHS' Office for Civil Rights received a complaint alleging the physical therapy practice did not receive proper authorization to disclose protected health information. The practice agreed to pay $25,000 to settle the HIPAA violation allegations. CompletePT Pool & Land Physician Therapy will also implement a corrective action plan and report compliance efforts for a one-year period.
2. Lahey Hospital and Medical Center in Burlington, Mass., agreed to pay $850,000 to settle potential HIPAA violations with HHS' Office of Civil Rights for a 2011 data breach. In August 2011, a laptop that accompanied a portable CT scanner was stolen from an unlocked treatment room. The laptop operated the scanner and produced images for Lahey's radiology information system and picture archiving and communication system. The hard drive on the laptop contained protected health information of 599 individuals.
3. Lincare, a respiratory care company based in Clearwater, Fla., was ordered to pay $239,800 in civil monetary penalties in relation to a HIPAA violation. On Feb. 3, an HHS Administrative Law Judge ruled in favor of the OCR's action to seek civil monetary penalties. The OCR began an investigation following a complaint that a Lincare employee removed documents containing protected health information from the company's office, left the information exposed and then abandoned it.
4. Insurance holding company Triple-S, based in San Juan, Puerto Rico, will settle HIPAA violation allegations by paying HHS a $3.5 million fine. HHS' Office of Civil Rights started investigations into Triple-S after the payer reported multiple breach notifications. The OCR's investigations determined widespread noncompliance throughout Triple-S' subsidiaries, such as failing to implement appropriate safeguards to protect beneficiaries' protected health information, disclosing more PHI than necessary to carry out mailings and failing to conduct accurate and thorough risk analyses, among others.
5. University of Washington Medicine, based in Seattle, agreed to settle HIPAA violation allegations. The settlement includes a $750,000 payment, a corrective action plan and yearly reports on UW Medicine's HIPAA compliance efforts. In 2013, HHS' Office for Civil Rights launched an investigation into UW Medicine after the health system reported a data breach affecting approximately 90,000 individuals. A UW Medicine employee had downloaded an email attachment containing malicious malware, which compromised the organization's IT system.