Researchers at the University of Houston discovered that one of their online survey studies had been compromised by fraudulent responses. A large number of surveys poured in, with batches arriving at two-minute intervals. Other signs of the compromise included suspicious response content, unusual email addresses and patterns, responses submitted from outside the United States, and missing contact information.
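The indicators listed above (submissions arriving in tight bursts at a regular cadence, odd email addresses, out-of-country origin, missing contact details) can be turned into a simple scoring check run over a survey export. The script below is an added example, not code from the University of Houston study or from any survey platform; the response records, field names, the use of a `country` column in place of an IP geolocation lookup, and every threshold are assumptions chosen for illustration.

```python
"""Score exported survey responses for signs of fraudulent or automated submission.

Added example; the data and thresholds below are constructed, not from any study.
"""
import re
from collections import Counter
from datetime import datetime

# Hypothetical thresholds; tune them for the study being reviewed.
BURST_WINDOW_SECONDS = 120   # submissions no more than two minutes apart
BURST_MIN_SIZE = 3           # how many such submissions make a burst
FLAG_THRESHOLD = 3           # signals needed before a response is flagged

# Constructed sample export. `country` stands in for an IP geolocation result.
SAMPLE_RESPONSES = [
    {"id": 1, "submitted": "2023-05-01T10:00:05", "email": "jane.doe@example.org",
     "country": "US", "phone": "555-0100", "free_text": "I exercise three times a week."},
    {"id": 2, "submitted": "2023-05-01T11:30:00", "email": "mark.lee@example.com",
     "country": "US", "phone": "555-0101", "free_text": "Mostly weekends, hiking."},
    {"id": 3, "submitted": "2023-05-01T14:00:00", "email": "xk7q9p2m4481@example.net",
     "country": "RU", "phone": "", "free_text": "good"},
    {"id": 4, "submitted": "2023-05-01T14:02:00", "email": "bq3z8t1r9033@example.net",
     "country": "CN", "phone": "", "free_text": "good"},
    {"id": 5, "submitted": "2023-05-01T14:04:00", "email": "zr5hm2kq7751@example.net",
     "country": "NG", "phone": "", "free_text": "good"},
    {"id": 6, "submitted": "2023-05-01T14:06:00", "email": "p4wnj9s6124@example.net",
     "country": "US", "phone": "", "free_text": "good"},
    {"id": 7, "submitted": "2023-05-01T16:00:00", "email": "amy@example.org",
     "country": "CA", "phone": "555-0102", "free_text": "Yoga in the mornings."},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def suspicious_email(email):
    """Heuristics for bot-style addresses: missing or malformed, a run of
    four or more digits, or a long local part with no vowels (random strings)."""
    if not email:
        return True
    local, _, domain = email.partition("@")
    if not domain or "." not in domain:
        return True
    if re.search(r"\d{4,}", local):
        return True
    if len(local) >= 8 and not re.search(r"[aeiou]", local, re.I):
        return True
    return False


def burst_ids(responses):
    """Ids of responses that arrived in a cluster: at least BURST_MIN_SIZE
    submissions, each following the previous by at most BURST_WINDOW_SECONDS."""
    ordered = sorted(responses, key=lambda r: parse_ts(r["submitted"]))
    flagged = set()
    cluster = ordered[:1]
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (parse_ts(cur["submitted"]) - parse_ts(prev["submitted"])).total_seconds()
        if gap <= BURST_WINDOW_SECONDS:
            cluster.append(cur)
        else:
            if len(cluster) >= BURST_MIN_SIZE:
                flagged.update(r["id"] for r in cluster)
            cluster = [cur]
    if len(cluster) >= BURST_MIN_SIZE:
        flagged.update(r["id"] for r in cluster)
    return flagged


def score_responses(responses, home_country="US"):
    """Return {id: (signal_count, [reasons])} for every response."""
    bursts = burst_ids(responses)
    text_counts = Counter(r.get("free_text", "").strip().lower() for r in responses)
    results = {}
    for r in responses:
        reasons = []
        if r["id"] in bursts:
            reasons.append("arrived in a burst of submissions")
        if suspicious_email(r.get("email")):
            reasons.append("suspicious or missing email address")
        if r.get("country") != home_country:
            reasons.append(f"submitted from outside {home_country}")
        if not r.get("phone"):
            reasons.append("missing contact phone")
        text = r.get("free_text", "").strip().lower()
        if text and text_counts[text] > 1:
            reasons.append("free-text answer duplicated across responses")
        results[r["id"]] = (len(reasons), reasons)
    return results


def flagged_ids(responses, threshold=FLAG_THRESHOLD):
    """Ids whose signal count meets the threshold, for manual review."""
    scores = score_responses(responses)
    return sorted(i for i, (count, _) in scores.items() if count >= threshold)


if __name__ == "__main__":
    for rid, (count, reasons) in score_responses(SAMPLE_RESPONSES).items():
        print(rid, count, "; ".join(reasons))
    print("flagged for review:", flagged_ids(SAMPLE_RESPONSES))
```

Each signal on its own is weak (a single legitimate respondent abroad, or one person who skipped the phone field, is normal), so the check counts independent signals per response and only the combination is flagged; the burst check is what ties the suspicious records together as a batch rather than as isolated oddities.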
As new privacy laws and regulations are put forth at both the state and federal levels, every covered entity should work with competent counsel to develop policies and procedures for breach preparedness, avoidance, and response that are compliant with applicable laws and regulations.
The Office for Civil Rights usually has much less patience and understanding when the covered entity or business associate has not adopted required HIPAA policies and procedures, has not properly trained and retrained its employees (no less often than once per year), has failed to conduct required periodic enterprise-wide risk assessments, or has failed to investigate and report a breach in a timely manner.
With ransomware attacks a continuing threat to hospitals and health systems, the Office for Civil Rights is warning that, in addition to all the other headaches, such incidents can constitute a data breach under HIPAA: when ransomware encrypts electronic protected health information, the event is presumed to be a breach unless the entity can demonstrate a low probability that the information was compromised.
Oregon Health & Science University in Portland has agreed to settle potential Health Insurance Portability and Accountability Act violations with a $2.7 million payment after an investigation by the Office for Civil Rights found “widespread and diverse problems” at OHSU.
The large data breaches that compromise the protected health information of thousands of people are the ones that receive all the attention, but the smaller violations of the Health Insurance Portability and Accountability Act can be just as harmful, if not more so, to those involved.