Data on TX HIV/AIDS patients stolen

Recently, a low-level administrator in Texas' Harris County Hospital District inappropriately downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive. The drive was then stolen. Now, as investigators look into the incident, it seems likely that the administrator violated HIPAA when she downloaded the data, which includes the patients' complete files. Under HIPAA, the District could face a $100 fine per violation (though a $25,000 per year cap applies).

In response to the theft, the District has announced that it will allow patients affected by the breach to enroll in credit protection programs at its expense. Meanwhile, it has tightened up policies and procedures regarding the use of transportable media devices like flash drives, a spokesperson said.

The question now is whether the District will face HIPAA repercussions. Generally speaking, the federal government has done little to impose HIPAA fines. However, HHS recently fined Seattle's Providence Health & Services $100,000 for allowing unencrypted electronic protected health information to be lost or stolen in 2005 and 2006. The backup tapes, optical disks and laptops in question contained data on more than 386,000 patients.

To learn more about this incident:
- read this Houston Chronicle article
