HIPAA: the lurking threat to every specialty pharmacy.
That's a provocative statement, but one that rings all too true.
Each year we hear of yet another SP that gets targeted for a HIPAA violation that, more often than not, has resulted in costly fines.
The news report below details yet another lawsuit for a HIPAA violation by a leading specialty pharmacy. Best efforts to prevent all data breaches are nearly impossible to guarantee, but they can be useful in mitigating the scope of the breach and even the fines that are assessed.
Here are some factoids that are worth remembering:
· The largest HIPAA fine paid in the past five years was $16 million by Anthem due to insufficient ePHI Access Controls.
· The smallest fine last year, $65,000, was paid this past December by an ambulance company.
· A $100,000 fine was assessed on a company that had closed a year prior.
· The largest fine paid by a pharmacy, $125,000, was for failure to properly dispose of paper records containing PHI.
· Between 2009 and 2018 there have been 2,546 healthcare data breaches (involving more than 500 records). Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States.
· Fines and consequences can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.
· The Office for Civil Rights, a division of the Department of Health and Human Services (HHS), is responsible for HIPAA oversight.
Top 10 Most Common HIPAA Violations
1. Keeping Unsecured Records
2. Unencrypted Data
4. Loss or Theft of Devices
5. Lack of Employee Training
6. Gossiping / Sharing PHI
7. Employee Dishonesty
8. Improper Disposal of Records
9. Unauthorized Release of Information
10. 3rd Party Disclosure of PHI (e.g., Business Associate)
Florida Pharmacy Services Sued Over HIPAA Violations
The Middle District of Florida has filed a case against BioPlus Specialty Pharmacy Services. The case is related to disclosure of data protected by the Health Insurance Portability and Accountability Act (HIPAA).
The plaintiff was a customer of the defendants; the complaint explained that as a result she provided Personally Identifiable Information (PII) and Personal Health Information (PHI) to the defendant pharmacy. This information included her name, address, and other information.
The complaint said that the defendant was obligated under HIPAA to protect this information which it utilized to process and fulfill pharmacy needs. However, the defendant reported that its network was subject to a data breach and the information was retrieved by an outside party.
The plaintiff accuses the defendant of maintaining insufficient network security and failing to timely notify the potential class of victims of the data breach.
The plaintiff is seeking class certification and suing for negligence and declaratory judgment. She is represented by Morgan & Morgan and Markovits, Stock & DeMarco LLC.