The University Medical Center (UMC) in Las Vegas is in hot water after it was discovered that at least one hospital employee has been leaking personal information of accident victims to local attorneys so that the lawyers could solicit the patients as clients. The breach of patient data violates federal HIPAA (Health Insurance Portability and Accountability Act) guidelines and could result in fines up to $1.5 million.
According to an article from the Las Vegas Review-Journal, the potential HIPAA fines are divided into four categories with a total maximum of $1.5 million:
- If the hospital shows it didn’t know about security leaks, even though it made a good-faith effort to ferret them out, it faces fines of $100 to $50,000 per violation.
- If the violation resulted from a reasonable cause with no willful neglect, the hospital could be fined $1,000 to $50,000 for each offense.
- If federal officials determine the hospital was negligent but fixed the problems within 30 days, the fines would run $10,000 to $50,000 per violation.
- If it takes longer than 30 days, the fines start at $50,000.
The hospital received fairly high marks from a county auditor for HIPAA compliance, but with a few notable flaws. The auditor identified patient records being left unattended, outgoing email containing sensitive information being transmitted without encryption, and, in some cases, no record of what information had been disclosed to third parties. Any of these data protection weaknesses could come back to haunt UMC, both in the federal investigation and fines and in any subsequent civil suits arising from the breach of confidentiality.
Health and medical institutions like UMC would benefit from tools that enforce data security policies, monitor and restrict the data sent to networked printers or saved to removable media, and scan and filter outbound email so that sensitive information is not transmitted unencrypted.