$200K New York HIPAA Fine Issued by Attorney General
A $200,000 fine has been issued for an alleged New York HIPAA violation perpetrated by a Buffalo-based behavioral health and social services nonprofit, Arc of Erie County. This is one of a series of HIPAA fines being levied by state Attorneys General, which have become increasingly common over the past few years.
HIPAA has historically been enforced by federal regulators from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Many HIPAA fines are still levied and issued by OCR each year. Any HIPAA violation that is reported to OCR has the potential to launch a federal HIPAA investigation.
However, in recent years a new precedent of HIPAA enforcement being levied on a state-by-state basis has become increasingly common–targeting unconventional organizations in the process. As a nonprofit, Arc of Erie County offers behavioral health and social services to people with developmental disabilities.
Arc of Erie Country, and other behavioral health and social services organizations like it, are considered covered entities under HIPAA regulation. A covered entity is any health care provider who creates protected health information (PHI) over the course of patient treatment. PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, medical records, insurance ID info, and more.
An investigation into Arc of Erie County found that PHI had been illegally accessible to the public since 2015–a HIPAA violation that affected 3,751 patients.
“The Arc of Erie County’s work serves our most vulnerable New Yorkers — and that comes with the responsibility to protect them and their sensitive personal information,” said New York State Attorney General, Barbara Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”
With more and more organizations being targeted for HIPAA fines in response to data breaches, this New York HIPAA settlement is only a sign of a trend that’s sure to continue. Behavioral health professionals are at particular risk of data breaches and HIPAA fines because of the sensitive nature of the PHI that they encounter every day.
Avoiding violations like the ones that led to this New York HIPAA fine are essential to keeping your patients’ sensitive health care data safe, especially if this trend in state-level HIPAA enforcement is to continue in the years ahead.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!