Is this a HIPAA Violation?

Test YOUR HIPAA Knowledge!


Case: https://www.linkedin.com/pulse/hipaa-danielle-kelley-msw-msj-candidate-840ec

A diagnostic medical imaging services provider based in Franklin, Tennessee was notified by the FBI that one of its FTP servers was publicly accessible, allowing search engines to index and expose the protected health information (PHI) of over 300,000 customers. This sensitive data included names, birth dates, and Social Security numbers.


The company notified its customers affected by the breach 147 days later.


Is this a HIPAA violation?

a) No. The company is not covered by HIPAA

b) No

c) Yes


Answer: Yes


OCR fine: $3 million


Reason: The Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules were violated. Under HIPAA's Breach Notification Rule, covered entities are required to notify affected individuals without unreasonable delay, and no later than 60 calendar days after discovering a breach of unsecured protected health information (PHI). Medical imaging companies are covered entities. Also, according to 45 CFR § 164.404(c), the notification must be written in plain language and include five key elements to ensure transparency and compliance.


What actually happened in this real HIPAA case:


The server was configured to allow anonymous connections to a shared directory containing files with patients' protected health information (PHI), including names, addresses, dates of birth, and Social Security numbers. Due to the lack of access controls, these files were indexed by search engines and could be found by the public with simple Internet searches. Even after the server was taken offline, patient information remained accessible online.


In addition to paying $3 million in penalties, the medical imaging company agreed to implement a corrective action plan, which included conducting an enterprise-wide risk analysis and implementing comprehensive policies and procedures to comply with HIPAA regulations.
