How To Get Fined $500k+ For Sloppy Paperwork

Home/Insights & Impact/How To Get Fined $500k+ For Sloppy Paperwork

How To Get Fined $500k+ For Sloppy Paperwork

In September, a Rhode Island hospital agreed to pay $550,000 in fines for what could be viewed as sloppy paperwork. They were investigated by the U.S. Department of Health and Human Services Office of Civil Rights (OCR) following the loss of unencrypted backup tapes that contained patient data. The fines resulted because this hospital failed to update the Business Associate Agreement it had in place with their IT service provider.

Several points to make in response to this latest HIPAA enforcement action:

  1. HHS-OCR is no longer messing around with enforcement threats. They are under political pressure to actually enforce, and they are. Even small organizations are now being investigated and heavily fined.
  2. Documentation and effort are critical for avoiding what happened to this hospital. OCR wants to see that a “reasonable” effort has been made to document steps taken to protect PII (security assessment, awareness training, policies & procedures, etc.). Without it, you will be on thin ice if an investigation occurs.
  3. If you use an IT service provider to manage data backup, there should be no (good) reason why they are not encrypting the sensitive information. The reality is that most do not, especially when the data is backed up to tape. Insist they do, or at least ask them to explain why they are not.

More details on this story can be found here.

About the Author:

Joe McGrattan oversees strategy and business development for Triple Helix. For nearly three decades, he has been helping companies leverage technology and their data to conduct business more effectively in a digital economy. This includes building strategic-level alliances with non-tech professional services firms whose clients are demanding more information management and technology-related guidance from them. Joe’s blog contributions focus on business-oriented advice to companies on how to take advantage of their data to run smarter, faster, leaner and more securely. He can be reached at or found on LinkedIn.