Enforcement of Alleged HIPAA Breaches

Posted by Catherine Cownie and Adam Freed on Monday, February 2, 2015

On January 5, 2015, the Indiana Attorney General reached a settlement with a former dentist over alleged violations of both state law and the Health Insurance Portability and Accountability Act (“HIPAA”). According to news reports, the dentist’s license to practice dentistry had been revoked in 2011 for allegations of fraudulent billing. In 2013, the former dentist hired a third-party company to dispose of his former patients’ records. Shortly after that, 63 boxes containing sensitive patient information were discovered in a church dumpster. The records included patient names, Social Security numbers, contact information, and medical histories, and pertained to over 5,600 patients treated between 2002 and 2007. This was the first such enforcement action by the Indiana Attorney General. The settlement required the former dentist to pay $12,000.

This settlement is an indication that the government will continue to step up its enforcement of alleged HIPAA breaches. To stay in compliance with the requirements of HIPAA, dentists and other health care providers must have an adequate written HIPAA compliance plan in place and have business associate agreements with any subcontractors. Subcontractors, such as the company hired by the dentist in the above-described case, must also have adequate compliance plans in place to maintain the privacy and security of protected health information. One of the most important things to remember is that it is not enough to simply have a written compliance plan—covered entities and business associates must actually comply with the safeguards contained in their plans. Covered entities contemplating the retention of a subcontractor should confirm that safeguards are in place before disclosing protected health information to that subcontractor.