Does inadvertent disclosure of protected health information keep you up at night? It should. Unlawful disclosure, or allowing unauthorized access to protected health information, can be costly.
Since 2009, 65,000 breach reports, where protected health information is exposed or wrongfully accessed, have been filed with the Health and Human Services Office of Civil Rights. The vast majority of these breaches do not lead to any type of formal enforcement action. But the Office of Civil Rights has collected more than $15 million through its enforcement activities. For example, the Alaska Department of Health and Social Services paid $1.7 million due to a stolen USB device containing the personal health information of approximately 2,000 patients. The University of Idaho was zinged with a $400,000 fine due to a breach at a number of clinics. The latter case involved a firewall at a family practice clinic that was disabled for over 10 months, leading to the breach of protected health information for 17,500 patients.
According to Leon Rodriguez, Director of the Office of Civil Rights, “risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program. Proper security measures and policies help mitigate potential risk to patient information.”
So, prevention is the key. But if you have a breach, early notification to HHS is also important. As is early notification to your attorney. The vast majority of breaches do not lead to any type of enforcement action and even the most egregious situations are typically resolved with some sort of resolution agreement.