Another State Fine for a HIPAA Security Breach: HIPAA & HITECH Act Blog by Jonathan P. Tomes

As we’ve previously noted in this blog, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“DHHS”), the Federal Trade Commission (“FTC”), and the Department of Justice (“DOJ”) (for criminal violations) are not the only entities enforcing HIPAA. Various state agencies and professional organizations have also done so.

Recently, the New York Attorney General fined the Arc of Erie County $200,000 for having violated the HIPAA Security Rule by failing to secure the electronic protected health information (“EPHI”) of its clients. For two and a half years, unauthorized personnel from overseas had accessed EPHI on its website.

Arc of Erie County is a Buffalo-based not-for-profit that provides services to people with developmental disabilities and their families. The exposed client data included full names, Social Security numbers, gender, race, primary diagnosis codes, IQs, insurance information, addresses, phone numbers, dates of birth, and ages. Using any search engine, unauthorized persons could and did find a results page with links to spreadsheets containing clients’ sensitive information. The webpage was intended only for internal use and was supposed to be protected by a log-in requirement. The report also found that unknown individuals outside the country had accessed the links to the sensitive information on many occasions. Arc did notify affected clients and purchase one year of LifeLock identity-theft protection for them, or the fine might have been greater.

Besides the fine, the settlement required Arc to implement a corrective action plan (“CAP”): to conduct a thorough analysis of the security risks and vulnerabilities of all of its electronic equipment and data systems and to submit a report of those findings to the Attorney General’s Office within 180 days of the settlement. The organization must also review and revise its policies and procedures based on the results of that assessment and notify the Attorney General’s Office of any action that it takes.

The takeaway from this blog item is that just avoiding a DHHS or other federal action doesn’t mean that you are home free. More and more state agencies and other entities are enforcing HIPAA: all the more reason to get compliant and stay compliant.

Alice here. If you need help getting and staying HIPAA compliant, we invite you to consider using the compliance tools by Jon Tomes available on our website at

As always, thanks for reading Jon’s blog, including this one about another state fine for a HIPAA security breach, and remember to contact us if you need HIPAA compliance help. Make sure that you conduct a thorough written risk analysis of your website and your EPHI. Also, make sure that your policies and procedures address all of the issues that arise in your risk analysis.

If you need help with drafting/updating/implementing your policies on this and other issues, you can find the help that you need in the book by Jonathan P. Tomes, The Complete HIPAA Policies and Procedures Guide, with its accompanying CD of sample policies that you can easily make your own, available at

Finally, make sure that you train all of your workforce on the policies and procedures that apply to each workforce member and keep good written documentation of that training. Keep all of your written documentation of HIPAA compliance in a handy place so that you can hand all of it to the feds or state officials or professional credentialing organizations whenever they come to call. We recommend Jon’s Your Happy HIPAA Book to do just that. It’s available at

You may want to keep two sets of HIPAA compliance records in case the feds take one and you need another for a state or other agency.

Also, please note that Jon Tomes is presenting a live webinar tomorrow, Thursday, September 13, 2018, at 10:00 am PDT, 01:00 pm EDT, for 60 minutes on the topic “HIPAA Breach Notification Rule – What you must do to Comply.” Breach notification to the individual and to DHHS is a key component of HIPAA compliance. Failing to do it properly can result in a seven-figure civil money penalty and is one of the key issues that DHHS audits for in the ongoing Phase II audits. You can sign up for the webinar through Online Compliance Panel at
