Atlantic.Net Blog

Public Park PHI Featured on HIPAA Wall of Shame

Sam Guiliano
by Atlantic.Net (86 posts) under HIPAA Compliant Hosting

This article looks at the major HIPAA breaches of last year and at how your organization can avoid being held up by the federal government as an example of “what not to do.” Note that some of these organizations were not directly responsible for the breach, as was the case for a hospital in Fort Worth, Texas, that trusted the wrong shredding service with its files.

The topics we will cover include:

  • What is the Wall of Shame?
  • Most prominent 2013 cases
  • Analysis – Health records in a public park??
  • Tips to avoid the Wall
  • New business associate stipulations

What is the Wall of Shame?

Everyone in healthcare wants to avoid the HHS Office of Civil Rights’ Wall of Shame, where cases of noncompliance involving the records of 500 or more people are posted. Nevertheless, organizations that are reported by patients or audited by Health & Human Services continue to earn that ignoble designation.

The OCR has kept a running list of these high-volume HIPAA offenses for the past five years (although the list is somewhat absurd because it is sorted in reverse chronological order, so the companies featured at the top of the Wall of Shame are the first organizations found in violation of the law back in 2009).

Most prominent 2013 cases

Stephanie D. Willis and Kimberly Gold of Health Law & Policy Matters reported on the biggest breaches of 2013 early in the year. They also provided tips to stay compliant yourself.

The skinny

Last year, more than 150 breaches of 500+ patients’ records were published on the OCR website. All told, the Wall of Shame indicates that healthcare firms were responsible for the exposure of 6.8 million Americans’ protected health information (PHI).

Largest 2013 HIPAA breaches

Although there were a total of 160 large-scale breaches, the most devastating ones were concentrated at the top. In fact, seven out of every eight exposed patient records (88%) were the result of the five largest breaches:

  • Advocate Health and Hospitals Corporation – 4.0 million
  • Horizon Blue Cross Blue Shield of New Jersey – 840,000
  • AMHC Healthcare Inc. – 729,000
  • Texas Health Harris Methodist Hospital Fort Worth – 277,000
  • Indiana Family & Social Services Administration – 188,000

Analysis – Health records in a public park??

Healthcare regulations protect the privacy and security of patients, but their mandates are a source of stress and frustration for providers. In essence, HIPAA looks like a public means of controlling the private sector. However, the last item on the list above suggests that the federal government is at least making an effort to hold the public sector to the same security standard under HIPAA.

Three of the above cases came down to a lack of encryption: devices or computer files containing unencrypted medical records were stolen.

The other two cases were the fault of business associates (more on their responsibility below). One accidentally sent PHI to the incorrect recipient through a coding mistake.

The other did not properly dispose of microfiches of patient records, and this incident was kind of bizarre because it involved a public park. Texas Health Harris Methodist Hospital Fort Worth announced earlier this year that microfiche it had transferred to Shred-it for destruction was found in a local park by an uninvolved party on May 11. Microfiche was found in “two other public areas” as well, per a published report. Note that although Shred-it was responsible in this case, because it did not handle the microfiche as defined in its agreement with Texas Health Fort Worth, and although the health records were for patient appointments that took place between 1980 and 1990, the hospital still made the Wall of Shame.

Tips to avoid the Wall

According to Willis and Gold, three major lessons can be drawn from the top five HIPAA breaches of last year (essentially, correct the mistakes that were made):

  1. Always encrypt (as with our self-encrypting storage) – Note that in one case, the healthcare company had encrypted all of its laptops but not its desktops, and the latter were breached. The problem lies with unencrypted data: theft of encrypted data is not considered a violation.
  2. Know the location of records – If PHI goes to the wrong place (as in the coding-error incident above), you can conduct a risk assessment per 45 C.F.R. 164.402(2), provided you know the party to which the data was incorrectly sent.
  3. Require evidence from those who destroy – You want a documented policy of disposal procedures for hard-copy patient records. Get verification from the disposal organization to reduce your liability if it doesn’t hold up its end of the bargain.

New business associate stipulations

You may be aware that the HIPAA Final Omnibus Rule, which went into effect last fall, changed the playing field for covered entities and business associates. Business associates now have both contractual obligations to their covered entities and legal obligations to the federal government. In other words, your protection as a covered entity is enhanced by the government placing more pressure on business associates.
