Welcome to our PhysicianTrends Blog.  We're here to talk about physicians and how they are changing in the midst of the most massive transformation in our healthcare system since Medicare.
Tuesday, 26 July 2011
DG Comfort

Are You Protecting Your Patients’ Files?

Written by  DG Comfort

The Patient Protection and Affordable Care Act (PPACA) may cause your office some headaches because of the “Patient Protection” aspects of the legislation. There have been high-profile cases recently, in which Cignet Health and Massachusetts General Hospital were hit with $4.3 million and $1 million fines, respectively, for federal HIPAA privacy and security violations. Donald L. Bradfield, senior counsel in the legal department of Johns Hopkins Health System, warns doctors and hospital compliance officers about the teeth that the HHS Office for Civil Rights (OCR), which enforces HIPAA regulations, seems to have found.

The bottom line: The OCR fines will bring more lawsuits, more fines, and more embarrassing press unless hospitals take compliance, risk assessments and incident planning seriously. “Human error will not excuse the institution,” Bradfield said. “Once onsite, OCR will not limit itself to the circumstances of the particular event but will range more broadly to other areas of HIPAA compliance.”

In a related story, Wellpoint will pay a $100,000.00 fine because it did not report a security breach that may have released the personal information of up to 32,000 members. Wellpoint will also be required to pay up to $50,000.00 to each affected member for any losses related to the security breach. Wellpoint was fined because it waited months before notifying Indiana officials about the security breach, not for the security breach itself. "This case should be a teaching moment for all companies that handle consumers' personal data: if you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general's office and consumers promptly," Attorney General Greg Zoeller said. "Early warning helps minimize the risk that consumers will fall victim to identity theft."

The PPACA mandates that doctors and hospitals maintain extensive medical records which are transparent to anyone who has authorization to view the files, especially the patient, yet charges the healthcare provider with providing the utmost security for these files. As a healthcare provider, you can be fined for not disclosing the Electronic Medical Records (EMR) to all other pertinent healthcare providers, insurance adjusters, and patient-authorized interested parties (attorneys). You can also get fined for disclosing the patient's medical records to any unauthorized persons or agencies, if the records get stolen or hacked.

As the person ultimately responsible for the security of your patients' medical records, you should have a policy in place, in writing, on how your office handles the security of these medical records. Doing so will not automatically mean that your patients' medical records will not get stolen or released to unauthorized persons, but it will help to minimize the chances of an occurrence.

All of the security breaches so far reported are due to low-tech thefts or errors. A stolen computer with patient files on the hard drive, a disgruntled employee releasing medical records, and human error in storage have been typical culprits of patient files being compromised. Diligence and training of staff seem to be the surest way to minimize the risk of your patients' medical records being compromised. This is truly a case where "an ounce of prevention is worth a pound of cure".

 

 

 

Last modified on Tuesday, 26 July 2011

 

 
