This week we get in the Halloween spirit and share some scary stories that make you have those compliance nightmares.

Tech Support Company loses your encrypted PHI backup! They know HIPAA, right?

An IT company takes a backup of practice’s server that contained over 8000 patient files and records — spanning 8 years. Backup hard drive was not encrypted and taken to the IT company’s office to ship to a backup vendor. They LOST the HARD DRIVE somewhere along the way.

The doctor’s office realizes they have no HIPAA BAA with the IT company and had no idea that they didn’t make HIPAA security a top priority.

Passwords on a doctor’s stored on laptop – like ON the laptop!

Tech picks up doctor’s laptop for repair. Back at the office they open it and find 18 passwords taped to inside of the computer. Every single login he has to use was taped inside. Including the encryption key!

IT company terrified about the security controls the office is doing on their own. What more can they do to manage HIPAA Security for the doctor?

I am important so you should give me what I want right now!

Collection agency rep gets a call from a client – the doctor called directly, not their staff. The doctor had an account number for a patient they want the collection agency to look up some information for them.

No big deal until the collection agency rep realizes the account isn’t for any patient this doctor sees or has treated. The doctor wants information on a patient from ANOTHER doctor’s office they have as a client.

The rep does the right thing: Explain that an authorization is required from the patient to disclose anything according to HIPAA. They can call to get the other CE office to authorize the release or get authorization directly from the patient to the collection agency if there is some reason that is needed.

Doctor goes ballistic – I am important, give me what I want attitude. Rep sticks to their HIPAA guns and doesn’t disclose.

Doctor calls the VP of the collection agency with the complaint. The VP GIVES THE INFORMATION TO THE DOCTOR.

Be careful who you hang out with on Facebooooook!

A woman’s medical record was posted to a FB group called “Team No Hoes.” The info included her info along with her syphilis diagnosis.

When the lawsuit was filed it mentioned that one of the employees involved was the woman’s ex-boyfriend!  HIPAA Privacy rules will probably come up in THAT lawsuit!

Is Facebook really not reality!

Employee of a medical center posted a photo of a patient’s medical record with all identifying info visible. The comment with the photo. “Funny but this patient came in to cure her VD and get birth control.”

When FB comments said the employee’s post was a HIPAA violation the employee said

It will be a real patient that sues the hospital!  Wonder how many times the HIPAA Compliance Officers have had to hear this one over and over in their sleep!  It is probably like they are being haunted!!!

Happy Halloween!