2018 Reflections

By Jason Silverstein, COO, PHIflow

With 2018 in the rear-view mirror, we’ve taken some time to reflect on key events of the last 12 months as we look ahead to 2019. Whether or not your organization actually experienced a data breach last year, it is very likely that breaches and privacy concerns were more top of mind than ever before. Let’s take a look at key events from 2018 and in our next post, we’ll dive into our predictions for 2019.


January: Let's begin! We started the year off with an Allscripts ransomware attack that paralyzed major health systems and medical practices.


February: The State of Colorado officially proposes a new 30-day breach reporting guideline, the first privacy-focused legislation of the year.


March: Office for Civil Rights (OCR) Director Roger Severino spoke at HIMSS and swore there will be “no slowdown in our enforcement efforts” and that OCR is “still looking for big, juicy and egregious HIPAA cases.” Well, he wasn’t lying!


April: We saw a $418K fine levied against Virtua Medical Group in NJ, but this wasn’t a fine from OCR. It was from the NJ Attorney General’s office. This isn’t the first time we saw state regulatory extension of HIPAA or HITECH enforcement, and it certainly won’t be the last.


May: Alexa, are you HIPAA Compliant? Time will tell, but as Amazon expands the digital assistant’s role in healthcare, the story of a major industry player announcing a focus on HIPAA compliance is a step in the right direction!


June: An HHS administrative judge rules against MD Anderson, leading to a $4.3M settlement with OCR for multiple HIPAA violations. MD Anderson admitted to not updating encryption policies since 2006 - cancer research data is still PHI!


July: The State of California, already a state with some of the strictest privacy laws in the US, announces a GDPR-style privacy law update.


August: Cyber security advisory firm Coalfire announces that Healthcare IT security is “the worst of any sector” when it comes to external security posture. Is this really news though?


September: Three Boston-based hospitals were implicated in a $999K OCR settlement for allowing an ABC film crew to film patients for a TV series.


October: OCR announces its largest HIPAA settlement ever, $16M, with Anthem.


November: HHS releases RFI seeking public input on improving HIPAA rules.


December: No BAA? Pay up! OCR announced $500K and $111K settlements against two organizations for each missing a single BAA!


2018 ushered in more than $25M in OCR fines, its biggest year ever, bringing total fines and settlements to over $100M since 2008. The last 3 years account for more than $68M.


Do you see a trend here?


Ask yourself some key questions and take steps to keep your organization out of the headlines in 2019:


Is your BAA house in order?

Do you know your breach notification times?

What does security incident mean to your organization?

Are your BAAs properly managed?


Stay tuned for our next post, Predictions for 2019!


PHIflow is a data and technology company combining artificial intelligence and legal expertise to help companies understand their HIPAA Business Associate Agreement (BAA) risks and requirements.

2019 © Copyright PHIflow LLC. All Rights Reserved.
