Are HIPAA Fines Real?

They Weren't for a Long Time.  That All Changed in Late 2013.

More than a decade went by with little mention of fines because there was a lack of clarity in the government as to who and how to enforce.  But at the end of 2013, all of that changed dramatically.  The U.S. government enacted the Omnibus Rule.  In a nutshell, this rule finally empowered a government agency - the Office for Civil Rights (OCR) - to actively seek out and fine HIPAA violations.

Since that time, the government has demonstrated that it will not discriminate, assessing extremely steep financial penalties for everyone, ranging from massive health systems to small practices.  They have not even been shy about fining other government entities, universities and non-profits.

Further, the government has hired an army of HIPAA investigators and is actively working with state's attorney general offices to train local personnel as well.  It's a different situation today.

A Range of Violations and Penalties from 2016

Advocate Health Care (Downers Grove, Ill):  $5.5 million and corrective action plan

  • Nearly 4 million people with compromised ePHI data

  • Stolen laptops from an office and, in a separate instance, laptop stolen from an employee's vehicle.  Each laptop had ePHI stored locally on the laptop’s hard drive

  • Data breach when a business associate accessed Advocate’s network

 

Feinstein Institute for Medical Research (Manhasset, N.Y.): $3.9 million and corrective action plan

  • ePHI breach of nearly 13,000 patients and research participants

  • Stolen laptop from an employee's car

  • The OCR “determined Feinstein's security management processes to be incomplete and insufficient to address potential risks and vulnerabilities of electronic PHI, including failure to restrict access to unauthorized users and a lack of policies and procedures to govern the removal of laptops out of its facilities.” (Becker’s Health IT & CIO Review, March 18, 2016)

 

Raleigh Orthopaedic Clinic (Raleigh, NC): $750,000 and corrective action plan

  • Breach of 17,300 patient’s PHI

  • Failure to execute a business associate agreement prior to turning over patient's’ PHI to a potential business partner

 

Adult & Pediatric Dermatology, P.C. (Concord, MA): $150,000 and corrective action plan

  • The 12-physician pediatric and adult dermatology practice group lost an unencrypted flash drive containing protected health information

  • The thumb drive contained information from roughly 2,200 patients

© 2019 iCoreConnect Inc. All rights reserved.

Terms of Use.
End User License Agreement

888.810.7706