Are HIPAA Fines Real?
They Weren't for a Long Time. That All Changed in Late 2013.
More than a decade went by with little mention of fines because there was a lack of clarity in the government as to who should enforce HIPAA and how. But at the end of 2013, all of that changed dramatically. The U.S. government enacted the Omnibus Rule. In a nutshell, this rule finally empowered a government agency - the Office for Civil Rights (OCR) - to actively seek out and fine HIPAA violations.
Since that time, the government has demonstrated that it will not discriminate, assessing extremely steep financial penalties for everyone, ranging from massive health systems to small practices. They have not even been shy about fining other government entities, universities and non-profits.
Further, the government has hired an army of HIPAA investigators and is actively working with state attorney general offices to train local personnel as well. It's a different situation today.
A Range of Violations and Penalties from 2016
Advocate Health Care (Downers Grove, Ill): $5.5 million and corrective action plan
Nearly 4 million people with compromised ePHI data
Laptops stolen from an office and, in a separate instance, a laptop stolen from an employee's vehicle. Each laptop had ePHI stored locally on its hard drive
Data breach when a business associate accessed Advocate’s network
Feinstein Institute for Medical Research (Manhasset, N.Y.): $3.9 million and corrective action plan
ePHI breach of nearly 13,000 patients and research participants
Stolen laptop from an employee's car
The OCR “determined Feinstein's security management processes to be incomplete and insufficient to address potential risks and vulnerabilities of electronic PHI, including failure to restrict access to unauthorized users and a lack of policies and procedures to govern the removal of laptops out of its facilities.” (Becker’s Health IT & CIO Review, March 18, 2016)
Raleigh Orthopaedic Clinic (Raleigh, NC): $750,000 and corrective action plan
Breach of 17,300 patients' PHI
Failure to execute a business associate agreement prior to turning over patients' PHI to a potential business partner
Adult & Pediatric Dermatology, P.C. (Concord, MA): $150,000 and corrective action plan
The 12-physician pediatric and adult dermatology practice group lost an unencrypted flash drive containing protected health information
The thumb drive contained information from roughly 2,200 patients