Authorities have become more strict in enforcing healthcare rules, and this has led to more frequent and costly fines for HIPAA violations. The Office for Civil Rights (OCR) amassed a total of $15m in fines in just the first seven months of 2016. Security and privacy will continue to be the main concerns in 2017. This is why managed service providers and IT consultants remain the go-to experts for preventing disaster.
Violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can lead to sanctions, civil money penalties and even criminal penalties. The law protects patient information and medical records and ensures healthcare providers comply with security and privacy rules. Here are a few reasons why HIPAA is so important, both to medical professionals and patients:
- HIPAA prevents identity theft, by ensuring medical providers do not disclose patient information;
- Patients have complete, unrestricted access to a copy of their personal medical records;
- HIPAA protects patient confidentiality and ensures that every healthcare institution has a compliance department.
HIPAA fines start from a minimum of $100 per violation and go up to $50,000 per violation, when the infraction happened unknowingly. The fines are a minimum of $50,000 for cases of willful neglect, and cap at an annual $1.5 million. If we look back just a few years, we can find cases where organizations paid millions in fines. It’s cases like these that show the ever-growing importance of business continuity strategies and data breach prevention.
Below we’ve rounded up some of the most costly HIPAA fines paid in history.
Advocate Health Care (AHC) Settles Penalties for $5.5m
One of the latest cases settled by the OCR is also the most costly payment ever recorded. Advocate Health Care Network (Advocate) agreed to a settlement of $5.5m in 2016 after an investigation showed it had failed to protect patient data. AHC lost data for almost 4 million patients in 2013, after one of its employees left an unencrypted laptop in an unlocked car overnight. The company had not conducted a risk assessment of its systems or implemented basic safeguards for its electronic records.
New York-Presbyterian Hospital and Columbia University Pay $4.8m
New York-Presbyterian Hospital and Columbia University, which share a data network, also had to settle a case for the incredible amount of $4.8m. The two institutions lost vital information for thousands of their patients during a data breach in 2014. According to authorities, a physician attempted to deactivate a personally owned computer server on the network that contained patient data. Because of a lack of technical safeguards, patients’ records ended up on internet search engines. Data for 6,800 individuals was disclosed, including patient status, vital signs, medications, and laboratory results. According to an HHS press release, the entities learned of the breach after a complaint by an individual who found their deceased partner’s records on the internet.
Cignet Health Found Guilty of Willful Neglect, Pays $4.3m in Fines
In 2010, the OCR found that Cignet Health of Prince George’s County, Maryland, violated patients’ rights after it failed to respond to requests for medical records. The company paid $1.3m for HIPAA violations that occurred in 2008 and 2009: 41 patients asked for their health records and did not receive a response. Healthcare institutions must provide patients with their records within 30 days from the date of the request. According to the OCR, the company also failed to cooperate with the Office for Civil Rights during the investigation, and ended up with another $3m in fines for willful neglect.
Triple-S Pays $3.5m For Multiple Data Breaches
The Triple-S Management Corporation found itself in triple trouble after multiple complaints were lodged about non-compliance with HIPAA regulations. The insurance holding company settled on behalf of its subsidiaries based in San Juan, Puerto Rico, in 2015. According to the U.S. Department of Health and Human Services (HHS), they agreed to pay $3.5m and begin corrective measures for the issues found.
University of Mississippi Medical Center Settles for $2.75m
The University of Mississippi Medical Center had to settle for multiple HIPAA violations in 2016. An investigation that started in 2013 showed that a password-protected laptop was missing from the medical center’s intensive care unit; the laptop had apparently been stolen by a patient. The investigation revealed that the network drive was vulnerable to unauthorized access via the wireless network: users could reach an active directory holding records of an estimated 10,000 patients with a generic username and password. The total bill for the University was $2.75m.
Make Sure You’re Not The Next Record Breaker
All these cases and many more show exactly how important compliance is in regulated industries. There is no excuse for neglecting to implement policies that can prevent privacy violations or downtime.
When it comes to compliance standards, there is no one-size-fits-all approach. This is why companies must always look after their own best interests and partner with IT professionals who can handle risk assessment and risk management in their field.
We’ve put together a comprehensive guide with compliance resources, so you can avoid hefty fines like the ones above!