The penalties for violating HIPAA
Almost two-thirds of data breaches involved a business associate, meaning that you delegated a covered function or activity to someone, and that someone messed up. So pick your partners carefully. Some of the largest breaches reported to HHS have involved business associates. As a result, the final omnibus rule expanded many of the requirements to business associates and greatly enhanced the government’s ability to enforce the law.
What sort of penalties are we talking about? Check out this chart with fines levied in years past:
Entity Fined | Fine | Violation |
---|---|---|
CIGNET | $4,300,000 | Online database application error. |
Alaska Department of Health and Human Services | $1,700,000 | Unencrypted USB hard drive stolen, poor policies and risk analysis. |
WellPoint | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to a software upgrade. |
Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen. |
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen, poor risk analysis, policies. |
Affinity Health Plan | $1,215,780 | Returned photocopiers without erasing the hard drives. |
South Shore Hospital | $750,000 | Backup tapes went missing on the way to contractor. |
Idaho State University | $400,000 | Breach of unsecured ePHI. |
Shasta Regional Medical Center | $275,000 | Inadequate safeguarding of PHI from impermissible uses and disclosures. |
Phoenix Cardiac Surgery | $100,000 | Internet calendar, poor policies, training. |
The Hospice of Northern Idaho | $50,000 | Breach of unsecured ePHI. Unencrypted laptop stolen, no risk analysis. |
Looking at this chart we can conclude that HHS does not like people storing unencrypted PHI on mobile devices. What we don’t see yet are fines levied against business associates. 2014 is the first year where business associates will be audited and fined. Smart money says that the first fines levied against business associates will be passed down toward the end of this year.
If this article makes you nervous, then this might be a good time to revisit your organization’s HIPAA compliance program. The good news is that not every PHI breach ends in a fine. If you can show that you have made a reasonable effort to comply with HIPAA then you may not be dinged.