Noncompliance with HIPAA can cost healthcare organizations dearly. If regulators discover willful violations of HIPAA Rules, multi-million-dollar fines are possible.
Fines for Noncompliance with HIPAA Rules
The Department of Health and Human Services’ Office for Civil Rights (OCR) is the primary enforcer of HIPAA Rules and investigates every reported data breach affecting 500 or more individuals. When a breach occurs, the breached entity will be required to provide evidence to OCR that the breach was not the result of a failure to comply with HIPAA Rules.
If insufficient documentation can be provided to demonstrate compliance, a full audit could be conducted to determine whether there has been willful neglect of HIPAA Rules. Where HIPAA Rules are found to have been violated, financial penalties may be considered appropriate. OCR increased the number of financial penalties it issued in 2015 and 2016, with several multi-million-dollar fines issued.
2016/2017 HIPAA Fines and Settlements
| Year | Covered Entity | Penalty Amount | Penalty Type | Reason |
|------|----------------|----------------|--------------|--------|
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| 2017 | Presence Health | $475,000 | Settlement | Delayed Breach Notifications |
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI |
Compliance with HIPAA Rules will not prevent every breach, but it does remove the separate exposure to penalties for noncompliance: an entity that can document a risk analysis, a risk management process and signed business associate agreements is in a very different position before OCR than one that cannot.
Class Action Lawsuits
The Ponemon Institute/IBM Security’s annual cost of a data breach study suggests the average cost of a data breach is now $3.62 million, with the cost per record calculated to be $380 for the healthcare industry.
Using the Ponemon Institute’s figures as a crude guide, the massive data breaches of 2015 – Anthem’s 78.8 million record breach; the 10 million record breach at Excellus BlueCross BlueShield; and the 11 million record breach at CareFirst BlueCross BlueShield – would imply breach costs of roughly $29.9 billion for Anthem, $4.2 billion for CareFirst, and $3.8 billion for Excellus. This is a linear extrapolation; the study’s per-record figure is derived from far smaller incidents, and the cost per record falls as breach size grows, so these numbers overstate the likely bill.
A class action lawsuit in which every victim of the breach received only $100 in restitution would leave Anthem facing a bill of almost $8 billion.
Fortunately for Anthem, the cost of resolving the class action lawsuits was nowhere near that high, but it was still considerable and broke records. Several class action lawsuits were filed in the wake of the breach, and the consolidated lawsuit has now been settled for $115 million, the largest settlement over a data breach in the United States to date. The settlement will be used to provide breach victims with two years of credit monitoring services.
Compliance with HIPAA Rules will not stop lawsuits from being filed after a data breach, but it will be harder for plaintiffs to prove there has been negligence.
Improvements to Security
Security must be improved after a data breach is experienced. The vulnerability that was exploited to gain access to data must be addressed, and new security controls will need to be implemented. Many companies have found that the cost of making such improvements is substantially higher after a data breach than it would have been had the same solutions been implemented beforehand. Post-breach is not the best time to be negotiating contracts with cybersecurity firms: the breached entity is under regulatory and public pressure to act quickly and is at a considerable disadvantage.
If healthcare organizations make reasonable efforts to ensure that HIPAA Rules are followed, and they invest in appropriate security solutions, many data breaches can be prevented and financial penalties from regulators can be avoided.