Noncompliance With HIPAA: Costs for Healthcare Organizations

Noncompliance with HIPAA can cost healthcare organizations dearly. If regulators discover willful violations of HIPAA Rules, multi-million-dollar fines are possible.

Fines for Noncompliance with HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA Rules and investigates all data breaches that impact more than 500 individuals. When a data breach is experienced, the breached entity will be required to provide evidence to OCR that the breach was not a result of the failure to comply with HIPAA Rules.

If insufficient documentation can be provided to demonstrate compliance, a full audit could be conducted to determine whether there has been willful neglect of HIPAA Rules. If HIPAA Rules are discovered to have been violated, financial penalties may be considered appropriate. OCR increased the number of financial penalties it issued in 2015 and 2016, with several multi-million-dollar fines issued.

2016/2017 HIPAA Fines and Settlements

| Year | Covered Entity | Penalty Amount | Penalty Type | Reason |
|------|----------------|----------------|--------------|--------|
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | Cardionet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| 2017 | Presence Health | $475,000 | Settlement | Delayed Breach Notifications |
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI |


Compliance with HIPAA Rules does not mean a healthcare organization will prevent all breaches, but it does ensure that penalties for noncompliance with HIPAA Rules are avoided.

Class Action Lawsuits

The Ponemon Institute/IBM Security’s annual cost of a data breach study suggests the average cost of a data breach is now $3.62 million, with the cost per record calculated to be $380 for the healthcare industry.

Using the Ponemon Institute’s figures as a guide, the massive data breaches of 2015 (Anthem’s 78.8 million record breach, the 10 million record breach at Excellus BlueCross BlueShield, and the 11 million record breach at CareFirst BlueCross BlueShield) would see breach mitigation costs of $29.9 billion for Anthem, $4.1 billion for CareFirst, and $3.8 billion for Excellus.

A class action lawsuit in which every victim of the breach received only $100 in restitution would leave Anthem with a bill of $8 billion.

Fortunately for Anthem, the cost of resolving the class action lawsuits was nowhere near that high, but it was still considerable and broke records. Several class action lawsuits were filed in the wake of the breach, and the consolidated lawsuit has now been settled for $113 million, the largest ever settlement over a data breach in the United States. The settlement will be used to provide breach victims with two years of credit monitoring services.

Compliance with HIPAA Rules will not stop lawsuits from being filed after a data breach, but it will be harder for plaintiffs to prove there has been negligence.

Improvements to Security

Security must be improved after a data breach is experienced. The vulnerability that was exploited to gain access to data must be addressed, and new security controls will need to be implemented. Many companies have found that the cost of making such improvements is substantially higher after a data breach than if the same solutions had been implemented before a breach. Post-breach is not the best time to be negotiating contracts with cybersecurity firms; the breached entity will be at a considerable disadvantage.

If healthcare organizations make reasonable efforts to ensure that HIPAA Rules are followed, and they invest in appropriate security solutions, data breaches can be prevented and financial penalties from regulators will be avoided.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of