HIPAA Penalties are Punitive, but Rare

HIPAA fines can run in the millions.

When it comes to compliance in heavily regulated industries, a single simple misstep can cause a ton of problems and generate a significant fine. That’s particularly true in healthcare, where the protection of private patient information is paramount. Under HIPAA (the Health Insurance Portability and Accountability Act), if anyone in a healthcare organization (and that includes anyone at a firm deemed to be a business associate) exposes patient information, your organization can be made to pay.

The potential liability provides significant motivation to be compliant, and in a $3 trillion industry, very few entities actually receive these fines. In the past eight years only 36 resolution agreements have been announced by the US Department of Health and Human Services (HHS), though the frequency of those cases is on the uptick in 2016. HHS announced seven fines in the first half of 2016, after fining only five companies in all of 2015 and six in 2015.

The list of settlements and resolution agreements is available here. If you’re responsible for your company’s compliance, even in a non-healthcare industry, it is worth reviewing and sharing examples with your people, almost any of whom can trigger a violation.

Some takeaways from the list of recent fines:

  • Being held liable for the failures of business associates should be sobering to anyone engaged in the healthcare industry. You’re responsible for the people you do business with.
  • There are many ways to expose patient information. A fine of over a million dollars resulted from a healthcare provider returning photocopiers containing accessible patient information to an equipment leasing company without deleting all the patient data.
  • A $2.2 million settlement with New York Presbyterian Hospital resulted from patient privacy being violated during the filming of “NY Med”, a reality show on ABC.
  • You may have to pay for the crimes of others. A $650,000 fine was generated as a result of the theft of an employee’s unsecured cell phone, which enabled access to patient data.

What’s striking about many of these actions is how innocuously they started. There was no intent, just sloppiness. The details and the list of actions would serve as a reminder to employees in many industries of the importance of compliance, as well as the damage that can be done if security protocols are not faithfully adhered to.