
HIPAA Violations: Highest Fines for HIPAA Violations of Privacy Rule

Updated on March 12, 2014
HIPAA violations can be costly to your business

HIPAA violations, intentional or not, can cost your organization up to US$ 1 million in fines. Knowing the kinds of HIPAA violations that are occurring will give you a head start and help you avoid the same mistakes in your organization. Individuals are also advised to understand the law in order to prevent their rights from being infringed upon. These violations are avoidable if care is taken to understand the HIPAA regulations and adhere to them.

What is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that was passed by the US Congress in 1996 to ensure the continued access to health insurance as well as the protection of the privacy of individual health information.

The law makes it possible for individuals to carry their health information from one employer to the next without occasioning a lapse in coverage. There are also administrative provisions within the law that seek to streamline the management of health information by moving from a manual to an electronic health information system.

Other provisions of the law protect an individual’s personal health information by restricting access and ensuring security of the records.

Understanding HIPAA

Understanding HIPAA regulations

HIPAA aims at improving the management of personal health information so as to make it easily transferable in the case of change of jobs. Another goal of the act is to streamline the administration of health information and reduce costs in the process.

To better understand the law, it can be divided into four major components:

  • Safeguards against discrimination: reduces exclusions due to pre-existing conditions and expressly prohibits any form of discrimination
  • Standardization of formats, codes and IDs in the healthcare industry
  • Privacy policy ensures that personal health information is not disclosed to unauthorized parties
  • Security policy ensures that the personal health information that is stored electronically or by any other means is safe and cannot be accessed by unauthorized parties.

What HIPAA Violations are most common?

The recent hefty fine that was imposed on a Puerto Rican insurance company is a good example of the seriousness of HIPAA violations. The company paid $6.8 million as settlement for a HIPAA violation. The most common HIPAA violations include:

  • Disclosing patient information without authority
  • Failing to safely secure information thereby making it accessible to unauthorized individuals
  • Releasing of more information than is required
  • Denying patients access to their personal health information
  • Disclosing information that has an expired authorization date -- continued disclosure of personal health information after the prescribed expiration period for authorization is explicitly prohibited under the HIPAA regulations.

Resolution Agreements for Settlement of HIPAA Violations

When a breach occurs, the offending party may settle with the HHS to take corrective actions within a specified period. This settlement also includes a payment to the HHS and gives the party a chance to fully comply with the regulations or face the full penalties specified in the law.

The resolution agreements are not concessions by the HHS that a violation did not occur, but are meant to avoid the expense and burden of formal investigation and proceedings. Agreements are also not admissions of liability by the parties. Settlements can be anything from $100,000 to millions of dollars as the following examples show:

  • Affinity Health Plan paid $1.2 million for a breach of protected health information. In this incident Affinity had leased photocopiers but did not erase the hard drives on returning them to the leasing company. This incident was brought to light by a CBS Evening News investigative team that came across the photocopiers in the course of gathering information for their story. Over 300,000 records covered under the HIPAA Privacy Rule were breached in the incident.
  • Adult & Paediatric Dermatology of Concord, MA paid $150,000 as settlement for a violation of HIPAA's Privacy, Security and Breach Notification Rules. In this incident, which occurred in October 2011, a thumb drive containing ePHI records of over 2,200 patients was stolen from the car of an employee of the company. The thumb drive was never recovered and the company reported the matter as per HIPAA requirements. An initial investigation revealed that the company did not follow the HIPAA rules for privacy, security and breach notification.
  • WellPoint Inc., a managed care company operating from Indiana, settled with the HHS-OCR for $1.7 million for a breach of individually identifiable health information in its databases. The Resolution Agreement was related to the measures the company had failed to take to ensure that their web-based application was secure and that unauthorized parties could not gain access to electronic protected health information (ePHI).
  • Shasta Regional Medical Center (SRMC) paid $275,000 to the HHS-OCR as a settlement in their Resolution Agreement after an investigation revealed that they had disclosed a patient’s information without authorization. The violation involved the disclosure of an Affected Party’s personal health information in an interview with the Los Angeles Times, transmitting the information via email and correspondence without authorization.

In the above cases, in addition to the Resolution Amount paid to the HHS-OCR, the agreement also specified that a Corrective Action Plan (CAP) was to be developed and implemented within one year of the signing of the agreement.

HIPAA Resolution Agreement Amounts

Organization                    Resolution Amount   Violation
Idaho State University          $400,000            Breach of the ePHI of 175,000 people; did not implement enough security measures
Massachusetts Eye & Ear Assoc.  $1,000,000          Loss of unencrypted laptop containing patient prescriptions and clinical information
Alaska DHHS                     $1,500,000          Loss of USB hard drive containing ePHI; did not take enough measures to ensure compliance with HIPAA
BCBST, Tennessee                $100,000            Over 50 hard drives with encrypted ePHI of over 1 million employees stolen; the first HITECH breach
Phoenix Cardiac Surgery         $100,000            Failed to implement the required policies and safeguards to protect the ePHI of patients
Cignet Health                   $4,300,000          In the first ever Civil Money Penalty, the company was penalized for failing to give 41 employees access to their medical records

HIPAA violation penalties and resolution amounts (source: US DHHS)



    • Steve Everett, 16 months ago

      My son's doctor released lab results to his company and they fired him. Do we have any recourse against the doctor?

    • Vincent Smith, 2 years ago

      A nurse at the nursing home I'm at told her husband that I had threatened her, and he came to the nursing home and came in my room and threatened to kick my ass. I asked him to leave my room and he said he would get me when I got out of the nursing home. Then the next night the nurse practitioner that was seeing me came in my room and said I had stolen a piece of paper that was left on my bed when she was in my room a month ago, and called the police, and they searched my room and didn't find the paper. A lot of other things have happened since I got put in this nursing home. I can't sleep, my anxiety level is very high and I have very high blood pressure. I can't believe this has happened. I have a lot of other health issues and am not doing well at all. Please help.

    • David Gitachu, 3 years ago from Nairobi, Kenya

      Sorry about that Robert -- that is clearly a violation under HIPAA. Are you going to take any legal action against the facility?

    • Robert, 3 years ago

      Buffalo, New York free clinic. This nurse told the whole waiting room that he sent me to an ECMC psychiatric ward; he said I was psycho.