HIPAA Violations: Highest Fines for HIPAA Violations of Privacy Rule
HIPAA violations, intentional or not, can cost your organization up to US$ 1 million in fines. Knowing the kind of violations of HIPAA regulations that are occurring will give you a head start and help you avoid the same mistakes in your organization. Individuals are also advised to understand the laws in order to prevent their rights from been infringed upon. These violations are avoidable if care is taken to understand the HIPAA regulations and adhere to them.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that was passed by the US Congress in 1996 to ensure the continued access to health insurance as well as the protection of the privacy of individual health information.
The law makes it possible for an individuals to carry their health information from one employer to the next without occasioning a lapse in coverage. There are also administrative provisions within the law that that seek to streamline the management of health information by moving from a manual to electronic health information system.
Other provisions of the law protect an individual’s personal health information by restricting access and ensuring security of the records.
Understanding HIPAA regulations
HIPAA aims at improving the management of personal health information so as to make it easily transferable in the case of change of jobs. Another goal of the act is to streamline the administration of health information and reduce costs in the process.
To better understand the law, it can be divided into four major components:
- Safeguards against discrimination, reduction of exclusions due to pre-existing conditions and expressly prohibits any form of discrimination
- Standardization of formats, codes and IDs in the healthcare industry
- Security policy ensures that the personal health information that is stored electronically or by any other means is safe and cannot be accessed by unauthorized parties.
What HIPAA Violations are most common?
The recent hefty fine that was imposed on a Puerto Rican insurance company is a good example of the seriousness of HIPAA violations. The company paid $6.8 million as settlement for a HIPAA violation. The most common HIPAA violations include:
- Disclosing patient information without authority
- Failing to safely secure information thereby making it accessible to unauthorized individuals
- Releasing of more information than is required
- Denying patients access to their personal health information
- Disclosing information that has an expired authorization date -- continued disclosure of personal health information after the prescribed expiration period for authorization is explicitly prohibited under the HIPAA regulations.
Resolution Agreements for Settlement of HIPAA Violations
When a breach occurs, the offending party may settle with the HHS to make corrective actions within a specified period. This settlement also includes a payment to the HHS and gives the party a chance to fully comply with the regulations of face the full penalties specified in the law.
The resolution agreements are not concessions by the HHS that a violation did not occur, but are meant to avoid the expense and burden of formal investigation and proceedings. Agreements are also not admissions of liability by the parties. Settlements can be anything from $100,000 to millions of dollars as the following examples show:
- Affinity Health Plan paid $1.2 million for a breach of protected health information. In this incident Affinity had leased photocopiers but did not erase the hard drives on returning them to the leasing company. This incident was brought to light by a CBS Evening News investigative team that came across the photocopiers in the cause of gathering information for their story. Over 300,000 records covered under the HIPAA privacy rule were breached in the incident.
- Adult & Paediatric Dermatology of Concord, MA paid $ 150,000 as settlement for a violation of HIPAA’s Privacy, Security and Breach Notification Rules. In this incident that occurred in October 2011, a thumb drive containing ePHI records of over 2,200 patients was stolen from the car of an employee of the company. The thumb drive was never recovered and the company reported the matter as per HIPAA requirements. An initial investigation revealed that the company did not follow the HIPAA rules for privacy, security and Breach Notification
- WellPoint Inc., a managed care company operating from Indiana, settled with the HHS-OCR for $ 1.7 million for a breach of individually identifiable health information in its databases. The Resolution Agreement was related to the measures the company had failed to take to ensure that their web-based application was secure and that unauthorized parties could not gain access to electronic protected health information (ePHI).
- Shasta Regional Medical Center (SRMC) paid $275,000 to the HHS-OCR as a settlement in their Resolution Agreement after an investigation revealed that they had disclosed a patient’s information without authorization. The violation involved the disclosure of an Affected Party’s personal health information in an interview with the Los Angeles Times, transmitting the information via email and correspondence without authorization.
In the above cases, in addition to the Resolution Amount paid to the HHS-OCR, the agreement also specified that a Corrective Action Plan (CAP) was to be developed in implemented within one year of the signing of the agreement.
HIPAA Resolution Agreement Amounts
Idaho State University
Breach of the ePHI of 175,000 people, did not implement enough security measures
Massachusetts Eye & Ear Assoc.
Loss of unencrypted laptop containing patient prescriptions and clinical information
Loss of USB hard drive containing ePHI, did not take enough measures to ensure compliance with HIPAA
Over 50 hard drives with encrypted ePHI of over 1 million employees stolen. It was the first HITECH breach.
Phoenix Cardiac Surgery
Failed to implement the required policies and safeguards to protect the ePHI of patients
In the first ever Civil Money Penalty, the company was penalized for failing to give 41 employees access to their medical records