2018 turned out to be a year of record fines for HIPAA violations: over $25 million in fines, with the mean fine just over $2.5 million. Could your medical entity bear that financial burden? Would it suffer irreparable harm from the adverse publicity? And just what violations did these healthcare entities commit to get scrutinized, investigated and penalized?
Since 2016, settlements and fines from the Department of Health and Human Services’ Office for Civil Rights (OCR) have risen substantially. Healthcare entities should expect this trend to continue and remain committed to avoiding HIPAA security breaches, negligence and failure to follow long-standing policies.
2018 Review of OCR Settlements
Whether your business is a smaller, private entity or a large, public entity, OCR investigations are expensive and potentially damaging to your business’s reputation. Prevention is our best defense – don’t let these errors happen.
Don’t forget about your State’s Attorney General’s Office
Medical entities also saw a rise in fines and monetary penalties from state attorneys general. While the penalties are not always for HIPAA violations, they are still a distraction from your healthcare entity’s mission, diverting employees’ time and financial resources to defending you against alleged violations of state law and HIPAA. Some states have become more aggressive in enforcing HIPAA. The Northeastern states – New Jersey, New York, Massachusetts, Connecticut and the District of Columbia – have stepped up their enforcement efforts, along with Washington State (which has yet to announce a settlement amount with Aetna). Defendants in these actions include insurance companies, hospitals, medical groups and even a transcription company.
State settlement amounts have ranged from a low of $75,000 to a high of over $1,000,000.
Common sense and training, along with competent managed IT services, will help ensure that your business is at decreased risk of HIPAA fines and penalties.
The deeper your understanding of the scope of potential HIPAA violations, the less likely you’ll be guilty of violating patient privacy. The Department of Health and Human Services publishes OCR news and bulletins on its website. Details of every enforcement action are published promptly, including a PDF of the resolution agreement.
Make it a point to review the OCR website on a monthly basis. It will show you the kinds of behavior by employees or departments that lead to enforcement action.
Many of these offenses seem obvious in retrospect. Ensure that every employee understands these simple violations.
Cybersecurity may be seen as a burdensome expense – protecting data does cost money, but it also protects your business’s ability to recover in the event of a natural disaster or ransomware attack. Many of these settlements and penalties resulted from simple mistakes that would not have been costly to avoid. Be proactive and develop a plan to avoid expensive, avoidable HIPAA violations.