The rules for HIPAA compliance are managed by the Department of Health and Human Services (HHS), but they are enforced by its Office for Civil Rights (OCR). If you are in violation of HIPAA, you may be one of the thousands investigated each year.
Between 2015 and now, the OCR has levied large-scale fines on 28 businesses totalling more than $40 million (and more than half of that came from a single year).
2017: $17,093,200 (results through the end of May)
This is a huge deal considering that we are only halfway through 2017, yet the accumulated fines already come close to last year's record-breaking amount. Even more concerning, these large-scale settlements are only a fraction of the fines given each year. For a full list of HIPAA investigations (affecting 500 or more individuals), view OCR's breach portal here.
You may be wondering how those numbers got so large from such a small sample of businesses; this is because not all penalties for HIPAA violations are equal. Each violation can cost from $100 to $50,000, and a single organization can be found to have committed many violations. The penalty also factors in the degree of negligence, as the American Medical Association (AMA) clearly lays out here:
| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Unknowing | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| Reasonable cause | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| Willful neglect, but the violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| Willful neglect, and the violation is not corrected within the required time period | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |
Most investigations begin because of theft or loss, but the top five issues in those investigated cases have been the same for over ten years:
- Impermissible Uses & Disclosures
- Administrative Safeguards
- Technical Safeguards
Don't get on OCR's breach list. Check your internal practices and make sure any third party that has access to PHI is secure as well. Also make sure you have a signed Business Associate Agreement (BAA) with your vendors; not having one is an expensive HIPAA violation and the easiest to avoid.