If your practice isn’t HIPAA compliant, be prepared to pay outrageous OCR fines.

The rules for HIPAA compliance are issued by the Department of Health and Human Services (HHS), but they are enforced by its Office for Civil Rights (OCR). If you are in violation of HIPAA, you may be one of the thousands of organizations OCR investigates each year.

Between 2015 and now, OCR has collected more than $40 million in large-scale settlements and civil money penalties from 28 organizations (and roughly half of that total came from a single year):

2015: $6,193,000
2016: $23,504,800
2017: $17,093,200 (through the end of May)

This is a huge deal considering that we are only halfway through 2017, yet the fines accumulated so far already come close to last year's record-breaking total. Even more concerning, these large-scale settlements are only a fraction of the penalties imposed each year. For a full list of reported breaches of unsecured PHI affecting 500 or more individuals (each of which OCR investigates), view OCR's breach portal here.

You may be wondering how those numbers got so large from such a small sample of businesses; this is because not all penalties for HIPAA violations are equal. Each individual violation can range from $100 to $50,000, and a single organization can be found liable for many violations. The amount also scales with the level of culpability (how much the organization knew or should have known), which the American Medical Association (AMA) lays out clearly here:

Unknowing (the organization did not know, and could not reasonably have known, of the violation)
  Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (note: this is also the maximum that State Attorneys General can impose, regardless of the type of violation)
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Reasonable cause (the violation was not due to willful neglect)
  Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Willful neglect, but the violation is corrected within the required time period
  Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Willful neglect, and the violation is not corrected within the required time period
  Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Most investigations begin because of the theft or loss of devices or records, but the top five compliance issues found in investigated cases have stayed the same for over ten years:

  • Impermissible Uses & Disclosures
  • Safeguards
  • Administrative Safeguards
  • Access
  • Technical Safeguards

Don't end up on OCR's breach list. Audit your own internal practices, and make sure any third party that has access to PHI on your behalf is secure as well. Also make sure you have a signed Business Associate Agreement (BAA) with each of those vendors; not having one is an expensive HIPAA violation and the easiest to avoid.
