
HIPAA Violations: Highest Fines for HIPAA Violations of Privacy Rule

Updated on March 12, 2014
HIPAA violations can be costly to your business

HIPAA violations, intentional or not, can cost your organization up to US$1 million in fines. Knowing the kinds of HIPAA violations that are occurring will give you a head start and help you avoid the same mistakes in your organization. Individuals are also advised to understand the law in order to prevent their rights from being infringed upon. These violations are avoidable if care is taken to understand the HIPAA regulations and adhere to them.

What is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that was passed by the US Congress in 1996 to ensure the continued access to health insurance as well as the protection of the privacy of individual health information.

The law makes it possible for individuals to carry their health information from one employer to the next without occasioning a lapse in coverage. There are also administrative provisions within the law that seek to streamline the management of health information by moving from a manual to an electronic health information system.

Other provisions of the law protect an individual’s personal health information by restricting access and ensuring security of the records.

Understanding HIPAA

Understanding HIPAA regulations

HIPAA aims at improving the management of personal health information so as to make it easily transferable in the case of change of jobs. Another goal of the act is to streamline the administration of health information and reduce costs in the process.

To better understand the law, it can be divided into four major components:

  • Safeguards against discrimination and a reduction of exclusions due to pre-existing conditions; any form of discrimination is expressly prohibited
  • Standardization of formats, codes and IDs in the healthcare industry
  • A privacy policy that ensures personal health information is not disclosed to unauthorized parties
  • A security policy that ensures personal health information stored electronically or by any other means is safe and cannot be accessed by unauthorized parties

What HIPAA Violations are most common?

The recent hefty fine that was imposed on a Puerto Rican insurance company is a good example of the seriousness of HIPAA violations. The company paid $6.8 million as settlement for a HIPAA violation. The most common HIPAA violations include:

  • Disclosing patient information without authority
  • Failing to safely secure information thereby making it accessible to unauthorized individuals
  • Releasing of more information than is required
  • Denying patients access to their personal health information
  • Disclosing information under an expired authorization: continued disclosure of personal health information after the prescribed expiration period of the authorization is explicitly prohibited under the HIPAA regulations.

Resolution Agreements for Settlement of HIPAA Violations

When a breach occurs, the offending party may settle with the HHS by agreeing to take corrective action within a specified period. This settlement also includes a payment to the HHS and gives the party a chance to fully comply with the regulations or face the full penalties specified in the law.

The resolution agreements are not concessions by the HHS that a violation did not occur, but are meant to avoid the expense and burden of formal investigation and proceedings. Agreements are also not admissions of liability by the parties. Settlements can be anything from $100,000 to millions of dollars as the following examples show:

  • Affinity Health Plan paid $1.2 million for a breach of protected health information. In this incident Affinity had leased photocopiers but did not erase the hard drives before returning them to the leasing company. The incident was brought to light by a CBS Evening News investigative team that came across the photocopiers in the course of gathering information for their story. Over 300,000 records covered under the HIPAA Privacy Rule were breached in the incident.
  • Adult & Pediatric Dermatology of Concord, MA paid $150,000 as settlement for a violation of HIPAA's Privacy, Security and Breach Notification Rules. In this incident, which occurred in October 2011, a thumb drive containing the ePHI records of over 2,200 patients was stolen from the car of an employee of the company. The thumb drive was never recovered and the company reported the matter as required by HIPAA. An initial investigation revealed that the company had not followed the HIPAA Privacy, Security and Breach Notification Rules.
  • WellPoint Inc., a managed care company operating from Indiana, settled with the HHS-OCR for $1.7 million for a breach of individually identifiable health information in its databases. The Resolution Agreement related to the measures the company had failed to take to ensure that its web-based application was secure and that unauthorized parties could not gain access to electronic protected health information (ePHI).
  • Shasta Regional Medical Center (SRMC) paid $275,000 to the HHS-OCR as a settlement in their Resolution Agreement after an investigation revealed that they had disclosed a patient’s information without authorization. The violation involved the disclosure of an Affected Party’s personal health information in an interview with the Los Angeles Times, transmitting the information via email and correspondence without authorization.

In the above cases, in addition to the Resolution Amount paid to the HHS-OCR, the agreement also specified that a Corrective Action Plan (CAP) was to be developed and implemented within one year of the signing of the agreement.

HIPAA Resolution Agreement Amounts

Company | Violations | Resolution Amount
--- | --- | ---
Idaho State University | Breach of the ePHI of 175,000 people; did not implement enough security measures | $400,000
Massachusetts Eye & Ear Assoc. | Loss of unencrypted laptop containing patient prescriptions and clinical information | $1,000,000
Alaska DHHS | Loss of USB hard drive containing ePHI; did not take enough measures to ensure compliance with HIPAA | $1,500,000
BCBST, Tennessee | Over 50 hard drives with encrypted ePHI of over 1 million employees stolen. It was the first HITECH breach. | $100,000
Phoenix Cardiac Surgery | Failed to implement the required policies and safeguards to protect the ePHI of patients | $100,000
Cignet Health | In the first ever Civil Money Penalty, the company was penalized for failing to give 41 employees access to their medical records | $4,300,000

HIPAA violation penalties and resolution amounts (source: US DHHS)
