Staying compliant with HIPAA is one of the biggest concerns healthcare providers have. There aren't any major changes to HIPAA in 2018, but the cumulative changes of previous years have made this law more difficult to follow than ever. The civil penalties for noncompliance are severe. Here is an overview of the penalty tiers, which are set by the covered entity's level of culpability:
- $100 to $50,000 per violation for a Tier 1 violation (the entity did not know, and could not reasonably have known, of the violation)
- $1,000 to $50,000 per violation for a Tier 2 violation (reasonable cause, but not willful neglect)
- $10,000 to $50,000 per violation for a Tier 3 violation (willful neglect, corrected within the required period)
- Minimum of $50,000 per violation for a Tier 4 violation (willful neglect, not corrected)
- In every tier, the annual cap is $1.5 million for all violations of the same provision in a calendar year
Penalties of this size can cripple a smaller healthcare practice. You can't expect the HHS Office for Civil Rights (OCR) to be lenient because you are a smaller organization; OCR takes compliance and enforcement seriously regardless of size.
You need to consider these consequences and make sure that you take the right precautions. Here are some of the largest enforcement actions organizations have faced for serious HIPAA violations, and the failure behind each one.
Failing to Secure ePHI
Securing electronic protected health information (ePHI) is very important. MAPFRE Life Insurance Company of Puerto Rico is one of the companies that discovered this the hard way. After an unencrypted USB drive containing ePHI was stolen, OCR found that MAPFRE had not implemented the safeguards the Security Rule requires, and the company agreed to a $2.2 million settlement and a corrective action plan.
Healthcare companies in small territories or rural states may be more likely to miss the mark on these issues for a couple of reasons:
- They may think that they are less likely to be audited or investigated by OCR.
- They are in an area with more limited IT infrastructure, which they treat as an excuse.
Neither reason holds up. The cost of securing ePHI (a risk analysis, encryption of portable devices and workstations, access controls, and documented policies) is modest regardless of location, and the MAPFRE case shows that it is far lower than the cost of an enforcement action.
Neglecting to Encrypt Data
The consequences can be very costly, as the penalty against The University of Texas MD Anderson Cancer Center (MD Anderson) shows. In 2018 an HHS administrative law judge upheld a civil money penalty of roughly $4.3 million after an unencrypted laptop was stolen from an employee's home and two unencrypted USB thumb drives were lost, together exposing the ePHI of tens of thousands of patients. MD Anderson had its own policies requiring encryption of portable devices but had not enforced them, and OCR treated the lack of encryption on devices holding ePHI as a serious violation. OCR Director Roger Severino welcomed the judge's decision:
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
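The lesson of the MD Anderson case is that an encryption policy is only worth what you can verify on each device. The following script is an added illustration (it is not from the original article, OCR, or MD Anderson) of one such check on Linux: it parses the JSON tree printed by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports every mounted filesystem that has no dm-crypt/LUKS layer anywhere above it. The sample `lsblk` output embedded below is constructed; the `/boot` exemptions are an assumption a real policy may not make.

```python
"""Flag mounted filesystems with no block-level encryption beneath them.

Added illustration. Parses the JSON tree produced on Linux by
`lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the SAMPLE_LSBLK below is
constructed, not captured from a real host.
"""
import json
import subprocess
from typing import Iterator, List, Tuple

# Mount points commonly left unencrypted on purpose (bootloader and kernel).
# Assumption for this example; tighten to () if policy requires full coverage.
DEFAULT_ALLOWED = ("/boot", "/boot/efi")


def _walk(node: dict, encrypted: bool) -> Iterator[Tuple[str, str, bool]]:
    """Depth-first walk yielding (device name, mount point, has_encryption_layer)."""
    # A device counts as encrypted if it, or any ancestor, is a dm-crypt mapping
    # (lsblk TYPE "crypt") or carries a LUKS header (FSTYPE "crypto_LUKS").
    enc = encrypted or node.get("type") == "crypt" or node.get("fstype") == "crypto_LUKS"
    mp = node.get("mountpoint")
    # Newer util-linux releases emit a "mountpoints" list instead of "mountpoint".
    if mp is None and node.get("mountpoints"):
        nonempty = [m for m in node["mountpoints"] if m]
        mp = nonempty[0] if nonempty else None
    if mp:
        yield node["name"], mp, enc
    for child in node.get("children", []):
        yield from _walk(child, enc)


def unencrypted_mounts(lsblk_json: str, allowed=DEFAULT_ALLOWED) -> List[Tuple[str, str]]:
    """Return [(device, mountpoint)] for mounted filesystems lacking an encryption layer.

    Swap ("[SWAP]") is deliberately not exempted: paged-out PHI lands there too.
    """
    tree = json.loads(lsblk_json)
    findings = []
    for dev in tree["blockdevices"]:
        for name, mp, enc in _walk(dev, False):
            if not enc and mp not in allowed:
                findings.append((name, mp))
    return findings


def audit_local_host(allowed=DEFAULT_ALLOWED) -> List[Tuple[str, str]]:
    """Run lsblk on this Linux host and return its unencrypted mounts."""
    out = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out, allowed)


# Constructed sample: sda2 is LUKS with the root filesystem on the mapped
# device "cryptroot"; sdb is a plain NTFS USB stick mounted at /media/usb.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [
             {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
    {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/media/usb"}]},
]})


if __name__ == "__main__":
    for dev, mp in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED: {dev} mounted at {mp}")
```

On the constructed sample the only finding is `sdb1` at `/media/usb`, which is exactly the kind of removable medium involved in the MD Anderson and MAPFRE cases. The check only sees block-layer encryption; file-level encryption, and Windows or macOS endpoints (where `manage-bde -status` and `fdesetup status` answer the same question), need their own checks, and a fleet-wide policy should collect this output from every device rather than trusting a written policy alone.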
Assuming that Your HIPAA Obligations End with the Closure of Your Business
You may think that your HIPAA obligations end the moment your organization closes its doors. That isn't the case, and a judge confirmed it in a 2011 case.
Any PHI still in your possession, including paper records and backups, must remain properly secured until it is disposed of in a compliant way. If a breach occurs after closure, you can still be held liable.
Not Conducting a Risk Analysis or Developing a Risk Management Plan
Preparing for the possibility of a data breach is very important. The Security Rule requires an accurate and thorough risk analysis of the threats to your ePHI and a risk management plan that addresses the risks it identifies, and you need to document both so you can show OCR what you assessed and what you did about it.
Fresenius Medical Care North America (FMCNA) agreed to a $3.5 million settlement after five separate breaches at its facilities. The number of breaches led OCR to conclude that FMCNA had not performed an adequate risk analysis or put the resulting safeguards in place.