HIPAA Fines Hurt Pockets of Erring Healthcare Providers
You already know that since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, the government has not been remiss in reminding covered entities about the hefty fines it carries.
Unfortunately, healthcare providers continue to violate some of the provisions of the law, resulting in millions of dollars in fines.
Organizations Fined Under HIPAA
- In February this year, Cottage Health agreed to settle $3 million in fines for reported violations of the HIPAA. The company recorded two cases of a data breach, first in December 2013 and the other in December 2015. The breach affected 62,500 people.
- In February 2018, Fresenius Medical Care settled $3.5 million in HIPAA fines after failing to comply with government recommendations. The company was already warned about the risks but ignored the warnings.
- In June 2018, The University of Texas MD Anderson Cancer Center settled a HIPAA fine of $4.3 million with the Office of Civil Rights. The fine was in connection with a data breach arising from a laptop that was stolen from a company employee. Apparently, neither the laptop nor the records on it were encrypted.
- In May 2019, Indiana Medical Records paid $100,000 in fines for violations of the HIPAA law. The company also agreed to institute corrective measures to avoid repeating the violation.
- Also in May 2019, Tennessee Medical Imaging paid a $3 million fine after failing to secure its FTP servers. This allowed hackers to penetrate the system and access patient records. The company initially denied the breach, only to admit later on that the records of 300,000 individuals were compromised.
- In August 2016, Advocate Health settled with the US Department of Health and Human Services for what became the record HIPAA fine. The company paid $5.5 million following a massive data breach. The amount is hardly surprising, considering that more than 4 million patient records were compromised. Before that, Triple S Management Corporation held the distinction of paying the record amount when it shelled out $3.5 million.
What these incidents prove is that the government is not joking around with the enforcement of the HIPAA law.
While most of these cases are violations committed by the covered entities themselves, healthcare providers should also look closely at the provision of the law covering “business associates.”
Business associates are your partners, specialists, or providers that render a particular service which involves handling private information. For instance, if you are looking to hire a regular courier service, make sure you are only dealing with HIPAA compliant mailing services.
By choosing HIPAA compliant mailing services, you are complying with the “Security Rule” provision in the law. The Security Rule provides another layer of security to ensure that private information is protected. It covers third-party service providers that have Business Associate Agreements with the covered entity. The problem is that not only will the third-party service provider pay the fine for violating HIPAA rules; the healthcare provider will also be slapped with hefty fines.