HIPAA through the years: 5 biggest fines since 2008

Two key laws govern patient privacy in the U.S. — HIPAA and the Health Information Technology for Economic and Clinical Health Act.

Signed into law in 1996, HIPAA establishes a set of safeguards that covered entities and business associates must abide by to protect patient data. Failure to adequately secure this information could result in criminal prosecution or a civil fine issued by either HHS' Office for Civil Rights or state attorneys general.

In 2009, the HITECH Act — designed in the age of electronic patient data — expanded HIPAA's rules, increasing the potential legal liability for non-compliance and providing more enforcement actions.

Civil monetary penalties issued by OCR for HIPAA violations can reach up to $50,000 per violation, with an annual maximum of $1.5 million. The U.S. Justice Department may impose fines up to $250,000 and imprisonment up to 10 years for HIPAA violations, depending on the circumstances of the breach.

Here are five of the largest HIPAA fines issued since 2008, according to publicly available data:

1. Memorial Healthcare System in Hollywood, Fla., paid $5.5 million in 2017 to settle allegations that employees inappropriately disclosed 115,143 individuals' data to affiliated physician office staff.

2. Advocate Health Care Network agreed to pay $5.5 million in 2016 after an investigation showed it had failed to protect patient data, which led to the loss of 4 million patients' information in 2013.

3. NewYork-Presbyterian Hospital and Columbia University, both based in New York City, paid a total of $4.8 million in 2014 to settle a 2010 data breach related to their shared data network.

4. In June, the University of Texas MD Anderson Cancer Center in Houston was ordered to pay $4.3 million in civil penalties for HIPAA violations related to the organization's encryption policies.

5. Temple Hills, Md.-based Cignet Health paid $4.3 million in 2011 to settle claims it violated 41 patients' rights by denying them access to their medical records.


© Copyright ASC COMMUNICATIONS 2018.

 
