HIPAA violations are expensive.
The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.
The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI.
Financial penalties for healthcare organizations that have failed to prevent snooping are relatively uncommon, but they are possible, as University of California Los Angeles Health System discovered. UCLA was fined $865,000 for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had accessed the medical records of celebrities and other patients without authorization.
Dr. Huping Zhou accessed the records of patients without authorization 323 times after learning that he would soon be dismissed. Dr. Zhou became the first healthcare employee to be jailed for a HIPAA violation and was sentenced to four months in federal prison.
The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open to hackers.
Oregon Health & Science University – $2.7 million settlement for the lack of an enterprise-wide risk analysis.
Cardionet – $2.5 million settlement for an incomplete risk analysis and lack of risk management processes.
Cancer Care Group – $750,000 settlement for the failure to conduct an enterprise-wide risk analysis.
Lahey Hospital and Medical Center – $850,000 settlement for the failure to conduct an organization-wide risk assessment and other
Alaska Department of Health and Social Services – $1.7 million penalty for the failure to perform risk analysis and risk management failures.
University of Massachusetts Amherst (UMass) – $650,000 penalty for risk management failures.
Copyright © 2020 Mauro And Hensley Compliance Consulting, LLC - All Rights Reserved.