This article summarizes a few HIPAA violation examples from 2019 that resulted in hefty settlements with the Department of Health and Human Services’ Office for Civil Rights (OCR). These examples include cases that OCR pursued after investigating complaints submitted by healthcare employees and patients, and cases where potential HIPAA violations were discovered during data breach investigations. They show how frequent HIPAA violations are and why proper management of HIPAA compliance is necessary.
HIPAA Violation Examples from 2019
Bayfront Health St. Petersburg
On 14th August 2018, Bayfront Health St. Petersburg was investigated following a complaint lodged by a patient. The hospital had not provided records within 9 months of the patient requesting a copy of her child’s fetal heart monitor records. To resolve the HIPAA violation, the hospital agreed to settle with OCR for $85,000. This was the first settlement made by OCR under its 2019 HIPAA Right of Access enforcement initiative.
University of Rochester Medical Center
OCR launched an investigation following two breach reports, in 2013 and 2017, in which a flash drive and a laptop computer containing electronic protected health information (ePHI) were lost or stolen. OCR had provided technical assistance to the University of Rochester Medical Center before the investigation, yet its devices were still not encrypted. OCR also found failures in risk analysis and risk management, and that the organization lacked device and media controls. As a result, the medical center paid a $3 million HIPAA penalty.
Korunda Medical, LLC
Korunda Medical, LLC settled for $85,000 to resolve a violation after OCR received a complaint from a patient in March 2019. The patient alleged that, despite repeated requests, she had not been provided with her medical records in the electronic format she had requested. OCR determined that there had been a HIPAA Right of Access failure.
Sentara Hospitals
After the hospital disclosed protected health information (PHI) in a mailing without authorization, a patient submitted a complaint to OCR. The hospital reported that the breach had impacted eight individuals. OCR’s investigation found that 577 patients had been affected, but the hospital did not update its breach notice to reflect the correct number of patients. OCR also discovered a business associate failure. As a result, Sentara Hospitals paid a penalty of $2.175 million.
West Georgia Ambulance
OCR launched an investigation into West Georgia Ambulance, a Carroll County, GA ambulance company, after it lost an unencrypted laptop computer containing the PHI of 500 patients. OCR determined that there had been a risk analysis failure, no proper security training program, and a failure to implement HIPAA Security Rule policies and procedures. As a result, the company settled for $65,000.
How much can non-compliance cost?
These HIPAA violation examples show that organizations are failing to properly manage their HIPAA compliance programs. The complex nature of this federal law is often seen as a burden. However, HIPAA violations have severe consequences for both the victims and the service providers. The compromised information can be highly sensitive, and criminals can use it to commit medical identity theft, a major issue for healthcare providers. Financial penalties for HIPAA violations range from $100 to $50,000 per incident, depending on the level of negligence, with an annual maximum of $1.5 million.
Non-financial consequences include loss of brand image and patients’ trust. An organization’s name is posted on the HIPAA Wall of Shame, which lists all breaches currently under investigation that were reported within the last two years. Any breach that is submitted remains on the HIPAA Wall of Shame for the full two years.
Easily comply with HIPAAReady
These HIPAA violation examples show that violations occur because of inadequate HIPAA compliance awareness, training, and management. HIPAAReady is HIPAA compliance software that enables organizations to evaluate and assess their risks, perform internal audits, and seamlessly deliver training across the organization. In short, HIPAAReady has been designed to make managing every aspect of HIPAA compliance easy. To find out more about HIPAAReady, leave a comment or request a free trial.