Healthcare Data Breach Enforcements and Fines At A Glance


The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, while enforcement of the Security Rule began on April 20, 2005. Furthermore, covered entities and business associates were required to comply with the HIPAA Breach Notification Rule beginning on September 23, 2009.[1]

The OCR relies on complaints filed by third parties, self-reports of data breaches, and media reports to identify targets for compliance reviews. If a covered entity or business associate is found to have committed serious violations during a compliance review, HHS may require the entity to enter into a “Resolution Agreement” (“RA”) that may include a fine and a corrective action plan.

134,246: Number of HIPAA complaints received by OCR since 2003.[2]

879: Number of compliance reviews initiated by OCR since 2003.[3]

28: Number of RAs since 2008.[4]

$28 million: Total fines collected for HIPAA violations.[5]

$4.8 million: Largest fine assessed by OCR to date.[6]

Trends in Enforcement Activities and Fines[3]

What to consider when assessing the impact of an OCR investigation:

  1. While enforcement activities and fines are trending upward, they appear stable between 2014 and 2015.
  2. Only a minority of investigations lead to fines and penalties.
  3. Cooperation in government-initiated compliance reviews is key to reducing the risk of a penalty.
  4. Having multiple incidents, even if each is minor on its own, tends to trigger an investigation and lead to fines and RAs.

[1] The HIPAA Breach Notification Rule requires covered entities and their business associates to notify the HHS Secretary, affected individuals, and in some cases the media, regarding breaches of unsecured protected health information.

[2] U.S. Dep't of Health and Human Servs., Enforcement Highlights, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html (July 9, 2016).

[3] Id.

[4] U.S. Dep't of Health and Human Servs., Resolution Agreements, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html (July 9, 2016).

[5] Id.

[6] U.S. Dep't of Health and Human Servs., Data Breach Results in $4.8 Million HIPAA Settlements, http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/new-york-and-Presbyterian-hospital/index.html (July 9, 2016).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave | Attorney Advertising
