New HIPAA Fines Can Be Seven Figures


By Marion K. Jenkins, PhD, FHIMSS

• UCLA Medical Center: Fined $865,000
• Massachusetts General Hospital: Fined $1 million
• Cignet Healthcare: Fined $4.3 million.

These are some serious fines.

HIPAA was enacted in 1996, the Privacy Rule's compliance date arrived in 2003, and the Security Rule's in 2005, yet for years there was little news of actual fines. The three cases above, all from 2011, have raised awareness and signaled a rise in HIPAA investigations and enforcement, along with the resulting fines.

In addition to increased enforcement, the penalties themselves have been significantly increased. Prior to February 2009, when the HITECH Act took effect, the maximum civil penalty for a covered entity (those subject to HIPAA rules) was $25,000 per calendar year for identical violations. Now the penalties can top out at $1.5 million per year. Under certain circumstances criminal penalties can also apply, and state laws and sanctions add further exposure, since state attorneys general can now bring HIPAA enforcement actions as well.

It is no longer a wise or acceptable practice to merely assume you are HIPAA Security compliant. Based on our experience with hundreds of HIPAA assessments, nearly three-fourths of medical facilities have major HIPAA Security issues.

If you have not had an assessment in the last 24 months, then you are probably not compliant.