Improper Release (and Use) of Information Unleashes Major Consequences

While ever-evolving technologies have streamlined how patient data is shared and used, the risk of a data breach that violates HIPAA rules remains – whether through a failure in the technology or through the improper use of patient information by humans. Regardless of how a data breach occurs, the federal government takes these breaches seriously, imposing stiff penalties, both monetary and criminal, depending on the severity and circumstances of the data breach. And adding insult to injury, a data breach can also trigger a full compliance audit of the healthcare organization.

According to the federal Department of Health and Human Services, which regulates HIPAA and issues civil penalties, inadvertent, unknowing violations  of the law can result in a fine up to $50,000  per violation with an annual maximum of $1.5 million. The agency receives more than 30,000 complaints of potential violations each year.

Criminal violations are handled by the federal Department of Justice. Those penalties range from fines from $50,000 to $250,000 and up to 10 years in prison depending on the severity and circumstances of the violation.

A failure to train employees on how to protect patient data or implement preventative security measures have lead to several major HIPAA violations in the past 10 years and dozens so far already this year.

Last month, the Department of Health and Human Services issued a $5.5 million fine to Memorial Healthcare System, based in South Florida. Employees of the healthcare group had disclosed personal medical information for more than 115,000 people, including their names, birthdates, and social security numbers. MHS is a nonprofit corporation, which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary healthcare facilities.

Although the healthcare organization had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying, and terminating users’ right of access, as required by the HIPAA Rules, according to HHS. The group also failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

A Puerto-Rican-based insurance holding company, Triple-S, settled with HHS agreeing to pay $3.5 million in 2015 after multiple data breaches were reported. The agency found widespread noncompliance with HIPAA across the company’s subsidiaries. That noncompliance included failing to implement appropriate safeguards to protect beneficiaries’ protected health information, disclosing more patient information than necessary to carry out mailings and failing to conduct risk analyses.

In the largest fine at the time, CVS Pharmacy was fined $2.25 million in 2009 for failing to implement security policies to prevent patient disclosures and failing to train employees on how to dispose of HIPAA-covered information properly. In addition to paying the fine, CVS agreed to enact a corrective action plan that required updated compliance policies for safeguarding patient information and employee training and penalties for employees who violate the law, according to HHS.

The agency reports that a lack of technical and administrative safeguards and wrong uses and disclosures were the top issues they investigated from 2014-2015.   In order to avoid breaches, employees who deal with HIPAA-protected information should be trained in HIPAA’s rules and regulations. They should also understand what happens when those rules are broken.

Data breaches of patient information not only results in fines and possible jail time for healthcare organizations and employees, it erodes patient trust in the healthcare provider.

Providers are required to notify the federal government of a breach within 60 days, and breaches are displayed publicly on the HHS website. Large data breaches often get media attention and scrutiny, but the disclosure of even one patient hurts the work the healthcare organization is trying to do.