Average HIPAA Fine Reaches $1.5 Million

HIPAA fines have changed significantly since HIPAA enforcement first began. Regardless of the type of violation or the scope of the data breach involved, a HIPAA fine can have long-lasting consequences. The average HIPAA fine, as calculated from publicly available settlement data on the HHS website, comes out to a stunning $1.5 million.

Since HIPAA enforcement first began, the nature of the fines levied by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has changed dramatically.

With additions to the HIPAA Rules, such as the enactment of the HITECH Act in 2009 and the Omnibus Rule in 2013, the scope of OCR investigations has been significantly revised. As a result, fines that were non-existent in the early 2000s have the potential to become commonplace in the years ahead.

One stunning example of the newer enforcement efforts contributing to the average HIPAA fine of $1.5 million is enforcement around business associate management.

Under HIPAA regulation, a business associate (BA) is any vendor hired by a health care professional who will necessarily encounter protected health information (PHI) over the course of the work they have been hired to perform. PHI is any individually identifiable health information, including demographic identifiers such as name, date of birth, Social Security number and medical record number. Common examples of BAs include cloud storage providers, shredding companies, telehealth platforms, electronic health record (EHR) platforms, and many more.

A HIPAA settlement announced on April 20, 2017 shows a health care provider being fined as a result of a HIPAA investigation into one of its business associates. The Center for Children's Digestive Health (CCDH) agreed to pay a $31,000 fine following a data breach caused by a vendor. OCR contacted CCDH in the aftermath of the vendor's breach, and its investigation uncovered that CCDH had failed to implement an effective HIPAA compliance program.

This fine, and other enforcement actions of the same kind, are becoming more frequent, and together they contribute to an average HIPAA fine of $1.5 million.

The best way to defend against these HIPAA fines is to implement an effective HIPAA compliance program that addresses the full extent of the law, including the vetting and management of business associates. Keeping patient data safe is paramount to avoiding fines and maintaining your hard-fought reputation as a trusted health care practitioner.