Average HIPAA Fine Reaches $1.5 Million
HIPAA fines have changed significantly since HIPAA enforcement first began. Regardless of the type of violation or the scope of the data breach involved, the consequences of a HIPAA fine can have long-lasting impacts. The average HIPAA fine, as calculated from publicly available data on the HHS website, comes out to a stunning $1.5 million.
Since HIPAA enforcement first began, the nature of the fines levied by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has changed dramatically.
With additions to the HIPAA Rules, such as the enactment of the Omnibus Rule in 2013 and the enactment of the HITECH Act in 2009, the scope of OCR investigations has been significantly revised. As a result, fines that were non-existent in the early 2000s have the potential to become commonplace in the years ahead.
One stunning example of uncharacteristic enforcement efforts contributing to the average HIPAA fine of $1.5 million comes in the form of business associate management.
Under HIPAA regulation, a business associate (BA) is any vendor hired by a health care professional who will necessarily encounter protected health information (PHI) over the course of the work they’ve been hired to perform. PHI is any demographic information that can be used to identify a patient (such as name, date of birth, Social Security number, medical record, etc.). Common examples of BAs include cloud storage providers, shredding companies, telehealth platforms, electronic health record (EHR) platforms, and many more.
On April 20, 2017, a HIPAA settlement was announced in which a health care provider was fined as a result of a HIPAA investigation into one of its business associates. The Center for Children’s Digestive Health (CCDH) agreed to pay a $31,000 fine due to a data breach caused by a vendor. After being contacted in the aftermath of the vendor’s breach, OCR opened an investigation that uncovered that CCDH had failed to implement an effective HIPAA compliance program.
This fine, along with other uncharacteristic enforcement efforts, is making the rounds, and the result is an average HIPAA fine of $1.5 million.
The best way to defend against these HIPAA fines is to implement an effective HIPAA compliance program that addresses the full extent of the law. Keeping patient data safe is paramount to avoiding fines and maintaining your hard-fought reputation as a trusted behavioral health practitioner.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.