2017 HIPAA fines and enforcement illustrated new trends that all behavioral health practitioners should be aware of. Taking lessons learned from 2017 and applying them to 2018 is your best chance at protecting your practice from the mounting threat of fines.
It’s important to remember that this fine total only accounts for large-scale settlements reached between providers and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Smaller fines that didn’t require drawn-out legal proceedings and Corporate Integrity Agreements are not included in this list, nor are they publicized. That means the true total amount of fines is likely significantly greater than the officially publicized $19.4 million.
To see a full list of HIPAA violations and “meaningful breaches” that affected more than 500 individuals in 2017, you can view the HHS “Wall of Shame.” This is the HHS’ breach portal, which lists the name and state of each and every health care professional or health care vendor that has experienced a meaningful HIPAA breach since 2009.
Below, we take a look at some of the major public settlements that defined HIPAA enforcement in 2017. Take stock of how your behavioral health practice stacks up against these enforcement actions so you can avoid making these same mistakes!
- Presence Health, $475,000 fine, January 9, 2017: The Presence Health settlement was the first enforcement action taken for a violation of the HIPAA Breach Notification Rule. The Rule sets national standards that health care professionals must follow in the event of a data breach. This case set a precedent for new enforcement in the aftermath of even the most common of data breaches.
- Memorial Healthcare Systems, $5.5 million fine, February 16, 2017: OCR sent a strong message by levying the second highest HIPAA fine in history for multiple violations.
- The Center for Children’s Digestive Health, $31,000 fine, April 20, 2017: This fine was levied for the lack of Business Associate Agreements in place between the organization and its vendors. This is a serious breach of the HIPAA Omnibus Rule, which states that all health care providers must execute BAAs with vendors before sharing any health information, or risk fines.
- St. Luke’s Roosevelt Hospital System, $387,000 fine, May 23, 2017: This fine highlights every practitioner’s worst nightmare: sending a patient’s sensitive health information to an unintended recipient. In this case, NY-based St. Luke’s sent medical records detailing a patient’s HIV+ status and sexual orientation to the patient’s employer by mistake. This is a serious breach of the HIPAA Privacy Rule, resulting in a hefty fine for the mishandling of just a single patient’s health information.
These are just a few of the major fines that shook the health care world in 2017. One of the best ways to protect your behavioral health practice is by implementing an effective HIPAA compliance program. Understanding exactly how to become HIPAA compliant should be the first step on your journey toward success.