HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Fines for Violations Issued for HIPAA Non-Compliance and Data Breaches

Following high-profile data breaches in recent months, in particular the breach of PHI across 209 hospitals operated by CHS, compliance with HIPAA regulations is now high on the agenda, especially considering the steep fines being issued by the OCR.

Any data breach involving more than 500 individuals must be reported at both state and national levels, with the report launching an investigation by the OCR. The investigation will assess how the data breach occurred and the measures and safeguards put in place to protect data. Fines are issued for any breaches which have resulted from failures to adhere to HIPAA guidelines.

However, data breaches are not the only reason for fines being issued. Compliance with HIPAA requires policies to be adopted and procedures to be followed to ensure security risks are effectively dealt with. When an organization is assessed, it is measured against a standard to determine whether there has been willful neglect and whether a violation has occurred.

A failure to conduct a thorough risk analysis is a violation of HIPAA regulations. If the risk analysis is conducted and data security issues are highlighted, all of those issues must be addressed promptly. If security concerns are not dealt with, ePHI could be exposed and the OCR will consider it a violation and is likely to issue a monetary penalty.

However, even in the absence of a data breach, a compliance review may be ordered, and an organization can be selected for review in random audits. Compliance with all procedures will be assessed and the OCR will issue a financial penalty for each procedural violation of HIPAA regulations identified.

The right to file a complaint belongs to any person who has reason to believe that regulations have been violated or where a covered entity or business associate “is not complying with the administrative simplification provisions”. If an individual files a complaint, the HHS may conduct a compliance review.

Healthcare organizations and other HIPAA covered entities are therefore advised to take action on each privacy issue and not to wait for the OCR to investigate. Non-compliance, including a failure to maintain appropriate documentation, is enough to earn a violation and financial penalty for each compliance issue uncovered. Burying your head in the sand and ignoring HIPAA compliance issues can be a very costly mistake to make.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.