We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017.
How Many HIPAA Violations Occurred in 2017?
The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”.
To call it a ‘Wall of Shame’ is not fair to healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes is for a patch not to be applied immediately or an employee to accidentally click on a phishing link for a data breach to occur. The breach reports are therefore not an accurate guide to the number of HIPAA violations that have occurred.
Some attorneys general publish details of data breaches, and many of those breaches are the result of HIPAA violations; however, only a small number of states publish data breach summaries, and as with OCR’s breach portal, many of the breaches listed occurred at organizations that are fully compliant with HIPAA Rules. It is also not possible to say how many of those breaches were the result of HIPAA violations. That can only be determined with a detailed investigation.
Complaints about potential HIPAA violations are frequently submitted to OCR. These tend to be smaller incidents involving relatively few individuals, such as a patient who believes HIPAA Rules have been violated or employees who believe colleagues have violated HIPAA Rules. OCR occasionally releases figures on the number of complaints that it receives, but many of those complaints turn out to be unfounded and, in many cases, OCR cannot prove beyond reasonable doubt that a HIPAA violation has occurred.
It is also not possible to gauge the level of serious HIPAA violations that have occurred based on settlements and civil monetary penalties. Even when there is evidence to suggest HIPAA Rules have been violated, financial settlements are typically only pursued when a case against a HIPAA-covered entity is particularly strong and likely to be won.
It is therefore not possible to determine how many HIPAA violations in 2017 resulted in data breaches nor how many violations occurred last year.
How Many HIPAA Violations in 2017 Resulted in Financial Settlements?
It is also not possible to determine how many HIPAA violations in 2017 have resulted in financial penalties being issued, at least not yet. OCR and state attorneys general open investigations when data breaches are experienced or complaints are received about potential HIPAA violations. However, it takes time to conduct investigations and gather evidence. Even when there is evidence of HIPAA violations, cases can take years before settlements are reached or civil monetary penalties are issued.
The latest HIPAA settlement is a good example. Fresenius Medical Care North America settled its case with OCR for $3,500,000 in 2018, yet the data breaches that triggered the investigation occurred in 2012. The list below shows the settlements and civil monetary penalties issued in 2017 and the years in which the violations occurred.
So unfortunately, it is not possible to say how many HIPAA violations in 2017 resulted in financial penalties, as that will not be known for many years to come.
HIPAA Settlements and Civil Monetary Penalties in 2017
| Covered Entity | Penalty Amount | Penalty Type | Reason for Penalty | Date of Violation(s) |
|---|---|---|---|---|
| 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations | 2015 |
| Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI | 2015 |
| St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI | 2014 |
| The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement | 2003-2015 |
| Cardionet | $2,500,000 | Settlement | Impermissible Disclosure of PHI | 2011 |
| Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process | 2011 |
| Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls | 2007-2012 |
| Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI | 2006-2013 |
| MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI | 2011 |
| Presence Health | $475,000 | Settlement | Delayed Breach Notifications | 2013 |
What we can say is that HIPAA violations have occurred at most healthcare organizations, although oftentimes the violations are minor and inconsequential. We can go further and say that a majority of healthcare organizations have failed to follow HIPAA Rules to the letter all of the time.
The evidence comes from the second round of HIPAA compliance audits conducted by OCR in late 2016 and 2017. A final report on the findings of the audits has yet to be published, but last September preliminary results were released. They showed that healthcare organizations are still not getting to grips with HIPAA Rules and noncompliance is commonplace.
Findings of the 2017 HIPAA Compliance Audits
Listed below are the preliminary findings of the second round of HIPAA compliance audits. The audits consisted of ‘Desk Audits’ conducted on 166 covered entities on the HIPAA Privacy, Security, and Breach Notification Rules and 41 business associates of HIPAA covered entities on the Security and Breach Notification Rules.
OCR gave each audited entity a rating from 1-5 based on the level of compliance. A rating of 1 means the organization was in compliance with the goals and objectives of the audited standards and implementation specifications. A rating of 5 was given to entities that did not provide OCR with evidence to show that a serious attempt had been made to comply with HIPAA Rules.
| HIPAA Rule | Aspect of HIPAA Rule | 1 Rating | 2 Rating | 3 Rating | 4 Rating | 5 Rating | N/A |
|---|---|---|---|---|---|---|---|
| Breach Notification Rule | Timeliness of Notification | 65% | 6% | 2% | 9% | 11% | 7% |
| Breach Notification Rule | Content of Notification | 14% | 14% | 23% | 37% | 7% | 5% |
| Privacy Rule | Patient Right to Access | 1% | 10% | 27% | 54% | 11% | N/A |
| Privacy Rule | Notice of Privacy Practices | 2% | 33% | 39% | 11% | 15% | 2% |
| Privacy Rule | Provision of eNotice | 57% | 15% | 4% | 6% | 15% | 3% |
| Security Rule | Risk Analysis | 0% | 2% | 19% | 23% | 13% | N/A |
| Security Rule | Risk Management | 1% | 3% | 13% | 29% | 17% | N/A |