How Many HIPAA Violations in 2017 Resulted in Financial Penalties?


We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017.

How Many HIPAA Violations Occurred in 2017?

The problem with determining how many HIPAA violations occurred in 2017 is that many violations are not reported, and of those that are, only the HIPAA breaches that impact more than 500 individuals are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”.

To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes is for a patch not to be applied immediately or an employee to accidentally click on a phishing link for a data breach to occur. The breach reports are therefore not an accurate guide to the number of HIPAA violations that have occurred.

Some attorneys general publish details of data breaches, and many of those breaches are the result of HIPAA violations; however, only a small number of states publish data breach summaries and, as with OCR’s breach portal, many of the breaches listed occurred at organizations that are fully compliant with HIPAA Rules. It is also not possible to say how many of those breaches were the result of HIPAA violations. That can only be determined with a detailed investigation.

Complaints about potential HIPAA violations are frequently submitted to OCR. These tend to be smaller incidents involving relatively few individuals, such as a patient who believes HIPAA Rules have been violated or employees who believe colleagues have violated HIPAA Rules. OCR occasionally releases figures on the number of complaints that it receives, but many of those complaints turn out to be unfounded and, in many cases, OCR cannot prove beyond reasonable doubt that a HIPAA violation has occurred.

It is also not possible to gauge the level of serious HIPAA violations that have occurred based on settlements and civil monetary penalties. Even when there is evidence to suggest HIPAA Rules have been violated, financial settlements are typically only pursued when a case against a HIPAA-covered entity is particularly strong and likely to be won.

It is therefore not possible to determine how many HIPAA violations in 2017 resulted in data breaches nor how many violations occurred last year.

How Many HIPAA Violations in 2017 Resulted in Financial Settlements?

It is also not possible to determine how many HIPAA violations in 2017 have resulted in financial penalties being issued, at least not yet. OCR and state attorneys general open investigations when data breaches are experienced or complaints are received about potential HIPAA violations. However, it takes time to conduct investigations and gather evidence. Even when there is evidence of HIPAA violations, cases can take years before settlements are reached or civil monetary penalties are issued.

The latest HIPAA settlement is a good example. Fresenius Medical Care North America settled its case with OCR for $3,500,000 in 2018, yet the data breaches that triggered the investigation occurred in 2012. The list below shows the settlements and civil monetary penalties issued in 2017 and the years in which the violations occurred.

So unfortunately, it is not possible to say how many HIPAA violations in 2017 resulted in financial penalties, as that will not be known for many years to come.

HIPAA Settlements and Civil Monetary Penalties in 2017


| Covered Entity | Penalty Amount | Penalty Type | Reason for Penalty | Date of Violation(s) |
|---|---|---|---|---|
| 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations | 2015 |
| Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI | 2015 |
| St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI | 2014 |
| The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement | 2003-2015 |
| CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI | 2011 |
| Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process | 2011 |
| Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls | 2007-2012 |
| Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI | 2006-2013 |
| MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI | 2011 |
| Presence Health | $475,000 | Settlement | Delayed Breach Notifications | 2013 |


What we can say is HIPAA violations have occurred at most healthcare organizations, although oftentimes the violations are minor and inconsequential. We can go further and say that a majority of healthcare organizations have failed to follow HIPAA Rules to the letter all of the time.

The evidence comes from the second round of HIPAA compliance audits conducted by OCR in late 2016 and 2017. A final report on the findings of the audits has yet to be published, but last September preliminary results were released. They showed that healthcare organizations are still not getting to grips with HIPAA Rules and noncompliance is commonplace.

Findings of the 2017 HIPAA Compliance Audits

Listed below are the preliminary findings of the second round of HIPAA compliance audits. The audits consisted of ‘desk audits’ of 166 covered entities, assessed against the HIPAA Privacy, Security, and Breach Notification Rules, and of 41 business associates of HIPAA-covered entities, assessed against the Security and Breach Notification Rules.

OCR gave each audited entity a rating from 1-5 based on the level of compliance. A rating of 1 means the organization was in compliance with the goals and objectives of the audited standards and implementation specifications. A rating of 5 was given to entities that did not provide OCR with evidence to show that a serious attempt had been made to comply with HIPAA Rules.

| HIPAA Rule | Aspect of HIPAA Rule | 1 Rating | 2 Rating | 3 Rating | 4 Rating | 5 Rating | N/A |
|---|---|---|---|---|---|---|---|
| Breach Notification Rule | Timeliness of Notification | 65% | 6% | 2% | 9% | 11% | 7% |
| Breach Notification Rule | Content of Notification | 14% | 14% | 23% | 37% | 7% | 5% |
| Privacy Rule | Patient Right to Access | 1% | 10% | 27% | 54% | 11% | N/A |
| Privacy Rule | Notice of Privacy Practices | 2% | 33% | 39% | 11% | 15% | 2% |
| Privacy Rule | Provision of eNotice | 57% | 15% | 4% | 6% | 15% | 3% |
| Security Rule | Risk Analysis | 0% | 2% | 19% | 23% | 13% | N/A |
| Security Rule | Risk Management | 1% | 3% | 13% | 29% | 17% | N/A |

Author: HIPAA Journal
