HIPAA Security: Harsh Fines, Penalties Are a Wake-up Call to Us All

05/03/11 - Life at NYULMC

Last year, the HITECH Act went into effect, amending the HIPAA Privacy and Security Rules. One of the most notable changes is in the penalties for a breach of patient information or other violation of patients’ rights under HIPAA. When HIPAA was first enacted, the maximum penalty for a HIPAA violation was $250,000. Now, the maximum penalty is $1.5 million. Fines as well as criminal penalties can be imposed on the violating institution and the individuals involved.

It is important that all faculty and staff know about these severe penalties. As noted by the director of the Office for Civil Rights (OCR), the division of the U.S. Department of Health and Human Services that regulates and enforces HIPAA, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” This is a tough standard, but has never been more important. In fact, recent enforcement actions indicate that the OCR is imposing penalties in the millions to show how serious it is about HIPAA enforcement and protecting patients’ rights. 

Within the last year, at our own Medical Center, there have been three reportable breaches of patient information (two involved the loss of USB drives containing patient information, and the third was the result of a stolen desktop computer that had protected health information saved to the hard drive).

Below are just a few examples of recent breaches at other institutions. As you can see, we can face severe penalties for patient breaches, including fines, criminal sentencing, and disciplinary action by licensing boards and employers. 

Remember, everyone plays an important role in protecting our patients’ privacy rights!  

If you have any questions about HIPAA Security and Privacy Rules and the HITECH Act, please contact the Privacy Office at 212-404-4078 or call the HIPAA Helpline, 1-877-PHI-LOSS, available 24 hours a day, seven days a week.  

Incident: A Massachusetts General Hospital employee took some work home, but accidentally left 192 paper billing records—containing detailed protected health information—on the subway.

Penalties: Even though it appears to have been an accident, severe penalties have been imposed on the hospital:

  • $1-million fine
  • Three-year corrective action plan of unprecedented oversight and intervention by the OCR, including the appointment of a designated OCR representative on premises to conduct audits and inspections and additional and frequent reporting to OCR on the hospital’s HIPAA compliance.
  • Requirements to develop comprehensive policies and procedures on laptop and USB encryption, even though the breach involved paper records. The hospital must also implement a comprehensive training program on HIPAA policies and provide written certification that all staff have received and understand the policies. 


Incident: Cignet denied 41 patients, on separate occasions, access to their medical records when requested. This is a violation of the HIPAA Privacy Rule, which requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The company also failed to cooperate with the Office for Civil Rights’ investigation.

Penalties: The fine for the initial violation was $1.3 million. OCR concluded that Cignet had committed willful neglect in failing to comply with the Privacy Rule. The fine for these violations was $3 million.


Incident: An employee of a Miami hospital stole patient information, then sold it as part of an identity theft conspiracy.

Penalties: The employee was sentenced to two years in prison, including 12 months of home confinement, to be followed by three years of supervised release. 


Incident: A researcher at the UCLA School of Medicine received a notice of termination. In retaliation, that evening, he accessed the medical records of his superior and co-workers, and during three other periods over the next four weeks, he accessed UCLA patient records, many of them involving celebrities, a total of 323 times.

Penalty: The researcher was sentenced to four years in prison for violating the HIPAA Privacy Rule.

The OCR is not the only enforcement agency taking action for HIPAA violations. Licensing boards and employers can also take action including suspension and termination. 

Incident: A physician in Rhode Island posted details of some of her emergency room encounters on Facebook.

Penalty: The Rhode Island Board of Medical Licensure found her guilty of unprofessional conduct and issued a reprimand and a fine. Even though patient names were not used, there was sufficient information about the nature of the injuries to one patient to allow an unauthorized third party to figure out who the patient was. The physician claimed she did not intend to disclose confidential information. 


Incident: Thirteen staff members at UCLA accessed Britney Spears’ medical records without authorization.

Penalty: UCLA fired the 13 individuals and suspended another 6. 


Incident: A doctor and two hospital employees accessed the medical records of slain Arkansas TV reporter Anne Pressly, who was found severely beaten in her home and died five days later. The details of her attack were leaked to the media.

Penalty: The three individuals pled guilty to misdemeanors for violating HIPAA Privacy Rules. A federal judge fined the doctor and the two hospital employees and sentenced them to one year probation. The hospital suspended the doctor’s privileges for two weeks and terminated the two employees, an account representative and an emergency room coordinator.