HIPAA enforcement falls under the United States Department of Health and Human Services (HHS).  Among its several objectives, it’s intent is to protect patients from the disclosure of their personal health information.  While the HHS Department may levy fines or penalties, you also have a right to file suit for the disclosure.

HIPAA covers various types of data held by the healthcare provider.  It applies to information in various formats including paper, digital and even oral.  Regardless of how the information exists, privacy must be maintained and protected.  The hospital, clinic or doctor’s office will typically request that the patient sign a HIPAA Release form, which grants the provider authorization to release certain information to specific third parties (including insurance companies.

The 4 primary types of information protected under HIPAA include:

• Name, address, birth date and social security number
• Information about an individual’s physical or mental health status
• Information detailing care provided to a patient
• Information regarding the payment for care that was provided to an individual

There are various penalties that may apply in the event of a breach of healthcare information.  It’s best to consider these as Minimum Tiers:

• $100 per violation for unknowingly committing a violation. The annual maximum of $25,000 for repeat violations.
• $1,000 per violation for having reasonable cause. The annual maximum is $100,000 for repeat violations.
• $10,000 per violation if it was done with willful neglect – but corrected within a given time period. The annual maximum is $250,000 for repeat violations.
• $50,000 per violation with willful neglect and the violation remains uncorrected. The annual maximum for repeat violations is $1.5 million.
• Note the above figures are minimum amounts. The maximum for any of the tiers is $50,000 per violation and is capped at $1.5 million for repeat violations.

There are other remedies that could potentially be imposed.  It’s not uncommon for the offending entity to have to provide a year or more of identity theft protection.  This can be an extremely valuable benefit to victims whose personal information was exposed.

You have a right to assume your information will remain confidential.  This is even more important when that information involves sensitive healthcare data.  When a provider violates that trust, steps need to be taken to ensure it doesn’t happen again.  Especially in this day and age wherein protected personal information can be bought and sold to those with less than honorable intentions.

As we discussed in a previous blog post, companies also have a duty to preserve your personal information such as your name, address, phone and email address.  Disclosure of such data can put you at risk for identity theft.

It today’s world, we are bombarded by news reports about identity theft.  You’ve probably seen hundreds of TV commercials for companies providing protection against this growing issue.  The bottom line is that by exposing your personal information, the doctor’s office, clinic, hospital, or other business has increased the chance that you could be vulnerable to malicious actions by cyber thieves.

Resolving identity theft issues can take months, maybe years, of effort and cost thousands of dollars.  You shouldn’t be placed at risk due to someone else’s negligence.

Examples of HIPAA Penalties in 2016

$239,800 – Lincare, Inc. lost a case on summary judgement for HIPAA violations.

$400,000 – Metro Community Provider Network (MCPN), a federally-qualified health center to settle potential noncompliance with the HIPAA Rules

$650,000 – Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations involving hundreds of nursing home residents. The total number of individuals affected by the combined breaches was 412.

$1.55 Million – North Memorial Health Care of Minnesota to settle charges it potentially violated HIPAA.

$2.2 Million – New York Presbyterian Hospital for disclosing protected information about 2 patients, without obtaining authorization from the patients.

$3.9 Million – Feinstein Institute for Medical Research to settle charges it potentially violated HIPAA.