Health Information Management

Where can I find information on organizations fined or penalized for HIPAA violations?

HIPAA Weekly Advisor, August 2, 2004


Q: Where can I find information on organizations fined or penalized for HIPAA violations? My management says that the government won't do anything to us if we're not following the rules, but that sounds risky to me. What can I tell them to refute their assertion we won't run into trouble if we violate the rules?

A: Several thousand medical privacy complaints were filed with the HHS Office for Civil Rights (OCR) during the first year of privacy rule enforcement, with no civil monetary penalties assessed. However, you're right to be concerned about your management's risky attitude. Bear in mind the following:

OCR reportedly turned over to the U.S. Department of Justice (DOJ) dozens of complaints for criminal investigation. These are complaints of "wrongful disclosure" broadly defined by HIPAA and not limited to actions with malicious intent or for personal gain. They are the more serious cases by definition and we have yet to learn their outcome. Note that both monetary penalties and prison time can result from so-called criminal actions.

Another federal agency, the Federal Trade Commission, imposed severe penalties on healthcare organizations, and we may see the same from the DOJ. Furthermore, over time, as federal administrations change and public opinion shifts, OCR could more vigorously enforce the rule. In fact, the well-regarded Health Privacy Project urges Congress and the OCR to aggressively monitor compliance rather than rely solely on consumer-driven complaints.

But the greatest risks today to your organization come from private lawsuits and negative publicity. Courts cited HIPAA's privacy rule in medical privacy cases even before the rule became enforceable. And a growing body of information security laws and regulations creates a de facto standard.

Any organization, even a small one, that does not meet that standard (i.e., acceptable information security practices) will find it difficult to withstand a legal challenge in the face of a breach. Absent a breach, if your local newspaper discovers that your organization engages in substandard practices (for example, improper disposal of papers and electronic media), the bad press alone can financially impact a facility because patients may go elsewhere for their care.

Note: Health Privacy Project is a nonprofit organization dedicated to raising public awareness of the importance of ensuring privacy to improve healthcare access and quality. Go to www.healthprivacy.org for more information.

This question was answered by Kate Borten, CISSP, CISM, president and founder of The Marblehead Group, Inc., in Marblehead, MA, a national security and privacy consulting firm focusing on the healthcare industry. This is not legal advice. Consult with your facility's legal counsel for legal matters.
