Cost of a Patient Data Breach: Fines

By Robert Lord
Co-Founder and CEO, Protenus 

Healthcare data breaches are long and expensive affairs, between the cost of conducting a forensics investigation, notifying affected patients, and dealing with any resulting lawsuits. However, even after an organization has paid these immediate costs and is facing lost revenue and brand value from customer attrition, it may find itself facing yet another cost: fines.

The U.S. Department of Health and Human Services (HHS) created the Office for Civil Rights (OCR) to enforce the HIPAA Privacy and Security Rules. One of the main ways that OCR does this is by fining organizations that fail to meet HIPAA regulations. Recently, OCR has been much more aggressive in handing out these penalties, fining organizations more frequently and more heavily for violations of the HIPAA Rules, and this has increased the overall cost of a healthcare data breach.

Consider reading the entire Cost of a Breach series to better understand impacts beyond fines.

The 4 Categories of HIPAA Fines

OCR has established different categories when determining how much to fine an organization, based mainly on how much knowledge an organization had of the HIPAA violation. These categories are:

  • Category 1: The organization was unaware of the violation and could not have realistically avoided it.
  • Category 2: The organization should have been aware of the violation, but still could not have reasonably avoided it.
  • Category 3: The organization willfully neglected the HIPAA Rules, but attempted to rectify the violation.
  • Category 4: The organization willfully neglected the HIPAA Rules and no attempt was made to rectify the violation.

The higher the violation category, the more expensive the fine, and the maximum fine per violation category, per year, is $1.5 million. Moreover, with the establishment of the Omnibus Rule in 2013, all healthcare providers, health plans, and healthcare clearinghouses, as well as any business associates of those organizations, are required to adhere to HIPAA Rules and are thus subject to HIPAA fines. In short, it applies to anyone or any business that comes in contact with protected healthcare information.

Recent HIPAA Fines

The past few years are rife with examples of HIPAA violations and OCR levying large fines against healthcare organizations. Here are a few recent examples:

  • An unencrypted laptop belonging to Concentra Health Services was stolen, and in April 2014, OCR fined that organization $1.7 million for the HIPAA violation.
  • Similarly, New York-Presbyterian Hospital and Columbia University agreed to pay $4.8 million in May 2014 after patients’ records were exposed on the internet.
  • Finally, in July of this year, Oregon Health and Science University (OHSU) was fined $2.7 million for its two 2013 data breaches that affected 7,066 patients.

These three examples illustrate that OCR is being much more aggressive in fining organizations for HIPAA violations and that the amount of these fines continues to rise. The graph below emphasizes this point further, showing the upward trend in fine amounts, and an increase in months with millions of dollars of fines.

[Figure: fines]

HIPAA Fines on the Rise

It appears that this trend of more aggressive and more expensive HIPAA fines will continue into the future. Recent cases, for instance, demonstrate that OCR is levying large fines for minor breaches as well as major ones. The two OHSU breaches are a good example of this; those breaches affected 7,066 patients, a small number compared to some of the other, much larger breaches that have rocked the healthcare world. Nevertheless, OCR fined OHSU $2.7 million for the HIPAA violations. Furthermore, OCR is concentrating more and more on “systemic compliance failures.” In other words, it is focusing on penalizing organizations that consistently neglect to safeguard the electronic protected health information (ePHI) of their patients.

The cost of HIPAA fines will also likely see an increase in the future. Adam Greene, a privacy attorney who has worked with OCR in the past, stated in an interview in April 2015 that OCR would be fining healthcare organizations even more heavily in the coming years. These fines, he continued, would far outweigh the fines levied in 2014. This year has already been a banner one for HIPAA fines. From January to July 2016, OCR has levied a total of approximately $15 million in fines, compared to the $6.2 million in all of 2015.

And that 2016 number does not even include the massive HIPAA fine that was levied against the Advocate Health Care Network in August of this year. Last month, Advocate agreed to pay $5.55 million – the largest fine ever levied by OCR – for multiple HIPAA violations that led to its 2013 data breach, in which four unencrypted laptops were stolen, affecting 4 million patients. Jocelyn Samuels, the director of OCR, said that she hopes this will send “a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure.”

How to Mitigate HIPAA Fines

If these fines are getting more expensive and being enforced more aggressively, what steps can an organization take to mitigate or even eliminate them? Two specific standards that a healthcare organization can concentrate on implementing more effectively are risk assessment and risk management. As Director Samuels suggested, OCR is focusing on these standards and trying to encourage organizations to work to meet them by penalizing organizations that fail to do so. See a recent post on the HIPAA Security Rule and the role an analytics platform can play in meeting these standards for more information on this topic.

Other factors that OCR considers when determining how much to fine an organization for HIPAA violations include the nature and extent of the violation itself; the harm caused by the violation; and the history of that organization’s compliance with HIPAA. Thus, an organization that repeatedly suffers large breaches resulting from noncompliance with the same HIPAA rule and that cause great harm to the affected patients will be fined heavily. On the other hand, an organization that is proactive in assessing and managing risks to ePHI, as well as in identifying and eliminating threats, will be able to mitigate or even eliminate HIPAA fines, thereby reducing the overall cost of a healthcare data breach.

Don’t Just Mask the Symptoms, Fix the Problem

Nevertheless, HIPAA fines are merely a symptom of a deeper problem. The HIPAA Rules represent the minimum an organization must do to protect ePHI. If an organization wants to take patient privacy seriously, it must implement an effective privacy program that will enable it to not only meet the HIPAA standards, but – more importantly – to be proactive in working to eliminate the deeper problem – data breaches themselves.


1 COMMENT

  1. Hi Editor,
    My name is Kamy, I have recently contributed articles to sites like QuestionPro, Best Company, Thehrdirector, Adotas, TechWyse and I was wondering whether you would be interested in getting me on board to provide some articles to your website too. For starters, here are a couple of story ideas that I have for you:  
    5 Killer Examples of Gamified Elearning
    Top 10 Online HR Training Software to Use in 2020
    5 Essential tips to Be a More Productive eLearning Project Manager
    10 Ways to Boost Marketing, Sales, & Enrollment in Online Courses
    Why HR professionals should undergo compliance training
    How Web-Based Learning is the Next Level of Education
    5 Myths You don’t Know about K-12 Virtual Learning
    How Sexual Harassment Training is Linked to Better Workplaces  
    How Artificial Intelligence is Transforming the Health Care Functions 
    5 Secrets to Increase Employee Engagement With Technology
    Are you interested? Or please let me know if you have something in your mind for your blog.
    (If you’re not the right person to respond on this, please direct my email to the right one)
    Thanks,
    Kamy Anderson
