We often discuss how noncompliance can lead to steep HIPAA fines, civil penalties, and loss of reputation. The release of information (ROI) is a complicated process, however. It can be challenging to truly understand how crucial compliance is through all the legal jargon.
While it’s hard to believe your organization could face devastating HIPAA fines, in many cases the organization had no idea it was in violation until OCR came calling. It’s also an unfortunate truth that HIPAA fines have cost covered entities nearly $140 million, and that figure is still rising.
In this article, we’ll discuss six HIPAA fines in 2023 in order of their settlement costs. Each of these incidents presents an opportunity to learn from others’ mistakes and avoid becoming the next organization fined.
6: Life Hope Labs, LLC – $16,500 Settlement
The first example is Life Hope Labs, LLC, a full-service diagnostic laboratory in Georgia, which settled for Right of Access Initiative noncompliance. While $16,500 is a relatively small HIPAA fine, this type of violation is a common one.
The Office for Civil Rights (OCR) implemented the Right of Access Initiative in 2019, and it has been a leading cause of HIPAA violations ever since. Failure to release requested PHI within the 30-day HIPAA deadline may result in fines like this one.
This incident has an interesting timeline.
- On July 7, 2021, a requestor submitted a request for their deceased father’s medical records.
- Next, in August 2021, the requestor submitted a complaint with OCR after not receiving the records within the 30-day deadline.
- In February 2022, Life Hope Labs, LLC finally released the requested records.
- Finally, in January 2023, the HHS Press Office announced the settlement for this violation.
The first part of this incident we should note is that the requestor didn’t delay in submitting the complaint. OCR makes complaints easy to submit, and they’ve worked hard to ensure patients understand their rights.
The second part is the 7-month gap between request submission and fulfillment. Even if they submitted valid extension documentation, Life Hope Labs, LLC would still be 5 months overdue.
The third noteworthy part is the date of the official press release. Almost a full year passed between the release of the requested records and the press release publication. This really drives home the point that time won’t make HIPAA violations disappear.
5: Manasa Health Center, LLC – $30,000 Settlement
Google Reviews can be an excellent tool for assessing healthcare organizations, release of information companies, and more. In this $30,000 HIPAA fine settlement, however, it was instead used to breach patient privacy multiple times in response to negative reviews.
Manasa Health Center, LLC is a healthcare organization in New Jersey that provides psychiatric services to children and adults. OCR received a complaint against them in April 2020 from a patient whose PHI was impermissibly disclosed in a reply on Google Reviews. During its investigation, OCR discovered that Manasa Health Center, LLC had done the same to 3 other patients as well.
We recently posted an article about assessing release of information companies using Google Reviews, but this is a different situation. Per the negativity bias, people are more likely to leave negative reviews than positive ones. Sometimes reviewers even leave negative reviews in hopes that it will spark a faster resolution of their issue.
Upon receiving a negative review, it’s important for the organization to consider it as an opportunity for improvement. Under no circumstances, however, is it acceptable to retaliate by exposing private information on a public website.
Perhaps unsurprisingly, Manasa Health Center, LLC also failed to implement HIPAA Privacy Rule and Breach Notification Rule policies and procedures. In addition to the $30,000 settlement fine, Manasa Health Center, LLC must comply with a rigid two-year corrective action plan monitored by OCR.
4: iHealth Solutions, dba Advantum Health – $75,000 Settlement
Despite the best efforts of health IT professionals, hackers occasionally manage to breach the systems organizations use to store PHI. Whether this is due to technical issues or human error, it exposes sensitive data cybercriminals can use for identity theft.
This is what happened to Advantum Health, a business associate that provides organizations with coding, billing, and onsite IT services. This $75,000 HIPAA fine settlement occurred because an unsecured server breach exposed the individually identifiable health information (IIHI) of 267 patients.
The breach involved an unauthorized transfer of PHI out of the organization’s systems, which is called data exfiltration. In this HIPAA breach, the hackers gained access to patient information including full legal names, dates of birth, home addresses, email addresses, Social Security numbers, diagnoses, treatment information, medical procedures, and medical histories.
While the issue was caused by a server weakness, Advantum Health inadequately assessed its risks and vulnerabilities. HIPAA Security Rule and Privacy Rule risk analysis may take time and resources to complete, but this incident proves how important it is for lasting compliance and patient privacy.
In addition to the $75,000 fine, Advantum Health will implement a corrective action plan monitored by OCR.
3: Yakima Valley Memorial Hospital – $240,000 Settlement
When you think about protecting medical records for HIPAA compliance, most people think about guarding PHI from outside entities. In this $240,000 HIPAA fine settlement, however, the violation is due to a breach that remained entirely within the organization.
In 2018, OCR began investigating Yakima Valley Memorial Hospital in Washington for unlawful access to PHI by hospital workers. According to the report, 23 security guards in the emergency department used their login credentials to snoop on the medical records of 419 patients.
Curiosity is natural, and there’s a precedent of healthcare workers reviewing celebrity and family medical records without a medical reason. Without the patient’s authorization or a reason directly related to their job function, however, this is considered a breach.
In this situation, the root of the HIPAA fine was a lack of access control. While it makes sense for security guards to have access to certain system functions, their job description doesn’t involve patient care, so it doesn’t require access to patient charts.
There’s a common HIPAA term called the Minimum Necessary Standard. This is essentially the idea that people should only access and release the minimum records necessary to fulfill requests. Anything beyond that may be cause for an investigation.
When developing access control policies, it’s important to assess what data each individual role will require. For example, a medical records manager who oversees all requests likely needs access to the organization’s entire system(s) of record, while a front office worker may only need basic patient information for scheduling appointments.
Each role’s access requirements may vary from organization to organization, and this HIPAA fine serves as a great example of why risk analysis must include access control. Like the previous incidents, Yakima Valley Memorial Hospital will implement a corrective action plan monitored by OCR for 2 years.
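As an added illustration of the Minimum Necessary Standard described above (this is example code, not anything from the page or from any hospital’s actual system), the policy below assigns each role only the PHI categories its job function needs, denies everything else by default, and then reviews a constructed audit log to flag reads that fall outside a role’s scope, the pattern in the Yakima Valley incident. The role names, PHI categories, and log entries are all assumptions made for the example.

```python
"""Minimum-necessary access policy plus audit-log review (added example).

Role names, PHI categories and log entries below are assumptions for
illustration only, not a real policy or real patient data.
"""

# Each role maps to the PHI categories its job function requires (assumed).
ROLE_PERMISSIONS = {
    "medical_records_manager": {"demographics", "scheduling", "clinical", "billing"},
    "front_office": {"demographics", "scheduling"},
    "security_guard": {"scheduling"},  # ER check-in only; no chart access
}


def is_permitted(role, category):
    """Deny by default: unknown roles and unlisted categories get no access."""
    return category in ROLE_PERMISSIONS.get(role, set())


def review_access_log(entries):
    """Return the audit entries that fall outside the role's minimum-necessary scope.

    Each entry is a dict with keys: user, role, category, patient_id.
    """
    return [e for e in entries if not is_permitted(e["role"], e["category"])]


def snooping_summary(violations):
    """Count distinct patients each user touched out of scope (for triage)."""
    per_user = {}
    for v in violations:
        per_user.setdefault(v["user"], set()).add(v["patient_id"])
    return {user: len(patients) for user, patients in per_user.items()}


# Constructed sample audit entries (not real data).
SAMPLE_LOG = [
    {"user": "guard01", "role": "security_guard", "category": "scheduling", "patient_id": "P100"},
    {"user": "guard01", "role": "security_guard", "category": "clinical", "patient_id": "P101"},
    {"user": "guard01", "role": "security_guard", "category": "clinical", "patient_id": "P102"},
    {"user": "front02", "role": "front_office", "category": "demographics", "patient_id": "P103"},
    {"user": "front02", "role": "front_office", "category": "clinical", "patient_id": "P104"},
    {"user": "mgr01", "role": "medical_records_manager", "category": "clinical", "patient_id": "P105"},
    {"user": "temp07", "role": "contractor", "category": "demographics", "patient_id": "P106"},
]

if __name__ == "__main__":
    out_of_scope = review_access_log(SAMPLE_LOG)
    for e in out_of_scope:
        print(f"OUT OF SCOPE: {e['user']} ({e['role']}) read {e['category']} for {e['patient_id']}")
    print(snooping_summary(out_of_scope))  # {'guard01': 2, 'front02': 1, 'temp07': 1}
```

In a real deployment the same check runs at request time to block the access, while the log review catches policy gaps and misassigned roles after the fact.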
2: MedEvolve Inc. – $350,000 Settlement
Snooping on the PHI of 419 patients is a serious offense, but that’s pretty minor compared to this next breach. In the last incident, the data was secure from the outside world but accessed unlawfully by individuals within the organization.
MedEvolve Inc., a business associate that specializes in practice and revenue cycle management, settled for $350,000 after a major data security issue breached the PHI of 230,572 patients. The settlement follows a 2018 investigation, which discovered that the server housing this PHI was accessible to anyone with an internet connection.
According to the official press release, 79% of large breaches reported to OCR were due to hacking or IT incidents. Hackers can make a lot of money by using or selling PHI for the purpose of identity theft. In this case, however, cybercriminals wouldn’t have needed any tools, skills, or manipulation to access sensitive medical information.
While it’s unclear whether patients were impacted by this breach, its magnitude and avoidability contributed to its high fine amount. This is another situation where inadequate risk analysis led to devastating financial losses.
Additionally, the press release reports that MedEvolve Inc. failed to enter into a business associate agreement with a subcontractor. In this case, the OCR corrective action plan focuses on ensuring compliance with the Security Rule.
1: Banner Health – $1,250,000 Settlement
It may be cliché, but great power requires great responsibility, and bad things happen when that responsibility is neglected. The final HIPAA fine on our list involved a breach of the PHI of about 12 times more people than the previous entry.
In 2016, a hacker targeted a weak point in the organization’s defenses to breach the PHI of 2.81 million Banner Health patients. This Arizona-based nonprofit health system paid a settlement of $1.25 million after the cyber attack.
In this attack, the hacker accessed sensitive patient information, including full legal names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses & conditions, and health insurance information.
In their investigation, OCR found that Banner Health had “long-term, pervasive noncompliance with the HIPAA Security Rule.” This incident was caused by a combination of poor risk assessment, insufficient system monitoring, the lack of a requestor authentication process, and failure to implement security measures to protect PHI.
In addition to this astronomical HIPAA fine, Banner Health must undergo a comprehensive corrective action plan.
How Can You Prevent HIPAA Fines For Your Organization?
Avoiding HIPAA fines requires continuous compliance with all of the HIPAA Rules, and violations can take just moments to occur. Covering everything necessary for HIPAA compliance would take dozens of pages, so here are 6 key things to prioritize.
Staff Training: Conduct regular HIPAA training sessions for all employees to educate them on privacy rules, handling patient information, and potential risks. Ensure that staff members are well-informed about the consequences of noncompliance.
Risk Assessments and Monitoring: Regularly conduct comprehensive risk assessments to identify vulnerabilities in data security. Address any weaknesses promptly to prevent potential breaches.
Secure Communication: Encourage the use of secure, encrypted channels for transmitting patient data, to prevent unauthorized access to sensitive information.
Access Controls: Limit access to patient data to only those employees who require it for their specific roles. Regularly review and revoke access for former employees or those with changing roles.
Incident Response Plan: Develop and implement a detailed incident response plan to handle data breaches promptly and effectively, minimizing the impact on patients and the organization. This should include data backup and recovery procedures.
Only Partner With Trusted Business Associates: Business associates must follow the same HIPAA guidelines as covered entities or face HIPAA fines. Mitigate the risk by only partnering with organizations that care about patient privacy and security as much as you do.
If your organization is concerned with meeting various HIPAA requirements, such as the Right of Access Initiative, ChartRequest can help. With over a decade of experience helping healthcare organizations across the country streamline the release of information, our digital ROI solution makes compliance a breeze.