Tips on Avoiding Large HIPAA FinesOCR's Leon Rodriguez Offers Insights on Key Factors
What determines the size of a penalty for HIPAA violations? The key factors are the lack of a timely risk assessment and the failure to address ongoing security issues, says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights.
"Failure to take action quickly ratchets up the penalties," Rodriguez told an audience at a HIPAA security conference in Washington on May 22, hosted by OCR and the National Institute of Standards and Technology. As an example, he pointed to a $1.7 million settlement last year with the Alaska Department of Health after an investigation of a relatively small breach incident that uncovered bigger issues. "The issues of the underlying breach went on for a year after the breach - that's why the fine was so big," he says.
The largest non-compliance penalty so far - $4.3 million - was issued to Cignet Health in a case where the organization refused to provide patients with their medical information and then refused to cooperate with investigators, Rodriguez notes. OCR is currently in court trying to collect the fine, he adds.
OCR has issued monetary penalties in 13 HIPAA cases, Rodriguez says. In the most recent agreement, announced this week, an investigation of a breach at a clinic owned by Idaho State University led to a $400,000 penalty.
Leveraging Best Practices
Rodriguez' best advice for avoiding OCR enforcement actions? "Be smart and implement best practices, and conduct ongoing risk analysis. ... Ongoing is key."
Too many organizations fail to update their HIPAA compliance training or refresh their risk assessments as their business activities and technologies change, he stresses.
Last year's pilot HIPAA compliance audit program also identified the lack of updated risk assessments as a common problem (see: HIPAA Audits: The Next Round).