Tips on Avoiding Large HIPAA Fines

OCR's Leon Rodriguez Offers Insights on Key Factors
Tips on Avoiding Large HIPAA Fines

What determines the size of a penalty for HIPAA violations? The key factors are the lack of a timely risk assessment and the failure to address ongoing security issues, says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights.

See Also: 5 Requirements for Modern DLP

"Failure to take action quickly ratchets up the penalties," Rodriguez told an audience at a HIPAA security conference in Washington on May 22, hosted by OCR and the National Institute of Standards and Technology. As an example, he pointed to a $1.7 million settlement last year with the Alaska Department of Health after an investigation of a relatively small breach incident that uncovered bigger issues. "The issues of the underlying breach went on for a year after the breach - that's why the fine was so big," he says.

The largest non-compliance penalty so far - $4.3 million - was issued to Cignet Health in a case where the organization refused to provide patients with their medical information and then refused to cooperate with investigators, Rodriguez notes. OCR is currently in court trying to collect the fine, he adds.

OCR has issued monetary penalties in 13 HIPAA cases, Rodriguez says. In the most recent agreement, announced this week, an investigation of a breach at a clinic owned by Idaho State University led to a $400,000 penalty.

Leveraging Best Practices

Rodriguez' best advice for avoiding OCR enforcement actions? "Be smart and implement best practices, and conduct ongoing risk analysis. ... Ongoing is key."

Too many organizations fail to update their HIPAA compliance training or refresh their risk assessments as their business activities and technologies change, he stresses.

Last year's pilot HIPAA compliance audit program also identified the lack of updated risk assessments as a common problem (see: HIPAA Audits: The Next Round).

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.