In previous blog posts discussing HIPAA compliance we discussed the importance of the various controls and measures that HR departments operating with protected health information (PHI) must follow based on common security vulnerabilities and the attack techniques used by criminals.
This time, we consider the potential cost and consequence of HIPAA non-compliance through the lens of recent enforcement actions by the Office of Civil Rights (OCR), state governments, and civil suits brought by private citizens.
The monetary costs of non-compliance are not insignificant.
Since 2022, organizations have paid penalties 32 times, amounting to more than $59 million. The OCR, the entity that enforces the HIPAA regulations, recently revised the tiered framework used to impose civil monetary penalties, which is based on the seriousness and extent of the harm:
| Violation category | Minimum penalty per violation | Maximum penalty per violation | Annual limit |
|---|---|---|---|
| Did not know | $137 | $68,928 | $2,067,813 |
| Reasonable cause | $1,379 | $68,928 | $2,067,813 |
| Willful neglect – corrected | $13,785 | $68,928 | $2,067,813 |
| Willful neglect – not corrected in 30 days | $68,928 | $2,067,813 | $2,067,813 |
OCR takes into consideration that some security breaches are almost inevitable. Some are caused by “zero-day” vulnerabilities – where criminals discover and act on a new system weakness before anyone knows about or can defend against it – and some are caused by inevitable human error. Penalty amounts increase with the seriousness of the infraction and the degree of neglect demonstrated by the organization. This framework only applies to actions taken by OCR, while amounts decided by State Attorneys General or recovered through class action lawsuits are not limited.
Penalties are usually related to security gaps.
Most commonly, penalties were levied for gaps in the organization’s data security and privacy program. Examples of common infractions are a lack of multifactor authentication on email systems, not applying patches promptly, lack of a realistic risk analysis, inaction on known problems, and taking too long to notify victims of breaches. In addition to paying penalties, in every such case the organization was required to redo its risk analysis and resolve the specific deficiencies.
While the OCR and State AGs often pursue the cases causing the most harm to the most people, we also see them picking cases where few were harmed but there is significant training and publicity value. For example, there are instances where an action may not have caused significant harm to anyone but the cases were brought to emphasize that PHI is not to be used for purposes for which it was not intended.
Recent enforcement actions drive home the consequences.
The largest penalty of all time was $49,000,000, levied by the State of California in 2023 against a major healthcare provider. The State found that the organization was improperly disposing of various records and medical waste in unlocked dumpsters handled by uncertified disposal companies at some of its 800 locations. State Attorneys General have more leeway to bring suit, and in this instance, California found the provider in violation of 11 different laws and regulations.
In another case, a medical center paid $250,000 in a settlement with the State Attorney General after a ransomware attack compromised the sensitive data of 89,707 state residents. The State Attorney General alleged violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, the State Disclosure of Security Breach Act and the State Deceptive Consumer Sales Act. The State determined the company’s HIPAA risk analysis was not accurate and thorough, and the critical security issues it did identify were not addressed. The State also found that the organization had not implemented proper security and privacy procedures and it took more than 225 days to issue breach notification letters, where the OCR requirement is 90 days. To add insult to injury, patients later filed two class action lawsuits against the center which were settled for $1.3 million.
In May of this year, a national vision care provider agreed to pay $2.5 million in a settlement with the states of New Jersey, Oregon, and Florida, only after having settled with the New York Attorney General for $600,000 in January 2022, and with the New York State Department of Financial Services for $4.5 million in October 2022 – all for violations related to a single breach where a threat actor got the credentials to an employee’s email account and was able to steal six years’ worth of personal information on 2.1 million people including names, Social Security numbers, and medical diagnoses, and then sent 2,000 phishing emails from the compromised account.
Take every precaution to protect PHI – and your organization.
The bottom line is that noncompliance with HIPAA can have significant consequences for an organization – in addition to OCR enforcement actions including the aforementioned penalty framework, there are a myriad of state privacy laws and private claims that can be brought against a company that did not take appropriate precautions.