No one thought that the U.S. Department of Health and Human Services (HHS) would go after a small medical practice until a 5-doctor cardiac practice in Phoenix paid a $100,000 HIPAA penalty. Many were surprised when the Alaska Department of Health and Social Services paid a $1.7 million fine for losing a hard drive. People commented that they did not think the federal government would go after a state agency, out of 'professional courtesy.' In September 2012, the prestigious Massachusetts Eye and Ear Infirmary (part of Harvard Medical School) was fined $1.5 million after a doctor had his laptop stolen while he was attending a conference in Korea.

In each case HHS said that the organizations were guilty of 'willful neglect' of HIPAA. Simply, they knew the law went into effect in 2005 and they did not do enough to comply with it.

So what changed, after 7 years of virtually no enforcement?

In 2008, the HHS Inspector General's office issued a very critical report saying that the HIPAA regulations were not being enforced by the Centers for Medicare and Medicaid Services (CMS). In July 2009, the HHS Office for Civil Rights (OCR) was given the responsibility of enforcing the HIPAA Security Rule governing the privacy of electronic protected health information. HHS hired a former federal prosecutor as the Director of the Office for Civil Rights.

The HITECH Act of 2009 (which is best known for providing $36 billion to fund electronic medical records systems for doctors and hospitals) made several significant changes to HIPAA. Data breach reporting was enhanced. The HHS Office for Civil Rights was allowed to keep any fines it levied. Audits and enforcement were funded. The state attorneys general were given the authority to enforce civil violations of HIPAA (instantly multiplying the enforcement agencies by 50 times). Business Associates were required to comply with HIPAA as if they were Covered Entities.

OCR has asked for additional funding to permanently continue the audit program. More enforcement is expected because whistleblowers will be able to share in the HIPAA financial penalties.

There is no way to totally prevent a data breach. A trusted employee with authorized access to protected data may go rogue and take advantage of that access to divulge protected information for personal gain or to cause harm. However, this is very infrequent compared to the accidental loss of data due to weak (or non-existent) controls, a lack of policies and procedures, and no training for the workforce. These underlying issues are often discovered only after a data breach has occurred, when it is too late. Heavy fines are not issued just for the breach itself, but for ignoring the rules for years.

Our next article will review the Resolution Agreements signed for each data breach, and what advice the Chief Security Officer of one of the penalized organizations has for you. Even if you have a data breach, you are much more likely to get the benefit of the doubt, and a reduced penalty, if you have done everything you can to comply with HIPAA.