HIPAA Fines: How a Medical Practice Had to Pay $750,000 For Not Being HIPAA Compliant

Health Insurance Portability and Accountability (HIPAA) fines can range from a harmless $100 to a downright detrimental $1.5 million.

Depending on the severity of the compliance mishap, your medical practice may or may not come out of the other end alive.

That's why it is essential to ensure that your operations, IT, and data are secure and compliant with HIPAA.

If not, you may end up like Cancer Care Group (CCG), a large radiation oncology practice located in Indiana. After running into a data breach and widespread evidence of non-compliance with HIPAA, they ended up paying a whopping $750,000 in fines.

Here is how it happened.

A HIPAA Compliance Horror Story

In August of 2012, CCG came forward and reported a security breach to the Office for Civil Rights.

The breach? An encrypted server backup media and laptop were stolen from an employee's vehicle in the parking lot of their offices. The backup media and laptop contained the data for about 55,000 patients, including their protected health information, Social Security numbers, and insurance data.

This breach seemed easy to avoid — simply make sure that any devices that contain sensitive information on your patients are safe and secure (i.e. not left in your parked car).

However, an investigation launched by the division within the Office for Civil Rights that handles HIPAA compliance found that even before the breach, CCG was not careful with their data.

A statement from the investigation's report reads that CCG was in "widespread non-compliance with the HIPAA Security Rule," before the device was ever stolen from the car.

In other words, a breach was inevitable.

In addition to failing to conduct an enterprise risk analysis when the laptop and device were originally stolen, Cancer Care had no written policy in place to address the removal of electronic media from its locations. Since 2005, the year that this security rule was put in place, the oncology practice did not address these deficiencies.

There appeared to be a company-wide culture that did not put enough effort towards ensuring they were HIPAA compliant.

Put all this together, and you get a $750,000 fine. Depending on the size of your healthcare practice, failing to ensure that you are HIPAA compliant can cost you dearly.

For more information on HIPAA fines, check out this brief breakdown of how the amount of these fines are calculated. Keep in mind, other factors and variables are considered, but this is a basic summary:

HIPAA Fines Breakdown

First Tier

Description: The entity did not know and could not have reasonably known about the data breach.

Fine Amount: $100-$50,000 per incident (up to $1.5 mill).

Second Tier

Description: The entity knew, or by exercising reasonable diligence, would have known of the violation. Although they did not act with willful neglect.

Fine Amount: $1,000 - $50,000 per incident (up to $1.5 mill).

Third Tier

Description: The entity acted with willful neglect, but corrected the issue within 30 days.

Fine Amount: $10,000 - $50,000 per incident (up to $1.5 mill).

Fourth Tier

Description: The entity acted with willful neglect and failed to correct the issue promptly.

Fine Amount: $50,000 - $1.5 million

How Medicus IT Can Help You Avoid These Fines and Keep Your Patients' Data Safe

Here at Medicus IT, we have a team of healthcare-oriented IT professionals who are passionate about making sure the necessary solutions are in place to make your healthcare practice HIPAA compliant.

Through our ongoing training, we'll help ensure that you're up-to-date on the latest information when it comes to healthcare security. We're transparent with our clients so that they know what we are doing and how we are helping.

Today, hackers are trying to steal information from healthcare practices in many different ways. Because of this, these practices have to make the security of their patient data a top priority.

And if your practice ever experiences a security breach and the audit that follows finds issues in your security systems, you will be subjected to heavy fines.

We understand the risk you face as a medical practice, and we’ll make sure the security of your patient’s data is a top priority.

For more information, please contact us and schedule your free network assessment today!