The Office for Civil Rights (OCR) set a record in 2016 for the number of breach settlements and for the amount in penalties.
Not only did the OCR ramp up its audit program, it also began enforcing HIPAA more stringently. In 2016, the OCR settled with 12 healthcare organizations for HIPAA violations, for a total of $22,855,300. For more information on the individual breaches, see the table below.
*Information found at the OCR Breach Notification Portal
Investigations into breaches take time. Many of the breaches occurred in 2012 or 2013, and were only settled in 2016. It is likely that 2017 will see many more settlements.
Additionally, many of the OCR's press releases on these settlement cases highlighted the need for a risk assessment. During these investigations the OCR found that, on top of suffering a significant breach, many organizations had never conducted a risk assessment at all. Because a risk assessment is a requirement for HIPAA compliance, the OCR set larger settlement amounts to reflect that noncompliance.
Smaller organizations should take particular note of the settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (***). Only 412 individuals were affected, which falls below the 500-individual threshold for notifying the media; nevertheless, the organization ended up with a settlement of $650,000. Just because a breach at your organization affects fewer than 500 individuals does not mean you will avoid severe monetary penalties.
Make sure that you don’t end up on a list like this and conduct your risk assessment now. HIPAAgps offers a user-friendly solution to help you complete your risk assessment.