Health Insurance Portability and Accountability Act (HIPAA) Enforcement Actions
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a federal law that protects the privacy and security of individuals’ health information. It establishes national standards for electronic healthcare transactions, ensures the confidentiality of personal health records, and promotes data integrity.
HIPAA enforcement actions are taken by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). The OCR investigates complaints filed against covered entities, such as healthcare providers and health plans, and their business associates to ensure compliance with HIPAA regulations.
Real Examples of HIPAA Enforcement Actions:
- Anthem Inc. – $16 Million Settlement: In 2015, Anthem Inc., one of America’s largest health insurance companies, suffered a massive data breach compromising nearly 79 million individuals’ personal information. The OCR conducted an investigation revealing multiple HIPAA violations related to insufficient security measures to protect electronic protected health information (ePHI). As a result, Anthem agreed to pay a settlement of $16 million.
- Cottage Health System – $3 Million Settlement: In 2013-2014, Cottage Health System experienced several breaches affecting over 62,000 patients’ ePHI due to inadequate safeguards on its servers. The OCR found significant deficiencies in risk management processes that led to unauthorized access to patient records. Cottage Health System settled the case by paying $3 million.
- New York-Presbyterian Hospital and Columbia University – $4.8 Million Settlement: In 2010, a joint breach involving New York-Presbyterian Hospital and Columbia University resulted in the exposure of approximately 6,800 patients’ ePHI on the internet. The OCR investigation revealed insufficient security measures and a lack of proper authorization controls to protect patient data. Both entities agreed to pay a combined settlement of $4.8 million.
Verdict:
HIPAA enforcement actions are crucial for maintaining the privacy and security of individuals’ health information. The real examples mentioned above highlight the severity of consequences faced by organizations that fail to comply with HIPAA regulations.
To avoid potential penalties and reputational damage, covered entities must prioritize implementing robust security measures, conducting regular risk assessments, training employees on privacy policies, ensuring appropriate authorization controls are in place, and promptly addressing any identified vulnerabilities.