Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Federal HIPAA violations and state law causes of action are nothing to ignore. The penalties are substantial.
2014 has brought many "advances" in the amount and type of financial penalties related to HIPAA. In this article, I want to highlight two. The first is a sanction imposed on an insurance company in Puerto Rico for HIPAA violations, accompanied by a warning that heftier fines will follow. The second is a case brought in Louisiana state court against a major health system. Both are significant for two reasons: (1) neither breach stemmed from an IT incident; and (2) one was brought by a government agency and the other under state law.
The case in Puerto Rico, which resulted in a record $6.8 million sanction, involved a mailing error affecting approximately 13,000 beneficiaries. The Puerto Rico Health Insurance Administration (ASES) signaled that the fine against Triple S Insurance was just the beginning and that other companies should be cognizant of their obligation to safeguard protected health information if they want to avoid similar fines. Notably, the fine could have been higher. Ricardo Rivera Cardona, a top official at ASES, indicated, "[t]heir contract with us specifies that any contractual violation, including HIPAA, is subject to a fine of $500 to $100,000 per member."
The second case, a class action filed in Louisiana state court, dates back nearly 20 years, to before the passage of HIPAA. It involved thousands of patient records from a psychiatric hospital owned by Tenet Healthcare being left in the hospital's parking lot. The claim was based on invasion of the plaintiffs' privacy under state law, and the settlement totaled $32.5 million.
These two items underscore the importance of protecting protected health information in both paper and electronic form. Make sure paper records are destroyed in a manner that satisfies the Privacy and Security Rules, such as with a cross-cut shredder, and read the contents of your insurance policies closely.