19 Nov 2009
Same Song, Different Verse
by James Lawson
So, remember a couple of weeks ago when I wrote about it being a tough week for HIPAA violators because of the two cases that had gone to trial that week? Well, apparently the fun is not over for health care systems concerned about privacy breaches. It appears that the U.S. Department of Health and Human Services has now increased the fines available for HIPAA violations up to $1.5 million based on a new interim final rule. Healthcare IT News wrote about it last week; you can read the article here.
This is significant in that it changes the prior penalty limits of $100 for each violation or $25k for all identical violations all the way up to a new maximum penalty of $1.5 million. I have to say, this is now a significant penalty and could adversely affect a hospital’s bottom line. In fact, a hospital that did not do a really good job of securing patient data could face many fines of this type and possibly be put out of business. This is a real game changer in my opinion. If you are a CIO, CEO, or privacy officer, you are likely going to have an additional ulcer from this one, as you may now have to worry about bankrupting your hospital if you are not diligent in your duty of protecting patient data.
Interestingly enough, I think it also bears mentioning that the same body that levies these fines is also funded by them, so I believe there is a good chance we will see some of these fines soon, and likely a concerted effort by that body to fine many violators.
While we have this new update to the interim final rule, what we don’t have yet is a facility that has actually faced this penalty. When that happens, it could be an event that shakes up the healthcare community into verifying that they are protecting patient data, or else suffering even more serious consequences.