27 Jan 2010
Civil Actions for HIPAA Privacy and Security Violations
by Trish Voss
Last week, the first case of a state attorney general pursuing civil action for patient privacy violations was publicized in an article posted on FierceHealthcare. The lawsuit affects more than 450,000 individuals whose medical and financial information was compromised when an unencrypted computer disk disappeared. Authorities and the individuals affected were not notified in a timely manner (six months after the incident occurred).
The HITECH Act, which was passed last year, authorized state attorneys general to represent residents of their state for any violation occurring after February 19, 2009, and to obtain statutory damages on their behalf. Restitution amounts increased to a maximum penalty of $1.5 million.
In speaking to hospitals, we often hear how tight budgets are and how limited their resources are. I know anyone who has ever worked in health care can completely understand and relate to this dilemma. However, I am afraid this public announcement is just the start of many more to come.
Just one violation can drastically affect your reputation. Several violations will affect your bottom line. Make sure you have the resources, tools and policies in place to effectively secure, monitor and report on your patients’ protected health information.