Protecting sensitive data in the healthcare vertical has become a significant priority for our government. And as the number of breaches continues to rise, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has continued to push healthcare organizations to make compliance a top priority by handing out more than $19 million in fines in 2017 alone. The lack of a comprehensive risk assessment that considers relevant threats to protected health information is an often-cited reason that organizations fail to comply with HIPAA requirements—and end up paying the price.

A Quick Overview of HIPAA Fines and Penalties

As the amount of healthcare data being managed electronically has drastically increased over the past several years, regulations have become more stringent to combat the enhanced risk of cyber threats. In fact, the fines and penalties that were part of the first version of HIPAA pale in comparison to the consequences of non-compliance laid out in HITECH and Omnibus.

Today, the penalties for non-compliance are very expensive—ranging anywhere from a maximum fine of $1.5 million to even prison time. It is important to note that the maximum penalty is per category of violation, so multiple types of violation may net (and have netted) fines and settlements well in excess of $1.5 million. The penalty structure consists of four different categories:

  1. Unknowing penalties are given when an establishment commits a HIPAA violation without knowing they were doing so. This action is punishable by a $100 fine per violation to $50,000 per violation with an annual maximum of $1.5 million per year.
  2. Reasonable Cause penalties are given when an event occurred even though the medical establishment should have been exercising reasonable diligence and should have known it was committing a violation. This is punishable by a $1,000 to $50,000 fine per violation, up to $1.5 million per year.
  3. A Willful Neglect but Corrected penalty is given when an event occurred because of an intentional failure to meet compliance requirements but is then corrected by the organization. This is punishable by a $10,000 to $50,000 fine per violation, up to $1.5 million per year.
  4. Willful Neglect without Correction penalties are given when there is an intentional failure of compliance requirements and the entity did not make any effort to correct the issue. This is punishable by a $50,000 fine per violation with an annual maximum of $1.5 million.

As can be gathered from this information, HIPAA violations have severe consequences. Not only do healthcare organizations face exorbitant fines, they also can’t afford to lose clients’ trust in their ability to safeguard patient information.

How BALLAST Helps Health Providers and their Business Associates Avoid HIPAA Fines and Penalties

BALLAST is a tool that helps healthcare organizations simplify the compliance process and helps ensure they are taking adequate steps to avoid HIPAA fines and penalties through a variety of different support systems:

  1. Eliminate the Guesswork and Manual Management of Risk Assessments. BALLAST offers a platform that will simplify the risk assessment process and meet both the challenges of compliance and security.
  2. Don’t just Assess, but Address Your Risks. BALLAST not only helps you identify potential risks, it also provides a work plan that includes actions, goals, or steps that will need to be taken in response to the areas of risk.
  3. Be Prepared for an OCR Audit. If your hospital is selected for an OCR audit, you will only have 10 days to respond. BALLAST helps you proactively prepare for that possibility by incorporating the latest OCR audit protocol requirements.
  4. Stay up to Date on Rules and Regulations. As technology evolves and new threats emerge, HIPAA requirements will continue to change. BALLAST integrates the latest requirements for compliance so that you’re always up-to-date on the latest rules and regulations.


Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.