
Average HIPAA Fine Reaches $1.5 Million

HIPAA fines have changed significantly since HIPAA enforcement first began. Regardless of the type of violation or the scope of the data breach involved, a HIPAA fine can have long-lasting consequences. The average HIPAA fine, calculated from the publicly available settlement and penalty data on the HHS website, comes out to a stunning $1.5 million.

Since HIPAA enforcement first began, the nature of the fines levied by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has changed dramatically.

Additions to the HIPAA Rules, such as the enactment of the HITECH Act in 2009 and the Omnibus Rule in 2013, have significantly expanded the scope of OCR investigations. As a result, fines that were non-existent in the early 2000s have the potential to become commonplace in the years ahead.

One striking example of the newer, previously unseen enforcement efforts that feed into the average HIPAA fine of $1.5 million is enforcement around business associate management.

Under HIPAA regulation, a business associate (BA) is any vendor hired by a health care professional who will necessarily encounter protected health information (PHI) over the course of the work they have been hired to perform. PHI is individually identifiable health information, including demographic identifiers that can be tied to a patient (such as name, date of birth, Social Security number, medical record number, etc.). Common examples of BAs include cloud storage providers, shredding companies, telehealth platforms, electronic health record (EHR) platforms, and many more.

In a HIPAA settlement announced on April 20, 2017, a health care provider was fined as a result of a HIPAA investigation into one of its business associates. The Center for Children's Digestive Health (CCDH) agreed to pay $31,000 over a data breach caused by a vendor. OCR contacted CCDH in the aftermath of the vendor's breach, and its investigation uncovered that CCDH had failed to implement an effective HIPAA compliance program.

This fine, and other enforcement actions like it that reach beyond the entity that suffered the breach, are becoming more common, and they contribute to an average HIPAA fine of $1.5 million.

The best defense against these HIPAA fines is to implement an effective HIPAA compliance program that addresses the full extent of the law, including the management of business associates. Keeping patient data safe is paramount to avoiding fines and maintaining your hard-fought reputation as a trusted behavioral health practitioner.

Basic Telehealth Legal & Ethical Rules: HIPAA, Privacy, Working Across State Lines, Malpractice Insurance

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing, technical, medical, or therapeutic advice. Use of this site constitutes your agreement to the Telehealth.org Privacy Policy and Terms and Conditions.