January 28, 2022 We aren’t even a full month into 2022 and it’s already looking like increased HIPAA enforcement might be a New Year’s resolution for the state of New York. Starting the year off strong, New York Attorney General Letitia James just announced a $600,000 settlement with vision benefits provider EyeMed over a healthcare data breach that compromised the Protected Health Information (PHI) of over 2 million individuals. It all started back in June 2020, when attackers gained access to an EyeMed email account; the provider had not implemented multi-factor authentication or sufficient password management processes. Within a week of gaining access, the attackers were able to pull emails and attachments dating back as far as six years. The following month, the same attacker used the account to send roughly 2,000 phishing emails aimed at harvesting the login credentials of other EyeMed users. This lack of proper safeguards and security protocols allowed millions of individuals’ names, Social Security numbers, addresses, medical diagnoses and other sensitive data to be exposed. Two practical lessons stand out. First, multi-factor authentication on every mailbox means a stolen or guessed password alone is not enough to log in. Second, a mailbox that still holds six years of PHI turns one compromised login into a six-year exposure, so retention limits on email that carries PHI matter as much as the login controls themselves. This latest settlement adds to the continued rise in cyberattacks and government enforcement seen over the past few years, further proving just how important a strong cybersecurity and HIPAA program is for healthcare providers. So if your New Year’s resolution is to avoid a cyberattack yourself, we recommend ensuring that you have the following in place: While data breaches and cyberattacks aren’t always totally avoidable, checking off the list items above is a great way to reduce your chances. But in case you’ve already experienced a data breach in 2021, it’s important to note that the annual deadline for reporting smaller breaches (those affecting fewer than 500 individuals, which HIPAA allows you to report within 60 days after the end of the calendar year in which they were discovered) is rapidly approaching on March 1, 2022. 
And for any major incident affecting 500 or more individuals, the reporting requirement is within 60 days of discovery (or sooner, depending on your state’s breach notification law). So some final words of advice? Have the necessary compliance and security programs in place to protect your practice from falling victim to an attack like EyeMed’s. And if you do experience a breach, follow the breach reporting requirements to reduce the fines and penalties that could follow.
Abyde Partners With VisionWeb to Provide Complete HIPAA Compliance Solutions for Eye Care Professionals
January 7, 2022 – Tampa, FL – Abyde is honored to announce its latest partnership with VisionWeb, working together towards a mutual goal of making HIPAA compliance simple and stress-free for even more independent eye care providers across the nation. Abyde’s collaboration with VisionWeb showcases its mission to revolutionize HIPAA compliance by providing a simple, user-friendly solution that fits with eye care providers’ day-to-day operations. This partnership will provide VisionWeb users across all products and services with the tools necessary to implement a complete HIPAA compliance program, fulfilling essential, government-mandated HIPAA compliance requirements while streamlining the time and resources providers spend on HIPAA. Abyde’s software solution is the easiest way for an eye care practice of any size to implement and sustain a comprehensive HIPAA compliance program. Abyde’s approach guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more. “Getting the opportunity to collaborate with VisionWeb has energized our whole organization. We are eager to show their users how easy HIPAA compliance can be,” said Matt DiBlasi, President of Abyde. “Together, we are committed to eradicating HIPAA complexities for eye care professionals across the country.” “Abyde will give our users the opportunity to use an advanced software solution full of education, tools and resources to certify that providers have what they need to be HIPAA compliant,” said Craig Drury, VP of Customer Development at VisionWeb. “VisionWeb is so excited to partner with Abyde to give our members the best HIPAA solution on the market.” About Abyde Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. 
Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com. About VisionWeb VisionWeb pioneered the first open and neutral online order processing platform for the optical industry in 2000. Today, as the largest platform in the country, VisionWeb connects over 20,000 eye care professionals with over 500 suppliers. VisionWeb also provides revenue cycle management services to help eye care practices maximize revenue from their insurance claims. Uprise is VisionWeb’s cloud-based EHR and Practice Management software designed to streamline office workflow, provide regulatory-compliant exam documentation, and offer insight into practice operations and performance. Learn more at visionweb.com. Read the full press release here.
2021 HIPAA in Review
December 28, 2021 Break out your pen and paper because if you haven’t already started your list of New Year’s resolutions, the past 12 months have given us plenty of ‘New Year, new me’ examples to take note of. From ratified legislation and newly appointed government officials to trending cyberthreat tactics (and binge-worthy Netflix series), there have been plenty of ways that 2021 has said, “out with the old, and in with the new”. But while the world around us continues to evolve, the importance of protecting your patients is something that has not and will never falter. So as we wrap up yet another eventful year, let’s take a look at what’s changed, what’s stayed the same and what we can expect to see from HIPAA as we take on 2022. Proposed HIPAA Privacy Rule Modifications 2021’s transformations began even before the New Year countdown started, with the announcement of proposed HIPAA Privacy Rule modifications back in December 2020. The government’s proposed modifications help bring the HIPAA Privacy Rule up to current technology standards and address things like removing barriers to value-based health care, reducing “unnecessary regulatory burdens” and improving the privacy of protected health information (PHI). These highlights only brush the surface of what the 357-page document aims to amend, but until the rule is officially finalized, it’s important for your practice to ensure your HIPAA compliance program is up to date and easy to manage, as we should anticipate the new requirements coming into effect in the new year. HIPAA Safe Harbor Law 2021 checked off another one of its resolution list items back in early January when the HIPAA Safe Harbor Bill was officially signed into law. This amendment to the HITECH Act requires regulators to take into account whether a healthcare organization had “recognized security practices” in place for the prior 12 months, and allows for some leniency in fines and other enforcement actions in the case of a data breach. 
While there’s a bit of fine print to follow, the biggest thing for your practice to know is that as long as you have a Security Risk Analysis (SRA), technical safeguards, and the other HIPAA Security Rule basics down and documented, you can not only reduce the penalties associated with a data breach but lessen your chances of falling victim in the first place. 21st Century Cures Act Following the Safe Harbor Law’s lead, the information blocking provisions of the 21st Century Cures Act took effect just a few months later, in April 2021. The rule, administered by the Office of the National Coordinator for Health Information Technology (ONC), is centered on the ongoing balancing act that healthcare providers and app developers face in giving patients easy access to their ePHI while still maintaining data privacy and security. With patients as the focus, the Cures Act requirements enable things like transparency into the cost and outcomes of patient care, easier access to health data through apps that meet modern patient needs, and the prevention of information blocking. This law also requires a bit of further reading to see just how it impacts your practice, but having a complete HIPAA program lays the foundation for meeting these additional requirements and ultimately protecting patient data. Proposed Budget & Newly Appointed OCR Director If all the new legislation wasn’t enough of a tell-tale sign that 2021 was the year of protecting patient rights along with healthcare technology, the proposed 2022 HHS budget that increases funding for those areas specifically sure is. In early June, the Biden Administration released its proposed budget calling for additional spending to better safeguard the healthcare industry from evolving cyber threats and to support government efforts in compliance enforcement. This additional spending comes in the form of over $200 million for several different cybersecurity measures and $67 million in funding for HHS and its HIPAA enforcement efforts. 
Much of this proposed budget goes toward increased hiring at these agencies, with the hope of adding 39 staff members to the Office for Civil Rights (OCR) specifically. But the initiatives don’t stop at the dollar signs: this past September, HHS officially appointed Lisa J. Pino as the new Director of the OCR, marking another step in continuing the agency’s mission. HIPAA Waivers Extended In the midst of all the change, some things have stayed the same, one of them being the extension of the HIPAA waivers and enforcement discretions. At the onset of COVID-19, the government declared a national Public Health Emergency. With it came several waivers and flexibilities intended to mitigate risks to the health of the general public while giving healthcare providers the accommodations needed to continue caring for their patients. So after several extensions to the waiver’s expiration date, we are starting our second new year under Public Health Emergency status, with the hope that the current end date of January 16, 2022 sticks. But even with the current flexibilities still in place, it’s important to adhere to HIPAA requirements for telehealth and PHI disclosure to avoid any violations once the enforcement discretion is lifted. Patient Right of Access Enforcement Now a seasoned veteran of the regulatory priority list, Patient Right of Access violations have had yet another impactful year in HIPAA enforcement. 2021’s Right of Access settlements have brought the total number of enforcement actions to 25 and dollars collected to $1,505,650 since the government announced the initiative back in 2019. And just a few weeks ago, the OCR announced 5 Right of Access settlements in one day alone. So as the government’s focus on timely medical record access continues, your practice should be adding HIPAA Right of Access standards to the top of your 2022 to-do list too. 
Data Breaches Last but certainly not least comes another trend that has shown little to no sign of stopping: data breaches. Between ransomware, phishing schemes, accidental disclosures and business associate incidents, 2021 has put up record numbers. In the past year alone, a total of 550 covered entities experienced a data breach, putting the PHI of over 40 million individuals at risk. So while maintaining strong cybersecurity within your organization is easier said than done, knowing how to identify a cyber threat and having
Virginia Optometric Association and Abyde partner to deliver HIPAA compliance to independent eye care professionals
December 27, 2021 – Tampa, FL – Today, industry-leading HIPAA compliance solution provider Abyde announced its latest partnership with the Virginia Optometric Association (VOA), offering a complete, user-friendly HIPAA program to VOA’s members. The new partnership with the Virginia Optometric Association will provide its eye care members with the foundation needed to start the new year off compliant and stress-free. Abyde’s software solution and team of HIPAA experts are a complement to an independent provider’s day-to-day operations, simplifying complex government requirements and streamlining complete HIPAA compliance. Abyde’s software solution is the easiest way for eye care professionals to implement and sustain a comprehensive HIPAA compliance program. Abyde’s approach to HIPAA compliance guides practices through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, dynamically generated policies and more. “Partnering with VOA allows for even more of Virginia’s eye care professionals to have access to Abyde’s simplified solution, helping them meet essential government compliance requirements in the most efficient and cost-effective way,” said Matt DiBlasi, President of Abyde. “We are thrilled to share valuable resources necessary to thrive in today’s environment with Virginia Optometric Association members.” “Our partnership with Abyde gives our members unmatched education, tools and resources necessary to a complete HIPAA compliance program,” said Bo Keeney, VOA Executive Director. “We are confident our VOA members will find that HIPAA compliance can be the easiest part of running their practice with Abyde’s industry-leading solution.” About Abyde Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. 
Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com. About Virginia Optometric Association Virginia Optometric Association (Henrico, VA) is the only state association representing Virginia doctors of Optometry. Our mission is to promote eye health, vision, and the advancement of Virginia Optometry. For more information on Virginia Optometric Association visit thevoa.org. Read full press release here.
NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation
December 21, 2021 Handling sensitive information without the right safeguards in place can be like playing with fire, and we’ve all seen enough headlines to know just how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA has agreed to strengthen its data security and privacy practices to prevent further breaches. The investigation was sparked back in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first breach occurred after several RCCA employees fell victim to a targeted phishing scheme that gave an unauthorized party access to patient data stored in those email accounts from April through June 2019. The phishing scheme exposed driver’s license numbers, Social Security numbers, financial account numbers and other health records. While the threat of a phishing scheme can be better avoided through proper cybersecurity measures and employee training, the even bigger problem began in RCCA’s attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified impacted patients in July of that same year. However, the third-party vendor it used to send the notices improperly mailed notification letters intended for 13,047 living patients by addressing them to the patients’ next of kin. This mistake resulted in patients’ relatives being informed of their medical conditions without consent, essentially adding even more fuel to the blaze that the initial breach set off. It is also a reminder that a breach notification is itself a disclosure of PHI: whoever prepares and mails the letters, in-house or a vendor, needs a checked address list and the same handling controls as any other PHI mailing. 
Now just one lit match wouldn’t ignite a settlement of this proportion, but rather RCCA’s failure to do all of the following: So while the rising trend of healthcare data breaches won’t be easily extinguished, keeping your practice best protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority, and the message from Acting Attorney General Bruck, stating, “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” is hopefully something that will spark some change.
HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders
December 20, 2021 To combat the common misconception that HIPAA acts as a barrier law, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) have continued to emphasize that the law does not simply prohibit PHI disclosure altogether but rather permits the safe sharing of relevant information when necessary. While we’ve recently seen information published on HIPAA’s role in a public health emergency and on disclosure of vaccination status, just today the government issued guidance addressing another widely important concern. The latest announcement helps clarify how the HIPAA Privacy Rule permits covered health care providers to disclose protected health information (PHI) for the purpose of extreme risk protection orders (ERPOs) and to prevent an individual in crisis from accessing firearms. This guidance follows the U.S. Department of Justice’s model extreme risk protection order legislation and aims to support law enforcement, family members and others who intervene in an effort to prevent firearm injuries and deaths. The guidance speaks to HIPAA’s requirements in relation to ERPO laws, stating that the Privacy Rule does allow a health care provider to disclose PHI in support of an application for an ERPO against an individual in limited circumstances. The Privacy Rule permits a covered entity to disclose PHI without the individual’s authorization when the entity believes in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, when the disclosure is required by law, or when the disclosure is made in response to a court order or other lawful process. Each of these permissions has its own conditions (the serious-threat permission, for instance, covers disclosure only to someone reasonably able to prevent or lessen the threat, such as law enforcement or a family member), and the guidance details specific examples for each along with general considerations for meeting the Privacy Rule’s “minimum necessary” standard. That standard requires covered entities and business associates to make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the use or request. 
In response to the issued notice, recently appointed OCR Director Lisa J. Pino stated, “HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis. Today’s guidance helps clarify legal requirements and to better support individuals in crisis.” This guidance is essential not only in improving public safety but in clarifying any confusion that could get in the way of doing so. “Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.” HIPAA plays a key role not only in protecting the privacy and security of patients’ health information but in permitting health care providers to intervene in a safe and appropriate manner when necessary. So when it comes to keeping your patients’ and your practice’s best interests at heart, understanding HIPAA law and following guidance such as the one released today is vital.
The Security Risk Analysis: Setting the Pace for MIPS and HIPAA Compliance
December 6, 2021 As a healthcare provider, tackling your daily to-do list probably feels like running a marathon without a finish line at times. You’re tasked with managing a successful business, keeping up with ever-changing legislation and new technology all the while having to ensure that your top priority of patient care never falls behind. But despite the challenging course, there’s a benefit to keeping pace with both quantity and quality. And thanks to Value-Based payment programs like MIPS and other government incentives like the HIPAA Safe Harbor Law, providers are rewarded for going the extra mile. You’ve most likely heard of the Merit-based Incentive Payment System (MIPS) and might even be participating in it already. But whether it’s a Quality Payment Program or new legislation passed into law – the government is continually emphasizing the importance of being proactive rather than reactive and providing incentives for doing so. This is why there’s so much value in knowing what your organization is eligible to participate in (or using government lookup tools like this one if you don’t) and getting yourself on track to ensure that no money is being left on the table. Because many of these different program requirements fall right in line with the standards your practice already has to meet under HIPAA law – protecting your patients, checking off compliance requirements and receiving incentives can often be done all in one stride. So, what exactly is MIPS? To take a quick step back, MIPS is one of two payment tracks under the Medicare Quality Payment Program and is a system used by the Centers for Medicare and Medicaid Services (CMS) to measure eligible clinician performance and reward high-value, low-cost care. 
MIPS participants receive a payment adjustment to their Medicare reimbursements based on their performance scores across four categories: Quality, Cost, Improvement Activities, and Promoting Interoperability. Achieving high scores in each of those categories requires some endurance, but your organization can check several quality and interoperability objectives off just by using a certified, reputable EHR system. Before you can get to those performance measures, though, there’s a prerequisite for even participating in the MIPS Promoting Interoperability performance category, one that also happens to be a front-runner for achieving HIPAA compliance and taking advantage of other government incentives like the Safe Harbor Law: the Security Risk Analysis (SRA). The SRA is not only a requirement for MIPS participation but also the first step in building a complete HIPAA compliance program. Conducting an SRA means identifying where your organization’s ePHI is created, received, stored and transmitted (including vendors and portable devices), assessing the threats and vulnerabilities to it, documenting the risks you find, and implementing the safeguards needed to mitigate them. MIPS requires an SRA for each performance year, and the HIPAA Security Rule requires you to review and update it periodically, so treat it as a living document and revisit it whenever your technology or practice operations change. A practical check: if your SRA cannot point to the specific systems and locations that hold ePHI, or lists risks without a mitigation decision and an owner for each, it will not hold up in an audit or a breach investigation. In addition to being a necessary stride towards a complete HIPAA compliance program and enabling your practice to participate in MIPS reimbursements, the SRA is key to ensuring your patients’ sensitive health information is protected. As the healthcare industry continues to emerge as a top target for data breaches, having proper cybersecurity practices in place is essential. The government recognizes the additional hurdles providers face and knows the importance of identifying and mitigating security risks within the organization before an incident occurs. 
This is exactly where the HIPAA Safe Harbor Law that we keep mentioning comes into play. The legislation, signed into law in January 2021, essentially says that organizations can receive reduced HIPAA fines and penalties if they have had recognized security practices in place for the prior 12 months, step number one being (you guessed it) a properly completed SRA. But while it’s one thing to know why your organization should be meeting the requirement, it’s another to actually know what to do to get your practice off the starting blocks and avoid the many misconceptions that might slow you down. A solution like Abyde makes conducting a thorough and accurate assessment of your organization a breeze. With dynamically generated questions to cover all the necessary safeguards and ongoing compliance assessments to ensure any identified risks are mitigated, you can feel confident that your organization is covered. Even though adding the SRA to your already jam-packed to-do list might seem like adding miles to the track, with Abyde you can complete this key requirement in just a few clicks and about 20 minutes a month. So while your marathon of responsibilities might go the distance, with the close of 2021 right around the corner, the only way to get your organization across the finish line and meet HIPAA and MIPS requirements is to have a properly completed Security Risk Analysis in place.
OCR Settles 5 HIPAA Right of Access Violations
December 1, 2021 In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally), announcing five separate HIPAA Right of Access enforcement actions in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-action announcement. The latest enforcement brings the Right of Access total to 25 actions and $1,505,650 collected since the government announced its enforcement initiative back in 2019. And while the not-so-lucky recipients of the government’s “gifts” vary by size, specialty, and location, failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share. Wake Health Medical Group The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 payment and a corrective action plan to resolve their violation of the HIPAA Privacy Rule’s Right of Access standard. Denver Retina Center Number two went to a Denver-based ophthalmologist and included a $30,000 settlement and a one-year corrective action plan as a result of potential HIPAA Right of Access violations. Advanced Spine & Pain Management (ASPM) The third settlement was gifted to an Ohio provider of chronic pain management and treatment services, whose Privacy Rule violations landed them with a $32,150 payment and a corrective action plan with two years of monitoring. Rainrock Treatment Center, LLC (dba Monte Nido Rainrock) Number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and adopt a year-long corrective action plan to settle their HIPAA violations. Dr. Robert Glaser And last but certainly not least, the fifth action came as a result of not only failing to provide a patient with a copy of their medical records but also failing to cooperate with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived his right to a hearing, leaving him with a civil money penalty of $100,000 rather than a negotiated settlement. In addition to the announcement, recently appointed OCR Director Lisa J. Pino issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.” While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking on themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday”, getting your organization HIPAA compliant and meeting all government requirements, including Patient Right of Access, is the year-round gift that keeps on giving, so you can avoid making the next OCR settlement list.
OCR Announces 20th HIPAA Right of Access Settlement
September 10, 2021 There might not be such a thing as time travel, but with the latest HIPAA settlement announcement, it’s looking like the Office for Civil Rights (OCR) has traveled back to its own version of the Roaring ’20s. Two years and twenty resolutions later, the government initiative to support individuals’ right to timely record access has driven its own little economic boom, with the 20th financial penalty bringing the Right of Access running total to $1,173,500. Children’s Hospital & Medical Center (CHMC) became the most recent healthcare organization to settle with the OCR, with a payment of $80,000 and a requirement to adopt a corrective action plan that involves one year of government monitoring. But while the Nebraska-based pediatric provider probably isn’t too jazzed about the repercussions, the penalty comes as a result of an equally unhappy individual who was not provided the access that HIPAA strives to ensure. The issue was brought to the OCR’s attention back in May 2020, after a parent filed a complaint alleging that CHMC failed to provide full access to her late daughter’s medical records. The complaint stated that while the organization fulfilled a portion of the request, CHMC failed to provide all of the requested records despite the parent’s several follow-up requests. The delay was in part because the remaining records had to be obtained from a different CHMC division, but it wasn’t until after the OCR’s investigation that full access was provided. In addition to the resolution agreement, Acting OCR Director Robinsue Frohboese said in a statement, “Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. 
OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.” While this settlement shares plenty of similarities with the 19 other examples of noncompliance that we have seen since the enforcement initiative started, it’s important to note the fact that this $80,000 fine was the result of just one patient complaint. And though the Roaring ’20s might’ve been a relatively short-lived era, proposed updates to the HIPAA Privacy Rule and expansions to the OCR budget are enough to predict that the right of access enforcement initiative isn’t going anywhere, anytime soon. So with the latest settlement serving as the perfect example of just how much damage a single HIPAA complaint can have on a healthcare organization – ensuring you’re fulfilling all medical record requests in a timely and HIPAA-compliant manner is essential to avoid becoming lucky settlement number 21.
The Cost of a HIPAA Violation
September 3, 2021 We’ve all seen enough news headlines to know that the going rate for a HIPAA violation isn’t cheap. This past year has tallied up more than a handful of fines with numbers that might not have Jeff Bezos doing a double-take, but certainly have us seeing dollar signs. Not to mention that the first fine of 2021 brought in $5.1 million alone. And although not every HIPAA violation warrants front-page news status, even the minimum fine amount can do some major damage, especially when it’s a small, independent practice footing the bill. So if you’re looking for an exact dollar amount, to date the Office for Civil Rights (OCR) has collected on 101 settlements to the tune of $135,328,482. We all know that a check that size doesn’t just add up without reason, but what caused it to accumulate, and why so high? Well, back when HIPAA was first introduced in 1996, the hope was to establish a set of standards to protect sensitive health information in the medical industry. But as the later-published Privacy and Security Rules provided a laundry list of requirements for covered entities to follow, many failed to fully comply. So in 2006 the government came up with a solution, and that’s where the HIPAA Enforcement Rule was born. It was this rule that essentially started the tab on that $135 million bill, granting the OCR the authority to hold covered entities and their business associates accountable with fines and other penalties for noncompliance. Now just as the repercussions for speeding are understandably different from those for highway robbery, HIPAA fines also come with a “prices may vary” label attached. 
Each penalty is determined based on the extent to which the organization knew, or should have known, that HIPAA rules were being violated, and is broken down into four tiers of increasing culpability: the entity did not know and could not reasonably have known of the violation; the violation was due to reasonable cause rather than willful neglect; the violation was due to willful neglect but was corrected within 30 days of discovery; and the violation was due to willful neglect and was not corrected. Each tier carries a minimum and maximum penalty per violation (the dollar amounts are adjusted for inflation each year), with an annual cap for violations of an identical provision. If you were wondering, that “per violation” statement is the reason why we see those multi-million dollar fines, and with HIPAA’s many different rules come a lot of different ways to break them. But it’s not just the monetary penalties that violators have to worry about. HIPAA settlements are usually a package deal including a corrective action plan that typically involves anywhere from one to three years of OCR monitoring. And if hefty fines and the government looking over your shoulder aren’t enough to prove just how costly violations can be, in cases where HHS determines there was knowing or malicious misuse of PHI, the Department of Justice can step in and pursue criminal penalties, with a maximum of 10 years in prison. We know that the mention of hefty fines and possible jail time puts a damper on things, but with every piece of bad news there’s typically good to follow. So the good news is there are ways to help avoid these worst-case scenarios, and recently passed legislation like the Safe Harbor Law offers some protection against incidents like data breaches that aren’t as easily avoidable. But the best protection? Having a full understanding of your organization’s responsibilities and a complete HIPAA compliance program to check all the government’s boxes. Because after all, with how high the cost of a violation can be, you can’t put a price tag on the peace of mind that comes with being compliant.