The Financial Impact of HIPAA Violations
Federal vs. State Enforcement Trends in Fines and Settlements
In the last post, I presented the trends in healthcare data breaches across the US and highlighted the increase in the number and impact of these incidents over the years. Since that post, the title of the largest data breach has changed hands yet again: Change Healthcare recently confirmed that its February 21, 2024, cyberattack compromised the protected health information of over 100 million individuals, making it the largest known breach at a HIPAA-regulated entity. This surpasses Anthem Inc.'s 2015 record of 78.8 million affected individuals; the Change Healthcare breach impacted nearly one-third of the U.S. population.
With healthcare data breaches on the rise, financial penalties for HIPAA violations have also grown in prominence. In this post, we’ll explore the current landscape of HIPAA penalties, contrasting fines issued by the Office for Civil Rights (OCR) with those imposed by state attorneys general, while also spotlighting some of the most impactful breaches.
But first, what exactly are HIPAA fines?
What Are HIPAA Fines and Who Issues Them?
HIPAA fines are monetary penalties imposed on healthcare organizations and their business associates for failing to protect patients' health information. Both the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) and state attorneys general can impose these fines, but each operates differently.
OCR fines are typically triggered by violations of federal HIPAA rules, such as failing to safeguard electronic Protected Health Information (ePHI) or delaying breach notifications. State attorneys general, meanwhile, can issue fines under both HIPAA and state-specific laws, often resulting in separate or additional settlements.
The key difference lies in the laws under which these fines are issued and the penalties involved.
So many terms: fines, settlements, penalties. Are they different? Let us break it down.
When a HIPAA violation is suspected, an investigation is initiated to assess whether a violation likely occurred. The outcome then follows one of the paths below.
OCR-Level Actions:
  If the violation is confirmed, the Office for Civil Rights (OCR) steps in to review and pursue the case. What happens next depends on how the entity responds.
  - Entity Acknowledges the Violation: A settlement is negotiated with the entity, which typically includes a monetary fine and a Corrective Action Plan to prevent future issues.
  - Entity Disputes the Violation: If the entity disputes the findings, the OCR may issue a Civil Monetary Penalty (CMP).
Appeal Process:
  If a CMP is issued, the entity has the option to appeal.
  - Appeal Successful: If the appeal succeeds, the penalty is vacated, and the case may be closed.
  - Appeal Unsuccessful: If the appeal fails, the penalty is upheld, and the entity must pay.
State Law Violations:
  If the violation also breaches state laws, state attorneys general may impose additional fines. These can apply to the HIPAA violations themselves or be based on stricter state-specific regulations where those carry higher penalties.
No Violation Found:
  If the investigation finds no evidence of a violation, the case is closed without any penalty imposed.
To make this easier to follow, here is the same process as a picture.
A Closer Look at HIPAA Fines & Settlements Data
The chart below shows the rise in HIPAA violation cases pursued by the HHS Office for Civil Rights and in state attorney general actions against these violations.
So, what do these numbers mean in terms of dollars?
1. Financial Settlements & Fines for HIPAA Violations
This visual provides an overview of the financial impact of HIPAA non-compliance across the US healthcare industry. As data breaches have risen, so too have fines, with OCR and state attorneys general issuing increasingly significant penalties to covered entities and business associates that fail to safeguard PHI.
2. Top 10 OCR Settlements & Penalties
The following visual shows the top 10 HIPAA fines issued by OCR. These violations span a range of issues, from risk analysis failures and improper system access controls to breaches of technical and procedural safeguards.
One of the most notable cases is the $16 million fine imposed on Anthem Inc. in 2018 following a massive data breach in which 78.8 million patient records were compromised. The company was penalized for failing to perform an adequate risk analysis and for having insufficient technical controls, which led to unauthorized access to sensitive ePHI.
3. Top 10 State Attorney General Fines & Settlements
In recent years, the landscape of HIPAA violations and their subsequent penalties has evolved, with increasing attention from state regulators as well. Notably, violations involving inadequate data safeguards, breach response failures, and security lapses have resulted in multimillion-dollar fines for healthcare organizations, much higher than the OCR fines.
A significant portion of the highest fines came from multistate settlements, where companies faced penalties from a coalition of states for state-law violations in addition to HIPAA violations. For example, Blackbaud was fined $49.5 million in 2023 for violations of both HIPAA and various state consumer protection laws, affecting 5.5 million individuals.
States like California are increasingly enforcing stricter consumer protection and privacy laws alongside HIPAA, leading to larger fines. The Kaiser Foundation Health Plan faced a $49 million penalty for violations not only of HIPAA but also of multiple California state laws, including the California Customer Records Law and the Medical Waste Management Act.
A majority of these large settlements have come in the last couple of years. This reflects an ongoing trend in which state-specific regulations and consumer protection laws are becoming integral to enforcement actions.
These visualizations illustrate the serious financial consequences of HIPAA non-compliance. As data security threats grow, healthcare organizations face increasing pressure not only to comply with HIPAA but also to implement proactive, comprehensive security practices that minimize the risk of breaches.
For healthcare entities, the message is clear: non-compliance is costly, both financially and reputationally.
Sources:
HIPAA Journal - Healthcare data breach statistics
HIPAA Journal - HIPAA violation fines
References:
https://www.hipaajournal.com/blackbaud-6-75-million-data-breach-settlement-california/
https://www.hipaajournal.com/kaiser-pays-49-million-to-settle-improper-disposal-investigation/