The High Cost of HIPAA Violations


A Review of Serious Penalties

The Health Insurance Portability and Accountability Act (HIPAA) was instituted in order to protect the personal health information held by covered entities, including doctors, pharmacies and health insurance companies.

The Violations

A HIPAA violation can cost an individual or entity millions of dollars in fines and can even land those responsible in prison.


In this HIPAA infographic, we detail some of the most serious penalties ever dished out by the federal government and break down the various fines that are on the table for noncompliance.


Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact:

Our Other Print Books and Related Information Sources:

Health Dictionary Series:

Practice Management:

Physician Financial Planning:

Medical Risk Management:


Physician Advisors:

Product Details

5 Responses

  1. HIPAA compliance management
    [Managing contractor, vendor and outside employees in HIPAA compliance]

    The vulnerability of a HIPAA Covered Entity to the irreversible damage that can be caused by a reckless Business Associate makes Smart Training a good idea, Doc.

    It’s my opinion that there are far too many covered entities who don’t realize the consequences of doing business with careless HIT contractors and other HIPAA Business Associates. If a BA fumbles over 500 patient identities from a practice, it might as well have been the fault of the doctor. The angry individuals involved in the breach – including many soon-to-be former patients – must be notified according to federal law.

    In addition, the breach must be reported in the doctor’s community as a press release. All it takes is one careless BA to permanently damage an innocent provider’s reputation in the community.

    A free webinar on managing contractor, vendor and outside employees in HIPAA compliance is Thursday October 18, 3:00 – 4:30 pm Central Time.


    Darrell K. Pruitt DDS


  2. Providers Struggle With New HIPAA Security Rules

    Smaller healthcare providers, as well as many of the firms that work with all healthcare providers, are struggling to comply with federal data security rules that take effect soon. But even larger healthcare providers would do well to examine their contracts with the firms with which they deal, to be sure their contracts include proper indemnification and other safeguards, experts say.

    In January, HHS’ Office of Civil Rights issued its final rule modifying the Health Insurance Portability and Accountability Act’s privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act, which is often referred to as the HIPAA omnibus final rule.

    The final rule becomes effective March 26th, and final compliance is required by Sept. 23rd. The new rule significantly broadens the definition of healthcare providers’ business associates, bringing many more downstream subcontractors and others under HIPAA’s authority. It also changes the criteria to be used in deciding whether a breach requires notification, placing a greater onus on the healthcare provider to establish why notification should not be made.

    Judy Greenwald, Modern [3/15/13]


  3. New Patients’ Access Rights Mean New Requirements, Including ‘Duty to Warn’

    Covered entities (CEs) and the business associates (BAs) they may use to handle medical records requests from patients will need to ensure they can produce an electronic copy if that is how data are kept. They will also have to give patients the option of receiving their records through unencrypted emails and other electronic formats considered to be “unsecure” while warning them of risks, and comply with an expanded definition of a “designated records set.”

    These are just a few of the provisions and clarifications regarding patients’ and individuals’ rights under the new HITECH Act final rules issued by the HHS Office for Civil Rights on March 26 that will necessitate changes in medical records policies and procedures by CEs and BAs. There are also tighter timeframes to produce patient records as well as a new mandate to restrict protected health information (PHI) from going to a patient’s health plan under specific circumstances.

    Source: Report on Patient Privacy [April 2013]


  4. Encryption and the Hippocratic Oath

    “Court ruling sparks patient privacy talk – California appeals court takes side of covered entity in privacy breach case,” by Erin McCann, Associate Editor of HealthcareITNews, was posted yesterday.

    “A recent court decision ruling that a HIPAA-covered entity was not liable for losing a hard drive containing patients’ protected health information could have big implications for future cases in the realm of privacy and security.” McCann continues, “To all those business associates and covered entities out there who may deem this a legal win if, say, they happen to lose or misplace devices containing patient data, there’s one important detail to remember: The hard drive was encrypted.”

    If nobody has to be notified should a breach occur which includes patients’ encrypted identities – victim’s private information which lasts lifetimes – the quick fix dangerously instills false security. Eliminating the immediate liability of carelessness offers HIPAA Covered Entities and Business Associates short term gain at the risk of massive, unexpected identity thefts in the future as today’s encryption inevitably grows vulnerable.

    In my opinion, Americans should demand to be notified of data breaches regardless of encryption. It’s the Hippocratic choice.

    D. Kellus Pruitt DDS


  5. Three Laptops Stolen from NY Podiatry Office

    Nearly 6,500 patients of Sims and Associates Podiatry may have had personal information – including Social Security numbers – compromised after three laptops containing the patient data were stolen from the New York office. The theft occurred sometime between Jan. 10 and Jan. 12 and was discovered on Jan. 12 at around 9:30 a.m. The data for patients undergoing vascular testing was taken from 2007 to Jan. 2010. The data for patients who were prescribed orthotics was taken from mid-2012 to Jan. 2010. The data for patients who had x-rays taken was from 2004 to Jan. 2010.

    “There has been no evidence of misuse of any affected person’s information, and a review of procedures to enhance security and theft protection is ongoing,” according to the notification posted to the podiatry office’s website.

    Source: Adam Greenberg, SC Magazine [4/22/14]

