That probably sounds like an awful lot, but in truth it isn’t. It’s awfully difficult to find exact figures on regulatory fines – companies tend to be rather tight-lipped on the subject, after all. But on the scale of companies and business fines, and knowing that companies in general, and hospitals in particular, are generally good at cushioning themselves against such damage, it’s just not that much.
Also, HIPAA is considered something of a paper tiger. Although HIPAA was passed in 1996, there weren’t any fines issued until 2006. While there have been quite a few fines and even criminal prosecutions since then, and the UCLA fine is the third “large” fine in 2011 – the largest being $4.3 million – that’s still not all that much on a business scale.
However, HIPAA compliance is a major concern for healthcare providers, a concern which is far out of proportion to the expected costs of non-compliance.
Why? Are all hospitals, insurance providers, and private practices that concerned with patient privacy?
I’d like to say yes. But, cynically, my time working at a hospital tells me the real reason: they don’t want to undergo an inspection.
HIPAA originally set the maximum fine for each individual violation at a mere $100, with the maximum possible fines being $25,000. Those limits were raised in 2008, and there is a risk of criminal penalties to boot, but that’s not the biggest risk, nor the biggest potential cost.
Each reported violation can trigger a HIPAA inspection. Inspectors can look over the entire facility, from top to bottom, looking for each and every violation. The costs involved in such an inspection, in terms of disruption to the facility, far exceed the possible fine involved.
The numbers don’t tell the whole story with HIPAA. The fear of an inspection has motivated hospitals throughout the nation to adopt far more secure practices with respect to medical records. While there can be, and will be, data leaks, HIPAA is more effective than it seems.