“The HIPAA Privacy Rule for the first time created national standards to protect individuals’ medical records and other personal health information. Some of the most important pieces of the legislation included:
- It gave patients more control over their health information.
- It set boundaries on the use and release of health records.
- It established appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It held violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used. Some of the benefits to patients are that:
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.” Source Webpage
For the bulk of the life of the law and subsequent rules, there was little enforcement of HIPAA with regards to prosecution or penalties. However, over the last several years, that has begun to change. Over the past five years, prosecutions have become more commonplace. Fines and penalties are becoming both more numerous and expensive. In 2017, fines across the largest HIPAA violations topped out at over $20M across several large organizations.
A list of HIPAA Settlements from 2016 shows the fines, size and scale from these violations:
| Covered Entity | Date | Amount | Breach that triggered OCR investigation | Individuals impacted |
| University of Massachusetts Amherst (UMass) | November, 2016 | $650,000 | Malware infection | 1,670 |
| St. Joseph Health | October, 2016 | $2,140,500 | PHI made available through search engines | 31,800 |
| Care New England Health System | September, 2016 | $400,000 | Loss of two unencrypted backup tapes | 14,000 |
| Advocate Health Care Network | August, 2016 | $5,550,000 | Theft of desktop computers, loss of laptop, improper access of data at business associate | 3,994,175 (combined total of three separate breaches) |
| University of Mississippi Medical Center | July, 2016 | $2,750,000 | Unprotected network drive | 10.,000 |
| Oregon Health & Science University | July, 2016 | $2,700,000 | Loss of unencrypted laptop / Storage on cloud server without BAA | 4,361 (combined total of two breaches) |
Image Source: https://www.hipaajournal.com/ocr-hipaa-enforcement-summary-2016-hipaa-settlements-8646/