The Omnibus Rule introduced a penalty scheme with four tiers, ranging from $100 to $50,000 per violation:
It is worth mentioning that the HIPAA regulation applies to organizations regardless of their size and of the amount of PHI they handle or that is involved in a breach incident.
In 2013, HHS announced the first HIPAA breach settlement involving less than 500 patients.
The Hospice of Northern Idaho (HONI) agreed to pay the Office for Civil Rights $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
One of the key facets of the HIPAA regulation is a timely response to incidents, including proper notification.
In 2017, HHS announced the first HIPAA settlement based on the untimely reporting of a breach of unsecured protected health information.
Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000 and agreeing to implement a corrective action plan.
The penalties are cumulative in nature. Back in July 2022, an OCR investigation of Oklahoma State University Center for Health Services found potential violations of the HIPAA Rules, including impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failure to implement audit controls and security incident response and reporting; and failure to provide timely breach notification to affected individuals and HHS.
With 279,865 e-PHI records affected, all these violations accumulated to an $875,000 penalty.
Over 700 healthcare breaches have been reported to the Office for Civil Rights in 2022 alone, affecting more than 50 million healthcare records.
Hundreds of investigations opened against organizations for non-compliance with HIPAA can also be found on the OCR breach portal.