The link below is to a blog post about a large HIPAA violation penalty. It is interesting to note that from the time the HIPAA Privacy Rule took effect in 2003 until today, there have been few or no enforcement actions against doctors' offices, hospitals, or other medical facilities for improper release of protected health information. Everyone has been (perhaps overly) careful to avoid inadvertent disclosure of information. That's great.
This big ($4.3 million!) fine was against an insurance company that failed to properly communicate with its own customers. Patients (the insured) wanted access to their own information and records, to which they are entitled, but the company did not respond properly or provide any system for customers to obtain the information. After the government's attempts to work with the company were met with a complete lack of cooperation, it fined the company, and most of the penalty was for the failure even to respond to the complaints and the investigation.
So, the moral here appears to be that small doctors' offices and other medical facilities need to maintain patient privacy, but they really shouldn't worry about facing HIPAA penalties as long as they make a good-faith effort and cooperate when a complaint is investigated. But they need to make sure, in their zeal to protect private information, that they still give their patients/customers the access to their own records that the Privacy Rule requires (the patient's right of access, including a response within the rule's time limit). Denying or ignoring a valid request for one's own records is itself a HIPAA violation, not an excess of caution.
Lessons Galore from Eye-Popping $4.3 Million HIPAA Penalty : Workplace Privacy Counsel