The Field Report with Tom Field

The High Price of Non-Compliance

Healthcare Organizations Learn Expensive Lessons About HIPAA, HITECH

But two organizations this week learned hard lessons about the cost of non-compliance.

Health insurer WellPoint Inc. settled with the Indiana Attorney General's office over a delayed notification of a consumer data breach that affected the records of 32,051 people.

These cases show not just the serious consequences of non-compliance, but also how serious the regulatory bodies are about enforcing their rules. 

Under terms of the settlement, WellPoint will pay the state $100,000 for an incident, which exposed data that included social security numbers, financial information and health records. In addition to the fine, WellPoint must provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach, as well as offer reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the breach.

Meanwhile, the University of California at Los Angeles Health System has agreed to pay a fine of $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the HIPAA's Privacy and Security Rules. This after complaints that employees were snooping into celebrity patients' health records.

In addition to the fine, UCLAHS has agreed to review, revise and maintain, as necessary, existing policies and procedures and develop written policies and procedures that comply with federal standards that govern the privacy of individually identifiable health information.

The non-compliant organizations are saying all the right things in the wake of their penalties. "Our patients' health, privacy and well-being are of paramount importance to us," says Dr. David T. Feinberg, CEO of UCLAHS. But the contrition would have been totally unwarranted if the groups had just been compliant from the start.

These cases show not just the serious consequences of non-compliance, but also how serious the regulatory bodies are about enforcing their rules. And making public examples of those who break them. Nothing encourages compliance better than seeing an organization's reputation strapped into the PR stockade.

In other notable news this week:

  • Executive Editor Eric Chabrow spoke with RSA's new CSO Eddie Schwartz about life after the organization's stunning data breach;
  • And Contributing Editor Upasana Gupta blogs about the murky question of whether security organizations should even consider hiring staffers who have histories as hackers.
Be sure to visit HealthcareInfoSecurity for all the latest news and views on the issues that matter most to healthcare/security leaders.

About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.