The High Price of Non-Compliance
Healthcare Organizations Learn Expensive Lessons About HIPAA, HITECH

But two organizations this week learned hard lessons about the cost of non-compliance.
Health insurer WellPoint Inc. settled with the Indiana Attorney General's office over a delayed notification of a consumer data breach that affected the records of 32,051 people.
Under the terms of the settlement, WellPoint will pay the state $100,000 for the incident, which exposed data that included Social Security numbers, financial information and health records. In addition to the fine, WellPoint must provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach, and must reimburse any affected WellPoint consumer up to $50,000 for losses resulting from identity theft caused by the breach.
Meanwhile, the University of California at Los Angeles Health System has agreed to pay a fine of $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the HIPAA Privacy and Security Rules. The settlement follows complaints that employees were snooping into celebrity patients' health records.
In addition to the fine, UCLAHS has agreed to review, revise and maintain, as necessary, existing policies and procedures and develop written policies and procedures that comply with federal standards that govern the privacy of individually identifiable health information.
The non-compliant organizations are saying all the right things in the wake of their penalties. "Our patients' health, privacy and well-being are of paramount importance to us," says Dr. David T. Feinberg, CEO of UCLAHS. But the contrition would have been entirely unnecessary if the organizations had simply been compliant from the start.
These cases show not just the serious consequences of non-compliance, but also how serious the regulatory bodies are about enforcing their rules. And making public examples of those who break them. Nothing encourages compliance better than seeing an organization's reputation strapped into the PR stockade.
In other notable news this week:
- Executive Editor Eric Chabrow spoke with RSA's new CSO Eddie Schwartz about life after the organization's stunning data breach;
- And Contributing Editor Upasana Gupta blogs about the murky question of whether security organizations should even consider hiring staffers who have histories as hackers.