Blog

What Is Your Business Risking by Underinvesting in HIPAA Compliance?

Lacey Jackson
/
December 23, 2020

In 2017, we published an article outlining the complications that arise when a healthcare organization violates HIPAA requirements. In the three years since we shared those facts, a lot has changed. The US healthcare system has seen new federal regulations on data sharing, an increase in telehealth and interoperability, and faced a global pandemic. One constant has been the need to protect patient health information. 

Protected health information (PHI) is some of the most valuable data a criminal can steal. A single patient record has been reported to sell for up to $20,000. PHI is so valuable because it bundles identifiers that can't be cancelled or reissued the way a credit card can: social security numbers, dates of birth, insurance IDs, and medical histories. It also stays useful to an attacker for longer, because healthcare breaches often go undetected for weeks or months. 

Healthcare organizations often underinvest in IT security. The SANS Institute, the world's largest provider of cybersecurity training, recommends spending about 10% of an organization's annual IT budget on cybersecurity. Most healthcare organizations spend closer to 3%.

So, the question remains: what is your business risking by underinvesting in healthcare data security?

COVID-19 

Before we dive in, it's important to note the changes to HIPAA enforcement driven by the COVID-19 pandemic. The Department of Health and Human Services' Office for Civil Rights (OCR) relaxed enforcement in some areas in response to COVID-19. These are mostly notices of enforcement discretion rather than amendments to the rules themselves: OCR announced it would not impose penalties for good-faith use of non-public-facing remote communication products for telehealth, but the underlying requirements still apply, and the discretion can be withdrawn.

Some of these changes were made to smooth the transition from in-person to telehealth appointments. Other guidance clarified permitted disclosures in other areas, such as sharing a patient's COVID-19 infection status with first responders.  


Learn More: See how these healthcare organizations met HIPAA requirements during the COVID-19 pandemic

Fines

A major motivator for ensuring HIPAA compliance across your organization is avoiding the hefty civil penalties. In 2020, the Department of Health and Human Services published inflation-adjusted penalty amounts, tiered by how culpable the covered entity or business associate was: 

  • Lack of knowledge (the organization did not know, and by exercising reasonable diligence would not have known, of the violation): $119 to $59,522 per violation.
  • Reasonable cause (not willful neglect): $1,191 to $59,522 per violation. 
  • Willful neglect, corrected within 30 days: $11,904 to $59,522 per violation. 
  • Willful neglect, not corrected: $59,522 per violation.

Penalties are assessed per violation, with an annual cap of $1,785,651 for all violations of an identical provision. Under a 2019 notice of enforcement discretion, OCR applies lower annual caps to the lower tiers.

In 2020, the Office for Civil Rights announced the second-largest settlement in its history: after a breach affecting 10.4 million people, Premera Blue Cross (PBC) agreed to pay $6.85 million to resolve OCR's investigation. You may be thinking that your organization doesn't hold nearly enough data to attract a sum like that. But penalties are assessed per violation and per provision, and the Breach Notification Rule requires you to report breaches affecting 500 or more individuals to HHS within 60 days of discovery (smaller breaches are logged and reported annually). A breach that goes unreported or unresolved turns one incident into a stack of violations that can bankrupt a small business.  

Read More: Learn how AdventHealth resolved a data breach by switching to Formstack Forms

Corrective Action

HIPAA violations involve more than paying a fine. OCR resolution agreements almost always pair the payment with a deadline-driven corrective action plan (CAP) that your organization must work through. The dollar amount looks like the worst part of resolving a violation, but the CAP is just as painful: it's mandatory, burdensome, and monitored by OCR for its full term through required progress reports. 

These plans typically last one to three years and are designed to address the specific issues uncovered in the initial investigation. The key requirements of a CAP are usually:

  • Conduct a Risk Analysis every year
  • Develop and implement a Risk Management Plan
  • Report events that may lead to HIPAA violations
  • Keep documentation for six years

Additional requirements may be included based on the specific security weaknesses plaguing an organization. These requirements might include better oversight of business associates, updated policies, or workforce training.


Jail Time

Some HIPAA penalties haven't changed at all since we published our 2017 article. Criminal prosecution, for example, is still possible. Arrest isn't a major concern for most healthcare organizations as a whole, but an individual who knowingly obtains or discloses a patient's protected health information without authorization can be charged under 42 U.S.C. § 1320d-6. 

Criminal penalties run up to a $250,000 fine and 10 years in prison, and they are tiered by intent:

  • Knowingly obtaining or disclosing PHI: up to $50,000 and one year in prison.
  • Doing so under false pretenses: up to $100,000 and five years.
  • Doing so with intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm: up to $250,000 and 10 years.


Career Decline and Patient Mistrust 

One of the most valuable assets your healthcare organization has is the trust of patients. A huge business generator for many providers is word of mouth from your patients. Your patients put a lot of faith in your organization to keep their most valuable information safe. If you compromise their privacy, they will lose trust in you and potentially seek healthcare elsewhere and be unlikely to recommend your practice to others. 

Additionally, many patients find your practice through an internet search for services in their area. HIPAA violations are a matter of public record: HHS must post breaches affecting 500 or more individuals on its public breach portal, OCR publishes its resolution agreements, and enforcement records are available under the Freedom of Information Act. Even one small violation could be the first thing that appears when a patient searches for your organization. 

All of this strips your organization of credibility. For a small practice, the damage could be irreversible. 


Non-compliance puts your business at serious risk. Make sure you're using HIPAA compliant solutions like Formstack, and remember that no vendor makes you compliant on its own: you still need a signed business associate agreement (BAA) with each vendor that handles PHI, plus your own risk analysis and policies. Start a free trial today to start collecting and managing patient health data securely. 









In 2017, we published an article outlining the complications that arise when a healthcare organization violates HIPAA requirements. In the three years since we shared those facts, a lot has changed. The US healthcare system has seen new federal regulations on data sharing, an increase in telehealth and interoperability, and faced a global pandemic. One constant has been the need to protect patient health information. 

Patient health information (PHI) is some of the most valuable data out there. A single PHI file can yield a profit of up to $20,000 for hackers. The main reason PHI is so valuable to cybercriminals is because it contains important information, such as social security numbers. Additionally, cybercriminals can usually take advantage of PHI for a longer period of time because it can take weeks or months for a healthcare data breach to be discovered. 

Healthcare organizations often underinvest in IT. The SANS institute the world’s largest provider of cybersecurity training, recommends spending 10% of a business's annual IT budget on cybersecurity. But most healthcare organizations only spend about 3%.

So, the question remains: what is your business risking by underinvesting in healthcare data security?

COVID-19 

Before we dive in, it’s important to note the recent changes to HIPAA requirements driven by the COVID-19 pandemic. The Department of Health and Human Services and the Office of Civil Rights (OCR) relaxed HIPAA requirements in  some areas as a response to COVID-19

Some of these changes were made to smooth the transition from in-person to telehealth appointments. There are several additional HIPAA updates to expand abilities in other areas, such as providing first responders with a patient’s infection status.  


Learn More: See how these healthcare organizations met HIPAA requirements during the COVID-19 pandemic

Fines

A major motivator for ensuring HIPAA compliance across your organization is avoiding the hefty fines. In March 2020, the Department of Health and Human Services upped the financial penalties for HIPAA violations as follows: 

  • If a facility was unaware (and could not have reasonably been aware) of a violation, the penalty ranges from $119 to $59,522 per violation.
  • If a violation occurs due to reasonable cause (and not willful neglect), the penalty ranges from $1,191 to $59,522 per violation. 
  • If a violation is due to willful neglect but is corrected in a timely manner, the penalty ranges from $11,904 to $59,522 per violation. 
  • For violations caused by willful neglect that are not corrected, the penalty amount is $59,522 per violation, with an annual cap of $1,785,651 for all violations of an identical requirement.

In 2020, the Office of Civil Rights saw the second largest settlement in its history. After a breach affecting 10.4 million people, Premera Blue Cross (PBC) agreed to pay $6.85 million to resolve the HIPAA investigation. Now, you may be thinking that your organization doesn’t hold nearly enough data to pay a major sum like that. If data breaches go unreported or unresolved, the fines can pile up and end up bankrupting a business.  

Read More: Learn how AdventHealth resolved a data breach by switching to Formstack Forms

Corrective Action

But HIPAA violations are more than just simply paying a fine. Before the fines start rolling in, OCR will seek to resolve the issue by requiring your organization to work through a deadline-driven corrective action plan (CAP). While the dollar amounts appear to be the worst part of resolving your HIPAA violation, the corrective action plan is just as bad. It’s mandatory, burdensome, and constantly monitored by OCR. 

These plans typically last one to three years and are designed to address the specific issues uncovered in the initial investigation. The key requirements of a CAP are usually:

  • Conduct a Risk Analysis every year
  • Develop and implement a Risk Management Plan
  • Report events that may lead to HIPAA violations
  • Keep documentation for six years

Additional requirements may be included based on the specific security weaknesses plaguing an organization. These requirements might include better oversight of business associates, updated policies, or workforce training.


Jail Time

Some HIPAA penalties haven’t changed at all since we initially published our 2017 article. For example, some HIPAA violations still lead to criminal penalties. Arrest isn’t a major concern for most healthcare organizations. However, if someone deliberately discloses or sells a patient’s personal health information, that person could face criminal charges. 


HIPAA violations by employees can result in a fine of up to $250,000 with a maximum jail term of 12 years. Jail time may be ordered based on a three-tiered approach:


Career Decline and Patient Mistrust 

One of the most valuable assets your healthcare organization has is the trust of patients. A huge business generator for many providers is word of mouth from your patients. Your patients put a lot of faith in your organization to keep their most valuable information safe. If you compromise their privacy, they will lose trust in you and potentially seek healthcare elsewhere and be unlikely to recommend your practice to others. 

Additionally, many patients likely find your practice after an internet search for services in their area. The Freedom of Information Act makes reported HIPAA violations publicly accessible, meaning even one small violation could be the first thing that pops up when a patient searches for your organization. 

Failing to comply with HIPAA requirements can be seriously damaging for your business, and all of this will strip your organization of credibility. For small practices, this damage could be irreversible.


Failing to comply with HIPAA requirements puts your business at serious risk. Make sure you’re using HIPAA-compliant solutions like Formstack. Start a free trial today to begin collecting and managing patient health data securely.


Lacey Jackson
As Formstack’s Demand Content Strategist, Lacey is focused on creating content that showcases the power of the Formstack platform. When she’s not creating Formstack Builders tutorials, she can be found reading, playing board games, or strolling with her dog. Lacey is a graduate of Franklin College.