Blog, September 10, 2013

With The Omnibus Deadline Looming, Fines For HIPAA Violations Are Real

In January 2013, the U.S. Department of Health and Human Services (HHS) announced the final Omnibus rule. Dramatically amending the HIPAA Privacy Rule and portions of the HIPAA Security Rule, Omnibus is intended to greatly enhance a patient's privacy protections, provide individuals new rights to their health information, and strengthen the government's ability to enforce the law. HIPAA was enacted 15 years ago; Omnibus is designed to address the digital age that has expanded since then, and it affects all Covered Entities, their Business Associates, and subcontractors who have access to Protected Health Information (PHI).

The Omnibus rule requires Covered Entities and Business Associates to notify individuals of any breach of PHI, and it creates more direct liability for HIPAA compliance and enforcement within Business Associate Agreements. This includes having written assurance of compliance from all downstream vendors and contractors, as well as having policies and procedures for compliance in place. It is also no longer optional for Covered Entities to have Business Associate Agreements in place: by law, any vendor or service provider with access to PHI, whether a Business Associate or a subcontractor to a Business Associate, must sign a Business Associate Agreement. The deadline for compliance with Omnibus is September 23, 2013.

So what happens if a Covered Entity or Business Associate fails to meet its compliance obligations? If exposed, the Covered Entity and/or Business Associate could be subject to hefty fines for its violations. It could also damage the organization's reputation: violations are publicly announced, which results in bad publicity, which is bad for business. No one wants to be the next headline exposing their ignorance, inability, or neglect in safeguarding patients' health information. Besides, everyone should have a sense of moral and ethical responsibility to protect PHI in compliance with the law.

The cost of non-compliance with HIPAA laws is real. Violation complaints have steadily risen. For those in violation of privacy and security laws, civil and criminal penalties may result. And the introduction of the HITECH Act, and now Omnibus, has strengthened HIPAA enforcement, with fines now ranging in excess of $1.5M and incarceration of up to 10 years for those who knowingly misuse individually identifiable health information.

And if you think these fines can't happen to you, or that regulators only go after "the large providers," think again. Here is just a sample of fines and related headlines:

  • Alaska Department of Health and Social Services fined $1.7M
  • WellPoint, a managed care company, fined $1.7M
  • Massachusetts Eye and Ear Infirmary hit with a $1.5M fine
  • $1.2M for Affinity Health Plan
  • $400,000 for Idaho State University
  • Shasta Regional Medical Center fined $275,000
  • The Hospice of Northern Idaho fined $50,000 for violations affecting fewer than 500 individuals

To ensure adequate coverage for compliance enforcement, the Office for Civil Rights (OCR) continues to hire auditors and assessors, which is certain to increase the number of audits and fines.

As a Covered Entity, Business Associate, or subcontractor to a Business Associate with access to PHI, are you prepared for the September 23, 2013 Omnibus deadline? If not, your business could be the next headline.

For more specific information regarding HIPAA violations and related fines, please visit:
