The OCR's Notorious Wall of Shame

Avoiding HIPAA Breaches and the “Wall of Shame”

Ever-evolving developments in healthcare technology, aimed at increasing efficiency and access, are growing at an exponential rate. That may offer more effective processes and support better care coordination, but it also leaves many practitioners finding it exceedingly difficult to remain compliant amid all of the security measures guided by the Health Insurance and Patient Accountability Act (“HIPAA”). Whether dealing with staffing shortages, clinic expansion, or a lack of training, avoiding breaches of personal health information (“PHI”) is both a top priority and an ongoing challenge.

When breaches do occur, HIPAA requires they be reported to the U.S. Department of Health & Services Office for Civil Rights (“OCR”). Violations affecting 500 individuals or more must be reported within 30 days of discovery to impacted individuals and within 60 days to the OCR and local media. OCR also publishes information identifying these breaches on what has become known as the OCR “Wall of Shame”.  Established under the HIPAA Breach Notification Rule and HITECH Act, the Wall of Shame lists the names and other details of organizations under investigation due to a violation that has occurred within the last 24 months. To state the obvious, you do not want to be placed on this list.

Recent Statistics

  • In 2021, 607 violations affecting nearly 45 million individuals were submitted to the OCR and are now visible on the Wall of Shame (a 20% increase in breaches compared to 2019, only two years prior) 1
  • Breaches have increased 84% in the last five years, with 329 reported in 20162
  • The average cost per record breached hit $499 in 2020 on an upward trend, totaling $13.2 billion for the year3
  • Unauthorized access/disclosure accounts for 34% of violations every year, up 162% over the past three years4
  • Hospitals typically account for 30% of all large data breaches4

Potential Financial Consequences

Most often, the OCR resolves cases through voluntary compliance or by accepting a covered entity’s plan to address the breach and adjust policies and procedures to avoid future violations. For severe cases, the Enforcement Final Rule of 2006 allows the OCR to issue financial penalties to covered entities that fail to comply with HIPAA Rules. There are currently four main tiers of such violations5:

  • Tier 1, $100 - $50,000 per breach: A violation that the covered entity was unaware of and could not have reasonably avoided.
  • Tier 2, $1,000 - $50,000 per breach: A violation that the covered entity should have been aware of but could not have avoided.
  • Tier 3, $10,000 - $50,000 per breach: This violation is considered to be the result of willful neglect in instances where corrective measures were taken within a reasonable timeframe.
  • Tier 4, $50,000 per breach: This violation is considered to be the result of willful neglect in instances where no corrective measures were taken to resolve the breach.

While less common, criminal penalties do exist in addition to fines for various violations, including malicious intent (i.e., selling data for harm or commercial gain).

How HealthMark Can Help

With management of PHI at the core of HealthMark’s business, it remains the highest priority to keep data secure and compliant. Our team responsible for the handling of medical records is required to undergo Certified Release of Information Specialist (“CRIS”) training and certification to demonstrate understanding of patient privacy rights and HIPAA requirements. Guidelines around HIPAA, the Privacy Rule, Information Blocking, etc. are constantly evolving, making regulatory education one more thing for practices to manage. Our goal as a partner is not only to offer services that ease administrative loads, but to also do the work for clients by combing through often convoluted details and staying abreast of the most important changes that are occurring. By doing so, we can share with clients what they need to know and when, which allows our clients to focus more of their limited resources on their primary goal of patient care.

  1. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  2. https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/
  3. https://www.beckershospitalreview.com/cybersecurity/healthcare-data-breaches-up-55-1-in-2020-report-finds.html
  4. https://techjury.net/blog/healthcare-data-breaches-statistics/#gref
  5. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
Back to Blog

Related Articles

The No Surprises Act: What you Need to Know

Update (3/1/2022): The enforcement of the NSA is pending ongoing legislation and potentially...

Let's Break it Down: Right of Access

WHAT IS THE "RIGHT OF ACCESS"?

CRIS Certification – Why It’s Important for Record Management

CRIS CERTIFICATION – WHAT IS IT?