The announcement last week by the Department of Health and Human Services (HHS) of two more settlements for HIPAA Privacy/Security violations brings this year’s total to five, totaling approximately $6.99M (see graphic below). We are barely midway through May and 2014 has already topped all prior years in terms of penalties imposed on covered entities for HIPAA violations.
Note: The 2011 figures exclude the $3M Civil Money Penalty (CMP) that Cignet received for failing to cooperate with OCR’s investigation.
If the current run rate holds up, our total settlement count and penalties for 2014 would be around 12 and $17M respectively. This would be twice the number of settlements from the previous year and over four times the dollar amount in penalties.
A few additional tidbits of information from our analysis of the resolution agreements:
- Average time to arrive at settlement: 2.2 years.
- All settlements to date are for incidents that occurred prior to March 2012.
- Aside from the Cignet CMP of $3M mentioned above, 2014 had the first settlement of more than $2M (last week’s settlement with New York and Presbyterian Hospital was $3.3M).