Like your privacy? Don't go to the doctor anymore.


HoLeChit

If you're a patient, you should probably assume your personal health information can't legally be shared with the news media or your relative's nosy spouse. Beyond that there's probably a way it will get shared, perhaps beyond your desire.

As for the penalties and "whistleblower protections", I certainly hope they don't work the way they do in .gov, because they're just for show there.
Well, they are putting all that healthcare info under government control... so I am willing to bet it's all just for show. The "opt-out" form that they are saying people can use still records all of their data; it just restricts access to their data except for "emergencies", which could be literally anything for any reason.
 

okcBob

Penalties per HIPAA law:

Criminal penalties:
  • Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
  • Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail
  • Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail

Financial penalties:
  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation
 
Joined
Jan 12, 2007
Messages
30,137
Reaction score
18,051
Location
Collinsville
Penalties per HIPAA law:

Criminal penalties:
  • Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
  • Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail
  • Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail

Financial penalties:
  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation
Any real-world examples where this actually happened? Like I stated, the .gov has whistleblower protections that carry penalties too, but they're used about as often as the federal criminal statute that covers lying on a 4473, which is an infinitesimally small percentage of occurrences. :rolleyes2
 

BobbyV

Any real-world examples where this actually happened? Like I stated, the .gov has whistleblower protections that carry penalties too, but they're used about as often as the federal criminal statute that covers lying on a 4473, which is an infinitesimally small percentage of occurrences. :rolleyes2
Several of them here.

HIPAA violation fines happen quite often. One of them in 2022 was to OSU's Center for Health Services to the tune of $875k.
 
Joined
Jan 12, 2007
Messages
30,137
Reaction score
18,051
Location
Collinsville
Several of them here.

HIPAA violation fines happen quite often. One of them in 2022 was to OSU's Center for Health Services to the tune of $875k.
So it looks like HIPAA is violated often, most cases never get past counseling/corrective action plans, and almost all cases that do are settled rather than CP fines collected in full (to include OSU) and rarely if ever is any individual held to account. Meanwhile the actual costs of violations are amortized out in taxes and increased patient costs.

Does that about sum it up?
 

BobbyV

So it looks like HIPAA is violated often, most cases never get past counseling/corrective action plans, and almost all cases that do are settled rather than CP fines collected in full (to include OSU) and rarely if ever is any individual held to account. Meanwhile the actual costs of violations are amortized out in taxes and increased patient costs.

Does that about sum it up?

OCR refers cases to the DOJ for criminal investigation. I guess you'd need to check with the DOJ for stats related to those cases.

As far as whatever you're trying to get out with assuming individuals aren't held to account, I'm aware of several folks who have lost their jobs over privacy incidents.
 

okcBob

So it looks like HIPAA is violated often, most cases never get past counseling/corrective action plans, and almost all cases that do are settled rather than CP fines collected in full (to include OSU) and rarely if ever is any individual held to account. Meanwhile the actual costs of violations are amortized out in taxes and increased patient costs.

Does that about sum it up?
Didn’t take long to find a “rarely if ever” guy. 😁
 
