In a HealthcareITNews article on a recent breach, Erin McCann included this eye-catching statement:
Out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.
To paraphrase Einstein, HHS might do well to remember that if they keep doing what they’ve always done, they’ll keep getting what they’ve always gotten.
Both HHS and FTC need to engage in many more enforcement actions with fines and resolutions to really get the word out that sloppy data security or lack of appropriate policies and protections will cost you. If you play fast and loose with patient or consumer data or if you fail to do right by patients and consumers following a breach, your biggest worry should not be whether you have to offer free credit monitoring for a year. It should be whether the government will slam you with a big fine and put you under a microscope for the next 20 years – at your cost. And it should be that the bad press you receive from government action will cost you patient confidence or customer loyalty (or investors).
We need to make the consequences of breaches more costly and more predictably consistent so that entities do not continue to play the odds that they can get away with poor practices because the likelihood of state or federal action is minimal.
In 2014, I hope we’ll see more enforcement actions by HHS, the FTC, and state attorneys general. Six more enforcement actions for the year by HHS will just not do it….