Easily preventable privacy breaches cost hospitals millions


Though there is the perception in many quarters that HIPAA privacy enforcement has been lax over the years, the HHS Office for Civil Rights investigated and resolved at least 11,421 cases of alleged violations from the time the regulations took effect in April 2003 through July 2010, a new report says.

The report, in the form of a white paper from data-monitoring firm FairWarning, St. Petersburg, Fla., says that a typical healthcare provider without an active privacy monitoring system is likely to have 25 to 100 privacy breaches related to electronic patient data per month. And breaches can be expensive. In its survey of 300 hospitals and 1,400 clinics among its customer rolls, FairWarning found that some breaches resulted in fines of more than $2.25 million. If an incident attracts media coverage, internal management costs can run between $6.5 million and $15 million per breach, according to Infosecurity (USA).

Having a monitoring system in place--you know, like the kind FairWarning sells--along with adequate risk assessment, employee training, remediation policies and swift sanctions for those responsible for breaches can cut the chance of a privacy incident by 85 to 99 percent, the white paper says.

"A provider must be willing to take action against offenders including physicians who provide a substantial patient draw to the organization because of their specialty and reputation," FairWarning reports. "On a continual basis, privacy and compliance should collaborate with information security to reduce risk exposure and close vulnerability gaps detected by privacy breach monitoring."

To learn more:
- have a look at this Infosecurity (USA) story
- see this FairWarning press release
- download the white paper (.pdf)
