Enacted in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act substantially increased the civil penalties for HIPAA violations, to a maximum of $1.5 million per calendar year for all violations of an identical provision. The scale of enforcement is illustrated by the following settlements, the largest of which reached $2.25 million.
Rite Aid and its affiliates
$1 million settlement after media reports showed pharmacies disposing of prescriptions and labeled pill bottles containing individuals' identifiable information in publicly accessible trash receptacles
Massachusetts General Hospital
$1 million settlement after a Massachusetts General Hospital employee left documents containing patients' protected health information on a subway train
CVS Pharmacy, Inc.
$2.25 million settlement after the drugstore chain disposed of patient information in unsecured trash containers that were accessible to the public
Beyond the settlement amounts, HIPAA violations carry further consequences: civil action, criminal prosecution that can result in imprisonment, and business harm such as brand equity erosion and customer attrition. HITECH also expanded who must comply with HIPAA. Before HITECH, only covered entities such as hospitals, physicians, and health insurers were directly subject to HIPAA; under HITECH, business associates, that is, most organizations that receive protected health information (PHI) from a covered entity, are also directly liable for compliance.
"CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case." News Release. U.S. Department of Health & Human Services, 18 Feb. 2009. Web. 23 July 2012. http://www.hhs.gov/news/press/2009pres/02/20090218a.html.
"Massachusetts General Hospital Settles Potential HIPAA Violations." News Release. U.S. Department of Health & Human Services, 24 Feb. 2011. Web. 23 July 2012. http://www.hhs.gov/news/press/2011pres/02/20110224b.html.
"Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case." News Release. U.S. Department of Health & Human Services, 27 July 2010. Web. 23 July 2012. http://www.hhs.gov/news/press/2010pres/07/20100727a.html.