By Julie-Karel Elkin

Two organizations were fined for HIPAA violations in the past week: one for $31,000 and the other for $2.5 million. Both show how failing to understand and comply with the rules can rack up some major dollars.

The first violation resulted in a $31,000 fine, which doesn't seem too bad compared with some of the others we have heard about, but the "small" fine stemmed from a single issue: a business associate relationship for which the pediatric practice could not produce a business associate agreement covering the period before 2015. According to the government's press release, the small provider, the Center for Children's Digestive Health (CCDH), was drawn into the mix as part of an investigation into Filefax, Inc., a record storage company. Because of its connection with Filefax, the government was able to open an investigation of CCDH, and unfortunately for CCDH, it found something. Not much of something, but something nonetheless.

Now, if you are like me, you are thinking, "One agreement from two years ago that they just couldn't lay hands on at the moment?" Apparently so. As the story goes, because the OCR "found something," the medical office must pay a fine and operate under a "Corrective Action Plan" for the next two years, with the government overseeing its compliance. Sounds like fun.

The second fine was announced today, and it is more like the number we have grown accustomed to seeing: $2.5 million. CardioNet reported the theft of a laptop from a workforce member's vehicle that contained the ePHI of 1,391 individuals. The Office for Civil Rights' investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. Keep in mind that a stolen laptop is only a reportable breach when the ePHI on it is unsecured; encryption that meets HHS guidance keeps a lost device out of the breach notification rule entirely. As a result of its failure to properly craft and implement a compliance strategy, CardioNet will pay a rather large fine for non-compliance and submit to government monitoring of its revised and newly established policies, procedures and training.

Since CardioNet was described as a wireless health service provider, it appears the OCR wanted to send a message to all of the new and emerging technologies in the healthcare space, and it should be received loud and clear: compliance is not going anywhere, and everyone must adhere to the strict privacy and security rules.

Julie-Karel Elkin is a Member and the Chief Compliance Officer at Spicer Rudstrom PLLC. She is the head of the Health Data Privacy and Security practice and has been helping companies and practices large and small with all aspects of their compliance needs for more than 20 years. Ensuring her clients protect and secure data through better training and the sensible use of technology is at the core of her mission.