HHS collected a record $28.7 million from healthcare providers and insurers in 2018 for inadequate responses to data breaches, the agency reported Thursday.
The total for violations under the Health Insurance Portability and Accountability Act surpassed the previous record in 2016 of $23.5 million, HHS' Office for Civil Rights said.
"Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action," OCR Director Roger Severino said in a statement.
The record total included a massive $16 million settlement with insurer Anthem for a 2015 data breach that hit nearly 79 million people. The agreement was the largest settlement ever reached for a breach under HIPAA.
In the Anthem breach, hackers stole personal information that included names, birth dates, Social Security numbers and home addresses.
The second-highest settlement stemmed from a ruling in June ordering MD Anderson Cancer Center in Houston to pay $4.3 million to resolve HIPAA violations that included not encrypting its devices.
The OCR closed out 2018 with a $3 million settlement in December with Cottage Health, which operates three hospitals in California, over breaches affecting 62,500 people in December 2013 and December 2015.
Cottage agreed to create a corrective action plan to comply with the HIPAA rules.
While OCR celebrates its record-setting year, the CMS wants to know how to reduce HIPAA burdens on care coordination. The agency put out a request for information to the White House's Office of Management and Budget in November to figure out if HIPAA regulations are hindering or discouraging coordinated care between hospitals and doctors.
Hospitals and insurers continue to be a prime target for hackers. A study published in JAMA in September found that healthcare data breaches rose nearly every year from 2010 to 2017.
There have been 176.44 million patient records impacted by more than 2,149 data breaches from 2010 to 2017, according to the study.
Healthcare providers made up the majority of data breaches, accounting for 70% of the breaches from 2010 to 2017. However, hackers didn't get a lot of records from hospitals. While insurer breaches only accounted for 13% of the total number of incidents, they represented most of the patient records stolen, at 110.4 million.