When complaints are filed by patients or other entities concerning potential HIPAA violations, OCR can investigate and levy fines and penalties, stipulate a corrective action plan, and even recommend criminal charges. As of the end of January 2017, OCR had collected over $58 million in HIPAA violation settlements, and the fines levied have steadily increased over the past few years.
Advocate Health was fined $5.55 million for data breaches affecting 4 million patients, the largest fine any organization has received. Recently, an insurance company was fined $2.2 million for noncompliance with HIPAA – all because of a stolen USB drive. The USB drive contained medical data on thousands of patients, and the device was neither password protected nor encrypted. The insurer reported the theft to OCR. Upon further investigation, OCR determined that the insurer had violated a number of HIPAA rules, which was the cause of the massive fine.