So what's the punishment for what the parent comment described?


Each violation of HIPAA can carry a fine between $100 and $50,000 per violation. The hard part is that many people don't know what their privacy rights are, or to whom they go when their rights are violated (in this case, the Office of Civil Rights of the Department of Health and Human Services).


And that OCR is also a load of shit.

I had an office emailing me their appointment data for a patient; I don't know if we had a similar email or something. I responded the first two times I received it that it was being sent in error, and to please stop, for the sake of everyone concerned.

On occasions 3 and 4 I attempted to contact the practice. Both times I was sent to the manager's voicemail, where I left messages that were never returned.

After a half-dozen of these occasions, I contacted OCR on behalf of the patient (you can file an OCR complaint on someone else's behalf), specifically referencing the fact that although the privacy violation is not significant, their repeated violation with no effort to stop is. I enclosed screen shots of the repeated emails I had sent the practice, and the repeated privacy-violating emails I'd gotten from them.

OCR said they'd get in contact with the practice and help them implement a technical solution to stop contacting me, and could I please give them my email address to blacklist, and asked if that solution was satisfactory.

I said, no, no that's not fucking satisfactory. They could have fixed the email issue a year ago; it doesn't require technical assistance from the government. While I appreciate trying to assist small practices in remedying technical defects rather than just being punitive, this was exactly the time to be punitive - when the technical defect is simple and easy to remedy ("we have the wrong contact info; update it"), and there was plenty of opportunity to remedy and they willfully continued to engage in the activity. And blacklisting my email address does absolutely nothing to protect the next patient's privacy.

A few weeks later I got a letter in the mail that basically restated what had been in the email, and that no further action would be taken.

(Before anyone says "but you got no more information than you would have had if you'd been sitting in the waiting room when the guy came for his appointment":

HIPAA has an exception that basically says "reveal the minimum you need to run a functional clinic, but yeah, obviously you need to run a functional clinic." So things like "patients in the waiting room" are exempt from HIPAA because, well, you won't be able to keep an office open if you can't keep a waiting room full. That same information emailed out to a random stranger - that is, absolutely not needed to be shared with me to provide routine care - does not share that exemption.)


Look up how often HIPAA investigations turn into monetary fines. It’s comically small and essentially only affects big hospitals, universities, and insurance companies.

The agency likes to report “enforcement actions” which include fines but 99% of the time are some kind of promise to do better in the future.

HIPAA violations are one of those things the public thinks are super serious but in reality are all but a total joke.

And don’t get me started on HIPAA compliance consultants lol. Reminds me of Lisa Simpson selling Homer her magic rock that keeps away tigers.
