Miaoulis Note: The fines were California fines, not HITECH fines.
The California Department of Public Health (“CDPH”) recently announced its imposition of $675,000 in fines to six hospitals that had reported security breaches involving medical records (since January 1, 2009, the CDPH has issued fines totaling $1.1 million). The story has been extensively reported on in the media . You can listen to the CDPH’s press conference here. The total number of records exposed was only 244, for an average fine of around $2,766 per record. To put that in perspective, if a California hospital suffered a breach involving 100,000 medical records, using the average stated here, their potential fines could be $276 million (assuming no cap for fines and penalties -- the relevant laws do have a cap of $250,000 per incident).
In this post we take a deeper look at the CDPH fines and the legal framework that gave rise to them, and explore the concept of legally defensible security in this context.