The Department of Health and Human Services (HHS) hit hospitals and other healthcare delivery networks hard in the pocketbook with a wave of big fines zeroing in on security risk management issues between July and October. Is this the end of the fine tsunami? Don’t bet on it.

In the most recent example, St. Joseph Health (SJH) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules following reports that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines for more than a year, ending in 2012. SJH, a nonprofit, integrated Catholic healthcare delivery system sponsored by the St. Joseph Health Ministry, will pay a settlement amount of $2.14 million and adopt a comprehensive corrective action plan.

 …