What? A HIPAA Violation?

This may not seem like an unusual news story, but an Oklahoma City woman was accused this month for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the federal law that requires companies to properly secure personal medical records of patients and employees, or face fines or criminal prosecution. What's unusual about this story is that in the nearly 12 years HIPAA has been around, the number of HIPAA violations and criminal cases has been extremely low -- almost non-existent.

Consider that a large portion of American corporations -- as much as 40 percent back in 2006 -- were not in compliance with the law, a lone violation seems even more incredulous. The reason for the non-compliance, privacy and security experts say, is because it pays not to comply. The risk of being caught is so low compared with the cost of compliance, which is high, that the business case argues for not complying. The return on investment for securing private health data just isn't there. Privacy experts may have a different point of view.