Slashdot Mirror

← Back to Stories (view on slashdot.org)

UCLA Hospital Hit With HIPAA Fine On Celeb Records

Posted by timothy on from the easier-than-getting-madonna's-pap-smear dept.

Trailrunner7 writes "The University of California at Los Angeles Health Services has agreed to pay a $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. This is the third major HIPAA fine issued by the Department of Health and Human Services in 2011, following a fine of $4.3 million for Cignet and a penalty of $1 million for Massachusetts General Hospital."

57 comments

  1. Is that news? by spaceplanesfan · · Score: 0

    With enough money/power you can buy anything.

    So, if you are an papatatzi, and have loads of money, no security or whatever privacy rules are would stop you from sniffing the hot facts.
    Or if you are government and you just pass a law that allows you to spy on anybody without any prior reason.

    1. Re:Is that news? by Anonymous Coward · · Score: 0

      What is a papatatzi?

    2. Re:Is that news? by ColdWetDog · · Score: 1

      What is a papatatzi?

      Paparazzi with a tattoo?

      --
      Faster! Faster! Faster would be better!
  2. Information wants to be FREE by For+a+Free+Internet · · Score: 0

    Why is the government stopping us from following our dear stares? What do they have to hide? Probably druges and buttesex.

    --
    UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
  3. Pledged to tweak their infrastructure by shoehornjob · · Score: 1

    Sounds like hospital speak for slap a band aid on it and hope they don't get caught again.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    1. Re:Pledged to tweak their infrastructure by Anonymous Coward · · Score: 0

      Well, I'd imagine it's a hard thing to fix. Someone accessed medical journals without a valid purpose? OK, insert at all terminals a brain scanner to detect whether the accesser has a valid purpose or not.

    2. Re:Pledged to tweak their infrastructure by ethanms · · Score: 4, Insightful

      I was thinking it sounds like "fire those involved and make it very clear too all remaining employees that those involved were fired and are unlikely to get another job in the medical field after being terminated for a HIPPA violation...

    3. Re:Pledged to tweak their infrastructure by ethanms · · Score: 1

      ugg... to...

    4. Re:Pledged to tweak their infrastructure by NeoMorphy · · Score: 2

      I agree!

      I work at a health insurance company and everyone in the company was required to take HIPPA training. It was very thorough, and I assume everyone else in the Health Industry had to go through something similar. On top of that, the pharmacy reminds you of it and whenever I see a new doctor I get to read yet more documentation regarding HIPPA and then sign it.

      The employees involved should have known they were doing something that was that was not only illegal, but that it would endanger their career.

      If you think about it, there is a lot of private data that is ultimately protected by people acting professionally and not disclosing that information to the wrong people. There is no way to proactively stop that, other than hiring the right people, doing background checks, and impressing upon them the importance of following the rules regarding privacy.

    5. Re:Pledged to tweak their infrastructure by scottv67 · · Score: 1

      >HIPPA training
      >regarding HIPPA

       The training must not have been very good if you did not learn how to spell the acronym.

    6. Re:Pledged to tweak their infrastructure by shoehornjob · · Score: 1

      Hmm... I think you just saved the company money by not putting a bandaid on the situation. Imagine if they actually had to rewrite some software to lock access to records etc. You're right, termination does work better.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    7. Re:Pledged to tweak their infrastructure by NeoMorphy · · Score: 2

      Argghhh!

      My apologies, you are correct.

      HIPAA(Health Insurance Portability and Accountability Act)

      For some reason I often think "Health Insurance Portability and Privacy Act", which seems more appropriate. There is a lot of emphasis on privacy, and yet it's not in the acronym. I must confess that remembering what the acronym stood for was a question I got wrong, but I got the rest right.

    8. Re:Pledged to tweak their infrastructure by Anonymous Coward · · Score: 0

      Hospitals don't write the software they use to manage paper records, they purchase that software from vendors like Epic, Cerner, Siemens, McKesson, Meditech, and others.

      Regarding employees looking at records, it depends on the employee what their access is. Housekeeping can't see the records, but any admitting clerk authorized to register a patient can see patients in the system (but likely not their medical record). But any doctor, nurse, medical technician, or medical records person can see any record because their job requires that they use them. So locking records would require much more complexity than you might think. For example, if a consultation by an infectious disease doctor on call is requested, the person requesting the consultation may not know who's on call, so how can that be authorized? Additionally, in the event of a medical emergency, any person might need access to the record to provide emergency care.

      Note that the people who violated the HIPAA regulations were caught because these systems have logs which show who views the records.

    9. Re:Pledged to tweak their infrastructure by SonnyDog09 · · Score: 1

      The punishment depends on who you are. Clerks get fired. Nurses may get fired, depending on whether they are in a Union or not. They may also be suspended without pay. It varies. The last time that I really looked at this, I could not find a case of a doctor a being fired for a HIPAA (yes, that is the acronym....it has nothing to do with hippos) violation. They might be suspended without pay.

      --
      Your "fair share" is NOT in my wallet.
  4. Shocked, shocked I tell you! by overshoot · · Score: 4, Insightful
    Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

    Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:Shocked, shocked I tell you! by Anonymous Coward · · Score: 0

      Anyone who accesses the information must have a justifiable reason for having done so. For example in Ireland some woman won 118 million euro on the Eurolottery and 108 accesses were made to find information on her at a government agency. Nothing ever happened.

    2. Re:Shocked, shocked I tell you! by Mindcontrolled · · Score: 2

      Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

      --
      Ubi solitudinem faciunt, pacem appellant.
    3. Re:Shocked, shocked I tell you! by Saerko · · Score: 3, Interesting

      Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

      Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

      I'm not sure I'm all in for that statement. Almost all EMRs these days have pretty robust security controls, and it's rare that celebrity patients come in on unplanned visits where that "all access" kind of response is necessary. Where it is, it's usually handled in the ED, where the expectation of privacy is necessarily low. In the case that the patient is a regular admission, a pre-admit for a procedure/care, or anything other than getting hit by a bus or other trauma, there are well-established practices that protect their identity.

      For instance, my last employer had a case where a celebrity's wife came in for Labor & Delivery. The hospital admitted her under a pseudonym, and only her direct caregivers knew the true identity. An audit trail and special VIP protections were placed on her record, so that staff had to electronically "sign" and state a reason why they needed access to her chart if they weren't in the direct care group. For all intents and purposes, she was well protected.

      The problem came in when billing entered the picture. You can't bill against a pseudonym, and the local papers broke the story soon after she delivered. Once she left the hospital, her pseudonym was replaced by her real name, and her chart was promptly accessed over 200 times by various personnel across the hospital. In the next week, five people were fired outright for unauthorized access, and about a dozen put on disciplinary action because we couldn't fully prove that their access was unnecessary, if suspect. In an ideal world, the system would have been able to bill out under the pseudonym with the identity correction occurring downstream, but people still talk and the cover would get blown eventually anyway.

      Does this anecdote have a point? I'd like to think so: it's that there's only so much mitigation you can do, but a lot of hospitals and EMR vendors could certainly do more. There will always be people like me who have god-like access by necessity though, and as long as that exists, there will always be the potential for abuse and information leaks. I think the real benefit of electronic systems is that, previously, if someone absconded with the paper chart, there was no way to tell who accessed it. Even I leave entries in the logs, and there's pretty close to no way to effectively "leave no trace" of my presence in the system. The biggest benefit of modernization is accountability, but real privacy is a pipe dream that people need to abandon.

    4. Re:Shocked, shocked I tell you! by Anonymous Coward · · Score: 0

      "For instance, my last employer had a case where a celebrity's wife came in for Labor & Delivery. The hospital admitted her under a pseudonym, and only her direct caregivers knew the true identity. An audit trail and special VIP protections were placed on her record, so that staff had to electronically "sign" and state a reason why they needed access to her chart if they weren't in the direct care group." Nice to see your hospital is treating everyone equally, you know like the law says they are supposed to... This happened not because she was a person who deserved to keep her medical records private but because she was famous. Exactly why was she given special treatment?

    5. Re:Shocked, shocked I tell you! by Dilaudid · · Score: 1

      This all seems pretty simple. You record every access, all accesses will be audited at a later stage by an oversight committee. 99% of cases are automatically handled (e.g. doctor accessing records for his patient day after admission) but cases which are not clear are reviewed. Any employee who accesses records has to explain his rationale for doing so. If the rationale doesn't hold up, they are disciplined / sacked. A warning explaining this comes up when you try to access records. I would imagine the guarantee of losing your job would curtail the curiosity of most nosy employees, and while the sacking might be post-hoc, their apprehension will be before the fact.

    6. Re:Shocked, shocked I tell you! by Jawnn · · Score: 1

      Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

      Well said, and artfully argued, I might add. It should be pointed out that since almost forever, medical records have lived on paper in large, poorly secured rooms. Audit trails, if they existed at all, were little more than a sign in sheet by the door. The breach that was caught and dealt with in this case would likely have gone undetected, or the perpetrators un-identified at least, before the advent of EMR. Then again, I did work in one hospital where the records of a certain class of patients were considered exceptionally sensitive and received an additional layer of security. It might be argued that the medical records of "celebrities" deserve a similar level of security. No one is likely to bribe a file clerk for access to the file on "Joe the shoe salesman", but Brittney Spears? All the time. Not that our fascination, as a society, with such celebrity details isn't sick in itself, but that's another discussion.

    7. Re:Shocked, shocked I tell you! by david_thornley · · Score: 2

      In a civilized country, there wouldn't have to be any billing for something like a delivery.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    8. Re:Shocked, shocked I tell you! by girlintraining · · Score: 1

      Obvious potential for abuse, so all of the protections have to be post hoc.

      In every other case, the employee would simply be fired and have to find a new line of work. Fining the employer for an infrastructure that is working as designed only increases medical costs for everyone. Worse, I highly doubt this fine would have been levied if it had been a homeless person instead of a celebrity. Effectively we're paying for celebrity ego here.

      --
      #fuckbeta #iamslashdot #dicemustdie
    9. Re:Shocked, shocked I tell you! by Anonymous Coward · · Score: 0

      you can choose not to get pregnant. why shouldn't you have to pay for burdening the planet with yet another useless human?

    10. Re:Shocked, shocked I tell you! by Anonymous Coward · · Score: 1

      As somebody who works in the medical record field as a 'consultant', this is grossly impractical.

      Records get accessed hundreds of times a day by hundreds of people for all sorts of reasons. It be a full time effort by a good sized team of people to even begin to look into the audit logs.

      Now any good EMR suite will allow the locking of sensitive records which prevents unauthorized access such as this. However, they typically will allow a 'break the glass' scenario where anybody CAN access the record in an emergent situation, but that access is reported immediately to a supervisor.

      Either way, there are already partial solutions to this sort of thing, but there is just too much data to manage manually. Plus the real sensitive information like SS numbers, addresses, etc, are so easily accessible without even technically looking at the record with zero accountability. Lots of paper floating around still too. Basically the only solution is good training, good people, and strong policy when the first two are ineffective. No different than anything else.

    11. Re:Shocked, shocked I tell you! by Anonymous Coward · · Score: 0

      The real benefit is in the availability of information (just like with the internet and porn, yay!): the record is available to the emergency medics and the radiographers and the gynae people and their regular doctor, and that is good for medical decisions.

      Locks and logs work so far, but ultimately this is a Layer 8 problem, as your anecdote shows. The problem I see with logs is that a minor offence becomes graven in stone, and it's hard to use it as a management stick: "Hey Bob, get that off your screen rightgoddamnnow" is something that I think is making way for formal disciplinaries.

    12. Re:Shocked, shocked I tell you! by swalve · · Score: 1

      In a more civilized country, you pay for the services you consume.

    13. Re:Shocked, shocked I tell you! by Anonymous Coward · · Score: 0

      And if you can't pay, you should just die in the street. All properly civilized.

  5. And so... by Anonymous Coward · · Score: 1

    This is why I'm against surveillance as a means to deal with crime.

    I don't necessarily have a problem with surveillance in and of itself; but I do have a problem when humans are the ones in control of it. You simply cannot trust that everybody who has access to information will not abuse it.

    Give people the opportunity to take advantage of other people, and it will happen.

    1. Re:And so... by swalve · · Score: 1

      The only way to stop crime is to stop people from wanting to do it, and increasing the chances they get caught is one of the ways to do that. You don't want a society of people who never have had to make "should I, shouldn't I" decisions. They will all run into traffic the second the styrofoam fence develops a hole.

  6. Why only celebrities? by Anonymous Coward · · Score: 0

    These are the ones that make the news and that are made obvious to investigators when confidential information escapes into public reporting. It implies it's just as easy to get the records of non-celebrities if people had enough reason to be interested.

  7. HIPAA is a travesty by Tony+Isaac · · Score: 4, Insightful

    I work in the electronic medical records industry, and I can tell you that HIPAA protects your privacy about as well as those multi-page "privacy policy" letters you get from your bank and other businesses...you know, the ones that tell you, in lots of fine print, that they will do whatever they want with your information.

    Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!

    What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes. It also costs hospitals and doctors tons of money to comply (I know, my company is the recipient of some of that money)...and that in turn drives up the cost of health care.

    HIPAA may have been created with good intentions in mind, but it is a travesty and can't be repealed fast enough!

    1. Re:HIPAA is a travesty by Anonymous Coward · · Score: 0

      Amen! It's just a law that can be used to punish people if stuff is released. It may cause some people to be more careful, which is good, but it won't provide protection from hacking into medical databases, and electronic medical records are about as secure as your computer is. (Ever have a virus?)

    2. Re:HIPAA is a travesty by flimflammer · · Score: 1

      Not saying you're bullshitting or anything but my father was hospitalized last year over a severe infection in his hand. He was so sick from it that he was out of it and unable to sign any paperwork. The doctors who saw him were very up front with me about their thoughts and fears about his health.

      Are you suggesting that they violated HIPAA by telling me? I was under the impression HIPAA was more about sharing information with non relatives, or to stop those who can access the information from accessing it without a valid reason.

    3. Re:HIPAA is a travesty by Tony+Isaac · · Score: 3, Insightful

      You are correct, that is what HIPAA was supposed to be about. You are fortunate.

      The problem is, it all depends on how the specific doctor or hospital interprets their obligations under HIPAA. Some of them are reasonable, but others grossly exaggerate the level of privacy required by the law.

      In our business, we often have to read document after document just to try to understand the requirements. If WE have to do that, how in the world can a small doctor's office apply the law correctly? The truth is, they often make their best guess and hope the lawyers don't come after them.

    4. Re:HIPAA is a travesty by Anonymous Coward · · Score: 1

      Regulation is intended to eliminate small and efficient competitors, see raw milk, beef industry, heck, even freaking barbers are regulated and need to study to get licensed.

      Well, barbers are more about exclusion of newcomers in terms of labor (i.e. unions), in comparison of the other examples where big business is putting hurdles for small businesses using the power of the state. Nevertheless, both have the goal of raising the bar to entry.

    5. Re:HIPAA is a travesty by Anonymous Coward · · Score: 0

      It seems to me that you are confusing the HIPAA Privacy Rule and the Security Rule. The consent forms and notice of privacy practices as well as the rules on disclosure are all part of the Privacy Rule. The HIPAA Security Rule, which you should be familiar with because you state that you work in the EMR industry is what is designed to protect your information and subsequently, what the case in TFA is about. The HIPAA Security Rule includes requirements for Administrative, Technical, and Physical safeguards designed to protect your information from unauthorized disclosure. These includes requirements for things like passwords, logging, auditing, information security policies, etc. and very much help to protect your health information.

      Perhaps you are not old enough to remember how things were prior to HIPAA. There were no transaction standards, so insurance claims, prescriptions, and referrals were fraught with errors and omissions thus putting people's health at risk. Physicians commonly released information to the media, employers, or anyone who asked regardless of the privacy concerns of the patient.

      Is it difficult to maintain compliance? Yes. Especially for small practices, but to suggest that the only thing HIPAA does is make life difficult and drive up costs is misleading at best.

    6. Re:HIPAA is a travesty by pete6677 · · Score: 1

      HIPAA does nothing more than create mountains of paperwork (or electronic forms). It makes no real difference in privacy in any meaningful way, but it sure does keep a lot of HIPAA consultants employed.

    7. Re:HIPAA is a travesty by Anonymous Coward · · Score: 0

      Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!

      What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes.

    8. Re:HIPAA is a travesty by Anonymous Coward · · Score: 0

      Nope, never had a virus. I switched to Linux before I connected to the Internet.

    9. Re:HIPAA is a travesty by android.dreamer · · Score: 1

      Look, let's hypothetically say you had the case above and it turned out your father had AIDS. I wouldn't want my kids to know that. "He's ill" should really be the only thing I would want my doctors to say.

    10. Re:HIPAA is a travesty by Anonymous Coward · · Score: 0

      It's not all bad. I have a relative who was out of work due to a back injury. A coworker didnt believe him and asked his wife (who worked at a doctors office) to get some info on him. My relative found out and sued. The lady lost her job and he got a nice settlement.

  8. Scope matters by overshoot · · Score: 1

    I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine.

    You can access the sealed filings from cases all across the country?

    No? Maybe that makes a difference.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
    1. Re:Scope matters by Mindcontrolled · · Score: 1

      Ok, you got a point there - Obviously I can only access stuff inside the firm. But then again, would it really change anything? In the end, it remains a matter of my professional obligation and honor to keep my mouth shut.

      --
      Ubi solitudinem faciunt, pacem appellant.
    2. Re:Scope matters by TheGratefulNet · · Score: 1

      You can access the sealed filings from cases all across the country?

      if he's lulzsec, I bet he could...

      --

      --
      "It is now safe to switch off your computer."
    3. Re:Scope matters by unkiereamus · · Score: 1

      You can access the sealed filings from cases all across the country?

      No? Maybe that makes a difference.

      I don't see the relevance here.

      The only thing I can figure, is that you have a vastly distorted view of EMR. I think a uncomfortably large portion of the populace has b\ought the shit that Siemens is shoveling in their ads.

      There isn't a vast network spanning the country of EMRs that can be accessed by anyone connected to it. Not ever spanning a city (with limited exceptions). Each hospital/dr office/whatever has their own system, with their own records. I can't work at SmallRegionalHospital and access the UCLA system,at best (And this is something of a stretch for most EMR systems), I might be able to access the records of SmallRegionalHospital'sOutreachClinic.

      Now, I've never worked for one of the huge healthcare corporations, so I don't know whether all of their EMR systems are linked, but I'm tempted to think that they aren't.

      Why?

      HIPAA.

      --
      I needed a sig so people would know who I am, but I was too drunk to make something witty, so you get this instead.
  9. Why not jail for the offenders? by schwit1 · · Score: 1

    The article states that the employees had no reason for accessing the records. How about puerile curiosity? What they didn't have was a legitimate reason.

    The hospital says it needs to conduct “regular and robust” trainings for employees that access sensitive information. What a load of crap. This is the same bullshit response police departments give when cops steal your camera when you record them. Both parties knew what they were doing was wrong BEFORE they did it. The answer is serious jail time.

    1. Re:Why not jail for the offenders? by Anonymous Coward · · Score: 0

      There can be jail time if it is proven that the person did it (viewed the EMR) knowing that it was a violation. Of the few cases that have gone to court, the people who got the jail time used the EMR data for ID theft.

  10. get rid the HMO bs and then billing will not be th by Joe_Dragon · · Score: 1

    get rid the HMO bs and then billing will not be the fall point for people who don't want there real name listed.

  11. But will they pay? by rbanzai · · Score: 1

    We read about fines like this all the time but there is no follow-up to see if they are ever paid. It's similar to the drug busts where law enforcement agencies assign an arbitrary massively inflated value to the confiscated material to make themselves look good. Agencies declare these fines so they look good in the press, but are they ever actually paid? In full? On time?

  12. Or as they say in the hospital... by tyler_larson · · Score: 1

    Knock knock!
    Who's there?
    HIPAA.
    HIPAA who?
    Sorry, I'm not allowed to say.

    --
    "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
    RFC 1925
  13. A relatively simple solution to this by Anonymous Coward · · Score: 0

    It should be made a requirement for all electronic medical records systems that the identity of every person that views a record (along with a timestamp) should become part of the record. If everyone knows that they cannot anonymously view a record, they will very quickly stop looking at things they shouldn't.

  14. There's an easy solution. by Anonymous Coward · · Score: 0

    Why not just refuse to treat or admit celebrity patients?
    They're more trouble than they're worth.

    1. Re:There's an easy solution. by MLease · · Score: 1

      Hm. So being a celebrity is an offense potentially punishable by death now?

      -Mike

      --
      I'm sorry; I don't know what I was thinking!
  15. sounds like sound risk management to me. by KingAlanI · · Score: 2

    Because she's famous, it increased the risk that people would access the records unnecessarily, and this behavior seemed like a logical response to manage that risk.

    --
    I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics nonwithstanding.
  16. I hate to break this to you, but by Whuffo · · Score: 1

    Much of the access to these protected records come from minimum-wage (or slightly better) data entry workers. There's a huge amount of paperwork generated for each hospital patient and they handle it all.

    Imagine if you're one of these people; working long days at a keyboard for barely enough to live on - and someone offers you a significant "bonus" for giving them a copy of this or that file.

    This goes on every day at your hospital, your motor vehicle licensing and driver's licensing department, etc. There's a booming market for private information; lawyers, collection agents, skip tracers, etc, etc. Each of them cultivates their own sources of inside information and pays them well.

    Security theater doesn't only go on at the airport...

  17. The hospitals don't fear the fine... by Anonymous Coward · · Score: 0

    With HIPAA, the actual civil fines are pretty trivial. In fact, if memory serves (from back in '02, when I worked at a hospital) it was less than $100/violation.

    But just one violation is enough to get an inspection. HIPAA auditors can come in and go over the entire facility with a fine-toothed comb. And they will assess a fine for Every Single Thing. There used to be some limits on how high the total fines can be, but those caps have been raised. Even so, a few million isn't really a horrific deterrent, especially with corporate entities which are remarkably adept at cushioning themselves from this sort of thing.

    The big issue, though, is the inspection itself. Even if an inspection does not yield a single violation, or if no fines come of an inspection, the entire facility is turned on its head. Every detail, every business process, can come under scrutiny. That threat, in my experience, had a far greater deterrent than the fine could manage.