This page contains a summary of HIPAA violation cases which led to settlements with the Department of Health and Human Services’ Office for Civil Rights (OCR).
These settlements were reached with HIPAA-covered entities/business associates following the discovery of HIPAA violations during investigations into data breaches or the investigation of complaints filed by patients, health plan members, and employees of HIPAA-covered entities.
These settlements show OCR is committed to enforcing HIPAA Rules and holding healthcare organizations to account when they fail to comply with HIPAA Rules. Further, the past two years have seen a significant increase in financial penalties – in terms of volume and settlement amounts.
In 2017, there were 9 HIPAA violation cases resolved with financial penalties, well above average for the past five years. 2016 was a record year for HIPAA violation penalties with 12 HIPAA violation cases resulting in settlements and one case resolved with a civil monetary penalty.
Penalties for Violations of HIPAA Rules
While most HIPAA violations are discovered during investigations into data breaches, OCR also investigates complaints made by patients and healthcare employees when there has not been a data breach. OCR also conducts random audits of HIPAA covered entities which could uncover HIPAA violations.
The financial penalties for violating HIPAA Rules are based on the covered entity’s degree of negligence, the severity of the violation, the extent to which HIPAA Rules have been violated and, in the event of a breach, the number of exposed records and the harm caused.
There are four penalty tiers for HIPAA violations, which were increased when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009. Those tiers are as follows:
- Tier 1: $100 – $50,000 per violation – When a covered entity, with a reasonable level of due diligence, would have been unaware that HIPAA Rules were violated.
- Tier 2: $1,000 – $50,000 per violation – When there is reasonable cause. The covered entity should have been aware that HIPAA Rules were violated.
- Tier 3: $10,000 – $50,000 per violation – When there has been willful neglect of HIPAA Rules, but when the violation was corrected within 30 days.
- Tier 4: $50,000 per violation – When there was willful neglect of HIPAA Rules and there was no attempt made to correct the violation within 30 days.
For all of the above tiers, the maximum financial penalty permitted is $1,500,000 per violation category, per year that the violation was allowed to persist.
In addition to financial penalties from OCR, fines for HIPAA violations can be issued by state attorneys general. In many states, the decision is taken to penalize healthcare organizations under state laws rather than issuing financial penalties for HIPAA violations. Financial penalties issued by state attorneys general have also increased in recent years.
Lawsuits may be filed by victims of data breaches following the exposure and theft of personal information. However, there is no private cause of action in HIPAA so legal action is taken for violations of state laws.
HIPAA Violation Cases in 2017
A summary of the HIPAA violation cases resolved by OCR in 2017.
Memorial Hermann Health System – Careless Handling of PHI
Memorial Hermann Health System agreed to pay OCR $2.4 million to settle a potential violation of the HIPAA Privacy Rule – The disclosure of a patient’s PHI on a press release in September 2015.
St. Luke’s-Roosevelt Hospital Center Inc. – Unauthorized PHI Disclosure
St. Luke’s-Roosevelt Hospital Center Inc., paid OCR $387,200 to settle a potential HIPAA violation uncovered during OCR’s investigation of a complaint about an impermissible disclosure of PHI.
The Center for Children’s Digestive Health – Business Associate Agreement Failure
The Center for Children’s Digestive Health agreed to pay OCR $31,000 after it was discovered PHI was shared with a business associate between 2003 and 2015 without a business associate agreement being in place.
CardioNet – Accidental PHI Disclosure
CardioNet is a health service provider located in Pennsylvania that offers remote wireless monitoring and rapid response services for patients at risk of cardiac arrhythmia. CardioNet agreed to settle potential HIPAA violations with OCR for $2.5 million. The settlement relates to the theft of an unencrypted laptop computer from an employee’s vehicle. The investigation also uncovered risk analysis failures.
Metro Community Provider Network – Security Management Process Failures
OCR took action against Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, CO over the lack of a HIPAA-compliant security management process which led to a 2011 data breach. MCPN agreed to pay OCR $400,000 to resolve its HIPAA violations.
Memorial Healthcare System – Inadequate ePHI Access Controls
OCR agreed to a $5.5 million settlement with Memorial Healthcare Systems for potential violations of the HIPAA Security Rule. Inadequate access controls had been implemented to prevent employees from accessing ePHI, and regular reviews of computer activity involving ePHI had not been conducted.
Children’s Medical Center of Dallas – Accidental ePHI Disclosure
Children’s Medical Center of Dallas paid OCR a civil monetary penalty of $3.2 million to settle multiple HIPAA violations committed over several years, including the failure to secure ePHI on portable devices and risk analysis failures. OCR tried to deal with the matter through informal negotiations from November 6, 2015 to August 30, 2016. The lack of a voluntary settlement meant a civil monetary penalty was required.
MAPFRE Life Insurance Company of Puerto Rico – Accidental ePHI Disclosure
MAPFRE agreed to pay OCR $2,200,000 to settle its case which stemmed from the impermissible disclosure of the ePHI of 2,209 patients in 2011. A portable USB storage device was stolen from MAPFRE’s IT department on September 29, 2011. The device was not encrypted nor password-protected.
Presence Health – Delayed Breach Notifications
Presence Health agreed to a settlement with OCR for $475,000 to resolve a violation of the HIPAA Breach Notification Rule. It took Presence Health three months to issue breach notifications, which is beyond the allowed 60 days from the date of discovering a breach.
HIPAA Violation Cases in 2016
A summary of the HIPAA violation cases resolved by OCR in 2016.
University of Massachusetts Amherst – Failure to Manage Security Risks
University of Massachusetts Amherst (UMass) agreed to a $650,000 settlement with OCR for HIPAA violations that contributed to UMass experiencing a malware attack in 2013 and the unauthorized disclosure of the ePHI of 1,670 people.
St. Joseph Health – Risk Analysis Failures
St. Joseph Health purchased a server and installed a file sharing application without making any change to the default security settings. This allowed the ePHI of patients to be accessed over the Internet. St. Joseph Health agreed to settle the case with OCR for $2,140,500.
Care New England Health System – Business Associate Agreement Failure
Care New England Health System agreed to pay OCR $400,000 after it was discovered that ePHI had been disclosed to a business associate without a HIPAA-compliant business associate agreement being in place.
Advocate Health Care Network – Multiple Violations of HIPAA Rules
Advocate Health Care Network agreed to pay the largest ever HIPAA settlement issued to a single entity – $5.55 million – to resolve multiple HIPAA violations that contributed to multiple data breaches. The violations included risk analysis failures, ePHI access control failures and the failure to enter into a HIPAA-compliant business associate agreement.
University of Mississippi Medical Center – Multiple Violations of HIPAA Rules
The University of Mississippi Medical Center agreed to pay $2.75 million as a penalty to resolve multiple HIPAA violations, including risk analysis failures, a lack of physical controls to prevent unauthorized PHI access, the failure to issue unique identifiers/usernames, and a breach notification failure.
Oregon Health & Science University – Business Associate Agreement Failure
Oregon Health & Science University agreed to settle with OCR for $2.7 million after it was discovered PHI had been disclosed to a business associate without a business associate agreement being in place. The violation was discovered during the investigation of two data breaches that occurred within 3 months of each other in 2013 and resulted in the exposure of the PHI of more than 7,000 patients.
Catholic Health Care Services of the Archdiocese of Philadelphia – Failure to Secure ePHI
Catholic Health Care Services of the Archdiocese of Philadelphia agreed to pay OCR $650,000 to settle alleged HIPAA violations. The HIPAA violations involved CHCS’ failure to conduct a comprehensive risk analysis and not implementing the necessary security measures to deal with risks to ePHI.
New York Presbyterian Hospital – Filming Patients Without Authorization
OCR settled with New York Presbyterian Hospital for $2.2 million after it was discovered that patients were filmed as part of a TV show without first getting patients’ permission.
Raleigh Orthopaedic Clinic, P.A. of North Carolina – Business Associate Agreement Failure
Raleigh Orthopaedic Clinic agreed to pay OCR $750,000 after it was discovered that a signed business associate agreement (BAA) was not obtained prior to giving the business associate access to the PHI of 17,300 patients in 2013.
Feinstein Institute for Medical Research – Unauthorized PHI Disclosure
Feinstein Institute for Medical Research agreed to settle potential violations of HIPAA Rules for $3.9 million. The violations included unauthorized disclosures of PHI, a non-compliant security management process, and other HIPAA Security Rule violations.
North Memorial Health Care of Minnesota – Business Associate Agreement Failure
North Memorial Health Care of Minnesota agreed to pay OCR $1,550,000 to settle alleged HIPAA violations that contributed to a 2011 data breach, including the failure to enter into a business associate agreement with a vendor prior to the disclosure of PHI.
Complete P.T., Pool & Land Physical Therapy, Inc. – Impermissible Disclosure of PHI
Complete P.T., Pool & Land Physical Therapy Inc., agreed to a settlement of $25,000 with OCR for posting the photos and names of patients in the testimonial section of its website without first getting patients’ permission.
Lincare, Inc. – Failure to Secure PHI
This was the second time OCR issued a civil monetary penalty to a covered entity for a HIPAA violation. Lincare Inc. had to pay $239,800 to resolve HIPAA Privacy Rule violations that were discovered when OCR conducted an investigation of a complaint regarding a breach of 278 patient records.
HIPAA Violation Cases in 2015
A summary of the HIPAA violation cases resolved by OCR in 2015.
University of Washington Medicine – Risk Analysis Failure
University of Washington Medicine agreed to settle HIPAA violations with OCR for $750,000. The violations, which included risk analysis failures, contributed to a data breach of 90,000 records in 2013.
Triple S Management Corporation – Multiple Violations of HIPAA Rules
Triple S Management Corporation, a licensee of Puerto Rico Blue Cross Blue Shield, agreed to pay OCR $3.5 million to settle multiple HIPAA violations that were partially responsible for several data breaches. In addition, Triple S was fined $6.8 million by the Puerto Rico Health Insurance Administration for non-compliance with the HIPAA Privacy Rule last year. The amount was reduced to $1.5 million upon appeal.
Lahey Hospital and Medical Center – Multiple Violations of HIPAA Rules
Lahey Hospital and Medical Center paid a settlement of $850,000 to OCR to resolve six HIPAA violations that contributed to a data breach in October 2011, including the failure to safeguard ePHI and Breach Notification Rule failures.
Cancer Care Group, P.C. – Risk Analysis Failure
Cancer Care Group agreed to pay OCR $750,000 to resolve potential violations of HIPAA Rules associated with a data breach in 2012. In August 2012, an unencrypted Cancer Care Group laptop computer and backup drive were stolen from an employee’s vehicle. As a result, the PHI of 55,000 patients was exposed.
St. Elizabeth’s Medical Center – Multiple Violations of HIPAA Rules
St. Elizabeth’s Medical Center paid $218,400 to resolve violations of the HIPAA Privacy, Security and Breach Notification Rules related to two data breaches – the exposure of 498 healthcare records on a document sharing system and the theft of an unencrypted flash drive containing 595 patients’ ePHI.
Cornell Prescription Pharmacy – Improper PHI Disposal
Cornell Pharmacy paid OCR $125,000 to settle a HIPAA violation relating to improper disposal of patient medical records.
HIPAA Violation Cases in 2014
A summary of the HIPAA violation cases resolved by OCR in 2014.
Anchorage Community Mental Health Services – Failure to Control Risks to ePHI
In 2012, Anchorage Community Mental Health Services (ACMHS) discovered malware had been installed on its network, resulting in the exposure and possible theft of 2,700 patients’ ePHI. If software patches had been installed, the malware infection would have been avoided. ACMHS agreed to pay OCR $150,000 to settle the case.
Parkview Health System, Inc. – Failure to Secure PHI
Parkview Health System agreed to pay $800,000 to settle its HIPAA violations, which were discovered during the investigation of a complaint from a patient. A doctor received 71 boxes of medical files that contained around 8,000 patient documents, but the delivered boxes were left unsecured on the doctor’s driveway for several hours.
New York and Presbyterian Hospital and Columbia University – Risk Analysis Failure
New York and Presbyterian Hospital and Columbia University jointly paid a settlement of $4,800,000 to OCR after it was discovered a server firewall was deactivated by a Columbia University physician, which exposed ePHI online.
QCA Health Plan, Inc., of Arkansas – Failure to Secure ePHI
QCA Health Plan, Inc. of Arkansas reported to OCR that an unencrypted laptop containing the ePHI of 148 patients was stolen from an employee’s car. Upon investigation, it was found that QCA Health Plan had committed several violations of the HIPAA Privacy and Security Rules. A settlement of $250,000 was agreed with OCR.
Concentra Health Services – Failure to Secure ePHI
Concentra Health Services was investigated by OCR after a reported theft of a laptop from Springfield Missouri Physical Therapy Center. Concentra Health Services had previously discovered critical security risks associated with its use of mobile devices, but failed to take action to reduce those risks resulting in a data breach. Concentra agreed to pay OCR $1,725,220 to settle the case.
Skagit County, Washington – Failure to Secure ePHI
Skagit County agreed to pay OCR $215,000 for its failure to implement suitable controls and safety measures to secure stored ePHI, which contributed to the exposure of seven patients’ health data. Unknown third parties accessed the data after it was inadvertently placed on a server that was accessible by the public.
HIPAA Violation Cases in 2013
A summary of the HIPAA violation cases resolved by OCR in 2013.
Adult & Pediatric Dermatology, P.C. – Failure to Secure ePHI
Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts agreed to pay OCR a settlement of $150,000 for the accidental disclosure of 2,200 patients’ ePHI. The ePHI was stored on an unencrypted memory stick that was stolen from an employee’s car.
Affinity Health Plan, Inc. – Failure to Permanently Delete ePHI
Affinity Health Plan, Inc. agreed to pay $1,215,780 to resolve potential HIPAA violations identified in the course of a breach investigation. The company returned a digital photocopier to the leasing company without first erasing ePHI stored on its hard drive.
WellPoint – Failure to Secure ePHI
WellPoint, a provider of affiliated health plans, left a database exposed and accessible over the Internet from October 23, 2009 to March 7, 2010. WellPoint agreed to pay OCR $1,700,000 to resolve the HIPAA violations that contributed to the breach.
Shasta Regional Medical Center – PHI Disclosure Without Consent
Shasta Regional Medical Center agreed to pay $275,000 to OCR to resolve HIPAA Privacy Rule violations. PHI was intentionally shared with the media on three separate occasions without authorization first being obtained from the patient.
Idaho State University – Failure to Secure ePHI
Idaho State University’s Pocatello Family Medicine Clinic deactivated the firewall that protected a server storing the medical records of 17,500 patients. For 10 months, the data was exposed and unauthorized third parties accessed PHI during the time that the protections were removed. A settlement of $400,000 was paid to OCR to resolve the case.