HIPAA Violation Fines

Both the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general can issue HIPAA violation fines.

In most instances, covered entities and business associates agree to pay a settlement amount for a failure to adhere to particular components of HIPAA Rules and the violation case is resolved with no admission of liability. Besides the settlement, entities usually also agree to carry out a corrective action plan to resolve any HIPAA failures.

If a HIPAA-covered entity disagrees with the findings of an investigation and contests the penalty, and an administrative law judge upholds the financial penalty, a civil monetary penalty is then issued.

While OCR issues penalties for HIPAA violations, state attorneys general often pursue financial penalties for violations of state laws rather than HIPAA where equivalent regulations exist at the state level, although there has been an increase in recent years in cases brought for violations of HIPAA Rules. Relatively few states have exercised their right under HIPAA/HITECH to seek financial penalties for HIPAA violations.

Penalty Structure for HIPAA Violations

Listed below are the HIPAA violation fines and settlements agreed with the HHS’ Office for Civil Rights since the signing of the HIPAA Enforcement Rule:

2018 HIPAA Violation Fines and Settlements

1. Fresenius Medical Care North America paid a $3,500,000 settlement fine for risk analysis failures; an impermissible ePHI disclosure; lack of policies covering electronic devices; lack of encryption; inadequate security policies; and lack of physical safeguards.

2. Filefax, Inc. agreed to a $100,000 settlement for an impermissible disclosure of PHI

3. University of Texas MD Anderson Cancer Center paid a $4,348,000 civil monetary penalty for an impermissible disclosure of ePHI and for not using encryption

4. Massachusetts General Hospital agreed to a $515,000 settlement for filming patients without consent

5. Brigham and Women’s Hospital agreed to a $384,000 settlement for filming patients without consent

6. Boston Medical Center agreed to a $100,000 settlement for filming patients without consent

7. Anthem Inc agreed to a $16,000,000 settlement for risk analysis failures; insufficient reviews of system activity; the failure to respond to a detected breach; and inadequate technical controls to stop unauthorized access of ePHI

8. Allergy Associates of Hartford agreed to a $125,000 settlement for a PHI disclosure to a reporter and no sanctions against the employee concerned

9. Advanced Care Hospitalists agreed to a $500,000 settlement for an impermissible PHI disclosure; no business associate agreement (BAA); a lack of security controls; and no HIPAA compliance efforts before April 1, 2014

10. Pagosa Springs Medical Center agreed to a $111,400 settlement for the failure to stop employee access after termination and no BAA

11. Cottage Health agreed to a $3,000,000 settlement for risk analysis and risk management failures and no BAA

2017 HIPAA Violation Fines and Settlements

1. 21st Century Oncology agreed to a $2,300,000 settlement for multiple HIPAA violations

2. Memorial Hermann Health System agreed to a $2,400,000 settlement for careless handling of PHI

3. St. Luke’s-Roosevelt Hospital Center Inc. agreed to a $387,000 settlement for an unauthorized PHI disclosure

4. The Center for Children’s Digestive Health agreed to a $31,000 settlement for the lack of a business associate agreement

5. Cardionet agreed to a $2,500,000 settlement for an impermissible PHI disclosure

6. Metro Community Provider Network agreed to a $400,000 settlement for lack of a security management process

7. Memorial Healthcare System agreed to a $5,500,000 settlement for insufficient ePHI access controls

8. Children’s Medical Center of Dallas paid a $3,200,000 civil monetary penalty for an impermissible disclosure of ePHI

9. MAPFRE Life Insurance Company of Puerto Rico agreed to a $2,200,000 settlement for an impermissible ePHI disclosure

10. Presence Health agreed to a $475,000 settlement for delayed breach notifications

2016 HIPAA Violation Fines and Settlements

1. University of Massachusetts Amherst (UMass) agreed to a $650,000 settlement for the failure to manage security risks

2. St. Joseph Health agreed to a $2,140,500 settlement for failing to conduct a risk analysis

3. Care New England Health System agreed to a $400,000 settlement for having no business associate agreement

4. Advocate Health Care Network agreed to a $5,550,000 settlement for multiple HIPAA violations

5. University of Mississippi Medical Center agreed to a $2,750,000 settlement for multiple HIPAA violations

6. Oregon Health & Science University agreed to a $2,700,000 settlement for the lack of a business associate agreement

7. Catholic Health Care Services of the Archdiocese of Philadelphia agreed to a $650,000 settlement for the failure to secure ePHI

8. New York Presbyterian Hospital agreed to a $2,200,000 settlement for filming patients without consent

9. Raleigh Orthopaedic Clinic, P.A. of North Carolina agreed to a $750,000 settlement for having no business associate agreement

10. Feinstein Institute for Medical Research agreed to a $3,900,000 settlement for an impermissible disclosure of PHI

11. North Memorial Health Care of Minnesota agreed to a $1,550,000 settlement for not having a business associate agreement

12. Complete P.T., Pool & Land Physical Therapy, Inc. agreed to a $25,000 settlement for an impermissible disclosure of PHI

13. Lincare, Inc. paid a $239,800 civil monetary penalty for the failure to secure PHI

2015 HIPAA Violation Fines and Settlements

1. University of Washington Medicine agreed to a $750,000 settlement for the failure to perform risk analysis

2. Triple S Management Corporation agreed to a $3,500,000 settlement for multiple HIPAA violations

3. Lahey Hospital and Medical Center agreed to an $850,000 settlement for multiple HIPAA violations

4. Cancer Care Group, P.C. agreed to a $750,000 settlement for failing to perform a risk analysis

5. St. Elizabeth’s Medical Center agreed to a $218,400 settlement for multiple HIPAA violations

6. Cornell Prescription Pharmacy agreed to a $125,000 settlement for improper PHI disposal

2014 HIPAA Violation Fines and Settlements

1. Anchorage Community Mental Health Services agreed to a $150,000 settlement for the failure to control risks to ePHI

2. Parkview Health System, Inc. agreed to an $800,000 settlement for the failure to secure PHI

3. New York and Presbyterian Hospital and Columbia University agreed to a $4,800,000 settlement for the failure to conduct a risk analysis

4. QCA Health Plan, Inc., of Arkansas agreed to a $250,000 settlement for the failure to secure ePHI

5. Concentra Health Services agreed to a $1,725,220 settlement for the failure to secure ePHI

6. Skagit County, Washington agreed to a $215,000 settlement for the failure to secure ePHI

2013 HIPAA Violation Fines and Settlements

1. Adult & Pediatric Dermatology, P.C. agreed to a $150,000 settlement for the failure to secure ePHI

2. Affinity Health Plan, Inc. agreed to a $1,215,780 settlement for the failure to permanently delete ePHI

3. WellPoint agreed to a $1,700,000 settlement for the failure to secure ePHI

4. Shasta Regional Medical Center agreed to a $275,000 settlement for a disclosure of PHI without patient authorization

5. Idaho State University agreed to a $400,000 settlement for the failure to secure ePHI

2012 HIPAA Violation Fines and Settlements

1. The Hospice of Northern Idaho agreed to a $50,000 settlement over the theft of an unencrypted laptop

2. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. agreed to a $1,500,000 settlement for multiple HIPAA violations

3. Alaska DHSS agreed to a $1,700,000 settlement for failure to complete a risk analysis and risk management failures

4. Phoenix Cardiac Surgery agreed to a $100,000 settlement due to the lack of HIPAA security measures

5. Blue Cross Blue Shield of Tennessee agreed to a $1,500,000 settlement for the failure to implement appropriate administrative safety measures

2011 HIPAA Violation Fines and Settlements

1. University of California at Los Angeles Health System agreed to an $865,500 settlement for the failure to limit access to healthcare records

2. General Hospital Corp. & Massachusetts General Physicians Organization Inc. agreed to a $1,000,000 settlement for the failure to secure PHI

3. Cignet Health of Prince George’s County paid a $4,300,000 civil monetary penalty for denying patients access to healthcare records

2010 HIPAA Violation Fines and Settlements

1. Management Services Organization Washington Inc. agreed to a $35,000 settlement for risk analysis failures and inadequate security measures

2. Rite Aid Corporation agreed to a $1,000,000 settlement for multiple HIPAA violations

2009 HIPAA Violation Fines and Settlements

1. CVS Pharmacy Inc. agreed to a $2,250,000 settlement for multiple HIPAA violations

2008 HIPAA Violation Fines and Settlements

1. Providence Health & Services agreed to a $100,000 settlement for the failure to implement appropriate administrative safety measures

Attorneys General HIPAA Fines and Settlements

Listed below are fines and settlements agreed between HIPAA-covered entities and state attorneys general for violations of HIPAA Rules, although some of the cases below were pursued for violations of state laws.

2018

Massachusetts – McLean Hospital agreed to a $75,000 settlement for the loss of backup tapes containing 1,500 records

New Jersey – EmblemHealth agreed to a $100,000 settlement for a mailing error that exposed SSNs and impacted 6,443 (81,000) people.

New Jersey – Best Transcription Medical agreed to a $200,000 settlement for the exposure of ePHI via search engines which impacted 1,650 people.

Washington – Aetna settlement pending for two mailings that exposed the PHI (Afib, HIV data) of 13,160 people.

Connecticut – Aetna agreed to a $99,959 settlement for two mailings that exposed the PHI (Afib, HIV data) of 13,160 people.

New Jersey – Aetna agreed to a $365,211.59 settlement for two mailings that exposed the PHI (Afib, HIV data) of 13,160 people.

District of Columbia – Aetna agreed to a $175,000 settlement for two mailings that exposed the PHI (Afib, HIV data) of 13,160 people.

Massachusetts – Mass Memorial Medical Group / UMass Memorial Medical Center agreed to a $230,000 settlement for the failure to protect ePHI and multiple breaches affecting 15,000 people.

New York – Arc of Erie County agreed to a $200,000 settlement for the failure to protect the ePHI of 3,751 people.

New Jersey – Virtua Medical Group agreed to a $417,816 settlement for multiple HIPAA violations and the exposure of the PHI of 1,654 people.

New York – EmblemHealth agreed to a $575,000 settlement for the impermissible disclosure of the ePHI of 81,122 people.

New York – Aetna agreed to a $1,150,000 settlement for two mailings that exposed the PHI (Afib, HIV data) of 12,000 people.

2017

California – Cottage Health System agreed to a $2,000,000 settlement fine for the failure to sufficiently secure the healthcare records of 54,000 people.

Massachusetts – Multi-State Billing Services agreed to a $100,000 settlement over the theft of an unencrypted laptop that contained the ePHI of 2,600 people.

New Jersey – Horizon Healthcare Services Inc. agreed to a $1,100,000 settlement over the loss of unencrypted laptop computers containing the ePHI of 3.7 million people.

Vermont – SAManage USA, Inc. agreed to a $264,000 settlement for allowing a spreadsheet to be indexed by search engines, which exposed the ePHI of 660 people.

New York – CoPilot Provider Support Services, Inc agreed to a $130,000 settlement for delayed breach notification to 221,178 people.

2015

New York – University of Rochester Medical Center agreed to a $15,000 settlement for allowing a list of 3,403 patients to be taken by a nurse to a new employer.

Connecticut – Hartford Hospital / EMC Corporation agreed to a $90,000 settlement over the theft of an unencrypted laptop that contained the ePHI of 8,883 people.

2014

Massachusetts – Women & Infants Hospital of Rhode Island agreed to a $150,000 settlement for the loss of backup tapes that contained the ePHI of 12,000 people.

Massachusetts – Boston Children’s Hospital agreed to a $40,000 settlement for the loss of a laptop that contained the ePHI of 2,159 people.

Massachusetts – Beth Israel Deaconess Medical Center agreed to a $100,000 settlement for the loss of a laptop that contained the ePHI of 3,796 people.

2013

Massachusetts – Goldthwait Associates agreed to a $140,000 settlement for the improper disposal of the PHI of 67,000 people.

2012

Minnesota – Accretive Health agreed to a $2,500,000 settlement for mishandling the PHI of 24,000 people.

Massachusetts – South Shore Hospital agreed to a $750,000 settlement for the loss of backup tapes that contained the ePHI of 800,000 people.

2011

Vermont – Health Net Inc. agreed to a $55,000 settlement for the loss of an unencrypted hard drive and late breach notifications to 1,500,000 people.

Indiana – WellPoint Inc. agreed to a $100,000 settlement for the failure to report a breach of 32,000 individuals’ PHI within a reasonable time period.

2010

Connecticut – Health Net Inc. agreed to a $250,000 settlement for the loss of an unencrypted hard drive and late breach notifications to 1,500,000 people.