2018 HIPAA Fines and Settlements Summary

This post is a summary of the 2018 HIPAA fines and settlements that have been agreed with either the Department of Health and Human Services’ Office for Civil Rights (OCR) or state attorneys general to resolve violations of HIPAA Rules.

2016 had more HIPAA fines and settlements than any other year of HIPAA enforcement: OCR issued one civil monetary penalty and agreed to 12 financial settlements in 2016. The high level of HIPAA penalties continued in 2017, with a further 9 settlement agreements between HIPAA covered entities and OCR and one civil monetary penalty issued.

HIPAA enforcement started slowly in 2018. There were no settlements or fines issued in January, two in February, and nothing more until June, when one more settlement was agreed. By the start of September it was looking like OCR had scaled back its HIPAA enforcement activities. However, three settlements were agreed with hospitals in September, a further settlement was agreed in October, one more in November and two in December. The year finished with 10 financial penalties, the same total as 2017.

2018 saw the highest ever HIPAA violation penalty. A settlement was agreed with Anthem Inc. under which the health insurer paid $16,000,000 to resolve its HIPAA violations. The settlement related to its 2015 breach of 78.8 million plan members’ records.

In 2018, OCR was paid $25,683,400 in HIPAA fines and settlements, the highest total of any year to date. The average financial penalty was $2,568,340 and the median HIPAA fine was $442,000.

Summary of 2018 HIPAA Fines and Settlements (OCR)

  • February 2018 – Fresenius Medical Care North America paid OCR $3,500,000 to settle risk analysis failures; an impermissible ePHI disclosure; electronic device policy failures; lack of encryption; inadequate security policies; and inadequate physical safeguards.
  • February 2018 – Filefax, Inc. paid $100,000 to settle an impermissible disclosure of PHI.
  • June 2018 – University of Texas MD Anderson Cancer Center paid a civil monetary penalty of $4,348,000 for an impermissible disclosure of ePHI and lack of encryption.
  • September 2018 – Massachusetts General Hospital paid $515,000 for allowing patients to be filmed without first obtaining their consent.
  • September 2018 – Brigham and Women’s Hospital paid $384,000 for allowing patients to be filmed without first obtaining their consent.
  • September 2018 – Boston Medical Center paid $100,000 for allowing patients to be filmed without first obtaining their consent.
  • October 2018 – Anthem Inc. paid $16,000,000 to settle failures in risk analyses; lack of system activity audits; failure to respond to an identified breach; and lack of technical controls to prevent unauthorized ePHI access.
  • November 2018 – Allergy Associates of Hartford paid $125,000 for an impermissible PHI disclosure to a reporter and the failure to sanction the physician responsible.
  • December 2018 – Advanced Care Hospitalists paid $500,000 over an impermissible PHI disclosure; lack of BAA; insufficient security measures; and lack of HIPAA compliance efforts before April 1, 2014.
  • December 2018 – Pagosa Springs Medical Center paid $111,400 over a failure to terminate employee PHI access after employment ended and the lack of a BAA.

2018 State Attorneys General HIPAA Enforcement Activities

State attorneys general can impose financial penalties for violations of HIPAA Rules, although in most cases penalties are issued for violations of state laws. 2018 saw an increase in the number of settlements and fines for HIPAA violations: 12 HIPAA-related financial penalties were issued by state attorneys general in 2018.

  • Aetna was fined $1,150,000 by the New York Attorney General
  • Aetna was fined $365,211.59 by the New Jersey Attorney General
  • Aetna was fined $175,000 by the District of Columbia Attorney General
  • Aetna was fined $99,959 by the Connecticut Attorney General
  • Aetna has a fine pending with the Washington Attorney General
  • EmblemHealth was fined $575,000 by the New York Attorney General
  • EmblemHealth was fined $100,000 by the New Jersey Attorney General
  • Virtua Medical Group was fined $417,816 by the New Jersey Attorney General
  • UMass Memorial Medical Group / UMass Memorial Medical Center were fined $230,000 by the Massachusetts Attorney General
  • Arc of Erie County was fined $200,000 by the New York Attorney General
  • Best Transcription Medical was fined $200,000 by the New Jersey Attorney General
  • McLean Hospital was fined $75,000 by the Massachusetts Attorney General