HIPAA Violation Cases

There are many different types of HIPAA violation cases – for example:

  • Impermissible uses and disclosures of PHI.
  • Failure to comply with individuals' rights.
  • Lack of Notice of Privacy Practices.
  • Workforce training and sanctions failures.
  • Failure to conduct a risk analysis.
  • Non-compliance with audit control standards.
  • Failure to develop a contingency plan.
  • Lack of physical or technical safeguards.
  • Business Associate Agreement failures.
  • Failure to comply with the General Provisions for Transactions.

Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services’ Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees.

OCR has increased its enforcement activities in recent years. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. In 2016, 12 entities agreed to settle their compliance investigations and pay a financial penalty, with one case seeing civil monetary penalties imposed. The following three years saw similar numbers of financial penalties; however, there was another major increase in HIPAA fines in 2020 when 19 HIPAA violation cases were settled with OCR.

The 2020 increase is largely due to OCR’s HIPAA Right of Access enforcement initiative, which was launched in late 2019. Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records. As of July 2022, there have been 38 HIPAA Right of Access cases under this compliance initiative that resulted in financial penalties.

By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated.

What are the Consequences of Violating HIPAA?

The consequences of violating HIPAA can be significant, and it is important to note that fines for a HIPAA violation can be applied by the HHS' Office for Civil Rights (OCR) even if no breach of PHI has occurred. The financial consequences of violating HIPAA depend on the level of negligence and – if a breach has occurred – the number of records potentially exposed by the breach and the risk posed by the unauthorized disclosure:

  • A violation of HIPAA attributable to ignorance can attract a fine of $100 – $50,000.
  • A violation that occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
  • A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000.
  • A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000.

The figures listed above represent the fines that can be imposed by OCR. The maximum financial penalty, for willful neglect of the HIPAA Rules, is $1.5 million, per violation category, per year. The above penalties were implemented as demanded by the HITECH Act of 2009 and increase annually in line with inflation.

The last update to the HIPAA violation penalty amounts applies to cases assessed on or after March 17, 2022, as detailed in the table below:

Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit
Tier 1 | Reasonable Efforts | $127 | $63,973 | $1,919,173
Tier 2 | Lack of Oversight | $1,280 | $63,973 | $1,919,173
Tier 3 | Neglect – Rectified within 30 days | $12,794 | $63,973 | $1,919,173
Tier 4 | Neglect – Not Rectified within 30 days | $63,973 | $63,973 | $1,919,173

*Table last updated in March 2022. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. The table above will be updated when the new penalty amounts for 2023 are finalized by the HHS.

In April 2019, OCR reexamined the HITECH Act and determined the language had been misinterpreted and issued a Notice of Enforcement Discretion stating the maximum annual penalties in each penalty tier would be changed to reflect the seriousness of the violations. Under the Notice of Enforcement Discretion, the maximum annual penalty for a violation could be capped at $25,000 for tier 1, $100,000 for tier 2, and $250,000 for tier 3. Taking this into account, the figures OCR is working with are detailed in the table below and will apply indefinitely, until the next increase to account for inflation.

The Notice of Enforcement Discretion only applied a cap to each violation tier. It did not change the maximum penalty for a violation, which means that the maximum penalty for a tier 1 violation is higher than the annual penalty cap, but for as long as the notice of enforcement discretion is in effect, the maximum penalty per year applies. This discrepancy is expected to be addressed through further rulemaking to make the new penalty structure permanent.

Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Cap
Tier 1 | Lack of Knowledge | $127 | $31,987 | $31,987
Tier 2 | Reasonable Cause | $1,280 | $63,973 | $127,974
Tier 3 | Willful Neglect | $12,794 | $63,973 | $319,865
Tier 4 | Willful Neglect (not corrected within 30 days) | $63,973 | $63,973 | $1,919,173

*Table last updated in March 2022. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. The table above will be updated when the new penalty amounts for 2023 are finalized by the HHS.

State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws. When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that an individual has suffered harm due to the negligence of a Covered Entity or Business Associate. In some states, the amount of punitive damages awarded could far outweigh the maximum $1.5 million fine (per violation) that can be imposed by OCR.

Financial Penalties Imposed on Covered Entities and Business Associates by the HHS’ Office for Civil Rights

Penalties for HIPAA Violations 2008-2023

Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability.

HIPAA Violation Cases 2023

Banner Health

The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. OCR’s investigators identified a risk analysis failure, a lack of reviews of system activity, a failure to verify identity for access to PHI, and insufficient technical safeguards. The case was settled for $1,250,000. Read More…

Life Hope Labs, LLC

Life Hope Labs, LLC, in Sandy Springs, Georgia, failed to provide an individual with the medical records of her deceased father in a timely manner. It took 225 days from the initial request for the records to be provided. The diagnostic laboratory settled the case with OCR and paid a $16,500 financial penalty. Read More…

HIPAA Violation Cases 2022

Health Specialists of Central Florida Inc.

Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father’s medical records. It took multiple requests and almost 5 months for all of the requested medical records to be provided. Health Specialists of Central Florida Inc. settled the case with OCR and paid a $20,000 penalty. Read More…

New Vision Dental

The Californian general dental practice, New Vision Dental, was investigated by OCR following reports about impermissible disclosures of patients’ protected health information on the review platform Yelp. OCR found that the owner of the practice had responded to several reviews and disclosed ePHI, even disclosing the names of patients in the responses who had chosen to post reviews anonymously. The disclosed information included details of patients’ visits, treatment, and insurance. OCR also found the Notice of Privacy Practices to be inadequate. The case was settled with OCR and a $23,000 financial penalty was imposed. Read More…

Great Expressions Dental Center of Georgia, P.C.

Great Expressions Dental Center of Georgia, P.C. was investigated by OCR in response to a complaint from a patient that she would be charged a fee of $170 for her medical records. OCR determined this fee to be unreasonable and that there had been a 15-month delay in providing the patient with the requested records. The practice settled the case with OCR for $80,000. Read More…

Family Dental Care, P.C.

Family Dental Care, P.C. in Chicago, Illinois, was investigated in response to a complaint from a patient who had only been provided with a partial copy of her requested medical records. It took 5 months from the initial request for the complete set of medical records to be provided. The case was settled with OCR for $30,000. Read More…

B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental

Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child’s medical records, despite submitting multiple requests to the practice. It took 8 months from the date of the first request for the records to be provided. A settlement was agreed upon with OCR that included a $25,000 penalty. Read More…

New England Dermatology and Laser Center

New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. The containers had labels that included the PHI of patients. The PHI of 58,106 patients was improperly disposed of during that timeframe. The case was settled with OCR for $300,640. Read More…

ACPM Podiatry

ACPM Podiatry in Illinois did not provide a former patient with his requested records, and despite the intervention of OCR, the patient was still not provided with the requested records due to the non-payment of a bill by the insurance company. OCR imposed a civil monetary penalty of $100,000. Read More…

Memorial Hermann Health System

Memorial Hermann Health System in Texas received five requests from a patient for complete records to be provided between June 2019 and January 2020. It took 564 days from the initial request for all of the records to be provided to the patient. OCR settled the case for $240,000. Read More…

Southwest Surgical Associates

Southwest Surgical Associates in Texas took 13 months to provide a patient with all of the requested records between February 11, 2020, and March 5, 2021. OCR settled the case for $65,000. Read More…

Hillcrest Nursing and Rehabilitation

Hillcrest Nursing and Rehabilitation in Massachusetts received a request from a parent for her son’s medical records on March 22, 2020, but the records were not provided until October 10, 2020. OCR settled the case for $55,000. Read More…

MelroseWakefield Healthcare

MelroseWakefield Healthcare in Massachusetts received a valid request from a personal representative of a patient on June 12, 2020, but it took until October 20, 2020, for the requested records to be provided due to an error regarding the legality of the durable power of attorney. OCR settled the case for $55,000. Read More…

Erie County Medical Center Corporation

Erie County Medical Center Corporation in Buffalo, NY, failed to provide a patient with timely access to his medical records. OCR settled the case for $50,000. Read More…

Fallbrook Family Health Center

Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. OCR settled the case for $30,000. Read More…

Associated Retina Specialists

Associated Retina Specialists in New York took 5 months to provide a patient with the requested medical records. The records were provided within days of OCR intervening. OCR settled the case for $22,500. Read More…

Coastal Ear, Nose, and Throat

Coastal Ear, Nose, and Throat in Florida received a request from a patient for a copy of medical records on December 15, 2020, and again on January 8, 2021, but the records were not provided until May 20, 2021. OCR settled the case for $20,000. Read More…

Lawrence Bell, Jr. D.D.S

Lawrence Bell, Jr. D.D.S in Maryland failed to provide a patient with timely access to the requested medical records. OCR settled the case for $5,000. Read More…

Danbury Psychiatric Consultants

Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. The records were provided on September 14, 2020. OCR settled the case for $3,500. Read More…

Oklahoma State University – Center for Health Sciences

Oklahoma State University – Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. The investigation revealed a failure to conduct an accurate risk analysis, noncompliance with the security incident response and reporting requirements of the HIPAA Security Rule, the failure to conduct an evaluation following changes that affected the security of ePHI, a lack of audit controls, breach notification delays, and the impermissible disclosure of the PHI of 279,865 individuals. The case was settled for $850,000. Read More…

Dr. Brockley

The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. After being notified by OCR about a proposed fine of $105,000, Dr. Brockley requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000. Read more…

Jacob & Associates

The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. OCR also identified issues with the notice of privacy practices and a HIPAA privacy officer had not been appointed. The case was settled and a financial penalty of $28,000 was paid. Read more…

Northcutt Dental-Fairhope

The owner of the Fairhope, AL, dental practice impermissibly disclosed patients’ PHI to a campaign manager and a third-party marketing company in relation to a state senate election campaign. OCR also identified issues with the notice of privacy practices and there was no HIPAA privacy officer. The case was settled for $62,500. Read more…

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A

The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000. Read more…

HIPAA Violation Cases 2021

Advanced Spine & Pain Management

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $32,150. Read more…

Denver Retina Center

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…

Dr. Robert Glaser

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. Dr. Glaser did not cooperate with OCR during the investigation, resulting in OCR imposing a civil monetary penalty of $100,000 for the HIPAA Right of Access violation. Read more…

Rainrock Treatment Center LLC (dba Monte Nido Rainrock)

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, failed to provide a patient with timely access to the requested medical records after repeated requests. The HIPAA Right of Access violation was settled with OCR for $160,000. Read more…

Wake Health Medical Group

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $10,000. Read more…

Children’s Hospital & Medical Center

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, received a request from a parent for access to her daughter’s medical records but only provided part of the requested information, despite repeated requests. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty. Read more…

The Diabetes, Endocrinology & Lipidology Center, Inc.

The Diabetes, Endocrinology & Lipidology Center, Inc, a West Virginia-based healthcare provider specializing in treating endocrine disorders, failed to provide a parent with a copy of her minor child’s protected health information within 30 days. The HIPAA Right of Access violation was settled with OCR for $5,000. Read more…

AEON Clinical Laboratories (Peachstate)

OCR investigated a breach reported by the Department of Veteran Affairs involving a business associate, Authentidate Holding Corporation. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. The case was settled with OCR for $25,000. Read more…

Village Plastic Surgery

Ridgewood, NJ-based Village Plastic Surgery failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $30,000. Read more…

Arbour Hospital

Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. OCR provided technical assistance but received another complaint from the same patient that the records had still not been provided. The HIPAA Right of Access violation was settled with OCR for $65,000. Read more…

Sharp Healthcare

San Diego-based Sharp Healthcare, dba Sharp Rees-Stealy Medical Centers, failed to provide a patient’s medical records to a patient-specified third party for more than 2 months. OCR provided technical assistance and closed the case, but the records were still not provided. The HIPAA Right of Access violation was settled with OCR for $70,000. Read more…

Renown Health

Renown Health, a not-for-profit healthcare network in Northern Nevada, failed to provide a patient’s attorney with a copy of her medical and billing records within 30 days. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. The HIPAA Right of Access violation was settled with OCR for $75,000. Read more…

Excellus Health Plan

In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: A risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. The case was settled for $5,100,000. Read More…

Banner Health

Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $200,000. Read More…

HIPAA Violation Cases 2020

Premera Blue Cross

Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest. In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals. OCR investigated and found multiple potential HIPAA violations such as the failure to conduct a thorough risk analysis, risk management failures, and insufficient mechanisms to identify suspicious network activity. The case was settled for $6,850,000. Read More…

CHSPSC LLC

CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. In 2014, hackers accessed its systems and stole the ePHI of 6,121,158 individuals. OCR investigated and found multiple violations of the HIPAA Rules including a delayed response to a known security breach, risk analysis and risk management failures, and a lack of procedures to monitor information system activity logs. The case was settled for $2,300,000. Read More…

Athens Orthopedic Clinic PA

Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. The hacker stole data, attempted to extort money, and leaked the ePHI of 208,557 patients online when payment was not received. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and employees had not been provided with HIPAA Privacy Rule training. The case was settled for $1,500,000. Read More…

Peter Wrobel, M.D., P.C., dba Elite Primary Care

Elite Primary Care is a provider of primary health services in Georgia. OCR received a complaint from a patient who alleged he had been denied access to his medical records. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. The case was settled for $36,000. Read More…

University of Cincinnati Medical Center

A patient of University of Cincinnati Medical Center filed a complaint with OCR after not being provided with her requested records more than 13 weeks after submitting a request. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the records had still not been provided. The case was settled for $65,000. Read More…

Dr. Rajendra Bhayani

OCR received a complaint from a patient of Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, alleging he had not provided a patient with a copy of her medical records. OCR intervened and closed the case but received a second complaint a year later alleging the records had still not been provided. The case was settled for $15,000. Read More…

Riverside Psychiatric Medical Group

OCR received a complaint from a patient of California-based Riverside Psychiatric Medical Group in March 2019 alleging he had not been provided with a copy of his medical records. OCR intervened but received a second complaint a month later when the records had still not been provided. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $25,000. Read More…

City of New Haven, CT

The city of New Haven in Connecticut was investigated over an incident where a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. OCR determined the failure to terminate access rights when employment had ended was in violation of the HIPAA Security Rule. OCR also determined there had been a risk analysis failure, a failure to implement Privacy Rule policies, and unique IDs had not been provided to all employees to track information system activity. The case was settled for $202,400. Read More…

Aetna

Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals. OCR’s investigation revealed that periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. The case was settled for $1,000,000. Read More…

NY Spine

OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films that she specifically requested. OCR intervened and provided technical assistance, but it took 16 months for the records to be provided. The case was settled for $100,000. Read More…

Dignity Health, dba St. Joseph’s Hospital and Medical Center

OCR investigated a complaint from a mother who requested a copy of her son’s medical records from St. Joseph’s Hospital and Medical Center but had not been provided with a complete set of the records. After OCR intervened, the records were provided, but it took 22 months from the initial date of the request. The case was settled for $160,000. Read More…

Housing Works, Inc.

Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. OCR received a complaint from a patient who had not been provided with a copy of his medical records. OCR intervened and closed the case but received a second complaint a month later when the records had still not been provided. The case was settled for $38,000. Read More…

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic. OCR received a complaint from a patient who alleged AIMS refused to give her a copy of her medical records. OCR determined this violated the HIPAA Right of Access provision of the HIPAA Privacy Rule. The case was settled for $15,000. Read More…

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. OCR received a complaint from a patient alleging BILHBS had not provided a copy of her father’s medical records. OCR intervened and the records were provided 8 months after the initial request. The case was settled for $70,000. Read More…

King MD

King MD is a small provider of psychiatric services in Virginia. OCR received a complaint from a patient who had not been provided with her medical records after a 2-month wait. OCR intervened and closed the case but received a second complaint two months later when the records had still not been provided. The case was settled for $3,500. Read More…

Wise Psychiatry, PC

Wise Psychiatry is a small provider of psychiatric services in Colorado. A mother requested a copy of her son’s medical records, but the records had not been provided three months after submitting the request. OCR intervened and closed the case but received a second complaint 6 months after the first stating the records had still not been provided. The case was settled for $10,000. Read More…

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. OCR determined the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. The case was settled for $1,040,000. Read More…

Metropolitan Community Health Services dba Agape Health Services

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients. OCR investigated and identified longstanding, systemic noncompliance with the HIPAA Security Rule, including risk analysis and risk management failures, and the failure to provide security awareness training to employees. The case was settled for $25,000. Read More…

Steven A. Porter, M.D

Steven A. Porter, M.D.’s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients’ ePHI until a bill was paid. OCR investigated and found the EHR company had been allowed access to ePHI without signing a business associate agreement and risk analysis and risk management failures. The case was settled for $100,000. Read More…

HIPAA Violation Cases 2019

West Georgia Ambulance

OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR discovered a risk analysis failure, the lack of a security awareness training program, and a failure to implement HIPAA Security Rule policies and procedures. The case was settled for $65,000.

Bayfront Health St. Petersburg

Bayfront Health St. Petersburg was investigated following receipt of a complaint from a patient on August 14, 2018. The patient had requested a copy of her child’s fetal heart monitor records, but 9 months after the request had been submitted the records still had not been provided. A settlement of $85,000 was agreed upon with OCR to resolve the HIPAA violation. This was OCR’s first settlement under the 2019 HIPAA Right of Access enforcement initiative.

Korunda Medical, LLC

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The investigation confirmed there had been a HIPAA Right of Access failure. A settlement of $85,000 was agreed upon to resolve the violation.

University of Rochester Medical Center

OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI – a flash drive and a laptop computer. Technical assistance had previously been provided by OCR, but devices had still not been encrypted. In addition, OCR determined there had been risk analysis failures, a risk management failure, and a lack of device and media controls. The case was settled for $3 million.

Sentara Hospitals

A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. The OCR investigation determined 577 patients had been affected, but Sentara Hospitals refused to update its breach notice to reflect the correct number of patients affected. OCR also discovered a business associate failure. The case was settled for $2.175 million.

Elite Dental Associates

A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. OCR investigated and discovered similar privacy violations had occurred in responses to other patient reviews. The impermissible disclosures of PHI resulted in a $10,000 settlement.

Medical Informatics Engineering

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000.

Touchstone Medical Imaging

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. The OCR investigation revealed a lack of business associate agreements, insufficient access rights, a risk analysis failure, a failure to respond to a security incident, a breach notification failure, and a media notification failure. The case was settled for $3 million.

Texas Department of Aging and Disability Services

The Department of Health and Human Services’ Office for Civil Rights (OCR) imposed a $1.6 million civil monetary penalty (CMP) on Texas Health and Human Services Commission (TX HHSC) for multiple violations of HIPAA Rules discovered during the investigation of an exposed internal application containing ePHI. OCR determined there had been a risk analysis failure, an access control failure, an information system activity monitoring failure, and an impermissible disclosure of 6,617 patients’ ePHI.

Jackson Health System

OCR imposed a $2.154 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. OCR determined its compliance program had been in disarray for several years.

HIPAA Violation Cases 2018

Cottage Health – Exposure of ePHI Over the Internet

OCR agreed to settle multiple alleged HIPAA violations with Cottage Health for $3,000,000. In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without the need for a username or password. The ePHI of 62,500 patients was exposed. OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement.

Pagosa Springs Medical Center – Failure to Terminate Employee Access

OCR fined Pagosa Springs Medical Center $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI. The medical center had also failed to enter into a BAA with a business associate.

Advanced Care Hospitalists – Multiple Compliance Failures Resulting in Impermissible PHI Disclosure

An OCR investigation into an impermissible disclosure of 9,255 individuals’ PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. A settlement of $500,000 was agreed upon to resolve the alleged HIPAA violations.

Allergy Associates of Hartford – PHI Disclosure to Reporter

OCR investigated a complaint about an impermissible disclosure of a patient’s PHI to a reporter. OCR confirmed that PHI had been disclosed without an authorization from the patient and that there had been no sanctions against the physician responsible, despite being warned in advance not to disclose any PHI. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations.

Anthem Inc – Multiple Compliance Failures Contributing to 78.8 Million Record Breach

An investigation into Anthem Inc’s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case.

Boston Medical Center – Filming Patients Without Consent

Boston Medical Center was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Boston Medical Center agreed to settle the alleged HIPAA violations with OCR for $100,000.

Brigham and Women’s Hospital – Filming Patients Without Consent

Brigham and Women’s Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Brigham and Women’s Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000.

Massachusetts General Hospital – Filming Patients Without Consent

Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. Massachusetts General Hospital agreed to settle the alleged HIPAA violations with OCR for $515,000.

Filefax, Inc. – Failure to Protect Physical PHI

After the permanent closure of the company, paperwork containing former patients’ PHI was discarded by FileFax. The paperwork was taken by a member of the public who sold the material to a recycling facility. OCR determined there had been a failure to protect patient information which resulted in an impermissible disclosure of 2,150 patient records. FileFax agreed to settle the alleged HIPAA violations for $100,000.

Fresenius Medical Care North America – Multiple Compliance Failures Contributing to 5 PHI Breaches

An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed multiple HIPAA violations had contributed to the breaches. OCR discovered risk analysis failures, a lack of policies covering electronic devices, a lack of encryption or alternative safeguards, insufficient security policies, and insufficient physical safeguards, resulting in an impermissible disclosure of 521 individuals’ PHI. Fresenius Medical Care North America settled the case for $3,500,000.

University of Texas MD Anderson Cancer Center – Impermissible Disclosures of PHI

OCR investigated three breaches involving the loss of a laptop computer and two unencrypted thumb drives containing patients’ PHI. OCR determined that there had been an impermissible disclosure of 34,883 patients’ ePHI due to a lack of encryption. The case was contested, but an administrative law judge ruled in favor of OCR. University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000.

HIPAA Violation Cases 2017

Memorial Hermann Health System – Careless Handling of PHI

Memorial Hermann Health System agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights for $2.4 million. The settlement stems from an impermissible disclosure of PHI in a press release issued by MHHS in September 2015.

St. Luke’s-Roosevelt Hospital Center Inc. – Unauthorized Disclosure of PHI

The Department of Health and Human Services’ Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI.

The Center for Children’s Digestive Health – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois, has agreed to pay OCR $31,000 to resolve potential HIPAA violations.

CardioNet – Impermissible Disclosure of PHI

A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.

Metro Community Provider Network – Lack of Security Management Process

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

Memorial Healthcare System – Insufficient ePHI Access Controls

OCR has announced that a $5.5 million settlement has been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance.

Children’s Medical Center of Dallas – Impermissible Disclosure of ePHI

The Department of Health and Human Services’ Office for Civil Rights has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016.

MAPFRE Life Insurance Company of Puerto Rico – Impermissible Disclosure of ePHI

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department, from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers, and dates of birth. The device was not protected by a password and data on the device was not encrypted. MAPFRE has agreed to a $2,200,000 settlement with OCR.

Presence Health – Delayed Breach Notifications

Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. Presence Health took three months to issue breach notifications, when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach.

HIPAA Violation Cases 2016

University of Massachusetts Amherst – Failure to Manage Security Risks

The Department of Health and Human Services’ Office for Civil Rights has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals.

St. Joseph Health – Failure to Conduct Risk Analysis

ePHI was exposed as a direct result of the failure to conduct a comprehensive risk analysis and a security assessment on a server prior to using it to share files containing ePHI. The server had been purchased and a file-sharing application was installed, yet no changes were made to the application. The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files. St. Joseph Health has agreed to pay OCR $2,140,500.

Care New England Health System – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance.

Advocate Health Care Network – Multiple HIPAA Violations

OCR has just announced it has agreed to the largest ever HIPAA settlement with a single covered entity. Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. The previous record was the $3.5 million settlement with Triple S Management Corporation agreed in November 2015.

University of Mississippi Medical Center – Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA.

Oregon Health & Science University – Lack of a Business Associate Agreement

Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services’ Office for Civil Rights stemming from two data breaches experienced in 2013. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The privacy breaches occurred shortly after each other in 2013. Within the space of three months, the protected health information of over 7,000 patients was exposed.

Catholic Health Care Services of the Archdiocese of Philadelphia – Failure to Safeguard ePHI

Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to settle alleged HIPAA violations with OCR and implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS had failed to perform a comprehensive risk analysis since September 23, 2013. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. § 164.308(a)(1)(ii)(B).

New York Presbyterian Hospital – Filming Patients without Authorization

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from patients. An ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, but consent had not been obtained.

Raleigh Orthopaedic Clinic, P.A. of North Carolina – Lack of Business Associate Agreement

Raleigh Orthopaedic Clinic, P.A., of North Carolina has settled with OCR over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013.

Feinstein Institute for Medical Research – Impermissible Disclosure of PHI

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second-largest settlement amount agreed with OCR. The data breach investigation revealed a substandard security management process and a catalog of HIPAA Security Rule violations.

North Memorial Health Care of Minnesota – Lack of a Business Associate Agreement

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges.

Complete P.T., Pool & Land Physical Therapy, Inc. – Impermissible Disclosure of PHI

Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question.

Lincare, Inc. – Failure to Safeguard PHI

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records.


HIPAA Violation Cases 2015

University of Washington Medicine – Failure to Conduct Risk Analysis

The University of Washington Medicine has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013.

Triple S Management Corporation – Multiple HIPAA Violations

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services’ Office for Civil Rights. Triple S was also required to pay a HIPAA violation penalty of $6.8 million to the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act’s Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal.

Lahey Hospital and Medical Center – Multiple HIPAA Violations

HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The nonprofit teaching hospital has also agreed to adopt OCR’s corrective action plan to address HIPAA compliance issues discovered by OCR investigators.

Cancer Care Group, P.C. – Failure to Conduct Risk Analysis

Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services’ Office for Civil Rights for $750,000 for potential HIPAA violations relating to a 2012 data breach. In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The data breach exposed the protected health information of 55,000 patients.

St. Elizabeth’s Medical Center – Multiple HIPAA Violations

A HIPAA settlement of $218,400 has been reached with St. Elizabeth Medical Center (SEMC) for violations of the HIPAA Privacy, Security, and Breach Notification Rules. The settlement was reached with SEMC for violations that led to a document sharing system data breach that exposed 498 records, and a data breach involving the theft of a flash drive containing unencrypted data of 595 patients.

Cornell Prescription Pharmacy – Improper Disposal of PHI

OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. Cornell Pharmacy is a single-location healthcare provider that mostly serves hospice care organizations in Denver and provides compound medications.

HIPAA Violation Cases 2014

Anchorage Community Mental Health Services – Failure to Manage Risks to ePHI

Anchorage Community Mental Health Services (ACMHS) is a non-profit organization that runs five mental health facilities in Alaska. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. ACMHS has agreed to settle the case with OCR for $150,000.

Parkview Health System, Inc. – Failure to Safeguard PHI

Parkview Health System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. The doctor was retiring and was to receive a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made while he was out of the house, and the boxes were left on the doctor’s driveway.

New York and Presbyterian Hospital and Columbia University – Failure to Conduct Risk Analysis

Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines. New York and Presbyterian Hospital (NYP) and Columbia University (CU) will jointly pay a penalty of $4,800,000.

QCA Health Plan, Inc., of Arkansas – Failure to Safeguard ePHI

QCA Health Plan, Inc. of Arkansas reported the theft of a laptop from a car that contained unencrypted data on 148 patients. OCR investigated the breach and discovered multiple violations of the HIPAA Privacy and Security Rules. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000.

Concentra Health Services – Failure to Safeguard ePHI

Following the report of the theft of a laptop from the Springfield Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by OCR. Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. Concentra has agreed to pay OCR $1,725,220 to resolve the case.

Skagit County, Washington – Failure to Safeguard ePHI

Skagit County, Washington is paying the price for failing to implement the appropriate controls and safeguards to protect the data it held. Skagit County agreed to pay OCR $215,000 following the exposure of the data of seven individuals. The data were accessed by unknown third parties after ePHI was unwittingly transferred to a server accessible to the public.

HIPAA Violation Cases 2013

Adult & Pediatric Dermatology, P.C. – Failure to Safeguard ePHI

Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts following the accidental disclosure of the PHI of approximately 2,200 patients after a memory stick was stolen from the car of one of the center’s employees. A settlement of $150,000 has been reached with OCR.

Affinity Health Plan, Inc. – Failure to Permanently Erase ePHI

Office for Civil Rights has announced that a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned.

WellPoint – Failure to Safeguard ePHI

WellPoint is one of the largest providers of Affiliated Health Plans, with almost 36 million policyholders across the United States. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. A settlement of $1,700,000 has been agreed upon with OCR to resolve the HIPAA violations that contributed to the cause of the breach.

Shasta Regional Medical Center – Disclosure of PHI Without Patient Consent

An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. PHI had been intentionally provided to the media on three separate occasions.

Idaho State University – Failure to Safeguard ePHI

Idaho State University’s Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients. The firewall was inactive for a period of 10 months, leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time. A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations.

FAQs

How many HIPAA violation cases are there each year?

The number of alleged HIPAA violation cases received each year by HHS’ Office for Civil Rights is between 1,200 and 1,500. In the majority of cases, the agency resolves the complaints without the need for an investigation or finds no HIPAA violation exists. However, up to 500 cases per year result in a fine and/or corrective action being required.

It is important to note that these figures only represent the complaints and notifications received by HHS’ Office for Civil Rights. Complaints can also be made to individual Covered Entities and State Attorneys General, but there is no public record of these. Nor is there a public record of breach notifications sent to HHS’ Office for Civil Rights for breaches affecting fewer than 500 individuals.

How are the penalties for HIPAA violations calculated?

The penalties for HIPAA violations are calculated on the “factors considered in determining a civil monetary penalty” plus the “such other matters as justice may require” clause in 45 CFR §160.408. Generally, there are four HIPAA violation classifications which rank the level of an organization’s culpability, the organization’s attempts to mitigate the consequences of the violation, and the organization’s willingness to assist with an investigation.

Can you be fined more than once for the same violation?

You can be fined more than once for the same violation if an organization fails to take corrective action after having been issued an initial fine. An organization’s prior history with regard to HIPAA non-compliance can also be a contributory factor in the calculation of penalties for HIPAA violations, and therefore a second or subsequent fine will likely be much larger than the first.

How do you know how much training to provide in order to avoid being in violation of HIPAA?

It can be difficult to know how much training to provide in order to avoid being in violation of HIPAA because, other than stipulating training should be provided “as necessary and appropriate for members of the workforce to carry out their functions” (HIPAA Privacy Rule) and that CEs and BAs should “implement a security awareness and training program for all members of the workforce” (HIPAA Security Rule), there are no specific HIPAA training requirements.

Your graphs indicate the penalties for HIPAA violations are increasing. Is this the case?

Although our graphs indicate the penalties for HIPAA violations are increasing, it is important to put the raw data into context. There are two key events to consider when looking at the timeline of penalties for HIPAA violations – the passage of the HITECH Act in 2009 which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013 which enacted the passage of the HITECH Act making business associates liable for HIPAA violations that were their fault.

Are all the above cases real-life HIPAA violation cases?

All the above cases are real-life HIPAA violation cases that have been reported to and investigated by HHS’ Office for Civil Rights. As mentioned previously, there are many, many more real-life HIPAA violation cases that do not get published in the public domain because either they affect fewer than 500 individuals or they are resolved internally by the Covered Entity they are reported to.

Where can I find recent HIPAA violation cases?

Recent HIPAA violation cases that result in a civil monetary penalty are added to this page as soon as details are publicly available. For details of recent HIPAA violation cases that have not resulted in a civil monetary penalty, visit HHS’ Breach Report and click on the link to the Archive. This database contains thousands of HIPAA violation cases that have not resulted in a civil monetary penalty.

Have there been any HIPAA lawsuit cases?

HIPAA lawsuit cases are not recorded as such because HIPAA has no private right of action. However, there have been cases in which a HIPAA data breach is subsequently pursued in court in a civil lawsuit – the best example being the Anthem breach of 2014. More than 100 private class action lawsuits were filed against Anthem – the ultimately consolidated case being settled for $115 million.

Why are there not more HIPAA violations in the news?

The reason there are not more HIPAA violations in the news is that only a few violations each year justify column inches because of their nature or the size of the penalty imposed by HHS’ Office for Civil Rights. Additionally, many HIPAA violations are not deliberate acts of theft, but rather mistakes that are resolved by the tightening up of security measures and further employee training.

Who investigates cases of HIPAA violations other than HHS’ Office for Civil Rights?

Cases of HIPAA violations are investigated most often by the Covered Entity to whom they are reported. Indeed, many Covered Entities don’t provide the contact details for HHS’ Office for Civil Rights on their Notices of Privacy Practices, so most complaints about HIPAA violations are reported directly to them rather than to HHS’ Office for Civil Rights or State Attorneys General.

Cases of HIPAA violations can also be reported internally by members of a Covered Entity’s workforce, and HIPAA requires Business Associates to report all security incidents to the Covered Entity – including those that do not constitute a HIPAA violation – so again, the Covered Entity gets to hear about violations first before deciding whether the events are notifiable.

HIPAA violations that are not violations of the Privacy, Security, and Breach Notification Rules are investigated by other federal agencies. For example, the Centers for Medicare and Medicaid Services investigates cases of Part 162 HIPAA violations, the Department of Labor investigates violations of HIPAA’s portability provisions, and the Federal Trade Commission investigates violations of the Breach Notification Rule by companies that are not Covered Entities or Business Associates.

What are the worst HIPAA violation cases?

The worst HIPAA violation cases are the ones which continue for long periods of time without being identified and corrected. This is especially true when individually identifiable health information is disclosed knowingly and wrongfully to commit identity theft and fraud as this type of HIPAA violation case can impact individuals’ lives for many years.

Why have patients’ rights violation cases been prioritized?

Patients’ rights violation cases appear to have been prioritized in recent years because in 2019 HHS’ Office for Civil Rights announced a Right of Access enforcement initiative. The initiative aims to address issues related to patients being able to access a copy of their PHI and an Accounting of Disclosures to see who their PHI has been disclosed to up to six years previously.

Why are most HIPAA violation cases medical HIPAA violation cases?

Most HIPAA violation cases are medical HIPAA violation cases because there are many more medical facilities that qualify as Covered Entities than there are health plans or health care clearinghouses that qualify as Covered Entities. There are more than 6,000 hospitals, 9,000 urgent care centers and 27,000 pharmacies that qualify as Covered Entities in the U.S. compared to fewer than 1,000 covered health plans and health care clearinghouses combined.

What can Covered Entities learn from HIPAA violation stories?

What Covered Entities can learn from HIPAA violation stories about other Covered Entities is what measures they may need to implement to mitigate the risk of a violation or data breach. Some HIPAA violation stories are quite unique in how they happened or how their consequences could have been prevented, and hearing about these stories helps Covered Entities conduct better informed risk analyses and implement reasonable and appropriate measures where necessary.

Is a breach of patient confidentiality a HIPAA violation?

A breach of patient confidentiality is not necessarily a HIPAA violation because some disclosures of PHI permitted by the Privacy Rule may be considered a breach of patient confidentiality by the patient, even though they are not HIPAA violations. For example, under §164.512 of the Privacy Rule, there are a number of scenarios in which healthcare providers can disclose individually identifiable health information to public health agencies, law enforcement officers, and employers.

Additionally, there may be times when a healthcare provider breaches patient confidentiality – but does not violate HIPAA – because the information being disclosed is not protected by the Privacy Rule. For example, if a healthcare provider maintains a database of names and telephone numbers – and there is no health information maintained in the same database – the names and telephone numbers are not Protected Health Information and therefore not protected by the Privacy Rule.
