2017 HIPAA Enforcement Summary

Our 2017 HIPAA enforcement summary details the financial penalties paid by healthcare organizations to resolve HIPAA violation cases investigated by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

2017 saw OCR continue its aggressive pursuit of financial settlements for serious violations of HIPAA Rules. There have been 9 HIPAA settlements and one civil monetary penalty in 2017.

In total, OCR received $19,393,000 in financial settlements and civil monetary penalties from covered entities and business associates to resolve HIPAA violations discovered during the investigations of data breaches and complaints.

Last year, there were 12 settlements reached with HIPAA-covered entities and business associates, and one civil monetary penalty issued. In 2016, OCR received $25,505,300 from covered entities to resolve HIPAA violation cases.

Summary of 2017 HIPAA Enforcement by OCR

Listed below are the 2017 HIPAA enforcement activities of OCR that resulted in financial penalties for HIPAA-covered entities and their business associates.

Covered Entity Amount Type Violation Type
Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
Presense Health $475,000 Settlement Delayed Breach Notifications
Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement

OCR’s 2017 HIPAA enforcement activities have revealed covered entities are continuing to fail to comply with HIPAA Rules in key areas: Safeguarding PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors.

Throughout 2016 and 2017, many covered entities have failed to issue breach notifications promptly. In 2017, OCR took action for this common HIPAA violation and agreed its first HIPAA settlement solely for delaying breach notifications to patients.

HIPAA Desk Audits Revealed Widespread HIPAA Violations

In late 2016, OCR commenced the much-delayed second phase of its HIPAA-compliance audit program. The first stage involved desk audits of 166 HIPAA-covered entities – 103 audits on the Privacy and Breach Notification Rules, and 63 audits on the Security Rule. 41 desk audits were conducted on business associates on the Breach Notification and Security Rules.

While the full results of the compliance audits have not been released, this fall OCR announced preliminary findings from the compliance audits.

Covered entities were given a rating from 1 to 5 for the completeness of compliance efforts on each control and implementation specification. A rating of 1 signifies full compliance with goals and objectives of the standards and implementation specifications that were audited. A rating of 5 indicates there was no evidence that the covered entity had made a serious attempt to comply with HIPAA Rules.

Preliminary Findings of HIPAA Compliance Audits on Covered Entities

Listed below are the findings from the HIPAA compliance audits. A rating of 5 being the worst possible score and 1 being the best.

Preliminary HIPAA Compliance Audit Findings (2016/2017)
HIPAA Rule Compliance Controls Audited Covered Entities Given Rating of 5 Covered Entities Given Rating of 1
Breach Notification Rule (103 audits) Timeliness of Breach Notifications 15 67
Breach Notification Rule (103 audits) Content of Breach Notifications 9 14
Privacy Rule (103 audits) Right to Access PHI 11 1
Privacy Rule (103 audits) Notice of Privacy Practices 16 2
Privacy Rule (103 audits) Electronic Notice 15 59
Security Rule (63 audits) Risk Analysis 13 0
Security Rule (63 audits) Risk Management 17 1


Almost a third of covered entities failed to issue breach notifications promptly and next to no covered entities were found to be fully compliant with the HIPAA Privacy and Security Rules.

OCR has delayed the full compliance reviews until 2018. While some organizations will be randomly selected for a full review – including a site visit – OCR has stated that poor performance in the desk audits could trigger a full compliance review. Financial penalties may be deemed appropriate, especially when there has been no attempt to comply with HIPAA Rules.

Attorneys General Fines for Privacy Breaches

The HITECH Act gave state attorneys general the authority to pursue financial penalties for HIPAA violations and assist OCR with the enforcement of HIPAA Rules. Relatively few state attorneys general exercise this right. Instead they choose to pursue cases under state laws, even if HIPAA Rules have been violated.

Notable 2017 settlements with healthcare organizations and business associates of HIPAA covered entities have been listed below.

Covered Entity State Amount Individuals affected Reason
Cottage Health System California $2,000,000 More than 54,000 Failure to Safeguard Personal Information
Horizon Healthcare Services Inc., New Jersey $1,100,000 3.7 million Failure to Safeguard Personal Information
SAManage USA, Inc. Vermont $264,000 660 Exposure of PHI on Internet
CoPilot Provider Support Services, Inc. New York $130,000 221,178 Late Breach Notifications
Multi-State Billing Services Massachusetts $100,000 2,600 Failure to Safeguard Personal Information

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.