HIPAA Violation Fines
HIPAA violation fines can be issued by the Department of Health and Human Service’ Office for Civil Rights (OCR) and state attorneys general.
In the majority of cases, covered entities and business associates accept there have been potential failures to comply with certain elements of HIPAA Rules and a settlement amount is agreed and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address HIPAA failures.
When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.
While OCR issues fines for HIPAA violations, attorneys general tend to choose to pursue financial penalties against HIPAA covered entities under state laws rather than HIPAA, if equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win and the penalty structure at the state level may allow higher financial penalties to be issued.
Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.
Penalty Structure for HIPAA Violations
State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year.
Listed below are the HIPAA violation fines and settlements issued by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.
2018 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards |
| 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI; No Encryption |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent |
| 2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent |
| 2018 | Anthem Inc | $16,000,000 | Settlement | Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access |
| 2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to reporter; No sanctions against employee |
| 2018 | Advanced Care Hospitalists | $500,000 | Settlement | Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 |
| 2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; No BAA |
| 2018 | Cottage Health | $3,000,000 | Settlement | Risk analysis failure; Risk management failure; No BAA |
2017 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | Cardionet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| 2017 | Presense Health | $475,000 | Settlement | Delayed Breach Notifications |
2016 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of Business Associate Agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI |
2015 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2015 | University of Washington Medicine | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA Violations |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper Disposal of PHI |
2014 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to Manage Risks to ePHI |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to Safeguard PHI |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to Conduct Risk Analysis |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to Safeguard ePHI |
| 2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to Safeguard ePHI |
| 2014 | Skagit County, Washington | $215,000 | Settlement | Failure to Safeguard ePHI |
2013 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to Permanently Erase ePHI |
| 2013 | WellPoint | $1,700,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI Without Patient Consent |
| 2013 | Idaho State University | $400,000 | Settlement | Failure to Safeguard ePHI |
2012 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an Unencrypted Laptop |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA Violations |
| 2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to Perform Risk Analysis/Risk Management Failures |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA Safeguards |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
2011 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to Restrict Access to Medical Records |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to Safeguard PHI |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty | Denying Patients Access to Medical Records |
2010 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk Analysis Failures / Insufficient Security Measures |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA Violations |
2009 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA Violations |
2008 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2008 | Providence Health & Services | $100,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
Attorneys General HIPAA Fines and Settlements
Cases have been included if there have been potential violations of HIPAA Rules even if the financial penalty was issued for violations of state laws.
| Year | State | Covered Entity | Amount | Individuals affected | Settlement/CMP | Reason |
| 2018 | MA | McLean Hospital | $75,000 | 1,500 | Settlement | Loss of backup tapes |
| 2018 | NJ | EmblemHealth | $100,000 | 6,443 (81,000) | Settlement | Mailing error exposed SSNs |
| 2018 | NJ | Best Transcription Medical | $200,000 | 1,650 | Settlement | Exposure of ePHi via search engines |
| 2018 | WA | Aetna | TBA | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | CT | Aetna | $99,959 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | NJ | Aetna | $365,211.59 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | DC | Aetna | $175,000 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | MA | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement | Failure to secure ePHI and multiple breaches |
| 2018 | NY | Arc of Erie County | $200,000 | 3,751 | Settlement | Failure to secure ePHI |
| 2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Multiple violations of HIPAA Rules |
| 2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Impermissible disclosure of ePHI |
| 2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | 2 mailings exposed PHI (Afib, HIV data) |
| 2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records |
| 2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI |
| 2017 | NJ | Horizon Healthcare Services Inc., | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers |
| 2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines and PHI viewable |
| 2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Settlement | Delayed breach notification |
| 2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to nurse who took it to a new employer |
| 2015 | CT | Hartford Hospital/ EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI |
| 2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI |
| 2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI |
| 2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI |
| 2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal |
| 2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI |
| 2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI |
| 2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |
| 2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report breach in a reasonable timeframe |
| 2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |