HIPAA Violation Fines
HIPAA violation fines can be issued by the Department of Health and Human Service’ Office for Civil Rights (OCR) and state attorneys general.
In the majority of cases, covered entities and business associates accept there have been potential failures to comply with certain elements of HIPAA Rules and a settlement amount is agreed and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address HIPAA failures.
When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.
While OCR issues fines for HIPAA violations, attorneys general tend to choose to pursue financial penalties against HIPAA covered entities under state laws rather than HIPAA, if equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win and the penalty structure at the state level may allow higher financial penalties to be issued.
Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.
Penalty Structure for HIPAA Violations
State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year.
Listed below are the HIPAA violation fines and settlements issued by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.
2018 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Multiple HIPAA Violations |
2017 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | Cardionet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| 2017 | Presense Health | $475,000 | Settlement | Delayed Breach Notifications |
2016 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of Business Associate Agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI |
2015 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2015 | University of Washington Medicine | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA Violations |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper Disposal of PHI |
2014 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to Manage Risks to ePHI |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to Safeguard PHI |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to Conduct Risk Analysis |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to Safeguard ePHI |
| 2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to Safeguard ePHI |
| 2014 | Skagit County, Washington | $215,000 | Settlement | Failure to Safeguard ePHI |
2013 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to Permanently Erase ePHI |
| 2013 | WellPoint | $1,700,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI Without Patient Consent |
| 2013 | Idaho State University | $400,000 | Settlement | Failure to Safeguard ePHI |
2012 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an Unencrypted Laptop |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA Violations |
| 2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to Perform Risk Analysis/Risk Management Failures |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA Safeguards |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
2011 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to Restrict Access to Medical Records |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to Safeguard PHI |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty | Denying Patients Access to Medical Records |
2010 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk Analysis Failures / Insufficient Security Measures |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA Violations |
2009 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA Violations |
2008 HIPAA Violation Fines
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2008 | Providence Health & Services | $100,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |
Attorneys General HIPAA Fines
Cases have been included if there have been potential violations of HIPAA Rules even if the financial penalty was issued for violations of state laws.
| Year | State | Covered Entity | Amount | Individuals affected | Settlement/CMP | Reason |
|---|---|---|---|---|---|---|
| 2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Server misconfiguration |
| 2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Mailing error |
| 2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | Mailing error |
| 2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records |
| 2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI |
| 2017 | NJ | Horizon Healthcare Services Inc., | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers |
| 2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines and PHI viewable |
| 2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Settlement | Delayed breach notification |
| 2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to nurse who took it to a new employer |
| 2015 | CT | Hartford Hospital/ EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI |
| 2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI |
| 2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI |
| 2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI |
| 2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal |
| 2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI |
| 2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI |
| 2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |
| 2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report breach in a reasonable timeframe |
| 2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |