HIPAA Violation Fines

HIPAA violation fines can be issued by the Department of Health and Human Service’ Office for Civil Rights (OCR) and state attorneys general.

In the majority of cases, covered entities and business associates accept there have been potential failures to comply with certain elements of HIPAA Rules and a settlement amount is agreed and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address HIPAA failures.

When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.

While OCR issues fines for HIPAA violations, attorneys general tend to choose to pursue financial penalties against HIPAA-covered entities under state laws rather than HIPAA, if equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win and the penalty structure at the state level may allow higher financial penalties to be issued.

Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.

Penalty Structure for HIPAA Violations

The penalty amounts are adjusted annually to account for cost of living increases. The last update was in November 2021 and saw the maximum penalties increased in line with inflation to the amounts shown in the table below.

Penalty Tier Level of Culpability Minimum Penalty per Violation (adjusted for inflation) Max Penalty per Violation (adjusted for inflation) Annual Penalty Limit (adjusted for inflation)
Tier 1 Lack of Knowledge $120 $60,226 $30,113
Tier 2 Reasonable Cause $1,205 $60,226 $120,452
Tier 3 Willful Neglect $12,045 $60,226 $301,130
Tier 4 Willful neglect (not corrected within 30 days0 $60,226 $1,806,757 $1,806,757

Further, OCR issued a Notice of Enforcement Discretion in April 2019 stating the annual penalty limits in three of the penalty tiers would be reduced following a reexamination of the language of the HITECH Act. The cap on the annual penalty limit was changed to $25,000 (now $30,113) for tier 1, $100,000 (now $120,452) for tier 2, and $250, 000 (now $301,130) for tier 3. The maximum annual penalty for tier 4 remains unchanged at $1,500,000 (now $1,806,757).

State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year. The maximum penalty is also adjusted annually in line with inflation.

Listed below are the HIPAA violation fines and settlements issued by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.

healthcare data breach statistics - OCR HIPAA penalties 2008-2021

OCR HIPAA fines and civil monetary penalties 2008-2021

2022 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2022 ACPM Podiatry $100,000 Civil Monetary Penalty HIPAA Right of Access failure
2022 Memorial Hermann Health System $240,000 Settlement HIPAA Right of Access failure
2022 Southwest Surgical Associates $65,000 Settlement HIPAA Right of Access failure
2022 Hillcrest Nursing and Rehabilitation $55,000 Settlement HIPAA Right of Access failure
2022 MelroseWakefield Healthcare $55,000 Settlement HIPAA Right of Access failure
2022 Erie County Medical Center Corporation $50,000 Settlement HIPAA Right of Access failure
2022 Fallbrook Family Health Center $30,000 Settlement HIPAA Right of Access failure
2022 Associated Retina Specialists $22,500 Settlement HIPAA Right of Access failure
2022 Coastal Ear, Nose, and Throat $20,000 Settlement HIPAA Right of Access failure
2022 Lawrence Bell, Jr. D.D.S $5,000 Settlement HIPAA Right of Access failure
2022 Danbury Psychiatric Consultants $3,500 Settlement HIPAA Right of Access failure
2022 Oklahoma State University – Center for Health Sciences $875,000 Settlement Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals
2022 Dr. Brockley $30,000 Settlement HIPAA Right of Access
2022 Jacob & Associates $28,000 Settlement HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer
2022 Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., $50,000 Civil Monetary Penalty Impermissible disclosure on social media
2022 Northcutt Dental-Fairhope $62,500 Settlement Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer

2021 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2021 Advanced Spine & Pain Management $32,150 Settlement HIPAA Right of Access failure
2021 Denver Retina Center $30,000 Settlement HIPAA Right of Access failure
2021 Dr. Robert Glaser $100,000 Civil Monetary Penalty HIPAA Right of Access failure
2021 Rainrock Treatment Center LLC (dba monte Nido Rainrock) $160,000 Settlement HIPAA Right of Access failure
2021 Wake Health Medical Group $10,000 Settlement HIPAA Right of Access failure
2021 Children’s Hospital & Medical Center $80,000 Settlement HIPAA Right of Access failure
2021 The Diabetes, Endocrinology & Lipidology Center, Inc. $5,000 Settlement HIPAA Right of Access failure
2021 AEON Clinical Laboratories (Peachstate) $25,000 Settlement HIPAA Security Rule failures (risk assessment, risk management, audit controls, and lack of documentation of HIPAA Security Rule policies and procedures)
2021 Village Plastic Surgery $30,000 Settlement HIPAA Right of Access failure
2021 Arbour Hospital $65,000 Settlement HIPAA Right of Access failure
2021 Sharpe Healthcare $70,000 Settlement HIPAA Right of Access failure
2021 Renown Health $75,000 Settlement HIPAA Right of Access failure
2021 Excellus Health Plan $5,100,000 Settlement Multiple violations: Risk analysis failure, risk management failure, lack of information system activity reviews, lack of technical policies to prevent unauthorized ePHI access, and a breach of 9,358,891 records.
2021 Banner Health $200,000 Settlement HIPAA Right of Access failure

2020 HIPAA Violation Fines and Settlements

Year Entity Amount Settlement/CMP Reason
2020 Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement HIPAA Right of Access failure
2020 University of Cincinnati Medical Center $65,000 Settlement HIPAA Right of Access failure
2020 Dr. Rajendra Bhayani $15,000 Settlement HIPAA Right of Access failure
2020 Riverside Psychiatric Medical Group $25,000 Settlement HIPAA Right of Access failure
2020 City of New Haven, CT $202,400 Settlement Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure of the PHI of 498 individuals
2020 Aetna $1,000,000 Settlement Failure to conduct an evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of admin, technical, and physical safeguards
2020 NY Spine $100,000 Settlement HIPAA Right of Access failure
2020 Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement HIPAA Right of Access failure
2020 Premera Blue Cross $6,850,000 Settlement Risk assessment failure, risk management failure, insufficient hardware, and software controls,
2020 CHSPSC LLC $2,300,000 Settlement Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls.
2020 Athens Orthopedic Clinic PA $1,500,000 Settlement Failures to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training to the workforce.
2020 Housing Works, Inc. $38,000 Settlement HIPAA Right of Access failure
2020 All Inclusive Medical Services, Inc. $15,000 Settlement HIPAA Right of Access failure
2020 Beth Israel Lahey Health Behavioral Services $70,000 Settlement HIPAA Right of Access failure
2020 King MD $3,500 Settlement HIPAA Right of Access failure
2020 Wise Psychiatry, PC $10,000 Settlement HIPAA Right of Access failure
2020 Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement Lack of encryption, device and media controls, and business associate agreement failures.
2020 Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement Systemic noncompliance with the HIPAA Security Rule
2020 Steven A. Porter, M.D $100,000 Settlement Risk analysis and risk management failures

2019 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2019 West Georgia Ambulance $65,000 Settlement Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures.
2019 Korunda Medical, LLC $85,000 Settlement HIPAA Right of Access failure.
2019 Sentara Hospitals $2,175,000 Settlement Breach notification failure; business associate agreement failure
2019 University of Rochester Medical Center $3,000,000 Settlement Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls.
2019 Elite Dental Associates $10,000 Settlement Social media disclosure; notice of privacy practices; impermissible PHI disclosure.
2019 Bayfront Health St Petersburg $85,000 Settlement HIPAA Right of Access failure
2019 Medical Informatics Engineering $100,000 Settlement Risk analysis failure; impermissible disclosure of 3.5 million records
2019 Touchstone Medical imaging $3,000,000 Settlement No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI.
2019 Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI
2019 Jackson Health System $2,154,000 Civil Monetary Penalty Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations

2018 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2018 Fresenius Medical Care North America $3,500,000 Settlement Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards
2018 Filefax, Inc. $100,000 Settlement Impermissible disclosure of PHI
2018 University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty Impermissible disclosure of ePHI; No Encryption
2018 Massachusetts General Hospital $515,000 Settlement Filming patients without consent
2018 Brigham and Women’s Hospital $384,000 Settlement Filming patients without consent
2018 Boston Medical Center $100,000 Settlement Filming patients without consent
2018 Anthem Inc $16,000,000 Settlement Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access
2018 Allergy Associates of Hartford $125,000 Settlement PHI disclosure to a reporter; No sanctions against employees
2018 Advanced Care Hospitalists $500,000 Settlement Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014
2018 Pagosa Springs Medical Center $111,400 Settlement Failure to terminate employee access; No BAA
2018 Cottage Health $3,000,000 Settlement Risk analysis failure; Risk management failure; No BAA

2017 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2017 21st Century Oncology $2,300,000 Settlement Multiple HIPAA Violations
2017 Memorial Hermann Health System $2,400,000 Settlement Careless Handling of PHI
2017 St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement Unauthorized Disclosure of PHI
2017 The Center for Children’s Digestive Health $31,000 Settlement Lack of a Business Associate Agreement
2017 Cardionet $2,500,000 Settlement Impermissible Disclosure of PHI
2017 Metro Community Provider Network $400,000 Settlement Lack of Security Management Process
2017 Memorial Healthcare System $5,500,000 Settlement Insufficient ePHI Access Controls
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty Impermissible Disclosure of ePHI
2017 MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement Impermissible Disclosure of ePHI
2017 Presense Health $475,000 Settlement Delayed Breach Notifications

2016 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2016 University of Massachusetts Amherst (UMass) $650,000 Settlement Failure to Manage Security Risks
2016 St. Joseph Health $2,140,500 Settlement Failure to Conduct Risk Analysis
2016 Care New England Health System $400,000 Settlement Lack of a Business Associate Agreement
2016 Advocate Health Care Network $5,550,000 Settlement Multiple HIPAA Violations
2016 University of Mississippi Medical Center $2,750,000 Settlement Multiple HIPAA Violations
2016 Oregon Health & Science University $2,700,000 Settlement Lack of a Business Associate Agreement
2016 Catholic Health Care Services of the Archdiocese of Philadelphia $650,000 Settlement Failure to Safeguard ePHI
2016 New York Presbyterian Hospital $2,200,000 Settlement Filming Patients without Authorization
2016 Raleigh Orthopaedic Clinic, P.A. of North Carolina $750,000 Settlement Lack of Business Associate Agreement
2016 Feinstein Institute for Medical Research $3,900,000 Settlement Impermissible Disclosure of PHI
2016 North Memorial Health Care of Minnesota $1,550,000 Settlement Lack of a Business Associate Agreement
2016 Complete P.T., Pool & Land Physical Therapy, Inc. $25,000 Settlement Impermissible Disclosure of PHI
2016 Lincare, Inc. $239,800 Civil Monetary Penalty Failure to Safeguard PHI

2015 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2015 University of Washington Medicine $750,000 Settlement Failure to Conduct Risk Analysis
2015 Triple S Management Corporation $3,500,000 Settlement Multiple HIPAA Violations
2015 Lahey Hospital and Medical Center $850,000 Settlement Multiple HIPAA Violations
2015 Cancer Care Group, P.C. $750,000 Settlement Failure to Conduct Risk Analysis
2015 St. Elizabeth’s Medical Center $218,400 Settlement Multiple HIPAA Violations
2015 Cornell Prescription Pharmacy $125,000 Settlement Improper Disposal of PHI

2014 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2014 Anchorage Community Mental Health Services $150,000 Settlement Failure to Manage Risks to ePHI
2014 Parkview Health System, Inc. $800,000 Settlement Failure to Safeguard PHI
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement Failure to Conduct Risk Analysis
2014 QCA Health Plan, Inc., of Arkansas $250,000 Settlement Failure to Safeguard ePHI
2014 Concentra Health Services $1,725,220 Settlement Failure to Safeguard ePHI
2014 Skagit County, Washington $215,000 Settlement Failure to Safeguard ePHI

2013 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2013 Adult & Pediatric Dermatology, P.C. $150,000 Settlement Failure to Safeguard ePHI
2013 Affinity Health Plan, Inc. $1,215,780 Settlement Failure to Permanently Erase ePHI
2013 WellPoint $1,700,000 Settlement Failure to Safeguard ePHI
2013 Shasta Regional Medical Center $275,000 Settlement Disclosure of PHI Without Patient Consent
2013 Idaho State University $400,000 Settlement Failure to Safeguard ePHI

2012 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2012 The Hospice of Northern Idaho $50,000 Settlement Theft of an Unencrypted Laptop
2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. $1,500,000 Settlement Multiple HIPAA Violations
2012 Alaska DHSS $1,700,000 Settlement Failure to Perform Risk Analysis/Risk Management Failures
2012 Phoenix Cardiac Surgery $100,000 Settlement Lack of HIPAA Safeguards
2012 Blue Cross Blue Shield of Tennessee $1,500,000 Settlement Failure to Implement Appropriate Administrative Safeguards

2011 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2011 University of California at Los Angeles Health System $865,500 Settlement Failure to Restrict Access to Medical Records
2011 General Hospital Corp. & Massachusetts General Physicians Organization Inc. $1,000,000 Settlement Failure to Safeguard PHI
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty Denying Patients Access to Medical Records

2010 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2010 Management Services Organization Washington Inc. $35,000 Settlement Risk Analysis Failures / Insufficient Security Measures
2010 Rite Aid Corporation $1,000,000 Settlement Multiple HIPAA Violations

2009 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2009 CVS Pharmacy Inc. $2,250,000 Settlement Multiple HIPAA Violations

2008 HIPAA Violation Fines and Settlements

Year Covered Entity Amount Settlement/CMP Reason
2008 Providence Health & Services $100,000 Settlement Failure to Implement Appropriate Administrative Safeguards

Attorneys General HIPAA Fines and Settlements

Year State Entity Amount Individuals affected Settlement/CMP Reason
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000 105,000 Settlement Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program.
2021 New Jersey Command Marketing Innovations, LLC and Strategic Content Imaging LLC $130,000 (Plus $65,000 suspended) 55,715 Settlement Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures.
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000 14,663 Settlement Multiple Privacy Rule and Security Rule failures, and violations of Consumer Fraud Act.
2021 Multistate American Medical Collection Agency $21 million (suspended) 21,000,000 Settlement Security failures including the failure to detect a data breach.
2020 Multistate CHSPSC LLC $5,000,000 6.1 million Settlement Failure to implement and maintain reasonable security practices
2020 Multistate Anthem Inc $48.2 million 78.8 million Settlement Multiple violations of HIPAA and state laws
2019 Multistate Premera Blue Cross $10,000,000 10.4 million Settlement Multiple HIPAA violations
2019 Multistate Medical Informatics Engineering $900,000 3.5 million Settlement Multiple HIPAA violations
2019 CA Aetna $935,000 1,991 Settlement 2 mailings exposed PHI (Afib, HIV)
2018 MA McLean Hospital $75,000 1,500 Settlement Loss of backup tapes
2018 NJ EmblemHealth $100,000 6,443 (81,000) Settlement Mailing error exposed SSNs
2018 NJ Best Transcription Medical $200,000 1,650 Settlement Exposure of ePHi via search engines
2018 CT Aetna $99,959 13,160 Settlement (Multistate action) 2 mailings exposed PHI (Afib, HIV data)
2018 NJ Aetna $365,211.59 13,160 Settlement (Multistate action) 2 mailings exposed PHI (Afib, HIV data)
2018 DC Aetna $175,000 13,160 Settlement (Multistate action) 2 mailings exposed PHI (Afib, HIV data)
2018 MA UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Settlement Failure to secure ePHI  and multiple breaches
2018 NY Arc of Erie County $200,000 3,751 Settlement Failure to secure ePHI
2018 NJ Virtua Medical Group $417,816 1,654 Settlement Multiple violations of HIPAA Rules
2018 NY EmblemHealth $575,000 81,122 Settlement Impermissible disclosure of ePHI
2018 NY Aetna $1,150,000 12,000 Settlement 2 mailings exposed PHI (Afib, HIV data)
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report a breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

Cases have been included if there have been potential violations of HIPAA Rules even if the financial penalty was issued for violations of state laws.

HIPAA Violation Fines. FAQs

Does the above list represent all the HIPAA violation fines issued by OCR?

As of June 2022, despite receiving more than 300,00 complaints and reports of data breaches, the HHS´ Office for Civil Rights has only issued fines or agreed settlements in 110 cases. Most of the other cases – in which a violation of HIPAA is considered to have occurred – have been resolved by technical assistance and/or corrective action plans.

Can OCR also pursue criminal charges for violations of HIPAA?

If the Office for Civil Rights reviews a case and believes there are grounds for a possible criminal conviction, the case is referred to the Department of Justice. The Department of Justice has the authority to pursue criminal charges for violations of HIPAA and several individuals responsible for violating HIPAA have received jail sentences. These include:

Why are so many of the latest settlements for HIPAA Right of Access failures?

Since 2019, the Office for Civil Rights has been running a Right of Access enforcement initiative to address the increasing number of complaints from patients who have experienced obstacles or delays in accessing copies of PHI. This does not mean OCR is turning a blind eye to other types of HIPAA violation and the agency continues to investigate other violations and data breaches.

Why are some HIPAA violation fines more than the annual penalty limit?

The annual penalty limit applies per violation type. Therefore, if a covered entity is found non-compliant in (for example) four areas, the non-compliant covered entity could receive four fines, each up to the maximum penalty per violation or annual penalty limit (per violation) depending on their level of culpability.

What do the four penalty/level of culpability tiers represent?

Tier 1: A violation that a Covered Entity or Business Associate was unaware of and could not have realistically avoided had a reasonable amount of care had been taken to comply with HIPAA.

Tier 2: A violation that a Covered Entity or Business Associate should have been aware of but could not have avoided even with a reasonable amount of care to comply with HIPAA.

Tier 3: A violation suffered as a direct result of “willful neglect” in cases where a Covered Entity or Business Associate has been an attempt made to correct the violation.

Tier 4: A violation of HIPAA attributable to willful neglect, where no attempt has been made to correct the violation by a Covered Entity or Business Associate.