HIPAA Violation Fines

HIPAA violation fines can be issued by the Department of Health and Human Services' Office for Civil Rights (OCR) and by state attorneys general.

In the majority of cases, covered entities and business associates accept that there may have been failures to comply with certain elements of the HIPAA Rules; a settlement amount is agreed and the case is resolved with no admission of liability. In addition to the settlement payment, a corrective action plan is issued to address the HIPAA failures.

When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.

While OCR issues fines for HIPAA violations, attorneys general tend to pursue financial penalties against HIPAA-covered entities under state laws rather than under HIPAA when equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win, and the penalty structure at the state level may allow higher financial penalties to be issued.

Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.

Penalty Structure for HIPAA Violations
State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year.

Listed below are the HIPAA violation fines and settlements issued by HHS' Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.

2018 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Multiple HIPAA violations |

2017 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless handling of PHI |
| 2017 | St. Luke's-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized disclosure of PHI |
| 2017 | The Center for Children's Digestive Health | $31,000 | Settlement | Lack of a business associate agreement |
| 2017 | CardioNet | $2,500,000 | Settlement | Impermissible disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of security management process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI access controls |
| 2017 | Children's Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible disclosure of ePHI |
| 2017 | Presence Health | $475,000 | Settlement | Delayed breach notifications |

2016 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to manage security risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to conduct risk analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a business associate agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a business associate agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming patients without authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of a business associate agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a business associate agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to safeguard PHI |

2015 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2015 | University of Washington Medicine | $750,000 | Settlement | Failure to conduct risk analysis |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA violations |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA violations |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to conduct risk analysis |
| 2015 | St. Elizabeth's Medical Center | $218,400 | Settlement | Multiple HIPAA violations |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper disposal of PHI |

2014 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to manage risks to ePHI |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to safeguard PHI |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to conduct risk analysis |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to safeguard ePHI |
| 2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to safeguard ePHI |
| 2014 | Skagit County, Washington | $215,000 | Settlement | Failure to safeguard ePHI |

2013 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to safeguard ePHI |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to permanently erase ePHI |
| 2013 | WellPoint | $1,700,000 | Settlement | Failure to safeguard ePHI |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI without patient consent |
| 2013 | Idaho State University | $400,000 | Settlement | Failure to safeguard ePHI |

2012 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an unencrypted laptop |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA violations |
| 2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to perform risk analysis / risk management failures |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA safeguards |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to implement appropriate administrative safeguards |

2011 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to restrict access to medical records |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to safeguard PHI |
| 2011 | Cignet Health of Prince George's County | $4,300,000 | Civil Monetary Penalty | Denying patients access to medical records |

2010 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk analysis failures / insufficient security measures |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA violations |

2009 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA violations |

2008 HIPAA Violation Fines

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2008 | Providence Health & Services | $100,000 | Settlement | Failure to implement appropriate administrative safeguards |

Attorneys General HIPAA Fines

Cases are included below where there were potential violations of the HIPAA Rules, even if the financial penalty itself was issued for violations of state laws.

| Year | State | Covered Entity | Amount | Individuals Affected | Settlement/CMP | Reason |
|---|---|---|---|---|---|---|
| 2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Server misconfiguration |
| 2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Mailing error |
| 2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | Mailing error |
| 2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records |
| 2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI |
| 2017 | NJ | Horizon Healthcare Services Inc. | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers |
| 2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines with PHI viewable |
| 2017 | NY | CoPilot Provider Support Services, Inc. | $130,000 | 221,178 | Settlement | Delayed breach notification |
| 2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to a nurse who took it to a new employer |
| 2015 | CT | Hartford Hospital / EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI |
| 2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI |
| 2014 | MA | Boston Children's Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI |
| 2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI |
| 2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal |
| 2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI |
| 2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI |
| 2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive / delayed breach notifications |
| 2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report breach in a reasonable timeframe |
| 2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive / delayed breach notifications |