HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and by state attorneys general.
In the majority of cases, covered entities and business associates accept there have been potential failures to comply with certain elements of HIPAA Rules and a settlement amount is agreed and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address HIPAA failures.
When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.
While OCR issues fines for HIPAA violations, attorneys general tend to choose to pursue financial penalties against HIPAA-covered entities under state laws rather than HIPAA, if equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win and the penalty structure at the state level may allow higher financial penalties to be issued.
Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.
Penalty Structure for HIPAA Violations
The penalty amounts are adjusted annually to account for cost of living increases. The last update was in November 2021 and saw the maximum penalties increased in line with inflation to the amounts shown in the table below.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation (adjusted for inflation) | Max Penalty per Violation (adjusted for inflation) | Annual Penalty Limit (adjusted for inflation) |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $120 | $60,226 | $30,113 |
| Tier 2 | Reasonable Cause | $1,205 | $60,226 | $120,452 |
| Tier 3 | Willful Neglect | $12,045 | $60,226 | $301,130 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $60,226 | $1,806,757 | $1,806,757 |
Further, OCR issued a Notice of Enforcement Discretion in April 2019 stating that the annual penalty limits in three of the penalty tiers would be reduced following a reexamination of the language of the HITECH Act. The cap on the annual penalty limit was changed to $25,000 (now $30,113) for tier 1, $100,000 (now $120,452) for tier 2, and $250,000 (now $301,130) for tier 3. The maximum annual penalty for tier 4 remains unchanged at $1,500,000 (now $1,806,757).
State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year. The maximum penalty is also adjusted annually in line with inflation.
Listed below are the HIPAA violation fines and settlements issued by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.
2022 HIPAA Violation Fines and Settlements
| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2022 | Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| 2022 | Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| 2022 | Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| 2022 | Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |
2021 HIPAA Violation Fines and Settlements
| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2021 | Advanced Spine & Pain Management | $32,150 | Settlement | HIPAA Right of Access failure |
| 2021 | Denver Retina Center | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Dr. Robert Glaser | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| 2021 | Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | $160,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Wake Health Medical Group | $10,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Children’s Hospital & Medical Center | $80,000 | Settlement | HIPAA Right of Access failure |
| 2021 | The Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | Settlement | HIPAA Right of Access failure |
| 2021 | AEON Clinical Laboratories (Peachstate) | $25,000 | Settlement | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and lack of documentation of HIPAA Security Rule policies and procedures) |
| 2021 | Village Plastic Surgery | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Arbour Hospital | $65,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Sharpe Healthcare | $70,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Renown Health | $75,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Excellus Health Plan | $5,100,000 | Settlement | Multiple violations: risk analysis failure, risk management failure, lack of information system activity reviews, lack of technical policies to prevent unauthorized ePHI access, and a breach of 9,358,891 records |
| 2021 | Banner Health | $200,000 | Settlement | HIPAA Right of Access failure |
2020 HIPAA Violation Fines and Settlements
| Year | Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2020 | Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Settlement | HIPAA Right of Access failure |
| 2020 | University of Cincinnati Medical Center | $65,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dr. Rajendra Bhayani | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Riverside Psychiatric Medical Group | $25,000 | Settlement | HIPAA Right of Access failure |
| 2020 | City of New Haven, CT | $202,400 | Settlement | Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure of the PHI of 498 individuals |
| 2020 | Aetna | $1,000,000 | Settlement | Failure to conduct an evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of administrative, technical, and physical safeguards |
| 2020 | NY Spine | $100,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dignity Health, dba St. Joseph’s Hospital and Medical Center | | | Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls |
| 2020 | Athens Orthopedic Clinic PA | $1,500,000 | Settlement | Failure to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training for the workforce |
| 2020 | Housing Works, Inc. | $38,000 | Settlement | HIPAA Right of Access failure |
| 2020 | All Inclusive Medical Services, Inc. | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Beth Israel Lahey Health Behavioral Services | $70,000 | Settlement | HIPAA Right of Access failure |
| 2020 | King MD | $3,500 | Settlement | HIPAA Right of Access failure |
| 2020 | Wise Psychiatry, PC | $10,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Lifespan Health System Affiliated Covered Entity | $1,040,000 | Settlement | Lack of encryption, device and media controls, and business associate agreement failures |
| 2020 | Metropolitan Community Health Services dba Agape Health Services | $25,000 | Settlement | Systemic noncompliance with the HIPAA Security Rule |
| 2020 | Steven A. Porter, M.D. | $100,000 | Settlement | Risk analysis and risk management failures |
2019 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2019 | West Georgia Ambulance | $65,000 | Settlement | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures |
| 2019 | Korunda Medical, LLC | $85,000 | Settlement | HIPAA Right of Access failure |
| 2019 | Sentara Hospitals | $2,175,000 | Settlement | Breach notification failure; business associate agreement failure |
| 2019 | University of Rochester Medical Center | $3,000,000 | Settlement | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device and media controls |
| 2019 | Elite Dental Associates | $10,000 | Settlement | Social media disclosure; notice of privacy practices; impermissible PHI disclosure |
| 2019 | Bayfront Health St Petersburg | $85,000 | Settlement | HIPAA Right of Access failure |
| 2019 | Medical Informatics Engineering | $100,000 | Settlement | Risk analysis failure; impermissible disclosure of 3.5 million records |
| 2019 | Touchstone Medical Imaging | $3,000,000 | Settlement | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI |
| 2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients’ ePHI |
| 2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations |
2018 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures; impermissible disclosure of ePHI; lack of policies covering electronic devices; lack of encryption; insufficient security policies; insufficient physical safeguards |
| 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI; no encryption |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent |
| 2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent |
| 2018 | Anthem Inc | $16,000,000 | Settlement | Risk analysis failures; insufficient reviews of system activity; failure related to response to a detected breach; insufficient technical controls to prevent unauthorized ePHI access |
| 2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to a reporter; no sanctions against employees |
| 2018 | Advanced Care Hospitalists | $500,000 | Settlement | Impermissible PHI disclosure; no BAA; insufficient security measures; no HIPAA compliance efforts prior to April 1, 2014 |
| 2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; no BAA |
| 2018 | Cottage Health | $3,000,000 | Settlement | Risk analysis failure; risk management failure; no BAA |
2017 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a business associate agreement |
| 2017 | Cardionet | $2,500,000 | Settlement | Impermissible disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of security management process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI access controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible disclosure of ePHI |
| 2017 | Presence Health | $475,000 | Settlement | Delayed breach notifications |
2016 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to manage security risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to conduct risk analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a business associate agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a business associate agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming patients without authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of a business associate agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a business associate agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to safeguard PHI |
2015 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2015 | University of Washington Medicine | $750,000 | Settlement | Failure to conduct risk analysis |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA violations |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA violations |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to conduct risk analysis |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA violations |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper disposal of PHI |
2014 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to manage risks to ePHI |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to safeguard PHI |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to conduct risk analysis |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to safeguard ePHI |
| 2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to safeguard ePHI |
| 2014 | Skagit County, Washington | $215,000 | Settlement | Failure to safeguard ePHI |
2013 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to safeguard ePHI |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to permanently erase ePHI |
| 2013 | WellPoint | $1,700,000 | Settlement | Failure to safeguard ePHI |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI without patient consent |
| 2013 | Idaho State University | $400,000 | Settlement | Failure to safeguard ePHI |
2012 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an unencrypted laptop |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA violations |
| 2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to perform risk analysis/risk management failures |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA safeguards |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to implement appropriate administrative safeguards |
2011 HIPAA Violation Fines and Settlements
| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to restrict access to medical records |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | | | Failure to implement appropriate administrative safeguards |
Attorneys General HIPAA Fines and Settlements
| Year | State | Entity | Amount | Individuals affected | Settlement/CMP | Reason |
|---|---|---|---|---|---|---|
| 2021 | New Jersey | Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) | $425,000 | 105,000 | Settlement | Failure to ensure the confidentiality, integrity, and availability of PHI; failure to protect against reasonably anticipated threats; failure to implement security measures to reduce risks; failure to conduct an accurate risk assessment; lack of a security awareness and training program |
| 2021 | New Jersey | Command Marketing Innovations, LLC and Strategic Content Imaging LLC | $130,000 (plus $65,000 suspended) | 55,715 | Settlement | Failure to ensure the confidentiality of PHI; lack of PHI safeguards; failure to review security measures following changes to procedures |
| 2021 | New Jersey | Diamond Institute for Infertility and Menopause | $495,000 | 14,663 | Settlement | Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act |
| 2021 | Multistate | American Medical Collection Agency | $21 million (suspended) | 21,000,000 | Settlement | Security failures including the failure to detect a data breach |
| 2020 | Multistate | CHSPSC LLC | $5,000,000 | 6.1 million | Settlement | Failure to implement and maintain reasonable security practices |
| 2020 | Multistate | Anthem Inc | $48.2 million | 78.8 million | Settlement | Multiple violations of HIPAA and state laws |
| 2019 | Multistate | Premera Blue Cross | $10,000,000 | 10.4 million | Settlement | Multiple HIPAA violations |
| 2019 | Multistate | Medical Informatics Engineering | $900,000 | 3.5 million | Settlement | Multiple HIPAA violations |
| 2019 | CA | Aetna | $935,000 | 1,991 | Settlement | 2 mailings exposed PHI (AFib, HIV) |
| 2018 | MA | McLean Hospital | $75,000 | 1,500 | Settlement | Loss of backup tapes |
| 2018 | NJ | EmblemHealth | $100,000 | 6,443 (81,000) | Settlement | Mailing error exposed SSNs |
| 2018 | NJ | Best Transcription Medical | $200,000 | 1,650 | Settlement | Exposure of ePHI via search engines |
| 2018 | CT | Aetna | $99,959 | 13,160 | Settlement (multistate action) | 2 mailings exposed PHI (AFib, HIV data) |
| 2018 | NJ | Aetna | $365,211.59 | 13,160 | Settlement (multistate action) | 2 mailings exposed PHI (AFib, HIV data) |
| 2018 | DC | Aetna | $175,000 | 13,160 | Settlement (multistate action) | 2 mailings exposed PHI (AFib, HIV data) |
| 2018 | MA | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement | Failure to secure ePHI and multiple breaches |
| 2018 | NY | Arc of Erie County | $200,000 | 3,751 | Settlement | Failure to secure ePHI |
| 2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Multiple violations of HIPAA Rules |
| 2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Impermissible disclosure of ePHI |
| 2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | 2 mailings exposed PHI (AFib, HIV data) |
| 2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records |
| 2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI |
| 2017 | NJ | Horizon Healthcare Services Inc. | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers |
| 2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines and PHI viewable |
| 2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Settlement | Delayed breach notification |
| 2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to a nurse who took it to a new employer |
| 2015 | CT | Hartford Hospital / EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI |
| 2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI |
| 2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI |
| 2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI |
| 2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal |
| 2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI |
| 2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI |
| 2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive / delayed breach notifications |
| 2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report a breach in a reasonable timeframe |
| 2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive / delayed breach notifications |
Cases have been included if there have been potential violations of HIPAA Rules even if the financial penalty was issued for violations of state laws.