Blue Cross and Hartford Healthcare Come to a Settlement
What are the Penalties for HIPAA Violations?
Penalties for HIPAA violations can be issued by the Department of Health and Human Services' Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.
The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom.
Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to HIPAA covered entities that fail to comply with HIPAA Rules.
Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013.
Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses, and all other covered entities, as well as business associates (BAs) of covered entities that are found to have violated HIPAA Rules.
Financial penalties are intended to act as a deterrent to prevent the violation of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and the confidentiality of health data, and providing patients with access to their health records on request.
The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. The OCR sets the penalty based on a number of "general factors" and the seriousness of the HIPAA violation.
Ignorance of HIPAA Rules is no excuse for failing to comply with HIPAA Rules. It is the responsibility of each covered entity to ensure that HIPAA Rules are understood and followed. In cases when a covered entity is discovered to committed a willful violation of HIPAA laws, the maximum fines apply.
What Constitutes a HIPAA Violation?
There is much talk of HIPAA violations in the media, but what constitutes a HIPAA violation? A HIPAA violation is when a HIPAA-covered entity – or a business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.
A violation may be deliberate or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties will be at a lower rate to willful violations of HIPAA Rules.
An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications – A violation of the HIPAA Breach Notification Rule.
Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.
Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity or business associate's plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules.
What Happens if you Violate HIPAA? – HIPAA Violation Classifications
What happens if you violate HIPAA? That depends on the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.
The four categories used for the penalty structure are as follows:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
- Tier 3: A violation suffered as a direct result of "willful neglect" of HIPAA Rules, in cases where an attempt has been made to correct the violation
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for a covered entity to be issued with a fine. OCR appreciates this and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involved willful neglect of the Privacy, Security, and Breach Notification Rules.
HIPAA Violation Penalty Structure
Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected, and the nature of the data exposed. An organization's willingness to assist with an OCR investigation is also taken into account. The general factors that can affect the amount of the financial penalty also include prior history, the organization's financial condition, and the level of harm caused by the violation.
- Tier 1: Minimum fine of $100 per violation up to $50,000
- Tier 2: Minimum fine of $1,000 per violation up to $50,000
- Tier 3: Minimum fine of $10,000 per violation up to $50,000
- Tier 4: Minimum fine of $50,000 per violation
The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account.
The HIPAA violation penalties that were updated by the HITECH Act, as indicated in the image above, are adjusted annually for inflation to take into account the increase in the cost of living. In November 2021, the Adjustment for 2021, 45 CFR Part 102, 86 Fed. Reg. 62928 was 1.01182%
With the latest inflation increases and those applied in previous years, the minimum and maximum HIPAA violation penalty amounts are now as follows:
| Penalty Tier | Culpability | Minimum Penalty per Violation – Inflation Adjusted | Max Penalty per Violation – Inflation Adjusted | Maximum Penalty Per Year (cap) – Inflation Adjusted |
| Tier 1 | Lack of Knowledge | $120 | $60,226 | $1,806,757 |
| Tier 2 | Reasonable Cause | $1,205 | $60,226 | $1,806,757 |
| Tier 3 | Willful Neglect | $12,045 | $60,226 | $1,806,757 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $60,226 | $1,806,757 | $1,806,757 |
The HITECH Act increased the potential penalties for HIPAA violations to strengthen enforcement of HIPAA compliance and to give HIPAA-covered entities a greater incentive to press forward with their compliance programs. OCR interpreted the text of the HITECH Act to mean maximum and minimum penalties should be set in each of the four penalty tiers based on the level of culpability. However, there were some ambiguities with respect to the maximum possible annual fines in each of the violation tiers.
OCR interpreted the HITECH Act requirements to mean the maximum penalty in each violation category should be $1,500,000 per year for violations of an identical provision (adjusted annually for inflation). However, in April 2019, OCR re-evaluated the HITECH Act text and interpreted the maximum fines differently. From April 2019 onward, the maximum fines that can be applied for violations of an identical provision in a calendar year are different in each penalty tier. The maximum fine per violation category, per year, is still $1,500,000 for a Tier 4 violation. The maximum annual fine has been reduced in each of the other tiers, as detailed in the infographic below. The new maximum penalty amounts are detailed in an April 2019 Notice of Enforcement Discretion published in the Federal Register which will remain in effect indefinitely.
Under OCR's 2019 Notice of Enforcement Discretion, the minimum and maximum penalties for HIPAA violations in 2021 are detailed in the table below.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation (adjusted for inflation) | Max Penalty per Violation (adjusted for inflation) | Annual Penalty Limit (adjusted for inflation) |
| Tier 1 | Lack of Knowledge | $120 | $30,113 | $30,113 |
| Tier 2 | Reasonable Cause | $1,205 | $60,226 | $120,452 |
| Tier 3 | Willful Neglect | $12,045 | $60,226 | $301,130 |
| Tier 4 | Willful neglect (not corrected within 30 days0 | $60,226 | $1,806,757 | $1,806,757 |
A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA rules; however minor.
A fine may also be applied on a daily basis. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.
Attorneys General Can Also Issue HIPAA Violation Fines
Since the introduction of the HITECH Act (Section 13410(e) (1)) in February 2009, state attorneys general have the authority to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and can file civil actions with the federal district courts. HIPAA violation fines can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.
A covered entity suffering a data breach affecting residents in multiple states may be ordered to pay HIPAA violation fines to attorneys general in multiple states. Relatively few states have taken action against HIPAA-regulated entities for violations of the HIPAA Rules – California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, New York, Vermont, and the District of Columbia. In recent years attorneys general have joined forces and have pursued penalties for HIPAA violations in response to large-scale data breaches that have affected individuals across the United States, and have pooled their resources and taken a cut of any settlements or civil monetary penalties. While only a small number of states have exercised their authority to issue fines for HIPAA violations, that does not mean HIPAA violations are going unpunished. Many states have pursued financial penalties for equivalent violations of state laws.
Can HIPAA Violations be Criminal?
When a HIPAA-covered entity or business associate violates HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it is usually their employer that receives the penalty, but not always. If healthcare professionals knowingly obtain or use protected health information for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA.
Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals that have knowingly violated HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences.
Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual "knowingly" violates HIPAA, knowingly means that they have some knowledge of the facts that constitute the offense, not that they definitely know that they are violating HIPAA Rules.
Criminal Penalties for HIPAA Violations
Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case. As with OCR, a number of general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access, or disclosure of PHI, it may be necessary for all money received to be refunded, in addition to the payment of a fine.
The tiers of criminal penalties for HIPAA violations are:
Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail
Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail
In recent months, the number of employees discovered to be accessing or stealing PHI – for various reasons – has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified promptly.
All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment but potentially also a lengthy jail term and a heavy fine.
State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely.
Convictions and Jail Time for HIPAA Violations
Florida Medical Clinic Worker Sentenced to 48 Months in Jail over Theft of PHI
3-Year Jail Term for VA Employee Who Stole Patient Data
Former New York Dental Practice Receptionist Sentenced to 2-6 years for HIPAA Violation
UPMC Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation
Employee Sanctions for HIPAA Violations
Not all HIPAA violations are a result of insider theft, and many Covered Entities and Business Associates apply a scale of employee sanctions for HIPAA violations depending on factors such as whether the violation was intentional or accidental, whether it was reported by the employee as soon as the violation was realized, and the magnitude of the breach. Some Covered Entities also apply employee sanctions for HIPAA violations on employees who were aware a violation (by another employee) had occurred but failed to report it.
Employee sanctions for HIPAA Violations vary in gravity from further training to dismissal. The decision should be taken in consultation with HIPAA Privacy and Security Officers, who may have to conduct interviews with the employee, investigate audit trails, and review telephone logs – including the telephone logs of the employee´s mobile phone. Because of the expense and disruption attributable to applying employee sanctions for HIPAA violations, it is worthwhile dedicating more resources to initial employee training in order to prevent HIPAA violations – whether intentional or accidental – from occurring.
Receiving a Civil Penalty for Unknowingly Violating HIPAA
Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations is not regarded as a justifiable excuse for failing to implement the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.
As a result of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without authorization when a laptop containing the data was stolen from a car parked outside an employee´s home. Speaking after details of the fine had been announced, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for disregarding security.
It may also be possible for a CE or BA to receive a civil penalty for unknowingly violating HIPAA if the state in which the violation occurs allows individuals to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, individuals can still use the regulations to establish a standard of care under common law. Several cases of this nature are currently in progress.
HIPAA Compliance Audits are Likely to Result in Penalties for HIPAA Violations
If a CE or BA is found not to have complied with HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance – even if there has been no breach of PHI or no complaint.
After much delay, OCR is now conducting the second phase of HIPAA compliance audits. The audits are not being conducted specifically to find HIPAA violations and to issue financial penalties, although if serious violations of HIPAA Rules are discovered, financial penalties may be deemed appropriate.
The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed many covered entities were struggling with compliance. OCR provided technical assistance to help those entities correct areas of noncompliance and no penalties for HIPAA violations were issued.
Now, 5 years on, covered entities have had ample time to develop their compliance programs. This time around, OCR is not expected to be so lenient.
One of the biggest areas of noncompliance with HIPAA Rules discovered during the first phase of compliance audits was the failure to conduct a comprehensive, organization-wide risk assessment.
The risk assessment is fundamental to developing a good security posture. If a risk assessment is not conducted, a covered entity will be unaware whether any security vulnerabilities exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be managed and reduced to an acceptable level.
A look at the penalties for HIPAA violations issued by OCR shows just how common risk assessment violations occur. Risk assessment failures frequently attract financial penalties.
The failure to complete Business Associate Agreements (BAAs) with third-party service providers can attract penalties for HIPAA noncompliance. Several covered entities have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.
BAAs are a key area that OCR will be keeping an eye on throughout its audit program. BAAs – contracts that lay out the permitted uses and allowable disclosures of PHI – should be signed with every third-party service provider with whom PHI is disclosed (including lawyers).
Penalties for Non-Compliance with HIPAA
When deciding on an appropriate settlement, OCR considers the severity of the violation, the extent of non-compliance with HIPAA Rules, the number of individuals impacted, and the impact a breach has had on those individuals. OCR also considers the financial position of the covered entity. Punitive measures may be necessary, but penalties for HIPAA violations should not result in a covered entity being forced out of business.
The purpose of these penalties for HIPAA violations is in part to punish covered entities for serious violations of HIPAA Rules, but also to send a message to other healthcare organizations that noncompliance with HIPAA Rules is not acceptable.
HIPAA Penalties 2022
OCR is continuing to crack down on violations of the HIPAA Rules, with violations of the HIPAA Right of Access one of OCR's main enforcement priorities in 2021, as it has been since the HIPAA Right of Access enforcement initiative was launched in late 2019. It is likely that HIPAA violation fines in 2022 will continue to be imposed at high levels for violations of the HIPAA Right of Access, although questions have been raised about HIPAA fines for other violations.
The HIPAA violation penalty that was imposed in 2018 on the University of Texas MD Anderson Cancer Center for a data breach and lack of encryption was overturned on appeal in 2021. On January 14, 2021, a three-member panel for the Fifth Circuit Court of Appeals unanimously vacated the $4,348,000 penalty. Since then, only one HIPAA penalty has been imposed for violations of the HIPAA Rules other than the HIPAA Right of Access. The decision by the Court of Appeals could be affecting OCR's willingness to pursue financial penalties for certain HIPAA violations and may encourage HIPAA-covered entities subject to HIPAA violation cases in 2022 to appeal any proposed penalties.
OCR now has a new Director, Lisa J. Pino, who at the time of writing has only been in the position for a short time. it is therefore too early to tell what approach when will take regarding HIPAA enforcement. As and when 2022 HIPAA penalties are announced they will be listed below.
We will list the latest HIPAA penalties in 2022 as and when they are announced by OCR.
2022 HIPAA Fines and Settlements
There have been four HIPAA enforcement actions so far in 2022 that have resulted in financial penalties. OCR has continued with its 2019 HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access, and penalties have also been imposed for other HIPAA violations, such as impermissible disclosures of ePHI.
In 2021, the HITECH Act was amended to include a 'safe harbor' for HIPAA-regulated entities that have implemented 'recognized security practices' for not fewer than 12 months prior to a data security incident occurring. If those security practices have been adopted, they will be considered by OCR when deciding on financial penalties and other actions in response to data incidents and could result in financial penalties being avoided altogether.
2022 HIPAA Settlements
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| Dr. Brockley | HIPAA Right of Access | 1 | $30,000 |
| Jacob & Associates | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer | 1 | $28,000 |
| Northcutt Dental-Fairhope | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer | 5,385 | $62,500 |
2021 Civil Monetary Penalties for HIPAA Violations
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A | Impermissible disclosure on social media | 1 | $50,000 |
OCR HIPAA Fines 2021
There was a reduction in the number of financial penalties for HIPAA violations in 2021 from the record number of penalties of 2020, with OCR's decision to finalize penalties potentially being affected by the COVID-19 pandemic. That said, penalties have continued to be imposed at relatively high levels, with most of the recent HIPAA violation cases 2021 imposed for violations of the HIPAA Right of Access. Out of the 14 HIPAA violation cases in 2021 that have resulted in financial penalties, 12 have been for HIPAA Right of Access violations.
In January 2021, one of the largest ever HIPAA fines was imposed on Excellus Health Plan. The settlement resolved a HIPAA case that stemmed from an investigation of a breach of the PHI of 9,358,891 individuals that was reported to OCR in 2015. Aside from that penalty, most of the settlements and civil monetary penalties have been for relatively small amounts and have resulted from investigations of complaints from patients than reports of data breaches. As well as the 2021 HIPAA fines being lower, there was a much higher percentage of financial penalties imposed on small healthcare providers than in previous years. That trend is likely to continue in 2022.
2021 HIPAA Settlements
| HIPAA Regulated Entity | Reason | Individuals Impacted | Amount |
| Advanced Spine & Pain Management | HIPAA Right of Access failure | 1 | $32,150 |
| Denver Retina Center | HIPAA Right of Access failure | 1 | $30,000 |
| Rainrock Treatment Center LLC (dba monte Nido Rainrock) | HIPAA Right of Access failure | 1 | $160,000 |
| Wake Health Medical Group | HIPAA Right of Access failure | 1 | $10,000 |
| Children's Hospital & Medical Center | HIPAA Right of Access failure | 1 | $80,000 |
| The Diabetes, Endocrinology & Lipidology Center, Inc. | HIPAA Right of Access failure | 1 | $5,000 |
| AEON Clinical Laboratories (Peachstate) | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and documentation of HIPAA Security Rule policies and procedures | Unknown | $25,000 |
| Village Plastic Surgery | HIPAA Right of Access failure | 1 | $30,000 |
| Arbour Hospital | HIPAA Right of Access failure | 1 | $65,000 |
| Sharpe Healthcare | HIPAA Right of Access failure | 1 | $70,000 |
| Renown Health | HIPAA Right of Access failure | 1 | $75,000 |
| Excellus Health Plan | Multiple HIPAA Violations: Risk analysis, risk management, information system activity reviews, technical policies to prevent unauthorized ePHI access, breach of 9,358,891 records. | 9,358,891 | $5,100,000 |
| Banner Health | HIPAA Right of Access failure | 2 | $200,000 |
2021 Civil Monetary Penalties for HIPAA Violations
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| Dr. Robert Glaser | HIPAA Right of Access failure | 1 | $100,000 |
OCR HIPAA Fines 2020
2020 saw more financial penalties imposed on HIPAA-covered entities and business associates than in any other year since OCR started enforcing HIPAA compliance. 19 settlements were reached to resolve potential violations of the HIPAA Rules. OCR continued with its HIPAA Right of Access enforcement initiative that commenced in late 2019 and by year-end had settled 11 cases where patients had not been provided with timely access to their medical records for a reasonable cost-based fee.
2020 saw the second-largest settlement to resolve HIPAA violations. The health insurer Premera Blue Cross paid OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of its 2015 breach of the ePHI of 10,466,692 individuals.
2020 OCR HIPAA Settlements
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| Peter Wrobel, M.D., P.C., dba Elite Primary Care | HIPAA Right of Access failure | 2 | $36,000 |
| University of Cincinnati Medical Center | HIPAA Right of Access failure | 1 | $65,000 |
| Dr. Rajendra Bhayani | HIPAA Right of Access failure | 1 | $15,000 |
| Riverside Psychiatric Medical Group | HIPAA Right of Access failure | 1 | $25,000 |
| City of New Haven, CT | Failure to terminate access rights; risk analysis failure; failure to implement Privacy Rule policies; failure to issue unique IDs to allow system activity to be tracked; impermissible disclosure of the PHI of 498 individuals | 498 | $202,400 |
| Aetna | Lack of technical and nontechnical evaluation in response to environmental or operational changes; identity check failure; minimum necessary information failure; impermissible disclosure of 18,849 records; lack of administrative, technical, and physical safeguards | 18,849 | $1,000,000 |
| NY Spine | HIPAA Right of Access failure | 1 | $100,000 |
| Dignity Health, dba St. Joseph's Hospital and Medical Center | HIPAA Right of Access failure | 1 | $160,000 |
| Premera Blue Cross | Risk assessment failure; risk management failure; insufficient hardware and software controls; unauthorized access to the PHI of 10,466,692 individuals | 10,466,692 | $6,850,000 |
| CHSPSC LLC | Failure to conduct a risk analysis; failures to implement information system activity reviews, security incident procedures, and access controls, and a breach of the ePHI of more than 6 million individuals | 6,121,158 | $2,300,000 |
| Athens Orthopedic Clinic PA | Failure to conduct a risk analysis; lack of risk management and audit controls; failure to maintain HIPAA policies and procedures; business associate agreement failure; and the failure to provide HIPAA Privacy Rule training to the workforce. | 208,557 | $1,500,000 |
| Housing Works, Inc. | HIPAA Right of Access failure | 1 | $38,000 |
| All Inclusive Medical Services, Inc. | HIPAA Right of Access failure | 1 | $15,000 |
| Beth Israel Lahey Health Behavioral Services | HIPAA Right of Access failure | 1 | $70,000 |
| King MD | HIPAA Right of Access failure | 1 | $3,500 |
| Wise Psychiatry, PC | HIPAA Right of Access failure | 1 | $10,000 |
| Lifespan Health System Affiliated Covered Entity | Lack of encryption; insufficient device and media controls; lack of business associate agreements; impermissible disclosure of 20,431 patients' ePHI | 20,431 | $1,040,000 |
| Metropolitan Community Health Services dba Agape Health Services | Longstanding, systemic noncompliance with the HIPAA Security Rule | 1,263 | $25,000 |
OCR HIPAA Fines 2019
HIPAA enforcement continued at a high level in 2019. Eight settlements were reached with HIPAA-covered entities and business associates to resolve HIPAA violations and two civil monetary penalties were issued. The financial penalties were imposed to resolve similar violations of HIPAA Rules as previous years, but 2019 also saw the first financial penalties issued under OCR's new HIPAA Right of Access initiative. Two covered entities settled cases over the failure to provide patients with a copy of their medical records, in the requested format, in a reasonable time frame.
2019 OCR HIPAA Settlements
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| West Georgia Ambulance | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures. | 500 | $65,000 |
| Korunda Medical, LLC | HIPAA Right of Access failure. | 1 or more | $85,000 |
| Sentara Hospitals | Breach notification failure; business associate agreement failure | 577 | $2,175,000 |
| University of Rochester Medical Center | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls. | 43 | $3,000,000 |
| Elite Dental Associates | Social media disclosure; notice of privacy practices; impermissible PHI disclosure. | Unconfirmed | $10,000 |
| Bayfront Health St Petersburg | HIPAA Right of Access failure | 1 | $85,000 |
| Medical Informatics Engineering | Risk analysis failure; impermissible disclosure of 3.5 million records | 3,500,000 | $100,000 |
| Touchstone Medical imaging | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals' PHI. | 307,839 | $3,000,000 |
2019 OCR Civil Monetary Penalties
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| Texas Department of Aging and Disability Services | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI | 6,617 | $1,600,000 |
| Jackson Health System | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations | 25,661 | $2,154,000 |
OCR HIPAA Fines 2018
There was a year-over-year increase in HIPAA violation penalties in 2018. 11 financial penalties were agreed in 2018: 10 settlements and one civil monetary penalty. Two records were broken in 2018. 2018 saw the largest ever HIPAA settlement agreed – A $16 million financial penalty for Anthem Inc., to resolve HIPAA violations discovered during the investigation of its 78.8 million record breach in 2015. HIPAA-covered entities also paid more in fines than in any other year since OCR started enforcing compliance with HIPAA Rules: $28,683,400.
2018 OCR HIPAA Settlements
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| Cottage Health | Risk analysis and risk management failures; No BAA | 62,500 | $3,000,000 |
| Pagosa Springs Medical Center | Failure to terminate employee access; No BAA | 557+ | $111,400 |
| Advanced Care Hospitalists | Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 | 9,255 | $500,000 |
| Allergy Associates of Hartford | PHI disclosure to a reporter; No sanctions against employees | 1 | $125,000 |
| Anthem Inc | Risk analysis failure; Insufficient reviews of system activity; Failure to respond to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access | 78,800,000 | $16,000,000 |
| Boston Medical Center | Filming patients without consent | Unspecified | $100,000 |
| Brigham and Women's Hospital | Filming patients without consent | Unspecified | $384,000 |
| Massachusetts General Hospital | Filming patients without consent | Unspecified | $515,000 |
| Filefax, Inc. | Impermissible disclosure of physical PHI – Left unprotected in truck | 2,150 | $100,000 |
| Fresenius Medical Care North America | 5 breaches: Investigation revealed risk analysis failures; Impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards | 521 | $3,500,000 |
2018 Civil Monetary Penalties for HIPAA Violations
| HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
| University of Texas MD Anderson Cancer Center | 3 breaches resulting in an impermissible disclosure of ePHI; No Encryption | 34,883 | $4,348,000 |
OCR HIPAA Fines 2017
A summary of the 2017 OCR penalties for HIPAA violations.
2017 OCR HIPAA Settlements
| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Settlement Amount |
| Memorial Healthcare System | Impermissible access of PHI by employees; Impermissible disclosure of PHI to affiliated physicians' offices | 115,143 | $5,500,000 |
| Cardionet | Theft of an unencrypted laptop computer | 1,391 | $2,500,000 |
| Memorial Hermann Health System | Disclosure of patient's PHI to the media | 1 | $2,400,000 |
| 21st Century Oncology | Multiple HIPAA violations | 2,213,597 | $2,300,000 |
| MAPFRE Life Insurance Company of Puerto Rico | Theft of an unencrypted USB storage device | 2,209 | $2,200,000 |
| Presense Health | Delayed breach notifications | 836 | $475,000 |
| Metro Community Provider Network | Lack of a security management process to safeguard ePHI | 3,200 | $400,000 |
| Luke's-Roosevelt Hospital Center Inc. | Impermissible disclosure of PHI to patient's employer | 1 | $387,000 |
| The Center for Children's Digestive Health | Lack of a business associate agreement | N/A | $31,000 |
2017 Civil Monetary Penalties for HIPAA Violations
| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Penalty Amount |
| Children's Medical Center of Dallas | Theft of unencrypted devices | 6,262 | $3,200,000 |
OCR HIPAA Fines 2016
2016 was a record year for financial penalties to resolve violations of HIPAA Rules. 2016 saw 12 settlements agreed and one civil monetary penalty issued by OCR.
2016 OCR HIPAA Settlements
| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Settlement Amount |
| Feinstein Institute for Medical Research | Improper disclosure of research participants' PHI | 13,000 | $3,900,000 |
| Advocate Health Care Network | Theft of desktop computers; Loss of laptop; Improper accessing of data at a business associate | 3,994,175 | $5,550,000 |
| University of Mississippi Medical Center | Unprotected network drive | 10,000 | $2,750,000 |
| Oregon Health & Science University | Loss of unencrypted laptop; Storage on cloud server without BAA | 4,361 | $2,700,000 |
| New York Presbyterian Hospital | Filming of patients by a TV crew | Unconfirmed | $2,200,000 |
| North Memorial Health Care of Minnesota | Theft of laptop computer; Improper disclosure to a business associate | 299,401 | $1,550,000 |
| St. Joseph Health | PHI made available through search engines | 31,800 | $2,140,500 |
| Raleigh Orthopaedic Clinic, P.A. of North Carolina | Improper disclosure to a business associate | 17,300 | $750,000 |
| University of Massachusetts Amherst (UMass) | Malware infection | 1,670 | $650,000 |
| Catholic Health Care Services of the Archdiocese of Philadelphia | Theft of mobile device | 412 | $650,000 |
| Care New England Health System | Loss of two unencrypted backup tapes | 14,000 | $400,000 |
| Complete P.T., Pool & Land Physical Therapy, Inc. | Improper disclosure of PHI (website testimonials) | Unconfirmed | $25,000 |
2016 Civil Monetary Penalties for HIPAA Violations
| HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Penalty Amount |
| Lincare, Inc. | Improper disclosure (unprotected documents) | 278 | $239,800 |
What are the Penalties for HIPAA Violations? FAQs
What does a correct action plan consist of?
The purpose of a corrective action plan is to address the underlying issue that led to a HIPAA violation and therefore what the action plan consists of will be relevant to the nature of the violation. Typically, Covered Entities and Business Associates will be required to develop or revise policies to fill gaps in their compliance; and, when new or revised policies affect the functions of the workforce, provide training on the policies.
Are penalties for HIPAA violations always related to data breaches?
No. As you will see from the tables above, several Covered Entities have been fined or reached settlement resolutions for failing to provide patients with access to their healthcare records within the permitted 30 days. One Covered Entity was fined for failing to have a Business Associate Agreement in place before disclosing ePHI to a Business Associate. None of these penalties for HIPAA violations involved the unauthorized disclosure of unsecured PHI.
How does the Office for Civil Rights find out about HIPAA violations?
The Office for Civil Rights finds out about HIPAA violations in a number of ways. For example, Covered Entities are required to report breaches of unsecured PHI within 60 days (or annually if the breach involves fewer than 500 patients), patients can use the OCR complaints portal to report a delay or refusal to access health information, and members of Covered Entities´ workforces are granted whistle blower protection for reporting non-compliance.
What if a violation occurs due to a common non-compliant practice?
Organizations that fail to monitor compliance run the risk of non-compliant practices developing in the workplace "to get the job done". When a HIPAA violation occurs due to a common non-compliant practice, the penalty will depend on the nature of the violation, but it will most likely consist of refresher training and a compliance monitoring program – potentially by a third-party organization at the organization´s own cost.
Has anybody ever received a custodial sentence for violating HIPAA?
Custodial sentences for HIPAA violations are rare, but they do occur – especially when an employee steals PHI to commit identify theft or to sell on for personal gain. Even when a violation does not result in a custodial sentence, the offending employee will likely be fined, lose their job, and have their license to practice withdrawn. Depending on how the employee accessed the data, Covered Entities and Business Associates can also be fined for the same violation.
wilsonthadectives.blogspot.com
Source: https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
Post a Comment for "Blue Cross and Hartford Healthcare Come to a Settlement"