Detailed here is a summary of HIPAA violation cases that have led to settlements with the Department of Health and Human Services’ Office for Civil Rights (OCR), including actions OCR pursued after possible HIPAA violations were discovered during data breach reviews and during investigations of complaints filed by patients and healthcare workers.
OCR has stepped up its enforcement activity in recent years, with more HIPAA violation cases ending in financial penalties, whether settlements or civil monetary penalties.
By expanding its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of the HIPAA Rules will not go unpunished.
What are the Penalties for Breaching HIPAA?
The consequences of violating HIPAA can be severe, and it is important to remember that the HHS’ Office for Civil Rights (OCR) can impose penalties for a HIPAA violation even if no breach of PHI has occurred. The financial penalty for a HIPAA violation is determined by the level of culpability and, if a breach has occurred, by the number of records that may have been exposed and the risk posed by the impermissible disclosure. The penalty tiers (before inflation adjustment) are:
- A violation the entity did not know about, and could not reasonably have known about, can lead to a penalty of $100 – $50,000 per violation.
- A violation that occurred despite reasonable cause (the entity knew or should have known, but not through willful neglect) leads to a penalty of $1,000 – $50,000 per violation.
- A violation due to willful neglect that is corrected within thirty days leads to a penalty of $10,000 – $50,000 per violation.
- A violation due to willful neglect that is not corrected within thirty days leads to the maximum penalty of $50,000 per violation.
These are the penalties OCR can impose; in each tier the total for identical violations is capped at $1.5 million per calendar year. State attorneys general can also impose fines if a breach of PHI violates state law, and, if it can be shown that an individual suffered harm because of the negligence of a covered entity or business associate, the individual may be able to file a civil lawsuit for damages under state law (HIPAA itself does not provide a private right of action). In some jurisdictions the damages awarded could far exceed the $1.5 million annual cap that applies to OCR’s penalties.
2018 HIPAA Violation Cases
Cottage Health – Exposure of ePHI Over Internet
OCR agreed to settle a number of alleged HIPAA violations with Cottage Health for $3,000,000. In 2013 and again in 2015, security protections on servers were accidentally removed, leaving files containing ePHI accessible over the internet without a username or password. The ePHI of 62,500 patients was exposed. OCR found risk analysis failures, risk management failures, a failure to perform technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement.
Pagosa Springs Medical Center – Failure to Turn Off Employee Access
OCR fined Pagosa Springs Medical Center $111,400 for failing to deactivate a former employee’s access to a web-based scheduling calendar, which led to an impermissible disclosure of 557 patients’ ePHI. The medical center had also failed to enter into a BAA with a business associate.
Advanced Care Hospitalists – Numerous Compliance Failures Resulting in PHI Breaches
An OCR investigation into an impermissible disclosure of 9,255 individuals’ PHI by Advanced Care Hospitalists uncovered major HIPAA compliance failures, including the absence of a BAA with the vendor that received the PHI, insufficient security measures to safeguard ePHI, and no documentation showing that any HIPAA compliance efforts had been made before April 1, 2014. A settlement of $500,000 was agreed to resolve the alleged HIPAA violations.
Allergy Associates of Hartford – Sharing PHI with Reporter
OCR investigated a complaint about an impermissible disclosure of a patient’s PHI to a journalist. OCR confirmed that the PHI had been disclosed without the patient’s authorization and that the practice had taken no disciplinary action against the physician responsible, even though he had been warned in advance not to disclose any PHI. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations.