HIPAA Violations, Breach Fines, and Enforcement Resolutions by OCR

View recent HIPAA compliance audits conducted by the OCR, with recent violations for non-compliance with business associate agreement requirements, HIPAA privacy and security policies, lack of employee training, and many more.

Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5). The DHHS Office for Civil Rights (OCR) enforces the privacy and security standards. The following are some of the recent HIPAA compliance fines, penalties, and enforcement activities by OCR.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently announced that the Raleigh Orthopedic Clinic of North Carolina has agreed to pay $750,000 in settlement fees. The clinic faced charges that it had potentially violated HIPAA privacy rules. The “potential violation” wording released by the OCR is meant to obfuscate the role the Raleigh clinic had in its infraction of HIPAA privacy rules; the company unequivocally broke the law. The violation occurred when the Raleigh clinic handed over the protected health information of approximately 17,300 patients to a potential business associate without first executing a business associate agreement, a requirement for all entities when disclosing such information to unauthorized persons. https://www.hipaatraining.net/raleigh-orthopedic-loses-thousands-hipaa-paperwork-error/

Washington, D.C. – The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it reached a $2.2M court settlement with the New York-Presbyterian Hospital for its calamitous infraction of HIPAA privacy rules. This settlement was announced on April 21, 2016. https://www.hipaatraining.net/hipaa-certification-training-certified-hipaa-privacy-security-expert-chpse-couldve-saved-new-york-presbyterian-2-2m/

Complete P.T., Pool & Land Physical Therapy, Inc. has agreed to settle violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Complete P.T. is a physical therapy practice located in the Los Angeles area. The settlement agreement is an admission of civil liability by Complete P.T., requiring payment of $25,000, adoption and implementation of a corrective action plan, and annual reporting of compliance efforts for a one-year period. https://www.hipaatraining.net/physical-therapy-provider-to-pay-25000-for-adding-patient-testimonials-with-images-without-proper-authorization/

According to the report dated November 27, 2013, of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the University of Washington Medicine (UWM) has potentially violated the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by not implementing policies and procedures to prevent, detect, contain, and correct security violations. UWM has agreed to settle by paying $750,000, adopting a corrective action plan, and submitting annual reports on the organization’s compliance efforts. https://www.hipaatraining.net/wp-content/uploads/2016/05/UWM-agreed-to-settle-charges-that-it-potentially-violated-HIPAA.pdf

TRIPLE-S Management Corporation (TRIPLE-S), an insurance holding company formerly known as American Health Medicare Inc., is based in San Juan, Puerto Rico, and offers a wide range of insurance products and services to residents of Puerto Rico through its subsidiaries such as Triple-S Salud Inc., Triple-C Inc., and Triple-S Advantage Inc. TRIPLE-S has agreed to settle imminent violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). https://www.hipaatraining.net/wp-content/uploads/2016/05/Triple-S-OCR-Resolution-Agreement-and-Corrective-Action-Plan-in-Final.pdf

A small pharmacy, Cornell Prescription Pharmacy, in Denver, Colorado is being fined for HIPAA violations. The pharmacy is a small, single-location business that will have to pay $125,000 in fees and fines for large HIPAA violations. They have been violating the HIPAA privacy rule. The local media found out about the violations and reported them. That report drew the attention of the HHS Office for Civil Rights, which launched an immediate investigation. The local media had reported that the pharmacy was disposing of patient records in an open container on the premises. The records contained large amounts of patient health information. https://www.hipaatraining.net/wp-content/uploads/2016/05/Cornell-will-pay-125000-to-OCR.pdf

The Anchorage Community Mental Health Services (ACMHS) Organization has been fined for their violations of the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). The total fines ACMHS has been ordered to pay equal $150,000. They will have to undertake a plan to correct all areas that are lacking in the HIPAA Security Rule compliance requirements. The organization, located in Anchorage, Alaska, provides behavioral health care services to clients of all ages. https://www.hipaatraining.net/wp-content/uploads/2016/05/ACMHS-150000settlement.pdf

Parkview Health System, Inc. has agreed to settle potential violations of the HIPAA Privacy Rule with the U.S. Office for Civil Rights (OCR). Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. Parkview will review and update its HIPAA privacy policies and train all employees on the HIPAA privacy policies and procedures to ensure that similar violations don’t occur. https://www.hipaatraining.net/wp-content/uploads/2016/05/ViolationofHIPAAPrivacyPolicy.pdf

Concentra Health Services will pay the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,725,220 to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices. https://www.hipaatraining.net/wp-content/uploads/2016/05/concentra-health-services-resolution-agreement.pdf

New York and Presbyterian Hospital (NYP) and Columbia University (CU) have agreed to settle charges by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. https://www.hipaatraining.net/wp-content/uploads/2016/05/ny-and-presbyterian-hospital-settlement-agreement.pdf

Skagit County is located in Northwest Washington and is home to approximately 118,000 residents. The County Public Health Department provides essential services to many individuals who would otherwise not be able to afford health care. Skagit County, Washington, will pay $215,000 to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. https://www.hipaatraining.net/wp-content/uploads/2016/05/skagit-county-settlement-agreement.pdf