HIPAA Violation Fines - Updated for 2022 (2022)

HIPAA violation fines can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general.

In the majority of cases, covered entities and business associates accept that there have been potential failures to comply with certain elements of HIPAA Rules; a settlement amount is agreed, and the case is resolved with no admission of liability. In addition to the settlement, a corrective action plan is issued to address the HIPAA failures.

When HIPAA-covered entities disagree with the findings of the investigation, a civil monetary penalty may be issued.

While OCR issues fines for HIPAA violations, attorneys general tend to choose to pursue financial penalties against HIPAA-covered entities under state laws rather than HIPAA, if equivalent laws exist at the state level. Actions for violations of state laws tend to be easier to win and the penalty structure at the state level may allow higher financial penalties to be issued.

Only a handful of states have exercised their right under HIPAA/HITECH to pursue financial penalties for violations of HIPAA Rules against HIPAA-covered entities and their business associates.

Penalty Structure for HIPAA Violations

The penalty amounts are adjusted annually to account for cost of living increases. The last update was in November 2021 and saw the maximum penalties increased in line with inflation to the amounts shown in the table below.

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation (adjusted for inflation) | Max Penalty per Violation (adjusted for inflation) | Annual Penalty Limit (adjusted for inflation) |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $120 | $60,226 | $30,113 |
| Tier 2 | Reasonable Cause | $1,205 | $60,226 | $120,452 |
| Tier 3 | Willful Neglect | $12,045 | $60,226 | $301,130 |
| Tier 4 | Willful Neglect (not corrected within 30 days) | $60,226 | $1,806,757 | $1,806,757 |

Further, OCR issued a Notice of Enforcement Discretion in April 2019 stating the annual penalty limits in three of the penalty tiers would be reduced following a reexamination of the language of the HITECH Act. The cap on the annual penalty limit was changed to $25,000 (now $30,113) for tier 1, $100,000 (now $120,452) for tier 2, and $250,000 (now $301,130) for tier 3. The maximum annual penalty for tier 4 remains unchanged at $1,500,000 (now $1,806,757).

State attorneys general can issue fines for HIPAA violations up to a maximum of $25,000 per violation category, per year. The maximum penalty is also adjusted annually in line with inflation.

Listed below are the HIPAA violation fines and settlements issued by the HHS’ Office for Civil Rights since the HIPAA Enforcement Rule was signed into law.

2022 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2022 | ACPM Podiatry | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| 2022 | Memorial Hermann Health System | $240,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Southwest Surgical Associates | $65,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Hillcrest Nursing and Rehabilitation | $55,000 | Settlement | HIPAA Right of Access failure |
| 2022 | MelroseWakefield Healthcare | $55,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Erie County Medical Center Corporation | $50,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Fallbrook Family Health Center | $30,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Associated Retina Specialists | $22,500 | Settlement | HIPAA Right of Access failure |
| 2022 | Coastal Ear, Nose, and Throat | $20,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Lawrence Bell, Jr. D.D.S | $5,000 | Settlement | HIPAA Right of Access failure |
| 2022 | Danbury Psychiatric Consultants | $3,500 | Settlement | HIPAA Right of Access failure |
| 2022 | Oklahoma State University – Center for Health Sciences | $875,000 | Settlement | Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals |
| 2022 | Dr. Brockley | $30,000 | Settlement | HIPAA Right of Access |
| 2022 | Jacob & Associates | $28,000 | Settlement | HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer |
| 2022 | Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. | $50,000 | Civil Monetary Penalty | Impermissible disclosure on social media |
| 2022 | Northcutt Dental-Fairhope | $62,500 | Settlement | Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer |

2021 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2021 | Advanced Spine & Pain Management | $32,150 | Settlement | HIPAA Right of Access failure |
| 2021 | Denver Retina Center | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Dr. Robert Glaser | $100,000 | Civil Monetary Penalty | HIPAA Right of Access failure |
| 2021 | Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | $160,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Wake Health Medical Group | $10,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Children’s Hospital & Medical Center | $80,000 | Settlement | HIPAA Right of Access failure |
| 2021 | The Diabetes, Endocrinology & Lipidology Center, Inc. | $5,000 | Settlement | HIPAA Right of Access failure |
| 2021 | AEON Clinical Laboratories (Peachstate) | $25,000 | Settlement | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and lack of documentation of HIPAA Security Rule policies and procedures) |
| 2021 | Village Plastic Surgery | $30,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Arbour Hospital | $65,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Sharpe Healthcare | $70,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Renown Health | $75,000 | Settlement | HIPAA Right of Access failure |
| 2021 | Excellus Health Plan | $5,100,000 | Settlement | Multiple violations: Risk analysis failure, risk management failure, lack of information system activity reviews, lack of technical policies to prevent unauthorized ePHI access, and a breach of 9,358,891 records. |
| 2021 | Banner Health | $200,000 | Settlement | HIPAA Right of Access failure |

2020 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2020 | Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Settlement | HIPAA Right of Access failure |
| 2020 | University of Cincinnati Medical Center | $65,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dr. Rajendra Bhayani | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Riverside Psychiatric Medical Group | $25,000 | Settlement | HIPAA Right of Access failure |
| 2020 | City of New Haven, CT | $202,400 | Settlement | Failure to terminate access rights, risk analysis failure, failure to implement Privacy Rule policies, failure to issue unique IDs, impermissible disclosure of the PHI of 498 individuals |
| 2020 | Aetna | $1,000,000 | Settlement | Failure to conduct an evaluation in response to environmental or operational changes affecting ePHI security, identity check failure, minimum necessary information failure, lack of admin, technical, and physical safeguards |
| 2020 | NY Spine | $100,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Dignity Health, dba St. Joseph’s Hospital and Medical Center | $160,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Premera Blue Cross | $6,850,000 | Settlement | Risk assessment failure, risk management failure, insufficient hardware and software controls |
| 2020 | CHSPSC LLC | $2,300,000 | Settlement | Risk analysis failure, failure to implement information system activity reviews, security incident procedure failure, and insufficient access controls. |
| 2020 | Athens Orthopedic Clinic PA | $1,500,000 | Settlement | Failures to conduct a risk analysis, risk management failure, lack of audit controls, no HIPAA policies and procedures, lack of business associate agreements, and no HIPAA Privacy Rule training to the workforce. |
| 2020 | Housing Works, Inc. | $38,000 | Settlement | HIPAA Right of Access failure |
| 2020 | All Inclusive Medical Services, Inc. | $15,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Beth Israel Lahey Health Behavioral Services | $70,000 | Settlement | HIPAA Right of Access failure |
| 2020 | King MD | $3,500 | Settlement | HIPAA Right of Access failure |
| 2020 | Wise Psychiatry, PC | $10,000 | Settlement | HIPAA Right of Access failure |
| 2020 | Lifespan Health System Affiliated Covered Entity | $1,040,000 | Settlement | Lack of encryption, device and media controls, and business associate agreement failures. |
| 2020 | Metropolitan Community Health Services dba Agape Health Services | $25,000 | Settlement | Systemic noncompliance with the HIPAA Security Rule |
| 2020 | Steven A. Porter, M.D | $100,000 | Settlement | Risk analysis and risk management failures |

2019 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2019 | West Georgia Ambulance | $65,000 | Settlement | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures. |
| 2019 | Korunda Medical, LLC | $85,000 | Settlement | HIPAA Right of Access failure. |
| 2019 | Sentara Hospitals | $2,175,000 | Settlement | Breach notification failure; business associate agreement failure |
| 2019 | University of Rochester Medical Center | $3,000,000 | Settlement | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls. |
| 2019 | Elite Dental Associates | $10,000 | Settlement | Social media disclosure; notice of privacy practices; impermissible PHI disclosure. |
| 2019 | Bayfront Health St Petersburg | $85,000 | Settlement | HIPAA Right of Access failure |
| 2019 | Medical Informatics Engineering | $100,000 | Settlement | Risk analysis failure; impermissible disclosure of 3.5 million records |
| 2019 | Touchstone Medical Imaging | $3,000,000 | Settlement | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI. |
| 2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients’ ePHI |
| 2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations |

2018 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement | Risk analysis failures, impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards |
| 2018 | Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Impermissible disclosure of ePHI; No Encryption |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent |
| 2018 | Boston Medical Center | $100,000 | Settlement | Filming patients without consent |
| 2018 | Anthem Inc | $16,000,000 | Settlement | Risk Analysis failures; Insufficient reviews of system activity; Failure related to response to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access |
| 2018 | Allergy Associates of Hartford | $125,000 | Settlement | PHI disclosure to a reporter; No sanctions against employees |
| 2018 | Advanced Care Hospitalists | $500,000 | Settlement | Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 |
| 2018 | Pagosa Springs Medical Center | $111,400 | Settlement | Failure to terminate employee access; No BAA |
| 2018 | Cottage Health | $3,000,000 | Settlement | Risk analysis failure; Risk management failure; No BAA |

2017 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2017 | 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
| 2017 | Cardionet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
| 2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
| 2017 | Presense Health | $475,000 | Settlement | Delayed Breach Notifications |

2016 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks |
| 2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis |
| 2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of Business Associate Agreement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible Disclosure of PHI |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI |

2015 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2015 | University of Washington Medicine | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement | Multiple HIPAA Violations |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement | Failure to Conduct Risk Analysis |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement | Multiple HIPAA Violations |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement | Improper Disposal of PHI |

2014 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement | Failure to Manage Risks to ePHI |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement | Failure to Safeguard PHI |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement | Failure to Conduct Risk Analysis |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement | Failure to Safeguard ePHI |
| 2014 | Concentra Health Services | $1,725,220 | Settlement | Failure to Safeguard ePHI |
| 2014 | Skagit County, Washington | $215,000 | Settlement | Failure to Safeguard ePHI |

2013 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement | Failure to Permanently Erase ePHI |
| 2013 | WellPoint | $1,700,000 | Settlement | Failure to Safeguard ePHI |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement | Disclosure of PHI Without Patient Consent |
| 2013 | Idaho State University | $400,000 | Settlement | Failure to Safeguard ePHI |

2012 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement | Theft of an Unencrypted Laptop |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement | Multiple HIPAA Violations |
| 2012 | Alaska DHSS | $1,700,000 | Settlement | Failure to Perform Risk Analysis/Risk Management Failures |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement | Lack of HIPAA Safeguards |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |

2011 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement | Failure to Restrict Access to Medical Records |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement | Failure to Safeguard PHI |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty | Denying Patients Access to Medical Records |

2010 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement | Risk Analysis Failures / Insufficient Security Measures |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement | Multiple HIPAA Violations |

2009 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement | Multiple HIPAA Violations |

2008 HIPAA Violation Fines and Settlements

| Year | Covered Entity | Amount | Settlement/CMP | Reason |
|---|---|---|---|---|
| 2008 | Providence Health & Services | $100,000 | Settlement | Failure to Implement Appropriate Administrative Safeguards |

Attorneys General HIPAA Fines and Settlements

| Year | State | Entity | Amount | Individuals affected | Settlement/CMP | Reason |
|---|---|---|---|---|---|---|
| 2021 | New Jersey | Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) | $425,000 | 105,000 | Settlement | Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program. |
| 2021 | New Jersey | Command Marketing Innovations, LLC and Strategic Content Imaging LLC | $130,000 (Plus $65,000 suspended) | 55,715 | Settlement | Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures. |
| 2021 | New Jersey | Diamond Institute for Infertility and Menopause | $495,000 | 14,663 | Settlement | Multiple Privacy Rule and Security Rule failures, and violations of Consumer Fraud Act. |
| 2021 | Multistate | American Medical Collection Agency | $21 million (suspended) | 21,000,000 | Settlement | Security failures including the failure to detect a data breach. |
| 2020 | Multistate | CHSPSC LLC | $5,000,000 | 6.1 million | Settlement | Failure to implement and maintain reasonable security practices |
| 2020 | Multistate | Anthem Inc | $48.2 million | 78.8 million | Settlement | Multiple violations of HIPAA and state laws |
| 2019 | Multistate | Premera Blue Cross | $10,000,000 | 10.4 million | Settlement | Multiple HIPAA violations |
| 2019 | Multistate | Medical Informatics Engineering | $900,000 | 3.5 million | Settlement | Multiple HIPAA violations |
| 2019 | CA | Aetna | $935,000 | 1,991 | Settlement | 2 mailings exposed PHI (Afib, HIV) |
| 2018 | MA | McLean Hospital | $75,000 | 1,500 | Settlement | Loss of backup tapes |
| 2018 | NJ | EmblemHealth | $100,000 | 6,443 (81,000) | Settlement | Mailing error exposed SSNs |
| 2018 | NJ | Best Transcription Medical | $200,000 | 1,650 | Settlement | Exposure of ePHI via search engines |
| 2018 | CT | Aetna | $99,959 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | NJ | Aetna | $365,211.59 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | DC | Aetna | $175,000 | 13,160 | Settlement (Multistate action) | 2 mailings exposed PHI (Afib, HIV data) |
| 2018 | MA | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Settlement | Failure to secure ePHI and multiple breaches |
| 2018 | NY | Arc of Erie County | $200,000 | 3,751 | Settlement | Failure to secure ePHI |
| 2018 | NJ | Virtua Medical Group | $417,816 | 1,654 | Settlement | Multiple violations of HIPAA Rules |
| 2018 | NY | EmblemHealth | $575,000 | 81,122 | Settlement | Impermissible disclosure of ePHI |
| 2018 | NY | Aetna | $1,150,000 | 12,000 | Settlement | 2 mailings exposed PHI (Afib, HIV data) |
| 2017 | CA | Cottage Health System | $2,000,000 | More than 54,000 | Settlement | Failure to adequately protect medical records |
| 2017 | MA | Multi-State Billing Services | $100,000 | 2,600 | Settlement | Theft of unencrypted laptop containing PHI |
| 2017 | NJ | Horizon Healthcare Services Inc. | $1,100,000 | 3.7 million | Settlement | Loss of unencrypted laptop computers |
| 2017 | VT | SAManage USA, Inc. | $264,000 | 660 | Settlement | Spreadsheet indexed by search engines and PHI viewable |
| 2017 | NY | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Settlement | Delayed breach notification |
| 2015 | NY | University of Rochester Medical Center | $15,000 | 3,403 | Settlement | List of patients provided to nurse who took it to a new employer |
| 2015 | CT | Hartford Hospital/ EMC Corporation | $90,000 | 8,883 | Settlement | Theft of unencrypted laptop containing PHI |
| 2014 | MA | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Settlement | Loss of backup tapes containing PHI |
| 2014 | MA | Boston Children’s Hospital | $40,000 | 2,159 | Settlement | Loss of laptop containing PHI |
| 2014 | MA | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Settlement | Loss of laptop containing PHI |
| 2013 | MA | Goldthwait Associates | $140,000 | 67,000 | Settlement | Improper disposal |
| 2012 | MN | Accretive Health | $2,500,000 | 24,000 | Settlement | Mishandling of PHI |
| 2012 | MA | South Shore Hospital | $750,000 | 800,000 | Settlement | Loss of backup tapes containing PHI |
| 2011 | VT | Health Net Inc. | $55,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |
| 2011 | IN | WellPoint Inc. | $100,000 | 32,000 | Settlement | Failure to report a breach in a reasonable timeframe |
| 2010 | CT | Health Net Inc. | $250,000 | 1,500,000 | Settlement | Loss of unencrypted hard drive/delayed breach notifications |

Cases have been included if there have been potential violations of HIPAA Rules even if the financial penalty was issued for violations of state laws.

HIPAA Violation Fines FAQs

Does the above list represent all the HIPAA violation fines issued by OCR?

As of June 2022, despite receiving more than 300,000 complaints and reports of data breaches, the HHS’ Office for Civil Rights has only issued fines or agreed settlements in 110 cases. Most of the other cases – in which a violation of HIPAA is considered to have occurred – have been resolved by technical assistance and/or corrective action plans.

Can OCR also pursue criminal charges for violations of HIPAA?

If the Office for Civil Rights reviews a case and believes there are grounds for a possible criminal conviction, the case is referred to the Department of Justice. The Department of Justice has the authority to pursue criminal charges for violations of HIPAA and several individuals responsible for violating HIPAA have received jail sentences. These include:

  • Florida Medical Clinic Worker Sentenced to 48 Months in Jail over Theft of PHI
  • 3-Year Jail Term for VA Employee Who Stole Patient Data
  • Former New York Dental Practice Receptionist Sentenced to 2-6 years for HIPAA Violation
  • UPMC Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

Why are so many of the latest settlements for HIPAA Right of Access failures?

Since 2019, the Office for Civil Rights has been running a Right of Access enforcement initiative to address the increasing number of complaints from patients who have experienced obstacles or delays in accessing copies of PHI. This does not mean OCR is turning a blind eye to other types of HIPAA violation and the agency continues to investigate other violations and data breaches.

Why are some HIPAA violation fines more than the annual penalty limit?

The annual penalty limit applies per violation type. Therefore, if a covered entity is found non-compliant in (for example) four areas, the non-compliant covered entity could receive four fines, each up to the maximum penalty per violation or annual penalty limit (per violation) depending on their level of culpability.

What do the four penalty/level of culpability tiers represent?

Tier 1: A violation that a Covered Entity or Business Associate was unaware of and could not have realistically avoided had a reasonable amount of care been taken to comply with HIPAA.

Tier 2: A violation that a Covered Entity or Business Associate should have been aware of but could not have avoided even with a reasonable amount of care to comply with HIPAA.

Tier 3: A violation suffered as a direct result of “willful neglect” in cases where an attempt has been made by a Covered Entity or Business Associate to correct the violation.

Tier 4: A violation of HIPAA attributable to willful neglect, where no attempt has been made to correct the violation by a Covered Entity or Business Associate.


What is the highest fine for the worst HIPAA violation?

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.

What is the largest HIPAA fine to date?

The largest HIPAA violation penalty – $16 million – was paid by Anthem Inc. in 2018 and resolved an investigation into its 78.8 million record data breach that was discovered in 2015. Following on from that settlement, in 2020 Anthem Inc settled a multi-state action and paid $48.2 million in penalties.

What company has paid the highest fines in HIPAA violations?

1. 2018 Anthem, $16 million. In 2018, Anthem, one of the nation's largest health benefits companies, had the largest health data breach, followed by the largest HIPAA settlement in history. Their $16 million dollar fine accompanied a corrective action plan to bring them into compliance with HIPAA requirements.

What are the consequences of not being compliant with HIPAA?

The penalties for HIPAA noncompliance are based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a max penalty of $1.5 million per calendar year for violations. Additionally, violations can also result in jail time for the individuals responsible.

Can I get fired for an accidental HIPAA violation?

Depending on the nature of the violation, the incident may warrant disciplinary action against the individual concerned which could see the employee suspended pending an investigation. Termination for a HIPAA violation is a possible outcome.

What is the most costly HIPAA violation in history?

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark.

What was the largest HIPAA fine ever paid to OCR?

Largest HIPAA Settlement to Date – Anthem Pays Millions After Cyber Attack
  • In the largest HIPAA settlement to date, Anthem Inc., a division of Blue Cross Blue Shield, will pay the Office of Civil Rights $16 million. ...
  • Prior to this settlement, the largest fine ever paid to OCR for violations of HIPAA law was $5.5 million.

Is there a database for HIPAA violations?

ProPublica has created and launched a new database that allows consumers to search for privacy violations by health care providers after an investigation revealed hundreds of repeat HIPAA offenders, Charles Ornstein and Annie Waldman report for ProPublica.

Can PHI be disclosed to family members?

Thus, whether a family member or other person is a personal representative of the individual, and therefore has a right to access the individual's PHI under the Privacy Rule, generally depends on whether that person has authority under State law to act on behalf of the individual.

Is telling a story about a patient a HIPAA violation?

Even if you mean no harm or don't think the patient will ever find out, it still violates the person's privacy. You'll always need to get a client's expressed consent when sharing anything that potentially exposes their protected health information (PHI). Even if you're asking for their testimonial.

Why is PHI so valuable?

PHI is important to individuals and valuable to hackers which makes it vital for organizations to protect. HIPAA lays out all the requirements and safeguards that should be put in place so that each person's identifiable health information is kept secure from cyber criminals.

What are 3 common HIPAA violations?

5 Most Common HIPAA Violations
  • HIPAA Violation 1: A Non-Encrypted Lost or Stolen Device. ...
  • HIPAA Violation 2: Lack of Employment Training. ...
  • HIPAA Violation 3: Database Breaches. ...
  • HIPAA Violation 4: Gossiping and Sharing PHI. ...
  • HIPAA Violation 5: Improper disposal of PHI.

What are the 3 types of HIPAA violations?

Impermissible disclosures of PHI. Improper disposal of PHI. Failure to conduct a risk analysis.

What happens if an employee violates HIPAA?

Those who violate HIPAA may face fines from $100-250,000 per offense (with an annual cap at $1.5 million) and/or a 1-10 year prison sentence. Employers may find it difficult to enforce sanctions on employees who break the rules. However, it is important to do so consistently for the wellbeing of the company.

What is a Tier 1 HIPAA violation?

The tiers for HIPAA criminal penalties are: Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail. Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail. Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail.

Is a first name a HIPAA violation?

Patient names (first and last name or last name and initial) are one of the 18 identifiers classed as protected health information (PHI) in the HIPAA Privacy Rule. HIPAA does not prohibit the electronic transmission of PHI.

What is the maximum monetary civil penalty for the HIPAA violation of uncorrected willful neglect?

Where a violation is due to willful neglect (a conscious and intentional failure to comply or a reckless indifference to the obligation to comply), but was corrected in a timely manner (generally within 30 days of discovery), the penalty range is $10,000 to $50,000 for each violation.

What is the most serious consequence for intentionally breaching PHI?

Personal gain – if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000, imprisoned for not more than 10 years, or both.

What is the most serious consequence for intentionally breaching PHI security quizlet?

What is the most serious consequence for intentionally breaching PHI security? You can be fined and fired.

Is saying a patient name a HIPAA violation?

Under HIPAA, use or disclosure of PHI, for the purpose of calling a patient's name in a waiting room, without patient authorization, is generally permitted. Several conditions must be met for this general rule to apply. When a name is called, other patients may hear the identity of the person whose name is called.

Is gossiping a HIPAA violation?

Similarly, if the subject of the gossip is not a patient who has rights under the HIPAA Privacy Rule, the gossip is not a violation of HIPAA; and, even if the individual is an employee of a Covered Entity and the gossip relates to a patient in their care, gossip is not a violation of HIPAA if none of the 18 identifiers ...

What is the most common HIPAA violation?

HIPAA Violation 1: A Non-Encrypted Lost or Stolen Device

One of the most common HIPAA violations is that a lost or stolen device can easily result in theft or unauthorized access to PHI. Fines of up to $1.5 million – per violation category, per year that the violation has been allowed to persist.


Article information

Author: Otha Schamberger

Last Updated: 11/16/2022
