Besides our HIPAA Violations & Fines Map, the US Department of Health and Human Services publishes press releases on major violations.
Here are just a few recent examples of HIPAA violations.
Banner Health has reached a settlement with the US Department of Health and Human Services' Office for Civil Rights (OCR) following a cybersecurity breach in 2016. The breach affected 2.81 million consumers, and a hacker accessed protected health information including patient names, dates of birth, addresses, and Social Security numbers. Banner Health has agreed to pay $1.25m and take corrective action to address violations of the HIPAA Security Rule...
The US Department of Health and Human Services' Office for Civil Rights (OCR) has settled with a California-based dental practice, B. Brandon Au, DDS, Inc., over its disclosure of patient protected health information (PHI) in response to online reviews on social media, violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The dental practice paid $23,000 to OCR and agreed to implement a corrective action plan to resolve the investigation. OCR Director, Melanie Fontes Rainer, warned that providers cannot disclose protected health information when responding to negative online reviews and emphasized the importance of appropriately safeguarding patients' PHI...
The Office for Civil Rights (OCR) at the Department of Health and Human Services has settled with New England Dermatology P.C. over the improper disposal of protected health information. NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan after empty specimen containers with patient information were placed in a garbage bin in the parking lot. OCR’s investigation found potential violations of the HIPAA Privacy Rule including the impermissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the privacy of PHI. In addition to the monetary settlement, NEDLC will undertake a corrective action plan, which includes two years of monitoring...
The Oklahoma State University – Center for Health Sciences (OSU-CHS) has reached a settlement with the U.S. Department of Health and Human Services (HHS) over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. The settlement involves the payment of $875,000 and the implementation of a corrective action plan. The settlement was reached after OSU-CHS reported that an unauthorized third party gained access to a web server that contained electronic protected health information (ePHI) of nearly 280,000 individuals. The investigation found several potential HIPAA Rule violations, including the failure to conduct an accurate and thorough risk analysis, the failure to implement audit controls, and the failure to provide timely breach notification to affected individuals and HHS...
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced the resolution of three investigations and one matter before an Administrative Law Judge related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Two of the cases are part of OCR’s HIPAA Right of Access Initiative, which supports individuals' right to timely access their health records under the HIPAA Privacy Rule. The other enforcement actions resulted from healthcare providers impermissibly disclosing their patients’ protected health information (PHI). OCR Director Lisa J. Pino emphasized the importance of compliance with HIPAA Rules, and announced that OCR will continue to protect individuals’ health information privacy and security through enforcement and pursue civil money penalties for violations that are not addressed. The enforcement actions include a settlement with Dr. Donald Brockley, D.D.M., a solo dental practitioner, and a $50,000 civil money penalty imposed on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental practice in North Carolina, among others...
Children's Hospital & Medical Center in Omaha, Nebraska has agreed to pay $80,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services resolved its twentieth investigation in its HIPAA Right of Access Initiative, which aims to support individuals' right to timely access their health records at a reasonable cost. The parent of a minor child filed a complaint with OCR in May 2020, alleging that CHMC failed to provide her with timely access to her daughter's medical records. OCR found that CHMC's failure to provide timely access was a potential violation of the HIPAA right of access standard. In addition to the monetary settlement, CHMC will undertake a corrective action plan that includes one year of monitoring...
Peachstate Health Management, LLC, which provides diagnostic and laboratory-developed tests, has agreed to pay $25,000 and implement a corrective action plan to resolve potential violations of the HIPAA Security Rule. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) conducted a compliance review of Peachstate and found systemic noncompliance with the HIPAA Security Rule. The investigation revealed the failure to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. In addition to the monetary settlement, Peachstate has agreed to a corrective action plan that includes three years of monitoring...
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has settled its eighteenth enforcement action in the HIPAA Right of Access Initiative. Village Plastic Surgery, located in New Jersey, has agreed to pay $30,000 and take corrective actions to resolve a potential violation of the HIPAA Privacy Rule's right of access standard. The violation came to light after a patient's complaint that VPS failed to take timely action in response to their medical records access request. Following OCR's investigation, VPS provided the patient with their requested records. OCR has emphasized its commitment to enforcing individuals' rights to timely access to their health records at a reasonable cost under HIPAA, with appropriate remedial action against covered entities that fail to comply with their obligations...
Excellus Health Plan has reached a $5.1 million settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) over a data breach that affected more than 9.3 million people. The New York health services corporation disclosed in 2015 that cyber-attackers had unauthorized access to its information technology systems, compromising sensitive information such as Social Security numbers, health plan claims, and clinical treatment information. OCR's investigation found potential HIPAA violations related to risk analysis, risk management, information system activity review, and access controls...
The Office for Civil Rights (OCR) has settled another case as part of its HIPAA Right of Access Initiative. Peter Wrobel, M.D., P.C., doing business as Elite Primary Care, has agreed to pay $36,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. The case was initiated in April 2019 after a patient complained that Elite had failed to respond to their request for access to medical records. The OCR provided technical assistance in May 2019, but another complaint was received in October 2019 alleging that access had still not been granted. OCR initiated an investigation and found that Elite's failure to provide the requested medical records was a potential violation of the HIPAA right of access standard. In addition to the settlement, Elite will undertake a corrective action plan that includes two years of monitoring...
The University of Cincinnati Medical Center, LLC (UCMC), which is an academic medical center providing healthcare services to the Greater Cincinnati community, has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard...
The City of New Haven, Connecticut (New Haven) has agreed to pay $202,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules...
Aetna Life Insurance Company and affiliated covered entity (Aetna) has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules…
Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people...
A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted...
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has...
The Center for Children’s Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care...
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) of Denver, Colorado has...
Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule after the theft of a CHCS mobile device compromised the protected health information...
And the list goes on...