HIPAA Penalties 2022
OCR is continuing to crack down on violations of the HIPAA Rules, with violations of the HIPAA Right of Access one of OCR’s main enforcement priorities in 2021, as it has been since the HIPAA Right of Access enforcement initiative was launched in late 2019. It is likely that HIPAA violation fines in 2022 will continue to be imposed at high levels for violations of the HIPAA Right of Access, although questions have been raised about HIPAA fines for other violations.
The HIPAA violation penalty that was imposed in 2018 on the University of Texas MD Anderson Cancer Center for a data breach and lack of encryption was overturned on appeal in 2021. On January 14, 2021, a three-member panel for the Fifth Circuit Court of Appeals unanimously vacated the $4,348,000 penalty. Since then, only one HIPAA penalty has been imposed for violations of the HIPAA Rules other than the HIPAA Right of Access. The decision by the Court of Appeals could be affecting OCR’s willingness to pursue financial penalties for certain HIPAA violations and may encourage HIPAA-covered entities subject to HIPAA violation cases in 2022 to appeal any proposed penalties.
OCR now has a new Director, Lisa J. Pino, who at the time of writing has only been in the position for a short time. It is therefore too early to tell what approach she will take regarding HIPAA enforcement.
We will list the latest HIPAA penalties in 2022 below as and when they are announced by OCR.
2022 HIPAA Fines and Settlements
No HIPAA penalties announced to date
OCR HIPAA Fines 2021
There was a reduction in the number of financial penalties for HIPAA violations in 2021 from the record number of penalties in 2020, with OCR’s decisions to finalize penalties potentially being affected by the COVID-19 pandemic. That said, penalties have continued to be imposed at relatively high levels, with most of the 2021 HIPAA penalties imposed for violations of the HIPAA Right of Access. Out of the 14 HIPAA violation cases in 2021 that have resulted in financial penalties, 12 have been for HIPAA Right of Access violations.
In January 2021, one of the largest ever HIPAA fines was imposed on Excellus Health Plan. The settlement resolved a HIPAA case that stemmed from an investigation of a breach of the PHI of 9,358,891 individuals that was reported to OCR in 2015. Aside from that penalty, most of the settlements and civil monetary penalties have been for relatively small amounts and have resulted from investigations of complaints from patients rather than reports of data breaches. As well as the 2021 HIPAA fines being lower, a much higher percentage of financial penalties was imposed on small healthcare providers than in previous years. That trend is likely to continue in 2022.
2021 HIPAA Settlements
HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
Advanced Spine & Pain Management | HIPAA Right of Access failure | 1 | $32,150 |
Denver Retina Center | HIPAA Right of Access failure | 1 | $30,000 |
Rainrock Treatment Center LLC (dba Monte Nido Rainrock) | HIPAA Right of Access failure | 1 | $160,000 |
Wake Health Medical Group | HIPAA Right of Access failure | 1 | $10,000 |
Children’s Hospital & Medical Center | HIPAA Right of Access failure | 1 | $80,000 |
The Diabetes, Endocrinology & Lipidology Center, Inc. | HIPAA Right of Access failure | 1 | $5,000 |
AEON Clinical Laboratories (Peachstate) | HIPAA Security Rule failures (risk assessment, risk management, audit controls, and documentation of HIPAA Security Rule policies and procedures) | Unknown | $25,000 |
Village Plastic Surgery | HIPAA Right of Access failure | 1 | $30,000 |
Arbour Hospital | HIPAA Right of Access failure | 1 | $65,000 |
Sharpe Healthcare | HIPAA Right of Access failure | 1 | $70,000 |
Renown Health | HIPAA Right of Access failure | 1 | $75,000 |
Excellus Health Plan | Multiple HIPAA Violations: Risk analysis, risk management, information system activity reviews, technical policies to prevent unauthorized ePHI access, breach of 9,358,891 records. | 9,358,891 | $5,100,000 |
Banner Health | HIPAA Right of Access failure | 2 | $200,000 |
2021 Civil Monetary Penalties for HIPAA Violations
HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
Dr. Robert Glaser | HIPAA Right of Access failure | 1 | $100,000 |
OCR HIPAA Fines 2020
2020 saw more financial penalties imposed on HIPAA-covered entities and business associates than in any other year since OCR started enforcing HIPAA compliance. 19 settlements were reached to resolve potential violations of the HIPAA Rules. OCR continued with its HIPAA Right of Access enforcement initiative that commenced in late 2019 and by year-end had settled 11 cases where patients had not been provided with timely access to their medical records for a reasonable cost-based fee.
2020 saw the second-largest settlement to resolve HIPAA violations. The health insurer Premera Blue Cross paid OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of its 2015 breach of the ePHI of 10,466,692 individuals.
2020 OCR HIPAA Settlements
HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
Peter Wrobel, M.D., P.C., dba Elite Primary Care | HIPAA Right of Access failure | 2 | $36,000 |
University of Cincinnati Medical Center | HIPAA Right of Access failure | 1 | $65,000 |
Dr. Rajendra Bhayani | HIPAA Right of Access failure | 1 | $15,000 |
Riverside Psychiatric Medical Group | HIPAA Right of Access failure | 1 | $25,000 |
City of New Haven, CT | Failure to terminate access rights; risk analysis failure; failure to implement Privacy Rule policies; failure to issue unique IDs to allow system activity to be tracked; impermissible disclosure of the PHI of 498 individuals | 498 | $202,400 |
Aetna | Lack of technical and nontechnical evaluation in response to environmental or operational changes; identity check failure; minimum necessary information failure; impermissible disclosure of 18,849 records; lack of administrative, technical, and physical safeguards | 18,849 | $1,000,000 |
NY Spine | HIPAA Right of Access failure | 1 | $100,000 |
Dignity Health, dba St. Joseph’s Hospital and Medical Center | HIPAA Right of Access failure | 1 | $160,000 |
Premera Blue Cross | Risk assessment failure; risk management failure; insufficient hardware and software controls; unauthorized access to the PHI of 10,466,692 individuals | 10,466,692 | $6,850,000 |
CHSPSC LLC | Failure to conduct a risk analysis; failures to implement information system activity reviews, security incident procedures, and access controls, and a breach of the ePHI of more than 6 million individuals | 6,121,158 | $2,300,000 |
Athens Orthopedic Clinic PA | Failure to conduct a risk analysis; lack of risk management and audit controls; failure to maintain HIPAA policies and procedures; business associate agreement failure; and the failure to provide HIPAA Privacy Rule training to the workforce. | 208,557 | $1,500,000 |
Housing Works, Inc. | HIPAA Right of Access failure | 1 | $38,000 |
All Inclusive Medical Services, Inc. | HIPAA Right of Access failure | 1 | $15,000 |
Beth Israel Lahey Health Behavioral Services | HIPAA Right of Access failure | 1 | $70,000 |
King MD | HIPAA Right of Access failure | 1 | $3,500 |
Wise Psychiatry, PC | HIPAA Right of Access failure | 1 | $10,000 |
Lifespan Health System Affiliated Covered Entity | Lack of encryption; insufficient device and media controls; lack of business associate agreements; impermissible disclosure of 20,431 patients’ ePHI | 20,431 | $1,040,000 |
Metropolitan Community Health Services dba Agape Health Services | Longstanding, systemic noncompliance with the HIPAA Security Rule | 1,263 | $25,000 |
OCR HIPAA Fines 2019
HIPAA enforcement continued at a high level in 2019. Eight settlements were reached with HIPAA-covered entities and business associates to resolve HIPAA violations and two civil monetary penalties were issued. The financial penalties were imposed to resolve similar violations of HIPAA Rules as previous years, but 2019 also saw the first financial penalties issued under OCR’s new HIPAA Right of Access initiative. Two covered entities settled cases over the failure to provide patients with a copy of their medical records, in the requested format, in a reasonable time frame.
2019 OCR HIPAA Settlements
HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
West Georgia Ambulance | Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures. | 500 | $65,000 |
Korunda Medical, LLC | HIPAA Right of Access failure. | 1 or more | $85,000 |
Sentara Hospitals | Breach notification failure; business associate agreement failure | 577 | $2,175,000 |
University of Rochester Medical Center | Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls. | 43 | $3,000,000 |
Elite Dental Associates | Social media disclosure; notice of privacy practices; impermissible PHI disclosure. | Unconfirmed | $10,000 |
Bayfront Health St Petersburg | HIPAA Right of Access failure | 1 | $85,000 |
Medical Informatics Engineering | Risk analysis failure; impermissible disclosure of 3.5 million records | 3,500,000 | $100,000 |
Touchstone Medical Imaging | No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI. | 307,839 | $3,000,000 |
2019 OCR Civil Monetary Penalties
HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
Texas Department of Aging and Disability Services | Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients’ ePHI | 6,617 | $1,600,000 |
Jackson Health System | Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations | 25,661 | $2,154,000 |
OCR HIPAA Fines 2018
There was a year-over-year increase in HIPAA violation penalties in 2018. 11 financial penalties were agreed in 2018: 10 settlements and one civil monetary penalty. Two records were broken in 2018. 2018 saw the largest ever HIPAA settlement agreed: a $16 million financial penalty for Anthem Inc. to resolve HIPAA violations discovered during the investigation of its 78.8 million-record breach in 2015. HIPAA-covered entities also paid more in fines than in any other year since OCR started enforcing compliance with HIPAA Rules: $28,683,400.
2018 OCR HIPAA Settlements
HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
Cottage Health | Risk analysis and risk management failures; No BAA | 62,500 | $3,000,000 |
Pagosa Springs Medical Center | Failure to terminate employee access; No BAA | 557+ | $111,400 |
Advanced Care Hospitalists | Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 | 9,255 | $500,000 |
Allergy Associates of Hartford | PHI disclosure to a reporter; No sanctions against employees | 1 | $125,000 |
Anthem Inc | Risk analysis failure; Insufficient reviews of system activity; Failure to respond to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access | 78,800,000 | $16,000,000 |
Boston Medical Center | Filming patients without consent | Unspecified | $100,000 |
Brigham and Women’s Hospital | Filming patients without consent | Unspecified | $384,000 |
Massachusetts General Hospital | Filming patients without consent | Unspecified | $515,000 |
Filefax, Inc. | Impermissible disclosure of physical PHI left unprotected in a truck | 2,150 | $100,000 |
Fresenius Medical Care North America | 5 breaches: Investigation revealed risk analysis failures; Impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards | 521 | $3,500,000 |
2018 Civil Monetary Penalties for HIPAA Violations
HIPAA-Regulated Entity | Reason | Individuals Impacted | Amount |
University of Texas MD Anderson Cancer Center | 3 breaches resulting in an impermissible disclosure of ePHI; No Encryption | 34,883 | $4,348,000 |
OCR HIPAA Fines 2017
A summary of the 2017 OCR penalties for HIPAA violations.
2017 OCR HIPAA Settlements
HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Settlement Amount |
Memorial Healthcare System | Impermissible access of PHI by employees; Impermissible disclosure of PHI to affiliated physicians’ offices | 115,143 | $5,500,000 |
Cardionet | Theft of an unencrypted laptop computer | 1,391 | $2,500,000 |
Memorial Hermann Health System | Disclosure of patient’s PHI to the media | 1 | $2,400,000 |
21st Century Oncology | Multiple HIPAA violations | 2,213,597 | $2,300,000 |
MAPFRE Life Insurance Company of Puerto Rico | Theft of an unencrypted USB storage device | 2,209 | $2,200,000 |
Presence Health | Delayed breach notifications | 836 | $475,000 |
Metro Community Provider Network | Lack of a security management process to safeguard ePHI | 3,200 | $400,000 |
Luke’s-Roosevelt Hospital Center Inc. | Impermissible disclosure of PHI to patient’s employer | 1 | $387,000 |
The Center for Children’s Digestive Health | Lack of a business associate agreement | N/A | $31,000 |
2017 Civil Monetary Penalties for HIPAA Violations
HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Penalty Amount |
Children’s Medical Center of Dallas | Theft of unencrypted devices | 6,262 | $3,200,000 |
OCR HIPAA Fines 2016
2016 was a record year for financial penalties to resolve violations of HIPAA Rules. 2016 saw 12 settlements agreed and one civil monetary penalty issued by OCR.
2016 OCR HIPAA Settlements
HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Settlement Amount |
Feinstein Institute for Medical Research | Improper disclosure of research participants’ PHI | 13,000 | $3,900,000 |
Advocate Health Care Network | Theft of desktop computers; Loss of laptop; Improper accessing of data at a business associate | 3,994,175 | $5,550,000 |
University of Mississippi Medical Center | Unprotected network drive | 10,000 | $2,750,000 |
Oregon Health & Science University | Loss of unencrypted laptop; Storage on cloud server without BAA | 4,361 | $2,700,000 |
New York Presbyterian Hospital | Filming of patients by a TV crew | Unconfirmed | $2,200,000 |
North Memorial Health Care of Minnesota | Theft of laptop computer; Improper disclosure to a business associate | 299,401 | $1,550,000 |
St. Joseph Health | PHI made available through search engines | 31,800 | $2,140,500 |
Raleigh Orthopaedic Clinic, P.A. of North Carolina | Improper disclosure to a business associate | 17,300 | $750,000 |
University of Massachusetts Amherst (UMass) | Malware infection | 1,670 | $650,000 |
Catholic Health Care Services of the Archdiocese of Philadelphia | Theft of mobile device | 412 | $650,000 |
Care New England Health System | Loss of two unencrypted backup tapes | 14,000 | $400,000 |
Complete P.T., Pool & Land Physical Therapy, Inc. | Improper disclosure of PHI (website testimonials) | Unconfirmed | $25,000 |
2016 Civil Monetary Penalties for HIPAA Violations
HIPAA-Regulated Entity | Breach Summary | Individuals Impacted | Penalty Amount |
Lincare, Inc. | Improper disclosure (unprotected documents) | 278 | $239,800 |
Source: What are the Penalties for HIPAA Violations? (hipaajournal.com)