It’s been more than 25 years since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted. Since the compliance date of HIPAA’s Privacy Rule in April 2003, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received over 291,366 complaints and has initiated over 1,107 compliance reviews. 

Although HIPAA violations aren’t always intentional, they still can be costly for healthcare organizations, both providers and payers. Most financial penalties for HIPAA violations are issued to those with the most serious violations, such as Tier 4 of OCR’s penalty structure.

Along with financial penalties, covered entities that commit HIPAA violations must develop and implement a corrective action plan to bring policies and procedures up to the law’s standards. Federal fines for noncompliance are based on the level of perceived negligence found within the healthcare organization at the time of the HIPAA violation, and there are different penalties for civil and criminal HIPAA violations.

The Hefty Cost of a HIPAA Violation 

The second-highest number of HIPAA fines of any year since OCR started enforcing compliance with HIPAA occurred in 2021, with penalty amounts totaling $5,982,150. The HIPAA Right of Access settlements in 2021 brought the total number of violations under that initiative to 25 and the dollars collected to $1,505,650 since the government announced the initiative back in 2019.

Following is a list of the top ten biggest HIPAA violation penalties issued by OCR and state attorneys general since HIPAA was enacted. 

1. Provider/payer: Anthem, Inc. 

Penalty amount: $16 million

Reason(s) for violation: Cyber-attackers stole the electronic protected health information (ePHI) of approximately 78.8 million individuals.

Year of violation: 2015 

Resolution: In addition to the $48.2 million financial penalty (OCR fine and lawsuit settlements), Anthem agreed to implement a number of corrective actions to improve data security practices. 

2. Provider/payer: Premera Blue Cross 

Penalty amount: $6.85 million

Reason(s) for violation: Hackers procured the PHI of 10,466,692 individuals.

Year of violation: 2015

Resolution: The payer adopted a corrective action plan to address all areas of non-compliance and agreed to settle a $10 million lawsuit over the breach and a $74 million one filed on behalf of individuals whose ePHI was exposed in the breach. 

3. Provider/payer: Advocate Health Care 

Penalty amount: $5.5 million

Reason(s) for violation: In one of multiple HIPAA violations, four desktop computers were stolen from the health system’s administrative buildings, impacting 4,029,530 of its patients. 

Year of violation: 2013

Resolution: The healthcare provider was required to adopt a corrective action plan to address all of its HIPAA failures.  

4. Provider/payer: Memorial Healthcare Systems 

Penalty amount: $5.5 million

Reason(s) for violation: PHI was accessed for almost one year between 2011 and 2012 because a former employee’s login credentials remained active and their use went unnoticed. A total of 115,143 individuals’ PHI was affected by the violation.

Year of violation: 2012

Resolution: OCR imposed a corrective action plan (CAP) requiring the health system to develop and implement a risk analysis and risk management plan.

5. Provider/payer: Excellus Health Plan 

Penalty amount: $5.1 million

Reason(s) for violation: Hackers installed malware and mined data, exposing the information of more than 9.3 million individuals.

Year of violation: 2013-2015 

Resolution: The payer was required to adopt a corrective action plan covering all areas of potential noncompliance identified by OCR and was monitored closely by the agency for two years to ensure continued compliance. 

6. Provider/payer: Columbia University Medical Center and New York Presbyterian Hospital 

Penalty amount: $4.8 million combined ($3.3 million for NYP, $1.5 million for CUMC)

Reason(s) for violation: Due to a data breach, the health records of approximately 6,800 patients ended up online. The breach occurred when a CUMC physician who had developed applications for both organizations attempted to deactivate a personally owned computer server on the network that contained NYP patient ePHI.

Year of violation: 2010

Resolution: The hospitals were required to upgrade their systems and create appropriate policies and defenses for future cyberattacks. 

7. Provider/payer: Cignet Health of St. George County

Penalty amount: $4.3 million total (the first civil money penalty ever issued for a HIPAA violation; $1.3 million for the violations themselves, plus an additional $3 million for failure to cooperate with OCR)

Reason(s) for violation: OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested and willfully failed to cooperate with the agency’s attempts to resolve the complaints. 

Year of violation: 2008-2009

Resolution: Because Cignet refused to cooperate with OCR during the investigation of the complaints, OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against the organization.

8. Provider/payer: Feinstein Research 

Penalty amount: $3.5 million 

Reason(s) for violation: In 2012, a laptop that contained the ePHI of about 13,000 patients and research participants was stolen from the car of one of the biomedical research nonprofit’s employees. After that theft was reported, an OCR investigation found that the institute’s security management process was “limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.” 

Year of violation: 2012

Resolution: The organization agreed to provide OCR with a risk analysis of all electronic equipment, develop an evaluation process for environmental and operational changes that could affect ePHI security and implement policies and procedures based on the findings from the risk analysis and actions identified in HHS’ Risk Management Plan. 

9. Provider/payer: Triple-S Management 

Penalty amount: $3.5 million 

Reason(s) for violation: The payer sent a mailing to around 70,000 Medicare Advantage beneficiaries, and the mailing included Medicare Health Insurance Claim Numbers, which are classified as PHI. OCR investigated Triple-S and discovered “widespread non-compliance.” This Puerto Rico Blue Cross Blue Shield licensee also incurred a $6.8 million fine from the Puerto Rico Health Insurance Administration for failure to comply with HIPAA’s Privacy Rule.

Year of violation: 2013 

Resolution: Triple-S Management was required to establish a comprehensive compliance program designed to protect the security, confidentiality and integrity of the personal information it collects from its beneficiaries. The payer also had to implement a training program for all of its workforce and business associates.

10. Provider/payer: Children’s Medical Center of Dallas 

Penalty amount: $3.2 million

Reason(s) for violation: Data breaches resulted from the losses of an unencrypted BlackBerry device and laptop in 2009 and 2013, respectively, that contained the unsecured ePHI of about 6,260 individuals. 

Year of violations: 2009, 2013 

Resolution: Because OCR determined that the violations were due to reasonable cause and not willful neglect of HIPAA Rules, CMCD was given the minimum possible penalty of $3.2 million. 

How to Ensure HIPAA Compliance and Avoid Common HIPAA Violations

Utilizing technology offers both healthcare providers and payers numerous benefits. However, if these solutions aren’t HIPAA-compliant, costly fees and fines may occur – along with a diminished reputation and decreased patient satisfaction.

At Providertech, our CareCommunity platform allows you to connect with your patients and staff in real-time using two-way texting. It’s a secure and convenient way to:

  • Manage patient appointments
  • Distribute post-visit instructions
  • Answer patient questions and concerns in real-time
  • Improve clinical outcomes by delivering education and navigation tips 
  • More efficiently support population health
  • Respond to routine requests (e.g. medication refills and physician referrals) via secure SMS to reduce phone tag frustration
  • Decrease incoming call volume

Check out our blog to learn about the importance of HIPAA-compliant technology and how you can keep data secure while conducting patient outreach.