In 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights issued a record 19 fines for failure to comply with the HIPAA regulations. Two of the fines issued were hybrids – based on violations of the HIPAA Privacy and Security Rules in equal measure. These HIPAA fines are discussed below.

Aetna and Violations of the HIPAA Privacy and Security Rules

The first hybrid fine was issued to Aetna. On the Security Rule side, OCR found that:

  • Aetna failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of protected health information.
  • Aetna failed to implement procedures (access controls) to verify that a person or entity seeking access to PHI is the one claimed.

On the Privacy Rule side, OCR found that:

  • Aetna impermissibly disclosed the PHI of 18,489 individuals in total across three separate breaches (notably, the breaches revealed patient HIV and research study participant status). 
  • Aetna failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure.
  • Aetna failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 

For these Security and Privacy Rule violations, spanning three separate breaches, Aetna was fined $1,000,000.

New Haven Health Department and Violations of the HIPAA Privacy and Security Rules

The second hybrid fine was imposed on the city of New Haven, Connecticut, in the amount of $202,400. The lesson of this fine: when an employee is terminated, their network access must be terminated with them. In January 2017, the New Haven Health Department filed a breach report with OCR stating that a former employee may have accessed a file on a New Haven computer containing the protected health information (PHI) of 498 individuals.
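Both the New Haven lesson (revoke access when the employee leaves) and Aetna's access-control finding (verify that whoever reaches PHI is who they claim to be) reduce to a check a security team can run on a schedule: reconcile the HR termination feed against the directory, flag enabled accounts that belong to terminated or unknown people, and re-read the PHI file-share audit log for activity by those accounts after their termination date. The Python below is an added example, not code from the article, OCR, Aetna or the City of New Haven; the HR feed, directory export and audit log entries are constructed, and their field layout is an assumption.

```python
"""Offboarding reconciliation for a PHI file share.

Added example; not from the original article or either covered entity.
All records below are constructed for illustration, and the column layout
(HR feed, directory export, audit log) is an assumed format.
"""
from datetime import date, datetime

# Constructed HR feed: employee id -> termination date (None = still employed).
HR_RECORDS = {
    "e1001": None,
    "e1002": date(2016, 12, 15),
    "e1003": date(2016, 11, 30),
    "e1004": None,
}

# Constructed directory export: account -> (employee id, account enabled?).
DIRECTORY = {
    "jdoe":       ("e1001", True),
    "msmith":     ("e1002", True),   # terminated, but never disabled
    "rlee":       ("e1003", False),  # terminated and correctly disabled
    "akhan":      ("e1004", True),
    "tmp_intern": ("e2050", True),   # no HR record at all
}

# Constructed file-share audit log: (ISO timestamp, account, path, action).
AUDIT_LOG = [
    ("2017-01-05T09:12:00", "msmith", r"\\fs01\health\clients.xlsx", "READ"),
    ("2017-01-05T09:13:00", "jdoe",   r"\\fs01\health\clients.xlsx", "READ"),
    ("2016-12-01T08:00:00", "msmith", r"\\fs01\health\intake.docx",  "READ"),
]


def stale_accounts(hr, directory):
    """Accounts still enabled whose owner has a termination date in HR."""
    return sorted(
        acct for acct, (emp, enabled) in directory.items()
        if enabled and hr.get(emp) is not None
    )


def orphan_accounts(hr, directory):
    """Enabled accounts whose employee id does not exist in the HR feed.

    Nobody owns these, so nobody will ever ask for them to be disabled.
    """
    return sorted(
        acct for acct, (emp, enabled) in directory.items()
        if enabled and emp not in hr
    )


def post_termination_access(hr, directory, log):
    """Audit entries made by an account after its owner's termination date.

    Access on the termination day itself is treated as in-scope for the
    employee's last day; only strictly later activity is flagged.
    """
    hits = []
    for ts, acct, path, action in log:
        emp, _enabled = directory.get(acct, (None, None))
        term = hr.get(emp)
        if term is not None and datetime.fromisoformat(ts).date() > term:
            hits.append((ts, acct, path, action))
    return hits


if __name__ == "__main__":
    print("enabled accounts of terminated staff:", stale_accounts(HR_RECORDS, DIRECTORY))
    print("enabled accounts with no HR owner:   ", orphan_accounts(HR_RECORDS, DIRECTORY))
    for hit in post_termination_access(HR_RECORDS, DIRECTORY, AUDIT_LOG):
        print("post-termination PHI access:", hit)
```

Run against real exports, the first two lists are the accounts to disable today; the third is the list that decides whether the event is a breach that must be reported under the Breach Notification Rule, so keep the raw log lines behind each hit.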