HIPAA Fines Listed by Year

HIPAA Settlements and Fines

HIPAA settlements are hard to keep track of–that’s why we’ve created this simple directory of large-scale HIPAA fines listed by year. All information is provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on their HIPAA Resolution Agreements overview.

For the full list of HIPAA breaches and fines, you can visit OCR’s Breach Portal, or “Wall of Shame“. This is where OCR lists the countless other small-scale HIPAA breaches and fines. View our HIPAA fines chart below for the full HIPAA settlements list.

Remember that large-scale settlements are only a fraction of the fines levied by federal investigators every year. Once you’ve had a HIPAA breach, the name of your practice is permanently listed on The Wall of Shame–including the offense, date, and number of individuals affected.

What is the Penalty for a HIPAA Violation?

HIPAA violations cost your practice. The federal fines for noncompliance are based on the level of perceived negligence found within your organization at the time oft he HIPAA violation. These fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation. View our HIPAA fines chart below for the full HIPAA fines list.

OCR has also levied criminal charges for HIPAA violations in the past. Director of OCR, Jocelyn Samuels, went on record in February of 2016, saying that:

“While OCR prefers to resolve issues through voluntary compliance, […] we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”

Source: HHS, Federal Register.gov

2017 HIPAA Fines

Date Organization Fine Total Link to OCR Settlement
January 9, 2017 Presence Health $475,000 First HIPAA enforcement action for lack of timely breach notification settles for $475,000
January 18, 2017 MAPFRE $2,200,000 HIPAA settlement demonstrates importance of implementing safeguards for ePHI
February 1, 2017 Children’s Medical Center of Dallas $3,200,000 Lack of timely action risks security and costs money
February 16, 2017 Memorial Healthcare Systems $5,500,000 $5.5 million HIPAA settlement shines light on the importance of audit controls
April 12, 2017 Metro Community Provider Network (MCPN) $400,000 Overlooking risks leads to breach, $400,000 settlement
April 20, 2017 The Center for Children’s Digestive Health (CCDH) $31,000 No Business Associate Agreement?  $31K Mistake
April 24, 2017 CardioNet $2,500,000 $2.5 million settlement shows that not understanding HIPAA requirements creates risk
 May, 10 2017  Memorial Hermann Health System (MHHS)  $2,400,000  Texas health system settles potential HIPAA violations for disclosing patient information
 2017 TOTAL: $16,706,000

2016 HIPAA Fines

Date Organization Fine Total Link to OCR Settlement
February 3, 2016 Lincare, Inc. $239,800 Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800
February 16, 2016 Physical Therapy $25,000 Physical therapy provider settles violations that it impermissibly disclosed patient information
March 16, 2016 North Memorial $1,550,000 $1.55 million settlement underscores the importance of executing HIPAA business associate agreements
March 17, 2016 Feinstein Research $3,900,000 Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement
 April 20, 2016 Raleigh Orthopaedic $750,000 $750,000 settlement highlights the need for HIPAA business associate agreements
April 21, 2016 New York Presbyterian $2,200,000 Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital
June 29, 2016 Catholic Health Services of Philadelphia $650,000 Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
July 18, 2016 Oregon Health & Science University $2,700,000 Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University
July 21, 2016 Univeristy of Mississippi Medical Center $2,750,000 Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC)
August 4, 2016 Advocate Health $5,550,000 Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million
September 23, 2016 Care New England Health System $400,000 HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements
October 17, 2016 St. Joseph’s $2,140,000 $2.14 million HIPAA settlement underscores importance of managing security risk
November 22, 2016 UMass $650,000 UMass settles potential HIPAA violations following malware infection
2016 TOTAL: $23,504,800  

2015 HIPAA Fines

Date Organization Fine Total Link to OCR Settlement
April 22, 2015 Cornell Prescription Pharmacy $125,000 HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records
June 10, 2015 St. Elizabeth’s Medical Center $218,000 HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications
August 31, 2015 Cancer Care Group, P.C. $750,000 750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies
November 24, 2015 Lahey Hospital and Medical Center $850,000 HIPAA Settlement Reinforces Lessons for Users of Medical Devices
November 30, 2015 Triple-S Management $3,500,000 Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement
December 14, 2015 University of Washington Medicine $750,000 $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis
2015 TOTAL: $6,193,000