The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to protect individuals' health information. The HIPAA Privacy Rule protects "individually identifiable health information" held by a covered entity or a business associate. This covers information about an individual's physical or mental health, the provision of healthcare to that individual, and the payment for that healthcare. Such information is considered Protected Health Information (PHI).

OCR Settlements in 2018 Regarding HIPAA

HIPAA enforcement appears to be getting stricter as the law ages. In 2018, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) settled 10 different cases involving HIPAA violations, collecting a total of $28.7 million in payments. This surpassed 2016's total settlement amount by 22%. OCR also secured the largest settlement in its history, $16 million from Anthem Inc., which alone more than triples the highest settlement amount of 2016.

Most of these violations involved electronic security breaches and the haphazard handling of patient information.  

Who Was Involved? 

There were several healthcare organizations involved in these cases in 2018. These businesses include:

  • Filefax
  • MD Anderson
  • Boston Medical Center
  • Brigham and Women’s Hospital
  • Massachusetts General Hospital
  • Advanced Care Hospitalists
  • Allergy Associates of Hartford
  • Anthem Inc.
  • Pagosa Springs
  • Cottage Health


In January of 2018, OCR reached settlements in two different cases of HIPAA violations. The first settlement was with Filefax, a medical records maintenance and storage company. OCR found that Filefax had either left PHI accessible in an unlocked truck or allowed an unauthorized person to remove that information from the Filefax facility. The Filefax case was settled for $100,000. During the same month, OCR settled a case with Fresenius Medical Care North America (FMCNA), a provider of products and services for patients with chronic kidney failure. FMCNA had filed five breach reports involving electronic PHI (ePHI) in 2012. After investigating, OCR determined that FMCNA had not thoroughly inspected its systems for potential breaches. FMCNA settled the matter for $3.5 million.


In June, an HHS Administrative Law Judge ordered the University of Texas MD Anderson Cancer Center, a cancer treatment center, to pay $4.3 million to OCR as a penalty for HIPAA violations. MD Anderson had suffered three different data breaches between 2012 and 2013. These breaches resulted from a stolen employee laptop and two lost USB thumb drives, all containing unencrypted ePHI of over 33,500 patients. MD Anderson had had encryption policies in place since 2006, but it did not begin to adopt them until 2011, and it still failed to encrypt its electronic devices containing ePHI. Of the many cases that occurred during 2018, this is the only one that ended in a judgment rather than a settlement.


In September, OCR reached three different settlements with Boston Medical Center (BMC), Brigham and Women's Hospital (BWH), and Massachusetts General Hospital (MGH), totaling $999,000. The three hospitals had invited an ABC film crew to record a documentary series without first obtaining patients' permission, which put the privacy of patients' PHI at risk.

During the same month, OCR also reached a settlement with Advanced Care Hospitalists (ACH) for $500,000. After ACH filed a breach report stating that patient ePHI was viewable on a medical billing service's website, OCR investigated further and found that, even though ACH had been in business since 2005, it had not taken measures to prevent security breaches until April of 2014.


In October, OCR reached a settlement of $125,000 with Allergy Associates, a practice dedicated to treating patients with allergies. Three years earlier, a patient had contacted a television station to speak out about a dispute between the patient and a doctor from Allergy Associates. When a reporter contacted the doctor for further information, the doctor disclosed private information about the patient without first obtaining the patient's permission.

During the same month, Anthem, Inc. paid $16 million to OCR following the cyberattacks that led to the largest U.S. health data breach in history. Anthem, Inc. initially filed a breach report when it discovered that attackers had gained access to its IT systems. After the filing, Anthem, Inc. further discovered that these persistent attacks had started with spear phishing emails. Because at least one employee had opened and responded to those emails, the attackers were able to gain access to Anthem, Inc.'s IT systems and steal the ePHI of nearly 79 million individuals.


In November, OCR found that a former employee of Pagosa Springs Medical Center (PSMC) still had remote access to PSMC's web-based scheduling calendar, which contained the ePHI of 557 individuals. PSMC paid $111,400 to OCR as a settlement.


Lastly, in December, Cottage Health settled over two security breaches that had left the ePHI of over 62,500 individuals unsecured. After investigating, OCR found that Cottage Health had failed to conduct thorough risk assessments to reduce the chances of a breach. Cottage Health agreed to pay OCR $3,000,000 and to adopt a corrective action plan to help ensure that such breaches would not occur again.


In total, eleven different organizations were found to have violated HIPAA regulations in 2018. As a consequence, each of these organizations paid a lump sum to OCR to resolve its case.

OCR takes any mishandling of protected health information seriously, so it is important that you take the proper measures to make sure your organization is HIPAA compliant.

PS: Do you want to learn more about equipment that can help you dispose of PHI?

Whitaker Brothers Business Machines supports HIPAA compliance and provides the right equipment to maintain compliance.

Here are a few different machines that can help dispose of data quickly and effectively:

Wipe your hard drives and maintain compliance!

Degaussers are excellent tools for ensuring that your organization follows HIPAA standards. Learn more about degaussers and how they can help you protect private information here.

Crush hard drives fast and destroy data with a Datastroyer!

Hard drive crushers are a quick and effective way to ensure that sensitive patient information doesn't get into the wrong hands. These machines are easy for anyone to operate, and they bend hard drives in half so the platters can no longer be read.

HIPAA and State Privacy Compliance

Satisfy state and federal HIPAA laws with streamlined software.