HHS' Office for Civil Rights is becoming more aggressive in enforcing HIPAA regulations. In the first seven months of 2016 alone, HHS recorded close to $15 million in settlement payments. As HIPAA audits ramp up, hospitals and health systems are bolstering safeguards and security practices to avoid multimillion-dollar fines.
Here is a look back at 10 of the biggest HIPAA penalties and settlement agreements between healthcare organizations and HHS.
1. Advocate Health System (Downers Grove, Ill.): $5.55 million
The latest HIPAA settlement is also the biggest. In the first week of August, Advocate Health System agreed to settle HIPAA violation claims related to three data breaches that occurred in 2013. In total, the three incidents compromised the protected health information of 4 million individuals.
2. NewYork-Presbyterian Hospital and Columbia University (New York City): $4.8 million
In May 2014, these organizations agreed to pay a combined $4.8 million to settle charges from a 2010 breach when a Columbia-based physician attempted to deactivate a personal computer connected to the NewYork-Presbyterian network that contained patient information. The attempt left protected health information accessible on internet search engines. While separate entities, the organizations have an affiliation where Columbia professors work as attending physicians at NewYork-Presbyterian, and the two share a data network and firewall. NewYork-Presbyterian paid $3.3 million and Columbia paid $1.5 million.
3. Cignet Health (Prince George's County, Md.): $4.3 million
HHS determined Cignet Health violated HIPAA by denying 41 patients access to their medical records. The HIPAA Privacy Rule requires covered entities to provide patients copies of their records within 30 days of a patient's request. The agency investigated Cignet Health, and the system allegedly refused to respond to OCR's demands to give patients the records.
4. Triple-S (San Juan, Puerto Rico): $3.5 million
This insurance holding company settled alleged widespread noncompliance with HIPAA throughout its subsidiaries. The OCR investigated Triple-S after receiving multiple breach notifications.
5. University of Mississippi Medical Center (Jackson): $2.75 million
The OCR launched an investigation into UMMC in March 2013 after the health system reported a missing password-protected laptop that contained protected health information. The breach affected approximately 10,000 individuals. The investigation found UMMC did not notify each individual whose information was compromised, nor did it initiate any risk management activity until after the breach.
6. Oregon Health & Science University (Portland): $2.7 million
OHSU's HIPAA fine follows investigations into two 2013 data breaches affecting more than 7,000 patients total. In the first breach, an unencrypted laptop containing patient information was stolen from a surgeon's vacation home. In the second breach, residents and physicians-in-training had stored patient information in a Google-based cloud system that was not approved for storing such data.
7. CVS Pharmacy (Woonsocket, R.I.): $2.25 million
In 2009, CVS paid $2.25 million to settle allegations that it failed to take reasonable and appropriate security measures to protect sensitive information of customers and employees. The Federal Trade Commission opened an investigation into the pharmacy chain after allegations it was throwing pill bottles containing patient names, addresses, medications and personal information into open dumpsters. HHS also opened an investigation into the disposal of health information protected by HIPAA. HHS and the FTC coordinated their investigations.
8. NewYork-Presbyterian Hospital: $2.2 million
NewYork-Presbyterian was hit with another HIPAA settlement fine in April 2016 after television film crews for the show "NY Med" filmed two patients in the hospital without obtaining their authorization. OCR found the hospital also allowed film crews "virtually unfettered access to its healthcare facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff," according to HHS.
9. Concentra Health Services (Addison, Texas): $1.7 million
This subsidiary of Louisville, Ky.-based Humana that provides occupational medicine and other services faced HIPAA violation allegations after an unencrypted laptop was stolen from one of its facilities in 2012. The $1.725 million settlement was finalized in April 2014.
10. Alaska Department of Health and Social Services: $1.7 million
Tied for the 10th biggest HIPAA fine is Alaska's health agency, which reported a stolen USB hard drive containing protected health information. The OCR's investigation found ADHSS did not have adequate policies and procedures in place to safeguard electronic protected health information. The settlement was reached in June 2012.
10. WellPoint (Indianapolis): $1.7 million
Another $1.7 million settlement came from WellPoint (now Anthem) in July 2013. OCR launched an investigation into the health plan after a data breach exposed the protected health information of more than 612,000 individuals in a database. The investigation found WellPoint did not adequately implement policies or safeguards to protect such information.