The HHS Office for Civil Rights has reported three HIPAA fines this year, resolving allegations against a hospital, a healthcare company and a medical records storage vendor.
Here are the three fines, beginning with the costliest:
1. MD Anderson slapped with $4.3M penalty for HIPAA violations
An HHS administrative law judge upheld an HHS Office for Civil Rights finding requiring the University of Texas MD Anderson Cancer Center in Houston to pay $4,348,000 in civil penalties for HIPAA violations related to the organization's encryption policies, HHS confirmed June 18. The violations include three data breaches in 2012 and 2013, which exposed health information of more than 33,500 people.
2. HHS to collect millions in settlement costs resolving 5 breaches at a single entity
Waltham, Mass.-based Fresenius Medical Care North America agreed to pay the HHS Office for Civil Rights $3.5 million to settle allegations it violated HIPAA rules after data breaches at five sites in 2012, HHS confirmed Feb. 1. The healthcare company's network comprises dialysis facilities, outpatient cardiac and vascular labs, urgent care centers, and hospitalist and post-acute providers.
3. HHS imposes $100K fine on shuttered facility for 2015 HIPAA violation
A receiver appointed to liquidate the assets of Filefax, a now-closed medical records management company, will pay $100,000 out of the receivership estate to the HHS Office for Civil Rights to settle potential HIPAA violations related to a 2015 breach, HHS confirmed Feb. 13. The civil rights office determined Filefax had disclosed information of 2,150 patients by leaving medical records at a shredding and recycling facility.