HIPAA Violation Cases

Nobody knows the true number of HIPAA violation cases, for although the Department of Health and Human Services (HHS) updates the statistics on its Enforcement Highlights web page every month, HHS' Office for Civil Rights is not the only agency that receives reports of HIPAA violations or investigates HIPAA violation cases.

Depending on the nature of the violation, HIPAA violation cases can also be investigated by the Centers for Medicare and Medicaid, the Federal Trade Commission, or by State Attorneys General. Additionally, complaints and allegations of HIPAA violations can be made directly to an organization by individuals (an option encouraged by some Covered Entities).

It is also the case that many Covered Entities and Business Associates have implemented internal reporting systems that enable members of the workforce to alert compliance officers to potential HIPAA violations – in some cases, anonymously. Consequently, the HIPAA violation cases that the public does hear about may only be the tip of the iceberg.

Many Alleged Violations are Not Violations at All

One thing we can determine from HHS' Enforcement Highlights web page is that many alleged violations are not violations at all. Of more than 300,000 complaints received by HHS' Office for Civil Rights since 2003, more than 200,000 have been rejected because “they did not present an eligible case for enforcement”. Among the reasons given by HHS for rejecting alleged violations are:

  • The complaint was made against an organization not subject to HIPAA.
  • The activity described in the complaint did not violate any HIPAA Rules.
  • The complaint was withdrawn by the individual on review.

Although two-thirds of complaints to HHS do not present an eligible case for enforcement, it does not necessarily mean that two-thirds of complaints to other agencies and organizations are also unjustified. However, because HHS is the only agency to report resolutions of HIPAA violation cases in which data breaches have occurred, this is the only information there is to go on.

Reported Resolutions of HIPAA Violations Cases

When the HITECH Act was passed in 2009, it instructed HHS to publish a list of data breaches in which 500 or more individuals were affected by a breach of unsecured PHI. The subsequent “Breach Report” comes in two sections – HIPAA violation cases that are currently under review and those which have been resolved and are now archived.

By downloading the Breach Report archive, it is possible to determine the nature of the violation responsible for each data breach and how the HIPAA violation cases were resolved. However, it is important to be aware that the archive does not include HIPAA violation cases in which fewer than 500 individuals have been affected (63,571 cases in 2021).

However, in 2019, HHS commenced a campaign to reduce the number of HIPAA violations attributable to right of access failures. To date, the agency has reached a settlement or imposed a civil monetary penalty in more than twenty HIPAA violation cases involving just one or two individuals, with penalty amounts ranging in value from $5,000 to $200,000.

Other HIPAA Violation Penalties

HHS does not settle or impose civil monetary penalties in the majority of cases – preferring to offer technical assistance or enforce a corrective action plan to prevent violations from recurring. It may also be the case that an organization is able to demonstrate compliance with a recognized security framework, which allows HHS to apply enforcement discretion under §13412 of the HITECH Act.

From the cases in which HIPAA violation penalties have been imposed, it can be difficult to establish a pattern of how the penalty amounts have been calculated. This is because HHS' Office for Civil Rights is required to take into account multiple factors when calculating the amount of a civil monetary penalty – including an organization's previous compliance record, the length of time the violation(s) was allowed to continue, and the organization's ability to pay a penalty.

Consequently, the following selection of HIPAA violation cases that have been resolved may appear to be random. However, while it may not be possible to determine how the penalties have been calculated, the cases listed below represent a cross-section of enforcement actions to illustrate the types of violations organizations can be penalized for.

St. Joseph Health, California/New Mexico/Texas – 31,800 patients

The healthcare facility was investigated in 2012 following a self-reported data breach. It was found that files created under the Meaningful Use program were not encrypted and were accessible via Google Drive. The breach was considered to be a direct result of failing to conduct a comprehensive risk assessment. A fine of $2.14 million was imposed on St. Joseph Health and the organization was also required to comply with a corrective action plan.

Presence Health, Illinois – 836 patients

In 2013, it was discovered that operating schedules had been removed from a facility managed by Presence Health. The physical documents detailed the health records of 836 patients. However, although it was discovered the documents were missing on the 22nd of October 2013, the breach was not reported until the 31st of January 2014. This far exceeded the 60-day limit required by the Breach Notification Rule and resulted in an inflated $475,000 settlement.

Lincare Home Health, Florida – 278 patients

The $239,800 fine for leaving documents containing the PHI of 278 patients unattended and accessible to unauthorized personnel may seem excessive, but the HIPAA violation occurred in 2008 and was never reported by the organization – HHS only found out about it many years later following a complaint from a patient. Additionally, HHS investigators found that, despite the violation having occurred seven years previously, Lincare had made minimal effort to prevent a repeat.

Cardionet, Pennsylvania – 1,391 patients

Prior to the explosion of cloud computing, the theft of media and devices containing unencrypted PHI was one of the most common HIPAA violation cases. Cardionet – a provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias – was one of the final Covered Entities to be fined for such an event, settling its case for $2.5 million after an employee's laptop containing the unencrypted PHI of 1,391 patients was stolen from his car.

Touchstone Medical Imaging, Tennessee – 307,839 patients

Security incidents are most often claimed to be due to the actions of external actors, but it is often the case that they are attributable to insider negligence. Such was the case with Touchstone Medical Imaging, which failed to secure an FTP server containing the unsecured PHI of 307,809 patients – only discovering the violation when alerted to the publicly accessible server by the FBI. The organization agreed to pay $3 million in penalties to resolve ten separate HIPAA violation cases.

Premera Blue Cross, Washington – 10,466,692 patients

The biggest HIPAA violation penalty this decade ($6,850,000) was imposed on the Premera Blue Cross health plan following an advanced persistent threat that remained undetected for almost 9 months. OCR's investigators identified a series of HIPAA failings which led to the company also having to comply with a corrective action plan for two years. Additionally, Premera Blue Cross settled actions brought by 30 State Attorneys General for $10 million and a class action lawsuit for a further $74 million.