How Many Violations of HIPAA Rules Result in Financial Penalties in 2017?
How many healthcare data breaches occurred in 2017, and how many of those that violated HIPAA rules resulted in financial penalties? It is difficult to get accurate data about HIPAA violations, for several reasons.

First, many data breaches are not reported. The Department of Health and Human Services’ Office for Civil Rights (OCR) publishes on its breach portal only the reported breaches that affected more than 50 persons. The OCR breach portal is nicknamed the “Wall of Shame,” a name that does not fit, because the healthcare organizations listed there suffered data breaches, not necessarily violations of the HIPAA Rules. An organization may have invested in cybersecurity defenses and employee security training and still experience a breach, for example because a patch was not applied promptly or because an employee fell for a phishing scam.

Second, only a few state attorneys general publish details of data breaches. Many breaches are due to HIPAA violations, but many others happen to healthcare organizations that are fully HIPAA-compliant. It is not possible to say how many actually violated HIPAA rules without a detailed investigation. OCR becomes aware of some potential violations through complaints submitted by patients or employees who believe HIPAA rules were violated, but many complaints are unfounded and cannot be proven beyond reasonable doubt.

Third, settlements and civil monetary penalties are not reliable gauges of HIPAA violations. Cases that end in a financial settlement are usually only those with particularly strong evidence of HIPAA violations, and cases usually take years to reach settlement. So it is almost impossible to know how many HIPAA violations resulting in monetary penalties actually occur per year.

Nevertheless, we can list the healthcare organizations that paid settlements and civil monetary penalties in 2017. See the table below.

| Covered Entity | Penalty Amount | Penalty Type | Reason for Penalty | Date of Violation(s) |
|---|---|---|---|---|
| 21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations | 2015 |
| Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI | 2015 |
| St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI | 2014 |
| The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement | 2003-2015 |
| CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI | 2011 |
| Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process | 2011 |
| Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls | 2007-2012 |
| Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI | 2006-2013 |
| MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI | 2011 |
| Presence Health | $475,000 | Settlement | Delayed Breach Notifications | 2013 |

The table shows that the violations occurred between 2003 and 2015, but the organizations only paid the settlements and penalties in 2017.