In 2018, Office for Civil Rights (OCR) settled 10 cases and was granted summary judgment in a case in Health Insurance Portability and Accountability Act (HIPAA) enforcement. The enforcement actions resulted in an all-time record year for OCR, with enforcement penalties collected totaling $28.7 million—a 22 percent increase from the last record year.
Enforcement Highlights of the Year
Out of the cases OCR was involved with, here are the most costly enforcement actions:
- Fresenius Medical Care North America (FMCNA): In January 2018, FMCNA settled for $3.5 million with OCR for the five separate data breaches that occurred between Feb. 23, 2012, and July 18, 2012.
- The University of Texas MD Anderson Cancer Center (MD Anderson): In June 2018, a Department of Health and Human Services (HHS) judge ruled in favor of OCR and ordered MD Anderson to pay $4.3 million in penalties for their HIPAA violations.
- Anthem Inc.: In October 2018, Anthem paid $16 million to OCR, an all-time record for most costly penalty, after a series of cyber-attacks allowed criminals to steal the electronic personal health information (ePHI) from nearly 79 million individuals from Dec. 2, 2014 to Jan. 27, 2015.
- Cottage Health: In December 2018, Cottage Health agreed to pay $3 million to OCR after two breaches exposed unsecured ePHI for 62,500 individuals.
What Does This Mean for My Organization?
The HIPAA Privacy and Security Rules are complex and violations can trigger expensive penalties. Fortunately, there are resources available from HHS to help covered entities comply with the HIPAA Rules. These resources are available through HHS’ website on the following topic pages:
- Guidance on the HIPAA Privacy Rules
- HIPAA Security Rule Guidance
- Cyber Security Guidance
- Breach Notification Guidance
- Compliance & Enforcement
How do I know if We are at Risk?
To know if your company is at risk, you can do a self-check of a few items. We have compiled these into a downloadable PDF scorecard. Your score is based on a set of yes or no questions.