Noncompliance With HIPAA: Costs for Healthcare Organizations

Noncompliance with HIPAA can cost healthcare organizations dearly. If regulators discover willful violations of HIPAA Rules, multi-million-dollar fines are possible.

Fines for Noncompliance with HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights is the primary enforcer of HIPAA Rules and investigates all data breaches that impact more than 500 individuals. When a data breach is experienced, the breached entity will be required to provide evidence to OCR that the breach was not a result of the failure to comply with HIPAA Rules.

If insufficient documentation can be provided to demonstrate compliance, a full audit could be conducted to determine whether there has been willful neglect of HIPAA Rules. If HIPAA Rules are discovered to have been violated, financial penalties may be considered appropriate. OCR increased the number of financial penalties it issued in 2015 and 2016, with several multi-million-dollar fines issued.

2016/2017 HIPAA Fines and Settlements

Year | Covered Entity | Penalty Amount | Penalty Type | Reason
---- | -------------- | -------------- | ------------ | ------
2017 | Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI
2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI
2017 | The Center for Children’s Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement
2017 | CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI
2017 | Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process
2017 | Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls
2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI
2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI
2017 | Presence Health | $475,000 | Settlement | Delayed Breach Notifications
2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement | Failure to Manage Security Risks
2016 | St. Joseph Health | $2,140,500 | Settlement | Failure to Conduct Risk Analysis
2016 | Care New England Health System | $400,000 | Settlement | Lack of a Business Associate Agreement
2016 | Advocate Health Care Network | $5,550,000 | Settlement | Multiple HIPAA Violations
2016 | University of Mississippi Medical Center | $2,750,000 | Settlement | Multiple HIPAA Violations
2016 | Oregon Health & Science University | $2,700,000 | Settlement | Lack of a Business Associate Agreement
2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement | Failure to Safeguard ePHI
2016 | New York Presbyterian Hospital | $2,200,000 | Settlement | Filming Patients without Authorization
2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement | Lack of a Business Associate Agreement
2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement | Impermissible Disclosure of PHI
2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement | Lack of a Business Associate Agreement
2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement | Impermissible Disclosure of PHI
2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty | Failure to Safeguard PHI

Compliance with HIPAA Rules does not mean a healthcare organization will prevent all breaches, but it does ensure that penalties for noncompliance with HIPAA Rules are avoided.

Class Action Lawsuits

The Ponemon Institute/IBM Security annual Cost of a Data Breach study suggests the average cost of a data breach is now $3.62 million, with the cost per record calculated to be $380 for the healthcare industry.

Using the Ponemon Institute’s figures as a guide, the massive data breaches of 2015 – Anthem’s 78.8 million record breach; the 10 million record breach at Excellus BlueCross BlueShield; and the 11 million record breach at CareFirst BlueCross BlueShield – would see breach mitigation costs of $29.9 billion for Anthem, $4.1 billion for CareFirst, and $3.8 billion for Excellus.

A class action lawsuit in which every victim of the breach received only $100 in restitution would leave Anthem with a bill of $8 billion.

Fortunately for Anthem, the cost of resolving the class action lawsuits was nowhere near that high, but it was still considerable and broke records. Several class action lawsuits were filed in the wake of the breach, and the consolidated lawsuit has now been settled for $113 million, the largest ever settlement over a data breach in the United States. The settlement will be used to provide breach victims with two years of credit monitoring services.

Compliance with HIPAA Rules will not stop lawsuits from being filed after a data breach, but it will be harder for plaintiffs to prove there has been negligence.

Improvements to Security

Security must be improved after a data breach is experienced. The vulnerability that was exploited to gain access to data must be addressed, and new security controls will need to be implemented. Many companies have found that the cost of making such improvements is substantially higher after a data breach than if the same solutions had been implemented before the breach. Post-breach is not the best time to be negotiating contracts with cybersecurity firms; the breached entity will be at a considerable disadvantage.

If healthcare organizations make reasonable efforts to ensure that HIPAA Rules are followed, and they invest in appropriate security solutions, data breaches can be prevented and financial penalties from regulators will be avoided.

Author: NetSec Editor