State attorney general HIPAA fines continue to be issued, as the University of Rochester Medical Center agrees to pay a HIPAA settlement of $15,000 for a 2015 patient privacy breach.
Earlier this year, the University of Rochester Medical Center suffered a data breach that affected 3,403 patients. The breach involved an employee of URMC taking patient data to her new employer, who used that information to send a mailing offering the patients the option of switching healthcare provider. Many patients were unhappy about being contacted, specifically about how the healthcare provider came to obtain their contact information. Action has now been taken over that HIPAA privacy breach.
This month, New York Attorney General Eric T. Schneiderman agreed to a settlement with URMC for the HIPAA Privacy Rule violations behind that privacy breach. URMC managers had provided a nurse with a list of patients’ PHI prior to her employment coming to an end. The list was provided to the nurse with patients’ best interests in mind, but sufficient effort had not been made to ensure their PHI was not disclosed to an external third party; in this case, Greater Rochester Neurology.
According to a statement issued by Schneiderman, “This settlement strengthens protections for patients at URMC, and it puts other health care entities on notice that my office will enforce HIPAA data breach provisions.”
In addition to the fine of $15,000, URMC must adhere to an action plan which will serve to improve privacy protections for patients, such as further training, tighter controls for PHI, and far stricter reporting requirements. URMC will be required to report any breach of PHI to Schneiderman’s office within 60 days if that breach affects more than 14 individuals.
Maximum Allowable State Attorney General HIPAA Fines
Relatively few state attorney general HIPAA fines have been issued to covered entities, even with the huge volume of data breaches that have been reported in recent years. The majority of those data breaches stemmed from violations of HIPAA Rules.
Any healthcare organization that suffers a data breach as a result of HIPAA violations can potentially be fined by the Department of Health and Human Services’ Office for Civil Rights. The allowable fines are dependent on the degree of culpability for the violation. The highest fines of up to $1.5 million, per violation category, per calendar year, are reserved for organizations that have willfully violated HIPAA Rules.
State attorney general HIPAA fines can similarly be issued, albeit at a lower level. A maximum fine of $25,000 per violation category, per calendar year, is possible.
If a covered entity is determined to have violated HIPAA Rules, such as by failing to implement administrative controls to prevent the exposure of ePHI, and the violation first occurred in 2011, the covered entity could be fined 4 x $25,000, a maximum fine of $100,000. However, covered entities are often discovered to have violated numerous “categories” of HIPAA Rules, so state attorney general HIPAA fines can potentially be considerably higher.
While many states have been slow to take action over HIPAA violations, that is not necessarily a situation that will continue. OCR has been offering training to state AGs on HIPAA enforcement, and has made training material available for state AGs to allow them to further assist with HIPAA enforcement.
Connecticut, Vermont, Massachusetts, Montana, Indiana, and now New York have all taken action over violations of HIPAA Rules that have impacted residents of their states. Further state attorney general HIPAA fines can be expected, and those fines may not be limited to organizations suffering breaches stemming from HIPAA violations in the above states.
With the OCR having reached two settlements with covered entities in the space of a week, it would appear that enforcement of HIPAA Rules is being stepped up. With the OCR HIPAA-compliance audits now just a few weeks away from commencing, we may well see a flurry of civil monetary fines issued in 2016.
OCR has been under pressure to step up its enforcement of HIPAA Rules in recent years. Since lawsuits can take many months or even years to be resolved, a step up in enforcement may only become apparent in a few years’ time. One thing is for sure: state attorney general HIPAA fines are likely to increase in frequency, as are civil monetary fines issued by OCR. Covered entities must therefore make sure that HIPAA Rules are followed, or be prepared to dig deep and cover the fines.