Throughout 2020, healthcare organizations have agreed to pay millions of dollars to settle HIPAA violations with HHS’ Office for Civil Rights.
Here are four of the largest HIPAA settlements so far this year.
1. Premera Blue Cross agreed to pay OCR $6.85 million to settle potential violations related to a HIPAA breach that affected more than 10.4 million people. The settlement is the second largest payment ever made to resolve a HIPAA investigation. The investigation centered on a 2014 email phishing attack on Premera’s systems that went undetected for nine months and exposed 10.4 million individuals’ protected health information.
2. A Community Hospital Systems’ entity that provides business associate services to hospitals and clinics agreed in September to pay $2.3 million to settle violations related to a potential HIPAA breach. The company provides IT, health information management and other services to the hospitals and clinics owned by Franklin, Tenn.-based CHS.
3. Athens (Ga.) Orthopedic in September agreed to pay $1.5 million to settle HIPAA noncompliance related to a 2016 EHR hacking incident that exposed 208,557 individuals’ information. The patient records were posted online for sale by the hackers.
4. Providence, R.I.-based Lifespan agreed in July to pay just over $1 million to settle a potential HIPAA violation related to a stolen laptop. Lifespan reported the breach in April 2017 as affecting 20,431 individuals, and OCR found that the health system had systemic noncompliance with HIPAA rules, including failure to encrypt electronic protected health information as well as a lack of device and media controls.