HIPAA Enforcement News — 2018

February 12, 2019

by Nick Jaworski, Digital Community Builder of Circle Social, Inc.


Successful HIPAA enforcement is on the rise

In 2018, HIPAA settlements reached an all-time high, with combined payments of nearly $30 million.

HIPAA is enforced by the Department of Health and Human Services' Office for Civil Rights (OCR). State Attorneys General also have authority under the HITECH Act to bring actions over violations affecting their residents, and they sometimes work alongside OCR.

The HITECH Act, part of the 2009 American Recovery and Reinvestment Act (ARRA), expanded HIPAA's reach and raised its penalties, and OCR's enforcement activity has grown steadily since. Staying on top of the current rules has never been more important.

Here are some examples of settlements made after HIPAA violations last year.

From 2017 to 2018 alone, the average HIPAA settlement rose from just under $2 million to just over $2.5 million, an increase of roughly $500,000 per case.

The most notable cases are found below:

Allergy Associates of Hartford: In November, Allergy Associates of Hartford settled with the OCR for $125,000 after a physician disclosed a patient's PHI to a reporter and the practice imposed no sanctions on her.

One of the practice's patients had taken a dispute to a local TV station. When the station asked the doctor for comment, she revealed the patient's medical information.

"When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media," said OCR Director Roger Severino. "Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA's privacy rules, especially when responding to press inquiries."

Pagosa Springs Medical Center: In December, Pagosa Springs Medical Center settled for $111,400 for failing to terminate a former employee's access on time and for not having a BAA in place with the vendor involved. The former employee kept remote access to a web-based scheduling calendar that contained ePHI after leaving the hospital. Offboarding procedures must cover hosted third-party systems, not just the local network and email.

A business associate agreement (BAA) establishes shared responsibility for PHI between a covered entity (usually a health facility or insurer) and a business associate, a third-party vendor that creates, receives, stores, or transmits PHI on its behalf, such as a scheduling service or a marketing/advertising agency.

Brigham and Women's Hospital, Massachusetts General Hospital, and Boston Medical Center
As a reminder that getting patient permission before filming them is of the utmost importance, three different facilities had to pay large settlements after filming for the series "Save My Life: Boston Trauma" went awry.

Brigham and Women's Hospital settled at $384,000, Massachusetts General Hospital settled for $515,000, and Boston Medical Center settled at $100,000, each for filming patients without consent.

Altogether, the settlements totaled nearly $1 million.

Fresenius Medical Care North America: In February, Fresenius Medical Care North America settled with the OCR for $3.5 million after committing five infractions.

  • Impermissible disclosure of electronic protected health information (ePHI)
  • Failure to perform an accurate and thorough risk analysis
  • Lack of encryption for ePHI on portable devices
  • Lack of physical safeguards for facilities and equipment
  • Missing policies and procedures for security incidents and for the movement of electronic devices and media

The violations occurred across 9 facilities in Florida, Alabama, and Arizona.

It is always important for a company that handles PHI to have a comprehensive policy regarding patient privacy, and implement it across all locations.

Anthem Inc.: In October, Anthem Inc., one of the largest health insurers in the United States, settled for $16 million, the largest HIPAA settlement to date, over a breach discovered in 2015 that exposed the ePHI of nearly 79 million people.

After the data breach, it was revealed that the company had committed several violations before and after the information was compromised.

  • Failure to conduct an enterprise-wide risk analysis
  • Insufficient procedures to regularly review information system activity
  • Failure to identify and respond to suspected or known security incidents
  • Failure to implement adequate minimum access controls to prevent unauthorized access to ePHI

Managing PHI is a huge responsibility that requires continuous monitoring, and standard procedures for handling suspected breaches need to be written down and followed when one occurs.

Protect YOUR company from HIPAA violations and their consequences

Regulations are hard enough to keep up with on their own, and one can make another harder to follow. For instance, the HITECH Act pushed practices to adopt electronic health records and make them accessible, while the HIPAA Security Rule requires strict protection of those same records, whether or not your employees have the technical know-how to secure digital information.

Wouldn't it be great if there was a service that kept you up-to-date on the legal climate right down to your specific state of operation, AND helped you figure out best practices to avoid violations? Join NBHAP. We do just that.

We also have addiction treatment marketing classes that help you and any third party marketers grow your business within safe, legal bounds of information sharing.

2018 was a crazy year for HIPAA violations. Know the law. Protect patient information. Avoid hefty fines. Keep your business' doors open.


A national membership association that provides education and advocacy for those in the behavioral health and addiction treatment industries.

We are the leading and unifying voice of addiction-focused treatment programs.
