An Overview of HIPAA Settlements in 2016


HIPAA settlements reached record highs in 2016. This is in part due to the Department of Health and Human Services’ Office for Civil Rights increasing its enforcement activities in recent years. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. This included seven unique settlements which were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. The Administrative Law Judge ruled that civil monetary penalties previously imposed on a covered entity, Lincare Inc., by OCR were lawful, bringing the total number of violations resolved by OCR to thirteen for 2016. Only two healthcare organizations (Lincare among them) have ever been required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act (HIPAA). All other organizations opted to settle with OCR voluntarily.

OCR does not always deem financial penalties appropriate for the cases it deals with. The agency often prefers to resolve potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, such as when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

Large-scale breaches of PHI may warrant financial penalties, and the size of the breach will affect the severity of the penalty imposed. OCR has also resorted to financial penalties when relatively small-scale breaches have occurred and few individuals have been impacted. This year has seen two settlements with organizations for breaches that impacted fewer than 500 individuals (New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia) and one civil monetary penalty (Lincare Inc.).

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

Summary of 2016 HIPAA Settlements

| Covered Entity | Date | Breach that triggered OCR investigation | Individuals impacted |
|---|---|---|---|
| University of Massachusetts Amherst (UMass) | November, 2016 | Malware infection | |
| St. Joseph Health | October, 2016 | PHI made available through search engines | |
| Care New England Health System | September, 2016 | Loss of two unencrypted backup tapes | |
| Advocate Health Care Network | August, 2016 | Theft of desktop computers, loss of laptop, improper access of data at business associate | 3,994,175 (combined total of three separate breaches) |
| University of Mississippi Medical Center | July, 2016 | Unprotected network drive | |
| Oregon Health & Science University | July, 2016 | Loss of unencrypted laptop / Storage on cloud server without BAA | 4,361 (combined total of two breaches) |
| Catholic Health Care Services of the Archdiocese of Philadelphia | June, 2016 | Theft of mobile device | 412 (combined total) |
| New York Presbyterian Hospital | April, 2016 | Filming of patients by TV crew | |
| Raleigh Orthopaedic Clinic, P.A. of North Carolina | April, 2016 | Improper disclosure to business associate | |
| Feinstein Institute for Medical Research | March, 2016 | Improper disclosure of research participants’ PHI | |
| North Memorial Health Care of Minnesota | March, 2016 | Theft of laptop computer / Improper disclosure to business associate (discovered during investigation) | |
| Complete P.T., Pool & Land Physical Therapy, Inc. | February, 2016 | Improper disclosure of PHI (website testimonials) | |
| Lincare, Inc. | February, 2016* | Improper disclosure (unprotected documents) | |

* Civil monetary penalty upheld by the Administrative Law Judge rather than a voluntary settlement.

Last August saw the largest HIPAA settlement ever agreed with a single covered entity: OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.
The previous largest HIPAA settlements were agreed with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, split into $3.3 million paid by the New York-Presbyterian Hospital and $1.5 million paid by Columbia University. The previous largest HIPAA settlement for a single entity was agreed with Cignet Health ($4.3 million) for denying 41 patients access to their health records.

This year’s first settlement was agreed with Presence Health. The settlement, amounting to $475,000, was based solely on delayed breach notifications. This is the first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

The future of HIPAA enforcement activities is unclear. Funding for OCR may be cut under the new administration, which would likely have an impact on HIPAA enforcement and may result in fewer violations being followed up with an investigation.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will start any time in the near future.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

Jocelyn Samuels will be standing down as head of OCR later in 2017. No replacement has yet been announced. While there are a number of suitable candidates for the position, incoming president Trump has not yet expressed any opinions on the matter. The future OCR director is not likely to be high on his priority list. When a new OCR director is appointed, we may find that he or she has different priorities for OCR’s budget.

HIPAA breach investigations take time to conduct, and settlements take even longer. The 2016 HIPAA settlements are the result of data breach investigations that were conducted in 2012-2013. The dramatic increase in data breaches in 2014, and the HIPAA violations that caused those breaches, may well see 2017 become another record-breaking year for HIPAA settlements.


About Ryan Coyne
Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan’s professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.