The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced a record year for Health Insurance Portability and Accountability Act (HIPAA) enforcement activity. OCR was a party to ten settlements and a summary judgment granted by an Administrative Law Judge, resulting in $28.7 million in penalties for the year. That total surpassed the previous record of $23.5 million in 2016 and includes the $16 million Anthem, Inc. settlement, the single largest OCR HIPAA settlement in history.
The final OCR settlement in 2018 was with Cottage Health, a California hospital system, which agreed to pay OCR $3 million for two potential HIPAA violations arising from breaches of unsecured electronic protected health information (ePHI). The first ePHI breach occurred in December 2013 when, due to an error in Cottage Health’s Windows operating system security configuration settings, anyone with access to the Cottage Health server could view ePHI without a username or password. The second breach occurred in December 2015, when an IT response to a troubleshooting ticket led to a misconfigured server, causing ePHI to be exposed over the internet. The two breach notifications affected over 62,500 individuals. To ensure future HIPAA compliance, Cottage Health is required to undertake a robust corrective action plan in addition to paying the $3 million settlement.
The HHS press release is available at:
A summary of all 2018 OCR HIPAA enforcement actions is available at: