Resolution Agreements and Civil Money Penalties
A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.
- HHS Office for Civil Rights Settles with Health Care Clearinghouse, Inmediata Health Group, Over HIPAA Impermissible Disclosure - December 10, 2024
- HHS Office for Civil Rights Imposes a $548,265 Penalty Against Children’s Hospital Colorado for HIPAA Privacy and Security Rules Violations - December 5, 2024
- HHS Office for Civil Rights Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations - December 3, 2024
- HHS Office for Civil Rights Settles with Holy Redeemer Family Medicine Over Disclosure of Patient’s Protected Health Information, Including Reproductive Health Information - November 26, 2024
- HHS Office for Civil Rights Imposes a $100,000 Penalty Against Mental Health Center for Failure to Provide Timely Access to Patient Records - November 19, 2024
- HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000 - October 31, 2024
- HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000 - October 31, 2024
- HHS Office for Civil Rights Imposes a $70,000 Civil Monetary Penalty Against Gums Dental Care for Failure to Provide Timely Access to Patient Records - October 17, 2024
- HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation - October 3, 2024
- HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000 - September 26, 2024
- HHS Office for Civil Rights Settles HIPAA Security Rule Failures for $950,000 – July 1, 2024
- HHS OCR Imposes a CMP on NJ Nursing Facility for Failing to Provide Timely Access to Patient Records - April 1, 2024
- HHS’ OCR Settles HIPAA Investigation with Phoenix Healthcare - March 29, 2024
- HHS OCR Work with Hospital to Improve Access to Kosher Electronic Devices Use for Virtual Patient Visitation- March 5, 2024
- HHS Finalizes New Provisions to Enhance Integrated Care and Confidentiality for Patients with Substance Use Conditions – February 8, 2024
- HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million - February 6, 2024
- Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and Montiefore – November 16, 2023
- HHS’ Office for Civil Rights Settles Optum Medical Care - November 15, 2023
- HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter - November 20, 2023
- HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation with Doctors’ Management Services - October 31, 2023
- Green Ridge Behavioral Health, LLC Resolution Agreement and Corrective Action Plan - October 30, 2023
- HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations - September 11, 2023
- Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company – August 24, 2023
- HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000 – June 28, 2023
- Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement – June 15, 2023
- HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative Online Reviews – June 5, 2023
- HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000 – May 16, 2023
- HHS Office for Civil Rights Enters Into $15,000 Settlement Resolving Potential HIPAA Violation Under the Right of Access Initiative – May 8, 2023
- HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking - February 2, 2023
- Lab Pays $16,500 Settlement to HHS, Resolving Potential HIPAA Violation over Medical Records Request - January 3, 2023
- HHS Civil Rights Office Resolves HIPAA Right of Access Investigation with $20,000 Settlement - December 15, 2022
- HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information - December 14, 2022
- OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA - September 20, 2022
- OCR Settles Case Concerning Improper Disposal of Protected Health Information - August 23, 2022
- Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA - July 15, 2022
- Oklahoma State University - Center for Health Services Pays $875,000 to Settle Hacking Breach - July 14, 2022
- Four HIPAA enforcement actions hold healthcare providers accountable with compliance - March 28, 2022
- Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access - November 30, 2021
- OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement - September 10, 2021
- OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative - June 2, 2021
- Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations - May 25, 2021
- OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative - March 26, 2021
- OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative - March 24, 2021
- OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative - February 12, 2021
- OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative - February 10, 2021
- Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People - January 15, 2021
- OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative - January 12, 2021
- OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative - December 22, 2020
- OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative - November 19, 2020
- OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative - November 12, 2020
- OCR Settles Tenth Investigation in HIPAA Right of Access Initiative - November 6, 2020
- City Health Department failed to terminate former employee’s access to protected health information - October 30, 2020
- Aetna Pays $1,000,000 to Settle Three HIPAA Breaches - October 28, 2020
- OCR Settles Ninth Investigation in HIPAA Right of Access Initiative - October 9, 2020
- OCR Settles Eighth Investigation in HIPAA Right of Access Initiative - October 7, 2020
- Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People - September 25, 2020
- HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual - September 23, 2020
- Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules - September 21, 2020
- OCR Settles Five More Investigations in HIPAA Right of Access Initiative - September 15, 2020
- Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach - July 27, 2020
- Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements – July 23, 2020
- Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements - March 3, 2020
- Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance - December 30, 2019
- OCR Settles Second Case in HIPAA Right of Access Initiative - December 12, 2019
- OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information - November 26, 2019
- OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations - November 7, 2019
- Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement - November 5, 2019
- OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations - October 23, 2019
- Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information - October 2, 2019
- OCR Settles First Case in HIPAA Right of Access Initiative - September 9, 2019
- Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach - May 23, 2019
- Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients' Protected Health Information - May 6, 2019
- OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement - February7, 2019
- Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million - February 7, 2019
- Colorado hospital failed to terminate former employee’s access to electronic protected health information - December 11, 2018
- Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement - December 4, 2018
- Allergy Practice pays $125,000 to settle doctor's disclosure of patient information to a reporter - November 26, 2018
- Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history – October 15, 2018
- Unauthorized Disclosure of Patients’ Protected Health Information During ABC Documentary Filming Results in Multiple HIPAA Settlements Totaling $999,000 – September 20, 2018
- Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations - June 18, 2018
- Consequences for HIPAA violations don’t stop when a business closes - February 13, 2018
- Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules - February 1, 2018
- Failure to protect the health records of millions of people costs entity millions of dollars - December 28, 2017
- Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k - May 23, 2017
- Texas health system settles potential HIPAA violations for disclosing patient information - May 10, 2017
- $2.5 million settlement shows that not understanding HIPAA requirements creates risk - April 24, 2017
- No Business Associate Agreement? $31K Mistake - April 20, 2017
- Overlooking risks leads to breach, $400,000 settlement - April 12, 2017
- $5.5 million HIPAA settlement shines light on the importance of audit controls - February 16, 2017
- Lack of timely action risks security and costs money - February 1, 2017
- HIPAA settlement demonstrates importance of implementing safeguards for ePHI - January 18, 2017
- First HIPAA enforcement action for lack of timely breach notification settles for $475,000 - January 9, 2017
- UMass settles potential HIPAA violations following malware infection - November 22, 2016
- $2.14 million HIPAA settlement underscores importance of managing security risk - October 17, 2016
- HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements - September 23, 2016
- Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million - August 4, 2016
- Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016
- Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016
- Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement - June 29, 2016
- Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016
- $750,000 settlement highlights the need for HIPAA business associate agreements
- Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement - March 17, 2016
- $1.55 million settlement underscores the importance of executing HIPAA business associate agreements - March 16, 2016
- Physical therapy provider settles violations that it impermissibly disclosed patient information - February 16, 2016
- Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 - February 3, 2016
- $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis - December 14, 2015
- Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement - November 30, 2015
- HIPAA Settlement Reinforces Lessons for Users of Medical Devices - November 24, 2015
- 750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies - August 31, 2015
- HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications - June 10, 2015
- HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records - April 22, 2015
- HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software - December 2, 2014
- $800,000 HIPAA Settlement in Medical Records Dumping Case - June 23, 2014
- Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014
- Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014
- QCA Settles HIPAA Case for $250,000 - April 22, 2014
- County Government Settles Potential HIPAA Violations - March 7, 2014
- Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - December 20, 2013
- HHS Settles with Health Plan in Photocopier Breach Case - August 14, 2013
- WellPoint Settles HIPAA Security Case for $1,700,000 - July 11, 2013
- Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 - June 13, 2013
- Idaho State University Settles HIPAA Security Case for $400,000 - May 21, 2013
- HHS announces first HIPAA breach settlement involving less than 500 patients - December 31, 2012
- Massachusetts Provider Settles HIPAA Case for $1.5 Million - September 17, 2012
- Alaska DHSS Settles HIPAA Security Case for $1,700,000 - June 26, 2012
- HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards - April 13, 2012
- HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012
- Resolution Agreement with the University of California at Los Angeles Health System - July 6, 2011
- Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. - February 14, 2011
- Civil Money Penalty issued to Cignet Health of Prince George's County, MD - February 4, 2011
- Resolution Agreement with Management Services Organization Washington, Inc. - December 13, 2010
- Resolution Agreement with Rite Aid Corporation - July 27, 2010
- Resolution Agreement with CVS Pharmacy, Inc. - January 16, 2009
- Resolution Agreement with Providence Health & Services - July 16, 2008