U.S. Health and Human Services OCR enforcement results in nationwide trend of six- and seven-figure settlements against nonprofit healthcare providers and business associates

Over the past 24 months, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has brought notable enforcement efforts against several non-profit covered entities and business associates, resulting in six- and seven-figure penalties against providers across the country for incidents involving breaches of protected health information (PHI).

By way of background, the OCR’s authority to investigate covered entities and business associates for violations of the HIPAA Privacy and Security Rules includes the OCR’s power to propose a monetary settlement to resolve investigations as well as the OCR’s authority to subject covered entities and business associates to civil money penalties (CMP), which, as of 2024, range from $141 to $71,162 per violation.[1]

Since the compliance date of the HIPAA Privacy Rule set in April of 2003 through April of 2023, the OCR received over 328,151 HIPAA complaints, resulting in a cumulative total of roughly $134,828,772 for settlements or CMPs.

Concerning enforcement action taken against non-profit organizations, in 2023 alone the OCR initiated and settled several notable investigations. On February 2, 2023, for example, the OCR took action against the Arizona-based non-profit health system Banner Health, which agreed to a $1.25 million resolution following a 2016 data breach that involved the electronic protected health information (ePHI) of 2.81 million individuals. Specifically, the OCR found several potential violations on the part of Banner Health, including “insufficient monitoring of its health information systems’ activity to protect against a cyber-attack,” “failure to implement an authentication process to safeguard its electronic protected health information,” and “failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.”

Similarly, on May 15, 2023, the OCR reached a settlement in the amount of $240,000 with Yakima Valley Memorial Hospital, a nonprofit healthcare system located in the state of Washington, for a matter the OCR described as involving “snooping in medical records” in which – according to the OCR– twenty-three (23) security guards impermissibly accessed patient records “without a job-related purpose.”

In addition to non-profit covered entities, the OCR also continues to exercise its enforcement power against business associates, that is, organizations that create, receive, maintain or transmit PHI on behalf of a covered entity, such as vendors that process ePHI for healthcare providers.

For example, shortly after the Yakima Valley Memorial Hospital settlement, on May 16, 2023, OCR reached a settlement with the Arkansas-based business associate MedEvolve, Inc. As part of the settlement, MedEvolve, Inc. agreed to pay a $350,000 resolution amount stemming from a 2018 incident involving a file transfer protocol (FTP) server that was “openly accessible to the internet,” leaving the PHI of some 230,572 individuals accessible. In addition to the underlying facts of the breach, OCR also took issue with MedEvolve, Inc.’s “lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization” and its “failure to enter into a business associate agreement with a subcontractor.”

Recent enforcement actions in 2024 demonstrate that the OCR is continuing to move forward with enforcement actions against non-profit organizations and business associates for violations of both the HIPAA Privacy Rule[2] and the HIPAA Security Rule.[3] For example, on February 6, 2024, OCR settled with Montefiore Medical Center, a New York City-based non-profit hospital system, for several potential violations of the HIPAA Security Rule, resulting in a monetary penalty of $4.75 million. According to the OCR, the potential violations at issue in this complaint were the result of data security failures by Montefiore that allowed a Montefiore employee to steal and sell patients’ PHI over the course of six months.

The OCR similarly reached another settlement on October 3, 2024, with the non-profit organization Providence Medical Institute located in Southern California. According to the OCR, this settlement in the amount of $240,000 arose following a series of three (3) ransomware attacks that, per the OCR, impacted internal systems and the ePHI of 85,000 individuals between February and March of 2018. This case marked the fifth OCR enforcement action against an organization due to a ransomware-related breach since 2018.

Considering the increase in ransomware attacks on hospitals and other HIPAA-covered entities, the stringent requirements of the HIPAA Security Rule, and the expanded scope of organizations within the OCR’s focus, we should expect the cadence of enforcement actions brought by the OCR to continue to rise. McDonald Hopkins’ Cybersecurity and Data Privacy team is prepared to assist with rapid response and representation of HIPAA covered entities and business associates addressing privacy/security incidents or subjected to investigations brought by the OCR.

[1] 45 C.F.R. § 102.3.

[2] The Privacy Rule is located at 45 CFR Part 160 and Part 164, Subparts A and E.

[3] The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
