Resolution Agreements

Resolution Agreements and Civil Money Penalties

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

• Lack of timely action risks security and costs money - February 1, 2017

• HIPAA settlement demonstrates importance of implementing safeguards for ePHI - January 18, 2017

• First HIPAA enforcement action for lack of timely breach notification settles for $475,000 - January 9, 2017

• UMass settles potential HIPAA violations following malware infection – November 22, 2016

• $2.14 million HIPAA settlement underscores importance of managing security risk – October 17, 2016

• HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements – September 23, 2016

• Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million - August 4, 2016

• Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016

• Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016

• Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement – June 29, 2016

• Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016

• $750,000 settlement highlights the need for HIPAA business associate agreements

• Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement - March 17, 2016

• $1.55 million settlement underscores the importance of executing HIPAA business associate agreements - March 16, 2016

• Physical therapy provider settles violations that it impermissibly disclosed patient information - February 16, 2016

• Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 - February 3, 2016

• $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis - December 14, 2015

• Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement - November 30, 2015

• HIPAA Settlement Reinforces Lessons for Users of Medical Devices - November 24, 2015

• 750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies - August 31, 2015

• HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications - June 10, 2015

• HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records - April 22, 2015

• HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software - December 2, 2014

• $800,000 HIPAA Settlement in Medical Records Dumping Case - June 23, 2014

• Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014

• Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014

• QCA Settles HIPAA Case for $250,000 – April 22, 2014

• County Government Settles Potential HIPAA Violations - March 7, 2014

• Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - December 20, 2013

• HHS Settles with Health Plan in Photocopier Breach Case - August 14, 2013

• WellPoint Settles HIPAA Security Case for $1,700,000 - July 11, 2013

• Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 - June 13, 2013

• Idaho State University Settles HIPAA Security Case for $400,000 - May 21, 2013

• HHS announces first HIPAA breach settlement involving less than 500 patients - December 31, 2012

• Massachusetts Provider Settles HIPAA Case for $1.5 Million – September 17, 2012

• Alaska DHSS Settles HIPAA Security Case for $1,700,000 – June 26, 2012

• HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards - April 13, 2012

• HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012

• Resolution Agreement with the University of California at Los Angeles Health System - July 6, 2011 

• Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. - February 14, 2011

• Civil Money Penalty issued to Cignet Health of Prince George's County, MD - February 4, 2011

• Resolution Agreement with Management Services Organization Washington, Inc. - December 13, 2010

• Resolution Agreement with Rite Aid Corporation - July 27, 2010

• Resolution Agreement with CVS Pharmacy, Inc. - January 16, 2009

• Resolution Agreement with Providence Health & Services - July 16, 2008