Resolution Agreements

Resolution Agreements and Civil Money Penalties

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

• HHS’ Office for Civil Rights Settles HIPAA Investigation of MMG Fusion, LLC Breach - March 5, 2026

• HHS’ Office for Civil Rights Settles HIPAA Ransomware Security Rule Investigation with BST & Co. CPAs, LLP - August 18, 2025

• HHS’ Office for Civil Rights Settles HIPAA Ransomware Investigation with Syracuse ASC - July 23, 2025
• HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with a Behavioral Health Provider - July 7, 2025
• HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Comstar, LLC - May 30, 2025
• HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with a Florida Health Care Provider - May 28, 2025
• HHS Office for Civil Rights Settles HIPAA Cybersecurity Investigation with Vision Upright MRI - May 15, 2025
• HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Neurology Practice - April 25, 2025
• HHS Office for Civil Rights Settles Phishing Attack Breach with Health Care Network for $600,000 - April 23, 2025
• HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital - April 17, 2025
• HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with Northeast Radiology - April 4, 2025
• HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation - March 21, 2025
• HHS Office for Civil Rights Imposes a $200,000 Penalty Against Oregon Health & Science University for Failure to Provide Timely Access to Patient Records - March 6, 2025
• HHS Office for Civil Rights Imposes a $1,500,000 Civil Money Penalty Against Warby Parker in HIPAA Cybersecurity Hacking Investigation - February 20, 2025
• HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $10,000 - January 15, 2025
• HHS Office for Civil Rights Settles HIPAA Case Against Memorial Healthcare System Over Patient Access to Records - January 15, 2025
• HHS Office for Civil Rights Settles HIPAA Phishing Cybersecurity Investigation with Solara Medical Supplies, LLC for $3,000,000 - January 14, 2025
• HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with USR Holdings, LLC Concerning the Deletion of Electronic Protected Health Information - January 8, 2025
• HHS Office for Civil Rights Settles 9th Ransomware Investigation with Virtual Private Network Solutions - January 7, 2025
• HHS Office for Civil Rights Settles 8th Ransomware Investigation with Elgon Information Systems - January 7, 2025
• HHS Office for Civil Rights Settles with Health Care Clearinghouse, Inmediata Health Group, Over HIPAA Impermissible Disclosure - December 10, 2024
• HHS Office for Civil Rights Imposes a $548,265 Penalty Against Children’s Hospital Colorado for HIPAA Privacy and Security Rules Violations - December 5, 2024
• HHS Office for Civil Rights Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations - December 3, 2024
• HHS Office for Civil Rights Settles with Holy Redeemer Family Medicine Over Disclosure of Patient’s Protected Health Information, Including Reproductive Health Information - November 26, 2024
• HHS Office for Civil Rights Imposes a $100,000 Penalty Against Mental Health Center for Failure to Provide Timely Access to Patient Records - November 19, 2024
• HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000 - October 31, 2024
• HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000 - October 31, 2024
• HHS Office for Civil Rights Imposes a $70,000 Civil Monetary Penalty Against Gums Dental Care for Failure to Provide Timely Access to Patient Records - October 17, 2024
• HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation - October 3, 2024
• HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000 - September 26, 2024
• HHS Office for Civil Rights Settles HIPAA Security Rule Failures for $950,000 – July 1, 2024
• HHS OCR Imposes a CMP on NJ Nursing Facility for Failing to Provide Timely Access to Patient Records - April 1, 2024
• HHS’ OCR Settles HIPAA Investigation with Phoenix Healthcare - March 29, 2024
• HHS OCR Work with Hospital to Improve Access to Kosher Electronic Devices Use for Virtual Patient Visitation- March 5, 2024
• HHS Finalizes New Provisions to Enhance Integrated Care and Confidentiality for Patients with Substance Use Conditions – February 8, 2024
• HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million - February 6, 2024
• Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and Montiefore – November 16, 2023
• HHS’ Office for Civil Rights Settles Optum Medical Care - November 15, 2023
• HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter - November 20, 2023
• HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation with Doctors’ Management Services - October 31, 2023
• Green Ridge Behavioral Health, LLC Resolution Agreement and Corrective Action Plan - October 30, 2023
• HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations - September 11, 2023
• Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company  – August 24, 2023
• HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000  – June 28, 2023
• Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement – June 15, 2023
• HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative Online Reviews – June 5, 2023
• HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000 – May 16, 2023
• HHS Office for Civil Rights Enters Into $15,000 Settlement Resolving Potential HIPAA Violation Under the Right of Access Initiative – May 8, 2023
• HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking - February 2, 2023
• Lab Pays $16,500 Settlement to HHS, Resolving Potential HIPAA Violation over Medical Records Request - January 3, 2023
• HHS Civil Rights Office Resolves HIPAA Right of Access Investigation with $20,000 Settlement - December 15, 2022
• HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information - December 14, 2022
• OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA - September 20, 2022
• OCR Settles Case Concerning Improper Disposal of Protected Health Information - August 23, 2022
  • Read OCR's FAQs concerning HIPAA and the disposal of protected health information
• Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA - July 15, 2022
• Oklahoma State University - Center for Health Services Pays $875,000 to Settle Hacking Breach - July 14, 2022
• Four HIPAA enforcement actions hold healthcare providers accountable with compliance - March 28, 2022
• Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access - November 30, 2021
• OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement - September 10, 2021
• OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative - June 2, 2021
• Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations - May 25, 2021
• OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative - March 26, 2021
• OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative - March 24, 2021
• OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative - February 12, 2021
• OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative - February 10, 2021
• Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People - January 15, 2021
• OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative - January 12, 2021
• OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative - December 22, 2020
• OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative - November 19, 2020
• OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative - November 12, 2020
• OCR Settles Tenth Investigation in HIPAA Right of Access Initiative - November 6, 2020
• City Health Department failed to terminate former employee’s access to protected health information - October 30, 2020
• Aetna Pays $1,000,000 to Settle Three HIPAA Breaches - October 28, 2020
• OCR Settles Ninth Investigation in HIPAA Right of Access Initiative - October 9, 2020
• OCR Settles Eighth Investigation in HIPAA Right of Access Initiative - October 7, 2020
• Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People - September 25, 2020
• HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual - September 23, 2020
• Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules - September 21, 2020
• OCR Settles Five More Investigations in HIPAA Right of Access Initiative - September 15, 2020
• Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach - July 27, 2020
• Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements – July 23, 2020
• Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements - March 3, 2020
• Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance - December 30, 2019
• OCR Settles Second Case in HIPAA Right of Access Initiative - December 12, 2019
• OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information - November 26, 2019
• OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations - November 7, 2019
• Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement - November 5, 2019
• OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations - October 23, 2019
• Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information - October 2, 2019
• OCR Settles First Case in HIPAA Right of Access Initiative - September 9, 2019
• Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach - May 23, 2019
• Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients' Protected Health Information - May 6, 2019
• OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement - February7, 2019
• Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million - February 7, 2019
• Colorado hospital failed to terminate former employee’s access to electronic protected health information - December 11, 2018
• Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement - December 4, 2018
• Allergy Practice pays $125,000 to settle doctor's disclosure of patient information to a reporter - November 26, 2018
• Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history – October 15, 2018
• Unauthorized Disclosure of Patients’ Protected Health Information During ABC Documentary Filming Results in Multiple HIPAA Settlements Totaling $999,000 – September 20, 2018
• Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations - June 18, 2018
• Consequences for HIPAA violations don’t stop when a business closes - February 13, 2018
• Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules - February 1, 2018
• Failure to protect the health records of millions of people costs entity millions of dollars - December 28, 2017
• Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k  - May 23, 2017
• Texas health system settles potential HIPAA violations for disclosing patient information - May 10, 2017
• $2.5 million settlement shows that not understanding HIPAA requirements creates risk - April 24, 2017
• No Business Associate Agreement?  $31K Mistake - April 20, 2017
• Overlooking risks leads to breach, $400,000 settlement - April 12, 2017
• $5.5 million HIPAA settlement shines light on the importance of audit controls - February 16, 2017
• Lack of timely action risks security and costs money - February 1, 2017
• HIPAA settlement demonstrates importance of implementing safeguards for ePHI - January 18, 2017
• First HIPAA enforcement action for lack of timely breach notification settles for $475,000 - January 9, 2017
• UMass settles potential HIPAA violations following malware infection - November 22, 2016
• $2.14 million HIPAA settlement underscores importance of managing security risk - October 17, 2016
• HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements - September 23, 2016
• Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million - August 4, 2016
• Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016
• Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016
• Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement - June 29, 2016
• Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016
• $750,000 settlement highlights the need for HIPAA business associate agreements
• Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement - March 17, 2016
• $1.55 million settlement underscores the importance of executing HIPAA business associate agreements - March 16, 2016
• Physical therapy provider settles violations that it impermissibly disclosed patient information - February 16, 2016
• Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 - February 3, 2016
• $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis - December 14, 2015
• Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement - November 30, 2015
• HIPAA Settlement Reinforces Lessons for Users of Medical Devices - November 24, 2015
• 750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies - August 31, 2015
• HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications - June 10, 2015
• HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records - April 22, 2015
• HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software - December 2, 2014
• $800,000 HIPAA Settlement in Medical Records Dumping Case - June 23, 2014
• Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014
• Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014
• QCA Settles HIPAA Case for $250,000 - April 22, 2014
• County Government Settles Potential HIPAA Violations - March 7, 2014
• Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - December 20, 2013
• HHS Settles with Health Plan in Photocopier Breach Case - August 14, 2013
• WellPoint Settles HIPAA Security Case for $1,700,000 - July 11, 2013
• Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 - June 13, 2013
• Idaho State University Settles HIPAA Security Case for $400,000 - May 21, 2013
• HHS announces first HIPAA breach settlement involving less than 500 patients - December 31, 2012
• Massachusetts Provider Settles HIPAA Case for $1.5 Million - September 17, 2012
• Alaska DHSS Settles HIPAA Security Case for $1,700,000 - June 26, 2012
• HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards - April 13, 2012
• HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012
• Resolution Agreement with the University of California at Los Angeles Health System - July 6, 2011
• Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. - February 14, 2011
• Civil Money Penalty issued to Cignet Health of Prince George's County, MD - February 4, 2011
• Resolution Agreement with Management Services Organization Washington, Inc. - December 13, 2010
• Resolution Agreement with Rite Aid Corporation - July 27, 2010
• Resolution Agreement with CVS Pharmacy, Inc. - January 16, 2009
• Resolution Agreement with Providence Health & Services - July 16, 2008