HIPAA News Releases

UnitedHealthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request – August 24, 2023

HHS OCR & FTC Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Tech – July 20, 2023

OCR/FTC Letters*

* People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov.

HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000 – June 28, 2023

Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement – June 15, 2023

HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative Online Reviews – June 5, 2023

HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000 – May 16, 2023

HHS Office for Civil Rights Enters Into $15,000 Settlement Resolving Potential HIPAA Violation Under the Right of Access Initiative – May 8, 2023

HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care - April 12, 2023

OCR Announces Expiration of COVID-19 PHE HIPAA Notifications of Enforcement Discretion - April 11, 2023

HHS Office for Civil Rights Delivers Annual Reports to Congress on HIPAA Compliance and Breaches of Unsecured Protected Health Information - February 17, 2023

HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking - February 2, 2023

HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information - December 1, 2022

HHS Office for Civil Rights and SAMHSA Propose New Protections to Help Increase Care Coordination and Confidentiality for Patient Substance Use Disorder Records - November 28, 2022

OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA - September 20, 2022

OCR Settles Case Concerning Improper Disposal of Protected Health Information - August 23, 2022

Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA - July 15, 2022

Oklahoma State University - Center for Health Services Pays $875,000 to Settle Hacking Breach - July 14, 2022

HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe - June 29, 2022

HHS Issues Guidance on HIPAA and Audio-Only Telehealth - June 13, 2022

HHS' Office for Civil Rights Seeks Public Comment on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements Under the HITECH Act - April 6, 2022

Four HIPAA enforcement actions hold healthcare providers accountable with compliance - March 28, 2022

HHS Notice and Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy - March 2, 2022

Statement by HHS Secretary Xavier Becerra Reaffirming HHS Support and Protection for LGBTQI+ Children and Youth - March 2, 2022

Improving the Cybersecurity Posture of Healthcare in 2022 - February 28, 2022

HHS Issues Guidance on HIPAA and Disclosures of Protected Health Information for Extreme Risk Protection Orders - December 20, 2021

HHS Office for Civil Rights Commemorates World AIDS Day - December 1, 2021

Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access - November 30, 2021

OCR Issues Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace - September 30, 2021

U.S. Department of Health and Human Services Announces Lisa J. Pino as Director for Office for Civil Rights - September 27, 2021

El Departamento de Salud y Servicios Humanos de los EE. UU. Anuncia a Lisa J. Pino como Directora de la Oficina de Derechos Civiles - 27 de septiembre de 2021

OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement - September 10, 2021

OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative - June 2, 2021

Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations - May 25, 2021

OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative - March 26, 2021

OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative - March 24, 2021

Extension of the Public Comment Period for Proposed Modifications to the HIPAA Privacy Rule - March 9, 2021

OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative - February 12, 2021

OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative - February 10, 2021

OCR Announces Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications for the Scheduling of COVID-19 Vaccination Appointments - January 19, 2021

Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People - January 15, 2021

OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative - January 12, 2021

OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative - December 22, 2020

OCR Issues Guidance on HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes - December 18, 2020

OCR Issues Audit Report on Health Care Industry Compliance with the HIPAA Rules - December 17, 2020

HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens - December 10, 2020

OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative - November 19, 2020

OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative - November 12, 2020

OCR Settles Tenth Investigation in HIPAA Right of Access Initiative - November 6, 2020

City Health Department failed to terminate former employee’s access to protected health information - October 30, 2020

Aetna Pays $1,000,000 to Settle Three HIPAA Breaches - October 28, 2020

OCR Settles Ninth Investigation in HIPAA Right of Access Initiative - October 9, 2020

OCR Settles Eighth Investigation in HIPAA Right of Access Initiative - October 7, 2020

Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People - September 25, 2020

HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual - September 23, 2020

Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules - September 21, 2020

OCR Settles Five More Investigations in HIPAA Right of Access Initiative - September 15, 2020

Trump Administration Adds Health Plans to June 2020 Plasma Donation Guidance - August 24, 2020

Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach - July 27, 2020

Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements - July 23, 2020

OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities - June 12, 2020

OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities - May 5, 2020

OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency - April 9, 2020

OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency - April 2, 2020

OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency - March 28, 2020

OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19 - March 24, 2020

OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion - March 20, 2020

OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency - March 17, 2020

Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements - March 3, 2020

OCR Issues Guidance to Help Ensure Equal Access to Emergency Services and the Appropriate Sharing of Medical Information Following Puerto Rico Earthquakes - January 09, 2020

Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance - December 30, 2019

OCR Settles Second Case in HIPAA Right of Access Initiative - December 12, 2019

OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information - November 26, 2019

OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations - November 7, 2019

Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement - November 5, 2019

OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations - October 23, 2019

Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information - October 2, 2019

OCR Settles First Case in HIPAA Right of Access Initiative - September 9, 2019

OCR Issues Guidance to Help Ensure Equal Access to Emergency Services and the Appropriate Sharing of Medical Information during Hurricane Dorian - September 3, 2019

Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach - May 23, 2019

Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients' Protected Health Information - May 6, 2019

OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement - February 7, 2019

Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million - February 7, 2019

Colorado hospital failed to terminate former employee’s access to electronic protected health information - December 11, 2018

Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement - December 4, 2018

Allergy Practice pays $125,000 to settle doctor's disclosure of patient information to a reporter - November 26, 2018

OCR provides FAQs on Patient Access and APIs

OCR released frequently asked questions about the Health Insurance Portability and Accountability Act (HIPAA) right of access related to apps designated by the individual and application programming interfaces (APIs) used by the provider’s electronic health record system. This release was in conjunction with CMS and ONC announcing that they are extending the public comment period by 30 days for two proposed regulations aimed at promoting the interoperability of health information technology and enabling patients to electronically access their health information.

OCR Launches Public Education Campaign About Civil Rights Protections in Response to the National Opioid Crisis - October 25, 2018

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) launched a public education campaign on civil rights protections in response to the national opioid crisis. The materials inform the public about civil rights protections that may apply to a person in recovery from an opioid addiction and ensure that covered entities are aware of their obligation to comply with federal nondiscrimination laws.

Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history – October 15, 2018

Unauthorized Disclosure of Patients’ Protected Health Information During ABC Doumentary Filming Results in Multiple HIPAA Settlements Totaling $999,000 – September 20, 2018

A previous version of this release mistakenly identified the TV series as “Boston Med.” “Boston Med,” also an ABC television series, was not involved in this investigation.

OCR Issues Guidance to Help Ensure Equal Access to Emergency Services and the Appropriate Sharing of Medical Information During Hurricane Florence

In preparation for Hurricane Florence, OCR has issued a press release providing resources and effective practices to help emergency responders and officials effectively serve at-risk populations and ensure that the whole community is included in emergency response and recovery efforts. OCR continues to coordinate with our sister agencies and federal partners to make sure that responsible officials are mindful of all segments of the community as they prepare for disaster response in the areas affected by Hurricane Florence.

Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations - June 18, 2018

Consequences for HIPAA violations don’t stop when a business closes - February 13, 2018

Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules - February 1, 2018

Failure to protect the health records of millions of people costs entity millions of dollars - December 28, 2017

HHS Office for Civil Rights Issues Guidance on how HIPAA Allows Information Sharing to Address the Opioid Crisis - October 27, 2017

Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k - May 23, 2017

Texas health system settles potential HIPAA violations for disclosing patient information - May 10, 2017

$2.5 million settlement shows that not understanding HIPAA requirements creates risk - April 24, 2017

No Business Associate Agreement? $31K Mistake - April 20, 2017

Overlooking risks leads to breach, $400,000 settlement - April 12, 2017

$5.5 million HIPAA settlement shines light on the importance of audit controls - February 16, 2017

Lack of timely action risks security and costs money - February 1, 2017