
HIPAA Lessons from HHS OCR

HIPAA violation penalties include fines, mandated remediations, and vital lessons for all healthcare providers

HIPAA violations settled this year by the Health & Human Services Office for Civil Rights (HHS OCR) include important lessons for all healthcare providers. Three settlements offer typical examples of the penalties imposed, corrective actions mandated, and lessons delivered.

  • February 6, 2024. HHS OCR settles malicious insider cybersecurity investigation with Montefiore Medical Center for $4.75 Million, including resolution of multiple HIPAA Security Rule violations.
  • March 29, 2024. HHS OCR settles HIPAA investigation into Phoenix Healthcare’s failure to provide timely patient access to medical records. Phoenix’s fine was reduced from the proposed $250,000 because of tenuous financial circumstances documented to the OCR.
  • April 1, 2024. HHS OCR imposes a HIPAA violation penalty of $100,000 on Essex Residential Care LLC, of New Jersey, for failing to provide timely access to patient records as required by HIPAA.

Below are the pertinent details of the violations of the Health Insurance Portability and Accountability Act (HIPAA) along with the lessons delivered as part of each HHS OCR settlement. Disregard at your own risk.


Employee Theft and Sale of PHI Not Discovered for Two Years

Montefiore Medical Center, a non-profit hospital system based in New York City, was found by the OCR to be in violation of several requirements of the HIPAA Security Rule. The $4.75 million monetary settlement and required corrective action plan resolve multiple potential violations by the hospital system. The HIPAA violations created data security failures that enabled an employee to steal and sell patients’ protected health information (PHI) over a six-month period.

It started in May 2015, when the New York Police Department informed Montefiore Medical Center that it had obtained evidence that a specific patient’s medical information had been stolen. Montefiore launched an internal investigation, which revealed that in 2013 one of its employees had stolen the electronic PHI of 12,517 patients and sold the information to an identity theft ring. Montefiore Medical Center filed a data breach report with the OCR as required by the Breach Notification Rule.

OCR’s investigation into the data breach found multiple potential violations of the HIPAA Security Rule at Montefiore, including:

  • Failure to analyze and identify potential risks and vulnerabilities to PHI,
  • Failure to monitor and safeguard its health information systems’ activity, and
  • Failure to implement policies and procedures that record and examine activity in information systems containing or using protected health information.

According to the OCR Press Release dated February 6, 2024, “without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later.”

Under the terms of the settlement, Montefiore will pay $4,750,000 to the OCR and implement a corrective action plan that meets HIPAA requirements for the protection and security of PHI. These mandatory corrective actions include:

  • Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI,
  • Developing a written risk management plan to address and mitigate the risks and vulnerabilities identified in the risk assessment,
  • Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use electronic PHI,
  • Reviewing and revising written policies and procedures to comply with the HIPAA Privacy and Security Rules, and
  • Providing training to its workforce on HIPAA policies and procedures.

OCR will monitor Montefiore Medical Center for two years to ensure compliance with the corrective action plan.


Delaying Right of Access to Medical Records a Serious HIPAA Violation

Residential Care LLC / Hackensack Meridian Health

On April 1, 2024, the HHS Office for Civil Rights imposed a HIPAA violation penalty of $100,000 on Essex Residential Care LLC of New Jersey (doing business as Hackensack Meridian Health) for failing to provide a patient’s personal representative with timely access to patient records as required by the HIPAA Privacy Rule. The Rule’s Right of Access provision specifies a 30-day response window, with one 30-day extension allowable in certain circumstances.

In May 2020, the OCR received a complaint that Hackensack Meridian Health failed to provide a personal representative with access to his mother’s medical records. The records were allegedly withheld even after Hackensack Meridian Health received sufficient documentation demonstrating that the son was serving as his mother’s personal representative. The requested records were finally sent to the personal representative in November 2020 as a result of OCR’s investigation.

“The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” said OCR Director Melanie Fontes Rainer in a press release. “OCR will continue to vigorously enforce this essential right to ensure compliance by healthcare facilities across the country.”

Phoenix Healthcare

On March 29, 2024, the OCR settled a HIPAA investigation into Phoenix Healthcare’s failure to provide timely patient access to medical records. The fine was reduced from a proposed $250,000 to $75,000 due to documented claims of the healthcare organization’s tenuous financial circumstances.

OCR’s investigation involved a daughter, serving as a personal representative for her mother, who was not able to obtain access to her mother’s PHI for nearly a year, despite multiple requests. In April 2019, a complaint was filed with the OCR. Phoenix Healthcare finally sent the requested records on January 30, 2020—more than 10 months after the initial request.


How to Avoid HIPAA Violation Penalties from HHS OCR

Analysis of data breach reports submitted to the OCR in 2022 revealed that 55 million individuals had been affected by large breaches. In 2023, that number spiked to 134 million. And in the first month of 2024, 57 data breaches affecting 500 or more individuals were reported to the OCR, putting 2024 on pace to exceed 2023 in reported data breaches.

Against this disturbing backdrop, the OCR urges healthcare providers, health plans, business associates, and clearinghouses to implement the following safeguards to reduce their vulnerability to cyberthreats.

  • Review all vendor and contractor relationships to ensure business associate agreements are in place, appropriate, and address breach reporting requirements.
  • Integrate risk analysis and risk management into business processes; ensure risk assessments are conducted regularly and when new technologies and business operations are planned; and ensure audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Employ multi-factor authentication to ensure only authorized users are accessing protected health information.
  • Encrypt PHI to guard against unauthorized access.
  • Incorporate lessons from previous incidents into the overall security management process.
  • Provide training specific to organization and job responsibilities on a regular basis and reinforce the critical role employees play in protecting data privacy and security.

According to a press release, the OCR is “committed to helping healthcare entities understand health information regulations and to collaboratively working with entities to navigate the serious challenges we face together. OCR encourages all to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected.”

To that end, numerous resources have been created and made available at the OCR website to assist covered entities in the increasingly urgent quest to implement cybersecurity recommendations to properly safeguard PHI.



As the enforcement arm of the Department of Health & Human Services, the Office for Civil Rights receives and investigates complaints of HIPAA violations and reports of data breaches. According to an OCR statement on March 13, 2024, ransomware and hacking are the primary cyberthreats in healthcare. “Over the past five years, there has been a 256% increase in large breaches reported to the OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR.”

Ongoing hacks, thefts, insider crimes, and other data breaches continue to plague the healthcare industry as providers, business associates, and other covered entities struggle to achieve full HIPAA compliance. Until they do, the OCR will investigate, report its findings in press releases, impose HIPAA violation penalties, mandate detailed corrective action plans, and closely monitor compliance.



Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24by7Security blog to learn more from Sanjay.
