resolution agreement

Resolution Agreements

Corrective action / RA

Resolution · Case Against

Penalty

Corrective action / RA

Action type

Resolution agreement

Entity profile

NJ

Case number

Against

What went wrong

Resolution Agreements


Full description

Resolution Agreements and Civil Money Penalties

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

  • HHS’ Office for Civil Rights Settles HIPAA Investigation of MMG Fusion, LLC Breach - March 5, 2026
  • HHS’ Office for Civil Rights Settles HIPAA Ransomware Security Rule Investigation with BST & Co. CPAs, LLP - August 18, 2025
  • HHS’ Office for Civil Rights Settles HIPAA Ransomware Investigation with Syracuse ASC - July 23, 2025
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with a Behavioral Health Provider - July 7, 2025
  • HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Comstar, LLC - May 30, 2025
  • HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with a Florida Health Care Provider - May 28, 2025
  • HHS Office for Civil Rights Settles HIPAA Cybersecurity Investigation with Vision Upright MRI - May 15, 2025
  • HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Neurology Practice - April 25, 2025
  • HHS Office for Civil Rights Settles Phishing Attack Breach with Health Care Network for $600,000 - April 23, 2025
  • HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Public Hospital - April 17, 2025
  • HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with Northeast Radiology - April 4, 2025
  • HHS’ Office for Civil Rights Settles HIPAA Security Rule Investigation with Health Fitness Corporation - March 21, 2025
  • HHS Office for Civil Rights Imposes a $200,000 Penalty Against Oregon Health & Science University for Failure to Provide Timely Access to Patient Records - March 6, 2025
  • HHS Office for Civil Rights Imposes a $1,500,000 Civil Money Penalty Against Warby Parker in HIPAA Cybersecurity Hacking Investigation - February 20, 2025
  • HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $10,000 - January 15, 2025
  • HHS Office for Civil Rights Settles HIPAA Case Against Memorial Healthcare System Over Patient Access to Records - January 15, 2025
  • HHS Office for Civil Rights Settles HIPAA Phishing Cybersecurity Investigation with Solara Medical Supplies, LLC for $3,000,000 - January 14, 2025
  • HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with USR Holdings, LLC Concerning the Deletion of Electronic Protected Health Information - January 8, 2025
  • HHS Office for Civil Rights Settles 9th Ransomware Investigation with Virtual Private Network Solutions - January 7, 2025
  • HHS Office for Civil Rights Settles 8th Ransomware Investigation with Elgon Information Systems - January 7, 2025
  • HHS Office for Civil Rights Settles with Health Care Clearinghouse, Inmediata Health Group, Over HIPAA Impermissible Disclosure - December 10, 2024
  • HHS Office for Civil Rights Imposes a $548,265 Penalty Against Children’s Hospital Colorado for HIPAA Privacy and Security Rules Violations - December 5, 2024
  • HHS Office for Civil Rights Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations - December 3, 2024
  • HHS Office for Civil Rights Settles with Holy Redeemer Family Medicine Over Disclosure of Patient’s Protected Health Information, Including Reproductive Health Information - November 26, 2024
  • HHS Office for Civil Rights Imposes a $100,000 Penalty Against Mental Health Center for Failure to Provide Timely Access to Patient Records - November 19, 2024
  • HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation for $90,000 - October 31, 2024
  • HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000 - October 31, 2024
  • HHS Office for Civil Rights Imposes a $70,000 Civil Monetary Penalty Against Gums Dental Care for Failure to Provide Timely Access to Patient Records - October 17, 2024
  • HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation - October 3, 2024
  • HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000 - September 26, 2024
  • HHS Office for Civil Rights Settles HIPAA Security Rule Failures for $950,000 – July 1, 2024
  • HHS OCR Imposes a CMP on NJ Nursing Facility for Failing to Provide Timely Access to Patient Records - April 1, 2024
  • HHS’ OCR Settles HIPAA Investigation with Phoenix Healthcare - March 29, 2024
  • HHS OCR Work with Hospital to Improve Access to Kosher Electronic Devices Use for Virtual Patient Visitation - March 5, 2024
  • HHS Finalizes New Provisions to Enhance Integrated Care and Confidentiality for Patients with Substance Use Conditions – February 8, 2024
  • HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million - February 6, 2024
  • Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and Montiefore – November 16, 2023
  • HHS’ Office for Civil Rights Settles Optum Medical Care - November 15, 2023
  • HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter - November 20, 2023
  • HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation with Doctors’ Management Services - October 31, 2023
  • Green Ridge Behavioral Health, LLC Resolution Agreement and Corrective Action Plan - October 30, 2023
  • HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations - September 11, 2023
  • Voluntary Resolution Agreement Between The United States Department of Health and Human Services, Office for Civil Rights (“HHS”) and UnitedHealthcare Insurance Company – August 24, 2023
  • HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000 – June 28, 2023
  • Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement – June 15, 2023
  • HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative Online Reviews – June 5, 2023
  • HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000 – May 16, 2023
  • HHS Office for Civil Rights Enters Into $15,000 Settlement Resolving Potential HIPAA Violation Under the Right of Access Initiative – May 8, 2023
  • HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking - February 2, 2023
  • Lab Pays $16,500 Settlement to HHS, Resolving Potential HIPAA Violation over Medical Records Request - January 3, 2023
  • HHS Civil Rights Office Resolves HIPAA Right of Access Investigation with $20,000 Settlement - December 15, 2022
  • HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information - December 14, 2022
  • OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA - September 20, 2022
  • OCR Settles Case Concerning Improper Disposal of Protected Health Information - August 23, 2022
  • Read OCR's FAQs concerning HIPAA and the disposal of protected health information
  • Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA - July 15, 2022
  • Oklahoma State University - Center for Health Services Pays $875,000 to Settle Hacking Breach - July 14, 2022
  • Four HIPAA enforcement actions hold healthcare providers accountable with compliance - March 28, 2022
  • Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access - November 30, 2021
  • OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement - September 10, 2021
  • OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative - June 2, 2021
  • Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations - May 25, 2021
  • OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative - March 26, 2021
  • OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative - March 24, 2021
  • OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative - February 12, 2021
  • OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative - February 10, 2021
  • Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People - January 15, 2021
  • OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative - January 12, 2021
  • OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative - December 22, 2020
  • OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative - November 19, 2020
  • OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative - November 12, 2020
  • OCR Settles Tenth Investigation in HIPAA Right of Access Initiative - November 6, 2020
  • City Health Department failed to terminate former employee’s access to protected health information - October 30, 2020
  • Aetna Pays $1,000,000 to Settle Three HIPAA Breaches - October 28, 2020
  • OCR Settles Ninth Investigation in HIPAA Right of Access Initiative - October 9, 2020
  • OCR Settles Eighth Investigation in HIPAA Right of Access Initiative - October 7, 2020
  • Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People - September 25, 2020
  • HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual - September 23, 2020
  • Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules - September 21, 2020
  • OCR Settles Five More Investigations in HIPAA Right of Access Initiative - September 15, 2020
  • Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach - July 27, 2020
  • Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements – July 23, 2020
  • Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements - March 3, 2020
  • Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance - December 30, 2019
  • OCR Settles Second Case in HIPAA Right of Access Initiative - December 12, 2019
  • OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information - November 26, 2019
  • OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations - November 7, 2019
  • Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement - November 5, 2019
  • OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations - October 23, 2019
  • Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information - October 2, 2019
  • OCR Settles First Case in HIPAA Right of Access Initiative - September 9, 2019
  • Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach - May 23, 2019
  • Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients' Protected Health Information - May 6, 2019
  • OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement - February 7, 2019
  • Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million - February 7, 2019
  • Colorado hospital failed to terminate former employee’s access to electronic protected health information - December 11, 2018
  • Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement - December 4, 2018
  • Allergy Practice pays $125,000 to settle doctor's disclosure of patient information to a reporter - November 26, 2018
  • Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history – October 15, 2018
  • Unauthorized Disclosure of Patients’ Protected Health Information During ABC Documentary Filming Results in Multiple HIPAA Settlements Totaling $999,000 – September 20, 2018
  • Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations - June 18, 2018
  • Consequences for HIPAA violations don’t stop when a business closes - February 13, 2018
  • Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules - February 1, 2018
  • Failure to protect the health records of millions of people costs entity millions of dollars - December 28, 2017
  • Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k - May 23, 2017
  • Texas health system settles potential HIPAA violations for disclosing patient information - May 10, 2017
  • $2.5 million settlement shows that not understanding HIPAA requirements creates risk - April 24, 2017
  • No Business Associate Agreement? $31K Mistake - April 20, 2017
  • Overlooking risks leads to breach, $400,000 settlement - April 12, 2017
  • $5.5 million HIPAA settlement shines light on the importance of audit controls - February 16, 2017
  • Lack of timely action risks security and costs money - February 1, 2017
  • HIPAA settlement demonstrates importance of implementing safeguards for ePHI - January 18, 2017
  • First HIPAA enforcement action for lack of timely breach notification settles for $475,000 - January 9, 2017
  • UMass settles potential HIPAA violations following malware infection - November 22, 2016
  • $2.14 million HIPAA settlement underscores importance of managing security risk - October 17, 2016
  • HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements - September 23, 2016
  • Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million - August 4, 2016
  • Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016
  • Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016
  • Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement - June 29, 2016
  • Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016
  • $750,000 settlement highlights the need for HIPAA business associate agreements
  • Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement - March 17, 2016
  • $1.55 million settlement underscores the importance of executing HIPAA business associate agreements - March 16, 2016
  • Physical therapy provider settles violations that it impermissibly disclosed patient information - February 16, 2016
  • Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 - February 3, 2016
  • $750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis - December 14, 2015
  • Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement - November 30, 2015
  • HIPAA Settlement Reinforces Lessons for Users of Medical Devices - November 24, 2015
  • 750,000 HIPAA Settlement Emphasizes the Importance of Risk Analysis and Device and Media Control Policies - August 31, 2015
  • HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications - June 10, 2015
  • HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records - April 22, 2015
  • HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software - December 2, 2014
  • $800,000 HIPAA Settlement in Medical Records Dumping Case - June 23, 2014
  • Data Breach Results in $4.8 Million HIPAA Settlements - May 7, 2014
  • Concentra Settles HIPAA Case for $1,725,220 - April 22, 2014
  • QCA Settles HIPAA Case for $250,000 - April 22, 2014
  • County Government Settles Potential HIPAA Violations - March 7, 2014
  • Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - December 20, 2013
  • HHS Settles with Health Plan in Photocopier Breach Case - August 14, 2013
  • WellPoint Settles HIPAA Security Case for $1,700,000 - July 11, 2013
  • Shasta Regional Medical Center Settles HIPAA Privacy Case for $275,000 - June 13, 2013
  • Idaho State University Settles HIPAA Security Case for $400,000 - May 21, 2013
  • HHS announces first HIPAA breach settlement involving less than 500 patients - December 31, 2012
  • Massachusetts Provider Settles HIPAA Case for $1.5 Million - September 17, 2012
  • Alaska DHSS Settles HIPAA Security Case for $1,700,000 - June 26, 2012
  • HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards - April 13, 2012
  • HHS settles HIPAA case with BCBST for $1.5 million - March 13, 2012
  • Resolution Agreement with the University of California at Los Angeles Health System - July 6, 2011
  • Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. - February 14, 2011
  • Civil Money Penalty issued to Cignet Health of Prince George's County, MD - February 4, 2011
  • Resolution Agreement with Management Services Organization Washington, Inc. - December 13, 2010
  • Resolution Agreement with Rite Aid Corporation - July 27, 2010
  • Resolution Agreement with CVS Pharmacy, Inc. - January 16, 2009
  • Resolution Agreement with Providence Health & Services - July 16, 2008

Content last reviewed March 5, 2026

Timeline

  • Resolution
  • Incident and investigation milestones are not consistently published by OCR in machine-readable form.

Key takeaways for your organization

  • Treat internet-facing systems and vendor-hosted environments as in-scope for HIPAA risk analysis and technical safeguards testing.
  • Maintain an actionable risk analysis tied to remediation milestones; evidence should map to Security Rule implementation specifications.
  • Align policies, procedures, and evidence with the specific CFR provisions cited in OCR resolutions affecting your entity type.
  • Run tabletop exercises for breach response, OCR inquiry handling, and privilege-preserving communications with counsel.

Related actions

Source

U.S. Department of Health and Human Services release

Source: U.S. Department of Health and Human Services, Office for Civil Rights. medcomply.ai aggregates public materials for educational use — not legal advice.