Calendar year 2024 brought a range of high-impact HIPAA enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). By the year’s end, OCR had collected over $9 million through various settlements and final determinations. Interestingly, 2024 stands out for having the most final determinations (i.e., definitive impositions of a Civil Money Penalty) in OCR’s HIPAA enforcement history. However, it remains the case that most matters are resolved cooperatively through settlement agreements. Across hospitals, nursing facilities, EMS providers, physician offices (including dental and specialty practices), and even a health care clearinghouse, OCR’s actions highlighted the ongoing importance of thorough risk analyses, timely patient access to records, comprehensive workforce training, and secure system configurations.
Final Enforcement Outcomes and Total Amount Collected
By December 31, OCR announced fourteen resolved actions—eight (8) via Settlement Agreements (also known as Resolution Agreements) and six (6) through Final Determinations (i.e., CMPs were imposed). Collectively, these final outcomes yielded $9,108,846 in monetary payments.
Among the largest of these was a $4.75 million settlement with Montefiore Medical Center for a breach involving the sale of patient information by an employee. Other settlements addressed issues like misconfigured web portals (exposing over 1.5 million individuals’ data), inadequate or delayed ransomware responses, failing to train certain workforce segments (e.g., nursing students), and prolonged refusal to provide patients with copies of their own records.
How OCR Enforces HIPAA: Settlements vs. Proposed Notices vs. Final Determinations
Since so many HIPAA enforcement cases in 2024 ended in CMPs (rather than a resolution agreement), I thought it would be a good time to revisit exactly how that happens. Legally, an enforcement action can unfold in three main ways under HIPAA:
- Settlement Agreement (Resolution Agreement). When OCR finds potential violations, it often engages in settlement discussions with the covered entity or business associate. Should both sides agree, the entity pays a negotiated amount (a “resolution amount”), typically agrees to a multi-year Corrective Action Plan, and avoids a formal hearing. This type of settlement is final once signed and is reported as a closed enforcement action.
- Notice of Proposed Determination (NPD). If settlement discussions fail or do not occur, OCR may formally propose a Civil Money Penalty. The “notice” states the alleged violation(s) and proposed penalty. The entity then may:
  - Accept and pay the penalty,
  - Request a hearing before an administrative law judge, or
  - Attempt to negotiate further.
  As long as the matter remains in “proposed” status (i.e., under a Notice of Proposed Determination), no final payment is due yet, and the total is not counted among collected amounts.
- Final Determination. If the entity does not request a hearing or the administrative law judge upholds the penalty, OCR issues a Final Determination. At that point, the Civil Money Penalty is imposed. The amount is then collected (unless subject to further appeal). Final Determinations usually follow an unresolved or uncontested NPD.
Who Faced Enforcement and Why
Of the 14 enforcement actions announced in 2024, the overwhelming majority—13—involved health care providers. These ranged from large hospital systems and long-term care facilities to ambulance authorities, specialized surgical clinics, a family medicine office, and a dental practice. One action targeted a health care clearinghouse (Inmediata Health Group), underscoring that any HIPAA-regulated entity can face scrutiny.
Frequent infractions included:
- Risk Analysis Failures: Entities had not thoroughly assessed or mitigated vulnerabilities in their systems, leaving electronic PHI at high risk.
- Delayed Right of Access: Several faced enforcement after repeatedly denying or delaying records requests.
- Misconfigurations or Ransomware: A handful of large breaches stemmed from poorly secured portals, unpatched servers, or staff inadvertently permitting unauthorized access.
- Workforce Training Gaps: Some neglected to train students or rotating staff, exposing PHI to privacy risks.
Observations and Looking Ahead
Biggest Single Check: Montefiore’s $4.75 million settlement overshadowed every other single-case figure of 2024, illustrating how a large-scale breach and internal misuse of PHI can draw severe penalties.
Right of Access Initiative Lives On: Hackensack Meridian’s $100,000 fine and Gums Dental Care’s $70,000 penalty both illustrate OCR’s continued focus on ensuring patients receive copies of their medical records within HIPAA’s mandated timelines.
Widespread Ransomware: From Heritage Valley to Plastic Surgery Associates and beyond, ransomware attacks yielded major settlements (in the $90k to $950k range), primarily for failing to conduct comprehensive risk analyses or implement strong incident response plans.
Clearinghouse Liability: Inmediata’s case showed that clearinghouses remain squarely in OCR’s sights, especially regarding public exposure of PHI due to web misconfigurations.
With the total final penalty and settlement figure topping $9 million, 2024 demonstrates OCR’s unwavering stance on basic HIPAA requirements—particularly risk analysis, timely patient access, and thorough workforce training. Going into 2025, any entity handling PHI should ensure the fundamentals are in place: robust security risk assessments, fully executed vendor agreements, validated training for everyone touching PHI, and immediate compliance with patient record requests.