Record HIPAA Enforcement Activity in 2018

Why is HIPAA Compliance Important to Us at UW-Madison?  What’s the Big Deal?

2018 marked a record period of HIPAA enforcement activity by the Office of Civil Rights (OCR) at the United States Department of Health and Human Services (DHHS). In 2018, OCR’s enforcement activity yielded a total of $28.7 million through settlements and fines. This amount includes OCR’s largest HIPAA-related settlement to date, with Anthem Inc., for $16 million. OCR is likely to continue expanding its enforcement activities moving forward. They are actively recruiting for and hiring additional complaint investigators and directors for offices across the country!

The University of Wisconsin is subject to HIPAA; our status as a public educational institution does not insulate us from HIPAA enforcement.

During 2018, the well-known academic institutions and teaching hospitals listed below paid settlements or fines to OCR in the following amounts:

  • University of Texas / MD Anderson Cancer Center ($4.35M)
  • Massachusetts General Hospital ($515K)
  • Brigham and Women’s Hospital ($384K)
  • Boston Medical Center ($100K)

OCR investigated MD Anderson’s HIPAA compliance after MD Anderson reported three separate data breaches to OCR in 2012 and 2013. The penalties levied against MD Anderson related to failures to use encryption to adequately protect patients’ and research subjects’ Protected Health Information (PHI).

Massachusetts General Hospital, Brigham and Women’s Hospital, and Boston Medical Center were each investigated after HHS discovered a 2014 news story about a medical documentary program (“Boston Med”) being filmed at these hospital locations. The settlements related to the hospitals’ failures to obtain authorizations from patients before they were filmed and their PHI was disclosed to the Boston Med film crew.

The training and reminders you receive throughout the year are crafted to help address potential areas of risk identified by OCR as the driving factors behind settlements such as the ones briefly summarized above.

Be sure you follow our institution’s HIPAA Privacy and Security Policies when working with PHI for clinical, research, and teaching purposes.

We need to be good stewards of PHI. This is required by law, helps us avoid fines, and is the right thing to do!

Contact the HIPAA Coordinators for your health care component unit with any questions about HIPAA Privacy or HIPAA Security.