Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

USA: OCR announces $1.25M settlement with Banner Health

The U.S Department of Health and Human Services ('HHS') Office for Civil Rights ('OCR') announced, on 2 February 2023, that it had reached a settlement, with the transaction number 16-245464, with Banner Health Affiliated Covered Entities to pay the OCR $1,250,000 as well as undertake a Corrective Action Plan ('CAP') to settle a potential violation of §§164.308 and 312 of Subpart C of Part 164 of Subchapter C of Title 45 of the Code of Federal Regulations ('C.F.R.') in accordance with the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy and Security Rules, following a data breach reported by Banner Health.

Background to the case

The OCR explained that it had initiated an investigation against Banner Health following a breach report submitted by Banner in which it stated that, on 13 July 2016, Banner Health discovered that a third party had gained unauthorised access to the electronic protected health information ('ePHI'). In particular, the total number of individuals involved was determined to be 2.81 million.

Findings of the OCR

Based on the investigation carried out, the OCR found potential violations of the following requirements:

  • to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Banner;
  • to implement sufficient procedures to regularly review records of information system activity;
  • to implement procedures to verify that a person or entity seeking access to ePHI is the one claimed; and
  • to implement technical security measures to guard against unauthorised access to ePHI that is being transmitted over an electronic communications network.


In conclusion, the OCR noted that Banner Health agreed to pay $1,250,000 as a resolution amount for the settlement, noting that the agreement is not an admission of liability by Banner Health. Moreover, Banner Health committed to undertake a CAP, which will include, among other things:

  • conducting accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organisation;
  • develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
  • develop, implement, and distribute policies and procedures for:
    • a risk analysis and risk management plan;
    • the regular review of activity within their information systems;
    • an authentication process to provide safeguards to data and records; and
    • security measures to protect ePHI from unauthorised access when it is being transmitted electronically; and
  • report to HHS within 30 days when workforce members fail to comply with the HIPAA Security Rule.

You can read the press release here and the resolution agreement and CAP here.