Enforcement Highlights - September 2017

(As of September 30, 2017)

The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities (health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers and health care clearinghouses) and by their business associates.  The Privacy Rule provides patients with access to their medical records and with other important rights.  Compliance with the Privacy Rule was required as of April 14, 2003 for most entities covered by HIPAA, and by September 23, 2013, for their business associates.

The HIPAA Security Rule establishes national standards for the security of electronic protected health information.  The Security rule specifies a series of administrative, technical, and physical security safeguards for covered entities and their business associates to assure the integrity, availability, and confidentiality of electronic protected health information.  Compliance with the Security rule was required as of April 20, 2005, for most entities covered by HIPAA, and by September 23, 2013, for their business associates.  The authority to administer and enforce the Security Rule was transferred to OCR on July 27, 2009.

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify the Secretary, individuals, and in some cases, the media, regarding breaches of unsecured protected health information.  Compliance with the standards was required as of September 23, 2009.

Enforcement Results as of the Date of This Summary

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 165,175 HIPAA complaints and has initiated over 851 compliance reviews.  We have resolved ninety-seven percent of the complaint cases (160,770).

OCR has investigated and resolved over 25,441 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates.  Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve.  OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate, which may include settling with the entity in lieu of imposing a civil money penalty.  To date, OCR has settled 52 such cases resulting in a total dollar amount of $72,929,182.00.  OCR has investigated complaints against many different types of entities including:  national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

In another 11,334 cases, our investigations found no violation had occurred. 

Additionally, in 23,276 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.

In the rest of our completed cases, (100,719) OCR determined that the complaint did not present an eligible case for enforcement.  These include cases in which:

  • OCR lacks jurisdiction under HIPAA.  For example, in cases alleging a violation by an entity not covered by HIPAA;
  • The complaint is untimely, or withdrawn by the filer.  The activity described does not violate the HIPAA Rules;
  • The activity described does not violate the HIPAA Rules.  For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.  

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  • Private Practices;
  • General Hospitals;
  • Outpatient Facilities;
  • Pharmacies; and
  • Health Plans (group health plans and health insurance issuers).


OCR refers to the Department of Justice (DOJ) for criminal investigation appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rules.  As of the date of this summary, OCR made 643 such referrals to DOJ.

Watch for monthly updates reporting the number of cases received, investigated or resolved.

Content created by Office for Civil Rights (OCR)
Content last reviewed on November 9, 2017