Enforcement Data

Enforcement Highlights

See a summary of OCR’s enforcement activities and cumulative enforcement results from the implementation of the HIPAA Privacy Rule to the last month, including the number of cases in which OCR: obtained corrective action, did not find violations, referred the case to DOJ, or otherwise resolved.

For more information about how OCR reviews and investigates cases, here is a link to the HIPAA Privacy and Security Rule Complaint Process Flowchart: HIPAA Privacy and Security Rule Complaint Process.

Enforcement Results by Calendar Year

Cases that OCR closes fall into five categories:

  1. Resolved after intake & review (no investigation)

    OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. For example, OCR will close cases where: the organization alleged to have violated the HIPAA Rules is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior by the organization does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.

  2. Technical Assistance (no investigation):

    OCR provides Technical Assistance to the covered entity, business associate, and complainant through early intervention by investigators located in Headquarters or a Regional Office.

  3. No Violation* (investigated):

    OCR investigates and does not find any violations of the HIPAA Rules.

  4. Corrective Action Obtained* (investigated):

    OCR investigates and provides technical assistance to or requires the covered entity or business associate to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. In some cases, technical assistance is provided after investigation without requiring specific corrective action, for example, when the covered entity or business associate has already taken corrective action during the investigation or within the 60-day window prior to notifying OCR of the breach incident.

    Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html. To promote systemic reform that benefits the greatest number of individuals, in such cases, OCR settles for a percentage of any applicable civil money penalties OCR could impose and requires entities to reinvest in their enterprises to correct the underlying root causes for the noncompliance through a corrective action plan, which includes monitoring.

  5. Other:

    OCR may decide not to investigate a case further if:

    A. It is referred to the Department of Justice for prosecution.
    B. It involved a natural disaster.
    C. It was pursued, prosecuted, and resolved by state authorities.
    D. The covered entity or business associate has taken steps to comply with the HIPAA Rules and OCR determines enforcement resources are better/more effectively deployed in other cases.

*Due to the complexity of some cases, and the evidence needed to understand and/or prove indications of noncompliance, most investigations can take multiple years to investigate and resolve. In addition, multi-year monitoring of privacy and security practices may be required by OCR.

Enforcement Results by Year - Compliance Reviews

Annual numbers of breach and non-breach compliance reviews resolved

OCR initiates compliance reviews due to a variety of instigating events other than a complaint, including: media reports, referrals from other state and federal agencies, trends in complaints and/or breach reports received, or other ongoing indications of noncompliance identified by Headquarters or Regional staff.

Enforcement Results by State by Calendar Year - Complaints

Cumulative proportions of complaint cases resolved in each state:

This data represents the quantitative outcome of complaints resolved by state since the implementation of the HIPAA Privacy Rule on April 14, 2003 (see items 1, 2, 3, 4, and 5 above).

Number of Complaints Received by Calendar Year

Number of Complaints Received by Calendar Year

This data represents the number of complaints received since the implementation of the HIPAA Privacy Rule on April 14, 2003.

Top 5 Issues in Investigated Cases

This data represents the top five issues that were identified in cases that were investigated and closed with corrective action since the inception of the Privacy Rule on April 14, 2003 (see item 4 above). Multiple issues may be identified in any one case closed with corrective action. Other cases do not generally implicate issues of noncompliance with the HIPAA Rules (see items 1, 2, 3, and 5 above) and, as such, are not included in this data.

Content created by Office for Civil Rights (OCR)
Content last reviewed on March 22, 2019