Enforcement Highlights

(As of March 31, 2011)

PRIVACY RULE

The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers; and health care clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed. Compliance with the standards was required as of April 14, 2003 for most entities covered by HIPAA. On that date, OCR began accepting complaints involving the privacy of personal health information in the health care system.

Privacy Rule Enforcement Results as of the Date of This Summary

  • HHS / OCR has investigated and resolved over 13,294 cases by requiring changes in privacy practices and other corrective actions by the covered entities. Corrective actions obtained by HHS from these entities have resulted in change that is systemic and that affects all the individuals they serve. HHS has successfully enforced the Privacy Rule by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
  • In another 6,906 cases, our investigations found no violation had occurred.
  • In the rest of our completed cases (34,297), HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. These include cases in which:
    • OCR lacks jurisdiction under HIPAA – such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule;
    • the complaint is untimely, or withdrawn or not pursued by the filer;
    • the activity described does not violate the Rule – such as when the covered entity has disclosed protected health information in circumstances in which the Rule permits such a disclosure.
  • In summary, since the compliance date in April 2003, HHS has received over 59,745 HIPAA Privacy complaints. We have resolved over ninety-one percent of complaints received (over 54,497): through investigation and enforcement (over 13,294); through investigation and finding no violation (6,906); and through closure of cases that were not eligible for enforcement (34,297).

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the Minimum Necessary protected health information; and
  5. Complaints to the covered entity.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and,
  5. Pharmacies.

Referrals

OCR refers to the Department of Justice (DOJ) for criminal investigation appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rule. As of the date of this summary, OCR made over 491 such referrals to DOJ.

SECURITY RULE

The HIPAA Security Rule establishes national standards for the security of electronic protected health information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications. Compliance with the standards was required as of April 20, 2005, for most entities covered by HIPAA. The authority to administer and enforce the Security Rule was transferred to OCR on July 27, 2009.

Security Rule Enforcement Results as of the Date of This Summary

  • Since OCR began reporting its Security Rule enforcement results in October 2009, HHS has received approximately 368 complaints alleging a violation of the Security Rule.  During this period, we closed 165 complaints after investigation and appropriate corrective action.  As of March 31, 2011, OCR had 270 open complaints and compliance reviews.

Watch for monthly updates reporting the number of cases received, investigated or resolved.

Content created by Office for Civil Rights (OCR)
Content last reviewed on October 21, 2015