Since the compliance date of the Privacy Rule in April 2003, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) received over 225,378 Health Insurance Portability and Accountability Act (HIPAA) complaints and initiated over 993 compliance reviews.

As of Dec. 31, 2019, the office resolved 99% (222,175) of cases. More than 27,600 cases were resolved by requiring changes in privacy practices and corrective actions by or providing technical assistance to HIPAA covered entities and their business associates. OCR settled or imposed a civil money penalty in 73 cases resulting in a total dollar amount of $111,855,582.00.

Various types of entities have been investigated, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. In another 12,094 cases, OCR investigations found that a violation had not occurred. Additionally, in 40,882 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.

In the remainder of the cases (141,595), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:

  • OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;
  • The complaint is untimely, or withdrawn by the filer; and
  • The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.

[Infographic: HIPAA Violations. HHS resolves about 99% of HIPAA-related complaints. Health plans are among the least likely entities to violate the rule.]

From the compliance date to the present, the compliance issues most often alleged in complaints are, compiled cumulatively, in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronically protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

The most common types of covered entities that have been alleged to have committed violations are, in order of frequency:

  • General Hospitals;
  • Private Practices and Physicians;
  • Outpatient Facilities;
  • Pharmacies; and
  • Health Plans (group health plans and health insurance issuers).

Referrals

OCR refers appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rules to the Department of Justice (DOJ) for criminal investigation.