OCR has investigated and resolved over 27,109 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates.
Corrective actions obtained by OCR from these entities have resulted in systemic change that affects all the individuals they serve.
OCR has successfully conducted HIPAA enforcement under the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or its business associate. To date, as a result of its HIPAA enforcement efforts, OCR has settled or imposed a civil money penalty in 65 cases, resulting in a total dollar amount of $102,681,582.00. As part of those efforts, OCR has investigated complaints against many different types of entities, including:
- National pharmacy chains
- Major medical centers
- Group health plans
- Hospital chains
- Small provider offices
In another 11,863 cases, investigations found no violation had occurred.
Additionally, in 37,522 cases, OCR engaged in early intervention efforts by providing technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the HIPAA Privacy Rule, without the need for an investigation.
In the remainder of its completed cases (133,637), OCR determined that the complaint did not present an eligible case for enforcement. These cases did not present an eligible case for HIPAA enforcement for the following reasons:
- OCR lacked jurisdiction under HIPAA – that is, OCR lacked legal authority to take action against an entity named in a complaint, because the entity was not an entity the HIPAA law authorizes action to be taken against.
- The complaint was untimely, or withdrawn by the person or entity filing it.
- The activity described did not constitute a violation of HIPAA Rules.
  - For example, when a covered entity has disclosed protected health information (PHI) in circumstances in which the HIPAA Privacy Rule permits such a disclosure, there is no violation to complain about.
From the 2003 compliance date to the present, the compliance issues most often investigated are, compiled cumulatively and in order of frequency:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information (ePHI)
- Use or disclosure of more than the minimum necessary protected health information
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
- General Hospitals
- Private Practices and Physicians
- Outpatient Facilities
- Pharmacies
- Health Plans (group health plans and health insurance issuers)
What are HIPAA Enforcement “Referrals”?
OCR has referred 760 cases to the Department of Justice (DOJ) for criminal investigation. These cases involve the knowing disclosure or obtaining of protected health information (PHI) in violation of the HIPAA Rules.