The numbers seem to paint an odd picture. In 2018, the federal Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) received 25,912 health information privacy complaints, that is, complaints alleging violations of the HIPAA Privacy Rule or the HIPAA Security Rule.

The annual number of HIPAA privacy complaints has risen every year since 2015.

Historically, the number of HIPAA privacy complaints, and of corrective actions OCR requires as a result, has increased after new rules take effect. For example, after the passage of the 2009 HITECH Act (which requires covered entities to document breaches, report them, and notify affected patients), the number of entities required to take corrective action rose, peaking in 2010 at 2,709.

Yet while the number of HIPAA privacy complaints has gone up since 2015, the number of complaints on which OCR takes formal action, meaning action that ends in a formal settlement, has gone down.

The decline can be attributed at least in part to a change in OCR’s approach to HIPAA complaints in 2014. That year, OCR began relying more heavily on informal intervention as a way of responding to HIPAA privacy complaints. HIPAA regulations permit the HHS Secretary to resolve a complaint by informal means, which include demonstrated compliance, a completed corrective action plan, or other measures.

In some instances, informal intervention takes the form of technical assistance: HHS provides guidance to the healthcare organizations and contractors that were the subject of a HIPAA privacy complaint. Under this process, HHS does not require the organization to take corrective action or enter into a compliance agreement. Instead, by providing the assistance, HHS effectively puts the organization “on notice” that more serious consequences will follow if subsequent complaints are filed against it.

While the number of formal interventions has gone down, the number of informal interventions taken in response to HIPAA privacy complaints has grown sharply since 2015. At the beginning of 2015, OCR had informally intervened in a cumulative 7,883 cases. By the end of 2018 that cumulative total had quadrupled, to slightly over 32,000. These interventions have prompted organizations to change their privacy and security practices.

OCR’s compliance strategy should be taken seriously by all providers and contractors. OCR still fines noncompliant organizations vigorously: to date, OCR’s settlements and civil money penalties add up to $102,681,582, over a hundred million dollars. And an organization that has been put on notice through informal intervention and then becomes the subject of another complaint can still be audited and fined.

The HIPAA Privacy and Security Rules are among the most important components of HIPAA. If your organization does not have an effective compliance program that meets the requirements of these rules, you are exposed to an OCR investigation, which will be resolved either formally or informally. Any investigation, formal or informal, costs time and money and diverts attention from your core business.
