Enforcement Highlights February 2019
HIPPA Privacy Rule Enforcement Highlights and Results as of February 2019.
Final
Issued by: Office for Civil Rights (OCR)
Issue Date: July 11, 1905
Enforcement Highlights
For information on the history of and details about each of the HIPAA Rules, please visit https://www.hhs.gov/hipaa/for-professionals/index.html and click on “Privacy,” “Security,” or “Breach Notification” from the left-hand tool-bar.
Enforcement Results as of February 28, 2019
Since the compliance date of the Privacy Rule in April 2003, OCR has received over 201,663 HIPAA complaints and has initiated over 931 compliance reviews. We have resolved ninety-eight percent of these cases (197,467).
OCR has investigated and resolved over 26,683 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled or imposed a civil money penalty in 63 cases resulting in a total dollar amount of $99,581,582.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
In another 11,699 cases, our investigations found no violation had occurred.
Additionally, in 33,473 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.
In the rest of our completed cases, (125,612) OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:
- OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;
- The complaint is untimely, or withdrawn by the filer. The activity described does not violate the HIPAA Rules;
- The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.
From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information.
- Use or disclosure of more than the minimum necessary protected health information.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
- General Hospitals;
- Private Practices and Physicians;
- Outpatient Facilities;
- Pharmacies; and
- Health Plans (group health plans and health insurance issuers).
Referrals
OCR refers to the Department of Justice (DOJ) for criminal investigation appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rules. As of the date of this summary, OCR made 719 such referrals to DOJ.
Watch for monthly updates reporting the number of cases received, investigated or resolved.
HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.