HHS Office for Civil Rights Delivers Annual Reports to Congress on HIPAA Compliance and Breaches of Unsecured Protected Health Information - February 17, 2023
HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking - February 2, 2023
HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information - December 1, 2022
HHS Office for Civil Rights and SAMHSA Propose New Protections to Help Increase Care Coordination and Confidentiality for Patient Substance Use Disorder Records - November 28, 2022
OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA - September 20, 2022
OCR Settles Case Concerning Improper Disposal of Protected Health Information - August 23, 2022
Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA - July 15, 2022
Oklahoma State University - Center for Health Services Pays $875,000 to Settle Hacking Breach - July 14, 2022
HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe - June 29, 2022
HHS Issues Guidance on HIPAA and Audio-Only Telehealth - June 13, 2022
Four HIPAA enforcement actions hold healthcare providers accountable with compliance - March 28, 2022
HHS Notice and Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy - March 2, 2022
- Statement by HHS Secretary Xavier Becerra Reaffirming HHS Support and Protection for LGBTQI+ Children and Youth - March 2, 2022
Improving the Cybersecurity Posture of Healthcare in 2022 - February 28, 2022
HHS Issues Guidance on HIPAA and Disclosures of Protected Health Information for Extreme Risk Protection Orders - December 20, 2021
HHS Office for Civil Rights Commemorates World AIDS Day - December 1, 2021
Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access - November 30, 2021
OCR Issues Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace - September 30, 2021
U.S. Department of Health and Human Services Announces Lisa J. Pino as Director for Office for Civil Rights - September 27, 2021
El Departamento de Salud y Servicios Humanos de los EE. UU. Anuncia a Lisa J. Pino como Directora de la Oficina de Derechos Civiles - 27 de septiembre de 2021
OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement - September 10, 2021
OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative - June 2, 2021
Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations - May 25, 2021
OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative - March 26, 2021
OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative - March 24, 2021
Extension of the Public Comment Period for Proposed Modifications to the HIPAA Privacy Rule - March 9, 2021
OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative - February 12, 2021
OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative - February 10, 2021
OCR Announces Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications for the Scheduling of COVID-19 Vaccination Appointments - January 19, 2021
Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People - January 15, 2021
OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative - January 12, 2021
OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative - December 22, 2020
OCR Issues Guidance on HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes - December 18, 2020
OCR Issues Audit Report on Health Care Industry Compliance with the HIPAA Rules - December 17, 2020
HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens - December 10, 2020
OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative - November 19, 2020
OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative - November 12, 2020
OCR Settles Tenth Investigation in HIPAA Right of Access Initiative - November 6, 2020
City Health Department failed to terminate former employee’s access to protected health information - October 30, 2020
Aetna Pays $1,000,000 to Settle Three HIPAA Breaches - October 28, 2020
OCR Settles Ninth Investigation in HIPAA Right of Access Initiative - October 9, 2020
OCR Settles Eighth Investigation in HIPAA Right of Access Initiative - October 7, 2020
Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People - September 25, 2020
HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual - September 23, 2020
Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules - September 21, 2020
OCR Settles Five More Investigations in HIPAA Right of Access Initiative - September 15, 2020
Trump Administration Adds Health Plans to June 2020 Plasma Donation Guidance - August 24, 2020
Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach - July 27, 2020
Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements - July 23, 2020
OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities - June 12, 2020
OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency - April 9, 2020
OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency - March 28, 2020
OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19 - March 24, 2020
OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion - March 20, 2020
OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency - March 17, 2020
Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements - March 3, 2020
OCR Issues Guidance to Help Ensure Equal Access to Emergency Services and the Appropriate Sharing of Medical Information Following Puerto Rico Earthquakes - January 09, 2020
Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance - December 30, 2019
OCR Settles Second Case in HIPAA Right of Access Initiative - December 12, 2019
OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information - November 26, 2019
OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations - November 7, 2019
Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement - November 5, 2019
OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations - October 23, 2019
Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information - October 2, 2019
OCR Settles First Case in HIPAA Right of Access Initiative - September 9, 2019
OCR Issues Guidance to Help Ensure Equal Access to Emergency Services and the Appropriate Sharing of Medical Information during Hurricane Dorian - September 3, 2019
Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach - May 23, 2019
OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement - February 7, 2019
Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million - February 7, 2019
Colorado hospital failed to terminate former employee’s access to electronic protected health information - December 11, 2018
Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement - December 4, 2018
Allergy Practice pays $125,000 to settle doctor's disclosure of patient information to a reporter - November 26, 2018
OCR provides FAQs on Patient Access and APIs
OCR released frequently asked questions about the Health Insurance Portability and Accountability Act (HIPAA) right of access related to apps designated by the individual and application programming interfaces (APIs) used by the provider’s electronic health record system. This release was in conjunction with CMS and ONC announcing that they are extending the public comment period by 30 days for two proposed regulations aimed at promoting the interoperability of health information technology and enabling patients to electronically access their health information.
OCR Launches Public Education Campaign About Civil Rights Protections in Response to the National Opioid Crisis - October 25, 2018
Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) launched a public education campaign on civil rights protections in response to the national opioid crisis. The materials inform the public about civil rights protections that may apply to a person in recovery from an opioid addiction and ensure that covered entities are aware of their obligation to comply with federal nondiscrimination laws.
Anthem pays OCR $16 Million in record HIPAA settlement following largest health data breach in history – October 15, 2018
Unauthorized Disclosure of Patients’ Protected Health Information During ABC Doumentary Filming Results in Multiple HIPAA Settlements Totaling $999,000 – September 20, 2018
A previous version of this release mistakenly identified the TV series as “Boston Med.” “Boston Med,” also an ABC television series, was not involved in this investigation.
OCR Issues Guidance to Help Ensure Equal Access to Emergency Services and the Appropriate Sharing of Medical Information During Hurricane Florence
In preparation for Hurricane Florence, OCR has issued a press release providing resources and effective practices to help emergency responders and officials effectively serve at-risk populations and ensure that the whole community is included in emergency response and recovery efforts. OCR continues to coordinate with our sister agencies and federal partners to make sure that responsible officials are mindful of all segments of the community as they prepare for disaster response in the areas affected by Hurricane Florence.
- Read the HHS Press Release
- Visit the Civil Rights Emergency Preparedness Page
- Visit the HIPAA Emergency Preparedness Page
Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations - June 18, 2018
Consequences for HIPAA violations don’t stop when a business closes - February 13, 2018
Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules - February 1, 2018
Failure to protect the health records of millions of people costs entity millions of dollars - December 28, 2017
HHS Office for Civil Rights Issues Guidance on how HIPAA Allows Information Sharing to Address the Opioid Crisis - October 27, 2017
Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k - May 23, 2017
Texas health system settles potential HIPAA violations for disclosing patient information - May 10, 2017
$2.5 million settlement shows that not understanding HIPAA requirements creates risk - April 24, 2017
No Business Associate Agreement? $31K Mistake - April 20, 2017
Overlooking risks leads to breach, $400,000 settlement - April 12, 2017
$5.5 million HIPAA settlement shines light on the importance of audit controls - February 16, 2017
Lack of timely action risks security and costs money - February 1, 2017
HIPAA settlement demonstrates importance of implementing safeguards for ePHI - January 18, 2017
Comunicado de prensa (Spanish) - PDF
First HIPAA enforcement action for lack of timely breach notification settles for $475,000 - January 9, 2017
UMass settles potential HIPAA violations following malware infection - November 22, 2016
$2.14 million HIPAA settlement underscores importance of managing security risk - October 17, 2016
OCR Releases New Guidance on HIPAA and Cloud Computing - October 6, 2016
HIPAA settlement illustrates the importance of reviewing and updating, as necessary, business associate agreements - September 23, 2016
Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million - August 4, 2016
Multiple alleged HIPAA violations result in $2.75 million settlement with the University of Mississippi Medical Center (UMMC) - July 21, 2016
Widespread HIPAA vulnerabilities result in $2.7 million settlement with Oregon Health & Science University - July 18, 2016
Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement - June 29, 2016
HHS Guidance Regarding Patient Safety Work Product and Providers’ External Obligations -
June 23, 2016
Clarification of Permissible Fees for HIPAA Right of Access - Flat Rate Option Up to $6.50 is Not a Cap on All Fees for Copies of PHI - May 23, 2016
Unauthorized Filming for "NY Med" Results in $2.2 Million Settlement with New York Presbyterian Hospital - April 21, 2016
$750,000 settlement highlights the need for HIPAA business associate agreements - April 19, 2016
OCR Launches Phase 2 of HIPAA Audit Program - March 21, 2016
Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement - March 17, 2016
$1.55 million settlement underscores the importance of executing HIPAA business associate agreements - March 16, 2016
New HIPAA Guidance Reiterates Patients’ Right to Access Health Information and Clarifies Appropriate Fees for Copies - February 25, 2016
Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework - 02/24/2016
Physical therapy provider settles violations that it impermissibly disclosed patient information - 02/16/2016
Administrative Law Judge rules in favor of OCR enforcement, requiring Lincare, Inc. to pay $239,800 - 02/03/2016
Individuals’ Right Under HIPAA to Access their Health Information - 01/07/2016
OCR Launches Redesigned Website
Obama Administration Modifies HIPAA to Strengthen the Firearm Background Check System - 01/04/2016
$750,000 HIPAA Settlement Underscores the Need for Organization Wide Risk Analysis - 12/14/2015
Triple-S Management Corporation Settles HHS Charges by Agreeing to $3.5 Million HIPAA Settlement - 11/30/2015
HIPAA Settlement Reinforces Lessons for Users of Medical Devices - 11/25/2015
OCR Invites Developers to Ask Questions about HIPAA Privacy and Security - 10/5/2015
HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications - 7/10/2015
HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records - 4/30/2015
NEW Guidance on HIPAA and Workplace Wellness Programs - 4/16/15
Version 2.0 of the Guide to Privacy and Security of Electronic Health Information released. - PDF - 4/13/2015
