OCR Enforcement Results
Enforcement Results as of September 30, 2022 Since the compliance date of the Privacy Rule in April 2003, OCR has received over 309,475 HIPAA complaints and has initiated over 1,053 compliance reviews. We have resolved ninety-seven percent of these cases (300,427). OCR has investigated and resolved over 29,779 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR settled or imposed a civil money penalty in 126 cases resulting in a total dollar amount of $133,519,272.00. OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. In another 14,117 cases, our investigations found no violation had occurred. Additionally, in 52,133 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the rest of our completed cases (204,398), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which: - OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;
- The complaint is untimely, or withdrawn by the filer; and
- The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.
From the compliance date to the present, the compliance issues most often alleged in complaints are, compiled cumulatively, in order of frequency: - Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Lack of administrative safeguards of electronic protected health information; and
- Use or disclosure of more than the minimum necessary protected health information.
The most common types of covered entities that have been alleged to have committed violations are, in order of frequency: - General Hospitals;
- Private Practices and Physicians;
- Pharmacies;
- Outpatient Facilities; and
- Community Health Centers.
Referrals OCR refers to the Department of Justice (DOJ) for criminal investigation appropriate cases involving the knowing disclosure or obtaining of protected health information in violation of the Rules. As of the date of this summary, OCR made 1,552 such referrals to DOJ.
| Mental Health Center Provides Access and Revises Policies and Procedures Covered Entity: Mental Health Center Issue: Access, Restrictions The complainant alleged that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did not provide her with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts ...read more |
| HHS Issues Guidance on HIPAA and Audio-Only Telehealth Today, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth - PDF is no longer in effect. This guidance will help individuals ...read more |
| Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more |
| Hospital Implements New Minimum Necessary Polices for Telephone Messages Covered Entity: General Hospital Issue: Minimum Necessary; Confidential Communications A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures. ...read more |
|
July 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | 1 | 2 | 3 | 4 | 5 |
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
November 2022 (54)
January 2025 (1)
Blog Labels
ePHI (2)
Covered Entity (40)
Data Breach (1)
EHR Fraud (1)
Telehealth (1)
PPP Fraud (1)
HIPAA Enforcement (3)
BAA (4)
HIPAA (2)
|
