HIPAA Enforcement Data

The HHS Office for Civil Rights (OCR) is responsible for enforcement of the HIPAA Privacy and Security Rules. These standards give patients access to their medical records and control over uses and disclosures of their protected health information. The confidentiality of electronic protected health information is protected with administrative, technical and physical safeguards.

Since the 2003 compliance date, 94,445 HIPAA complaints have been filed with OCR. Of the cases investigated, 22,353 resulted in corrective actions, 10,057 were found to involve no violation, and 56,595 were ineligible for enforcement under HIPAA.


Source: HHS/OCR

According to the OCR, the most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  1. Private Practices
  2. General Hospitals
  3. Outpatient Facilities
  4. Health Plans (group health plans and health insurance issuers)


From the compliance date to the present, the compliance issues investigated most often, compiled cumulatively, are, in order of frequency:

  1. Impermissible uses and disclosures of protected health information
  2. Lack of safeguards of protected health information
  3. Lack of patient access to their protected health information
  4. Uses or disclosures of more than the minimum necessary protected health information
  5. Lack of administrative safeguards of electronic protected health information