Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should a HIPAA-subject entity ever fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) as well as state attorneys general for alleged violations of HIPAA and its Privacy, Security, and Breach Notification Rules.

The possibility of an enforcement action is unfortunately very real for HIPAA-subject entities. As of May 31, 2016, OCR has received more than 134,246 HIPAA-related complaints, and investigated and resolved more than 24,241 cases since 2003. Even if an entity successfully avoids a settlement or civil money penalties, just having to go through a HIPAA investigation can be a painful and expensive experience.

HIPAA-subject entities may thus feel a little in the dark as to just how frequently state and federal enforcement actions for perceived HIPAA violations are brought, and what penalties typically are imposed. To help entities better understand how active OCR and state attorneys general have been in the HIPAA enforcement space – and what penalties they may face for any alleged violation – DWT has distilled key information from OCR’s Resolution Agreements and Civil Money Penalties and enforcement actions by state attorneys general enforcing HIPAA into an easily readable infographic.


Key Takeaways

  • Since OCR entered into its first Resolution Agreement resolving a HIPAA violation complaint in 2008, OCR has engaged in 36 enforcement actions for alleged HIPAA violations. Of those, 23 enforcement actions resulted from a covered entity’s or business associate’s own breach report to OCR.
  • Settling with OCR doesn’t come without a cost. OCR typically imposes monetary penalties in HIPAA settlements, with the average settlement amount being $1,070,585.
  • You need to fix the problem. In all settlements but one, the entities that entered into settlements with OCR agreed to a corrective action plan, which requires remediation of the alleged violation and usually ongoing reporting to OCR of their efforts to comply with the settlement terms for the duration of the corrective action plan. The average corrective action plan is approximately two years.
  • Nearly 70% of OCR enforcement actions involved electronic protected health information (ePHI), demonstrating that continued compliance with the HIPAA Security Rule remains a central focus for OCR. Covered entities and business associates therefore should, for example: conduct and update as needed a risk analysis as required by the Security Rule to identify potential risks and vulnerabilities to ePHI; and manage risk by implementing appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and security of ePHI. Entities also should revisit their compliance efforts to verify that they meet the Security Rule requirements.
  • From 2008 onward, the number of OCR enforcement actions resolved annually has ticked steadily upward: in 2015, OCR resolved six complaints in total. As of June 10, 2016, the agency has resolved just as many, signaling that 2016 may see a record-breaking number of enforcement actions and settlements.
  • State attorneys general also have been active in HIPAA enforcement: in just over six years, 11 enforcement actions have been conducted by chief state law enforcement officers. Massachusetts has been the most active, with five settlements so far.