Skip to Main Content
Services Talent Knowledge
Site Search

Blog Post

September 18, 2018

HHS Reveals Top HIPAA Enforcement Areas

The Department of Health and Human Services’ Office of Civil Rights recently published its cumulative enforcement results since the enactment of the HIPAA Privacy Rule in 2003.

As of July 31, 2018, OCR received over 186,450 HIPAA complaints and initiated over 905 compliance reviews. It has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Ninety-six percent of the cases were resolved by OCR. Many were resolved by requiring changes in privacy practices and corrective actions by the HIPAA-covered entities and their business associates, or by providing technical assistance to the covered entities or their associates. To date, OCR has settled or imposed a civil money penalty in 55 cases, resulting in a total dollar amount of over $78 million.

The compliance issues investigated most are, in order of frequency:

  • Impermissible uses and disclosures of protected health information
  • Lack of safeguards of PHI
  • Lack of patient access to their PHI
  • Lack of administrative safeguards of electronic PHI
  • Use or disclosure of more than the minimum necessary PHI

The most common types of covered entities required to take corrective action to achieve voluntary compliance are, in order of frequency:

  • General hospitals
  • Private practices and physicians
  • Outpatient facilities
  • Pharmacies
  • Health plans (group health plans and health insurance issuers)

As these results indicate, OCR continues to be active in HIPAA enforcement, which can result in significant penalties to covered entities. Health care organizations are encouraged to review their HIPAA policies and procedures for newly evolving risks, revisit staff training on the organization’s specific procedures (including the appropriate use of texting and mobile equipment), and review the oversight and management of the organization’s process for identifying, investigating, disclosing, and documenting HIPAA breaches and security incidents.

More information on enforcement activities can be obtained by visiting

If you have any questions regarding the content of this blog post, please contact Fran Ciardullo, special counsel, at or 315.425.2866.


Click here to sign up for alerts, blog posts, and firm news.


Sign up to receive our latest news via email

Practice Areas

Featured Industries

New & Emerging Industry Practice Areas


View our Privacy Policy

Featured Media


COVID-19: NYS Governor Cuomo Announces Additional Aid for Small Businesses


COVID-19: Additional Loan Forgiveness Guidance


COVID-19: OPWDD Updates Billing Guidance for Certain Providers


COVID-19: Eligible Massachusetts Businesses Begin Reopening Under Commonwealth's Four-Phase Plan


NYS Statutes of Limitation Further Tolled During COVID-19


COVID-19: Eligible Connecticut Businesses to Open May 20

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out