
September 18, 2018

HHS Reveals Top HIPAA Enforcement Areas

The Department of Health and Human Services’ Office of Civil Rights (OCR) recently published its cumulative enforcement results since the enactment of the HIPAA Privacy Rule in 2003.

As of July 31, 2018, OCR had received over 186,450 HIPAA complaints and initiated over 905 compliance reviews. It has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Ninety-six percent of the cases were resolved by OCR. Many were resolved by requiring changes in privacy practices and corrective actions by the HIPAA-covered entities and their business associates, or by providing technical assistance to the covered entities or their associates. To date, OCR has settled or imposed a civil money penalty in 55 cases, resulting in a total dollar amount of over $78 million.

The compliance issues investigated most are, in order of frequency:

  • Impermissible uses and disclosures of protected health information (PHI)
  • Lack of safeguards of PHI
  • Lack of patient access to their PHI
  • Lack of administrative safeguards of electronic PHI
  • Use or disclosure of more than the minimum necessary PHI

The most common types of covered entities required to take corrective action to achieve voluntary compliance are, in order of frequency:

  • General hospitals
  • Private practices and physicians
  • Outpatient facilities
  • Pharmacies
  • Health plans (group health plans and health insurance issuers)

As these results indicate, OCR continues to be active in HIPAA enforcement, which can result in significant penalties to covered entities. Health care organizations are encouraged to review their HIPAA policies and procedures for newly evolving risks, revisit staff training on the organization’s specific procedures (including the appropriate use of texting and mobile equipment), and review the oversight and management of the organization’s process for identifying, investigating, disclosing, and documenting HIPAA breaches and security incidents.

More information on enforcement activities can be obtained by visiting HHS.gov.

If you have any questions regarding the content of this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com or 315.425.2866.
