The Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) is responsible for enforcing the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Enforcement of the Privacy Rule began on April 14, 2003, and enforcement of the Security Rule began on April 20, 2005. In addition, covered entities have been required to comply with the HIPAA Breach Notification Rule since September 23, 2009.[1]

OCR relies on complaints filed by third parties, breach reports submitted by covered entities themselves, and media reports to identify targets for compliance reviews. If a covered entity is found to have committed serious violations during a compliance review, HHS may require the entity to enter into a “Resolution Agreement” (“RA”), which typically includes a monetary settlement payment and a corrective action plan.

[Table: OCR Resolution Agreements]

Trends in Enforcement Activities and Fines

[Graph: Trends in Enforcement Activities and Fines]

What to consider when assessing the impact of an OCR investigation:

[Table: Factors to consider when assessing the impact of an OCR investigation]