Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should an entity subject to HIPAA fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) as well as state attorneys general for alleged violations of HIPAA and its Privacy, Security, and Breach Notification Rules.

The possibility of an enforcement action is unfortunately very real for HIPAA-subject entities. As of February 28, 2017, OCR has received more than 150,507 HIPAA-related complaints, and investigated and resolved more than 24,879 cases since 2003. Even if an entity successfully avoids a settlement or civil money penalties, a HIPAA investigation can be a painful and expensive experience.


Entities subject to HIPAA may thus feel in the dark as to just how frequently state and federal enforcement actions for alleged HIPAA violations are brought, and what penalties are typically imposed. To help entities better understand the ongoing activity of OCR and state attorneys general in the HIPAA enforcement space – and what penalties they may face for any alleged violation – DWT has distilled key information from OCR’s Resolution Agreements and Civil Money Penalties, and from HIPAA enforcement actions brought by state attorneys general, into an easily readable infographic.