New OCR data shed light on the costs of privacy noncompliance

While HIPAA enforcement isn’t nearly as fat a cash cow as enforcement of the False Claims Act (FCA) and other healthcare fraud laws, it still moves a lot of money out of the pockets of providers and into the hands of the federal government. But tracking the economics of HIPAA enforcement is tough because the government doesn’t publish data on HIPAA recovery amounts the way it does with the FCA. However, new data from the HHS Office of Civil Rights (OCR) have recently emerged that offer some rare insight into the dollars and cents of HIPAA enforcement over the past two decades. Here are some of the key figures, which cover April 2003, when HIPAA enforcement first began, through 2020:

  • $129,722,482: Total amount of civil penalties and settlements collected by OCR for HIPAA infractions;
  • $26 Million: Highest one-year total collected in past five years (2018);
  • $12 Million: Lowest one-year total collected in past five years (2019);
  • $16 Million: The highest ever settlement for a HIPAA violation, paid by Anthem in 2018 for a massive 2015 data breach affecting 79 million people;
  • 250,367: Total number of HIPAA complaints received by OCR; and
  • 3,992: Number of HIPAA complaints that remain open (2 percent of total complaints filed).

Top 5 HIPAA Complaints

The OCR report also lists the top 5 most frequent reasons that people file HIPAA complaints:

  1. Impermissible use or disclosure of an individual’s protected health information (PHI);
  2. Lack of adequate safeguards for PHI;
  3. Lack of patient access to their PHI;
  4. Lack of proper administrative safeguards for electronic PHI; and
  5. Use or disclosure of more than the necessary amount or type of PHI.


From a compliance officer’s perspective, perhaps the most meaningful number listed in the OCR report is 69, which is the percentage of HIPAA complaints that have resulted in a corrective action being taken against a provider. In other words, nearly 7 in 10 HIPAA complaints result in a fine and/or imposition of a corrective action. That’s a factoid you might want to cite next time you encounter resistance to HIPAA compliance initiatives.








