Make Enhanced HIPAA Compliance a New Year’s Resolution


January 31, 2023

The Department of Health & Human Services, Office for Civil Rights (OCR) has published its “Enforcement Highlights” as of the end of the calendar year 2022. Since the 2003 Privacy Rule compliance date, the OCR has received more than 317,079 HIPAA complaints and has initiated over 1,149 compliance reviews. Resolution of complaints for which the OCR makes a negative finding may result in the provision of technical assistance by the OCR (for minor infractions) or may result in a settlement agreement under which the violating entity agrees to a monetary fine, a corrective action plan, and monitoring for a period of time. As of December 31, 2022, the OCR settled or imposed civil money penalties exceeding $133 million over a total of 129 cases.

In order of frequency, the most commonly alleged complaints were:
• Impermissible uses and disclosures of protected health information (PHI);
• Lack of safeguards of PHI;
• Lack of patient access to their PHI;
• Lack of administrative safeguards of electronic PHI; and
• Use or disclosure of more than the minimum necessary PHI.

The most common types of covered entities that have been alleged to violate HIPAA, in order of frequency, are general hospitals, private practices and physicians, pharmacies, outpatient facilities, and community health centers.

The takeaway is that the most frequent HIPAA complaints received by the OCR are largely preventable by having in place a robust HIPAA compliance program, one or more HIPAA compliance officials, security safeguards, and frequent and meaningful staff training.

For more information or if you need assistance with your HIPAA compliance program, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 |

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.
