Tracking HIPAA complaints continued

Home > Tracking HIPAA complaints continued

After my article about tracking of HIPAA complaints and the current figures, two healthcare knowledgable lawyers, Robert Coffield and Alan Goldberg were gracious enough to send some specific statistics. It turns out that the topic of HIPAA complaints numbers was actually discussed in a legal listserv and here’s what Robert had to say about it:

I thought I would share a post that appeared on the American Health Lawyer’s listserve a couple of days ago. It is the most recent data I have seen on the number of complaints filed with OCR relating to potential privacy HIPAA violations.

I’m not sure if your post was limited to only violations of the security regulations or also privacy. I would point out that there is HIPAA enforcement activities going on, however, it is complaint driven enforcement. Looking at the link you provided I think the tracking system was proposed for the investigation of security, transaction code set and identifier regulation violations (not privacy). I have not handled any non-privacy investigations but have been involved in counseling health care clients on a number of HIPAA privacy related investigations by OCR. You might want to explore the website below – they may have a database on this website.

Additional info:

Here are the regulations for the investigation and enforcement on non-privacy related incidents. The regs were published in March 2005.

OCR has the responsibility for enforcement and investigation of privacy complaints. The Office for E-Health Standards and Services under CMS is responsible for enforcement and investigation of non-privacy related HIPAA complaints (security, transaction code set and identifier). Here are links to additional information:

The post on AHLA was by Alan Goldberg – reliable source for the information.

UNOFFICIALLY: as of the end of November OCR received +/- 16,625 complaints and closed 69%. While many of the closures continue to be nonjurisdictional — that is, OCR believes OCR has no jurisdiction over complaints, in Oct. OCR closed +/- 30% of the cases based on informal resolution with the covered entity; as of Nov. over 263 cases have been referred to DOJ for consideration for criminal investigation. There have been no enforcement proceedings or ALJ hearings yet. The foregoing does not include what may be going on external to OCR, of course, although I expect that after the DOJ memorandum to HHS on criminal enforcement, no AUSAs are likely to seek to prosecute non-convered entities.

If you know any lawyer jokes, rest assure they don’t apply to Alan or Robert! 🙂

Separately a reader (sophizo) commented:

Tell the reader good luck finding up-to-date info on HIPAA complaints! Do they realize how many complaints are filed??? It’s insane! But the HHS Office of Civil Rights (OCR) would be where the reader would want to look. They deal specifically with the privacy aspect of HIPAA. In a news article in November, it stated that as of 10/31/05 OCR has recieved and initiated reviews of over 16,000 HIPAA complaints. About 250 of those have been referred to the Department of Justice for criminal prosecution.

CMS HIPAA website

Office of Civil Rights HIPAA website


Shahid N. Shah

Shahid Shah is an internationally recognized enterprise software guru that specializes in digital health with an emphasis on e-health, EHR/EMR, big data, iOT, data interoperability, med device connectivity, and bioinformatics.