As a resource to Covered Entities and Business Associates, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) provides two reports related to HIPAA compliance and breaches.

The 2021 Report on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received, the method by which those complaints were resolved, the number of compliance reviews initiated by OCR, and the outcome of each review. The cases presented in this report included:

| No. | Entity | Violation | Settlement |
|---|---|---|---|
| 1 | Banner Health | Right of Access Standard | $200,000.00 |
| 2 | Excellus Health Plan | Breach, unauthorized access | $5,100,000.00 |
| 3 | Renown Health | Right of Access Standard | $75,000.00 |
| 4 | Sharp Healthcare | Right of Access Standard | $70,000.00 |
| 5 | Arbour | Right of Access Standard | $65,000.00 |
| 6 | Village Plastic Surgery | Right of Access Standard | $30,000.00 |
| 7 | Peachstate Health Management | Systemic Noncompliance (Security Risk Analysis, Security Management Plan, Audit Controls, Policies and Procedures) | $25,000.00 |
| 8 | Diabetes, Endocrinology & Lipidology Center | Right of Access Standard | $5,000.00 |
| 9 | Dr. Robert Glaser | Right of Access Standard | $100,000.00 |
| 10 | U. Phillip Igbinadolor, D.M.D. & Associates | Right of Access Standard | $50,000.00 |
| 11 | Children’s Hospital & Medical Center | Right of Access Standard | $80,000.00 |
| 12 | Denver Retina Center | Right of Access Standard | $30,000.00 |
| 13 | Rainrock Treatment Center | Right of Access Standard | $160,000.00 |
| 14 | Advanced Spine & Pain Management | Right of Access Standard | $32,150.00 |
| 15 | Wake Health Medical Group | Right of Access Standard | $10,000.00 |
| 16 | Jacob & Associates | Right of Access Standard | $28,000.00 |
| 17 | Donald B. Brockley, D.M.D. | Right of Access Standard | $30,000.00 |

Note: OCR did not initiate any audits in 2021 and is currently developing the criteria for implementing future audits.

The 2021 Report on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during the calendar year 2021 and the actions taken in response to those breaches. This report emphasized areas needing improvement such as:

  • risk analysis and risk management;
  • information system activity review;
  • audit controls; and
  • access controls.

Both reports are very informative, and copies may be found at:
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/reports-congress/index.html
https://www.hhs.gov/hipaa/for-professionals/breach-notification/reports-congress/index.html