The HIPAA privacy rule: A decade of enforcement

In April 2003, the U.S. Department of Health and Human Services, or HHS, Office for Civil Rights, or OCR, began enforcing the Health Insurance Portability and Accountability Act, commonly known as HIPAA. Now, a decade later, we can look at how the rule is being applied.

Facts and figures

As of press time, HHS had received a total of almost 80,000 HIPAA complaints. Of those, more than 44,000 were dismissed, more than 19,000 were investigated and resolved with changes to privacy practice, and more than 9,000 were investigated and no violation was found. Investigations were conducted against many types of entities, including national pharmacy chains, major medical centers, group health plans, hospitals and small provider offices. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement, followed by general hospitals. With the exception of 2009, HIPAA complaints have been increasing annually. In 2011, there were more than 9,000 complaints received. 

According to HHS, the compliance issues investigated most frequently are, in order:

• Impermissible use and disclosure of protected health information;


• Lack of safeguards for protected health information;


• Lack of patient access to their own protected health information;


• Use or disclosure of more than the minimum necessary protected health information; and,


• Lack of administrative safeguards of electronic protected health information.

Enforcement examples

Typically, complaints are resolved by the covered entity (i.e., hospital, pharmacy, health plan or medical practice) instituting new procedures to ensure patient privacy, training or retraining staff, censuring or dismissing staff, and making policy changes to protect electronic data. Often settlements also include monetary payments. Some recent examples of enforcement actions include the following:

• A grocery store-based pharmacy chain kept its pseudoephedrine log books, which contained protected health information, in such a way that the protected information was visible to the public at the pharmacy counter. The pharmacy chain was required to implement national policies and procedures to safeguard the information in the log books and to train all staff on the new policy.


• A pharmacy employee placed a patient’s insurance card in another patient’s prescription bag. OCR held that insurance cards contain protected health information and need to be safeguarded. The pharmacy was required to revise its policies and retrain its staff.


• A nurse and orderly in a state hospital discussed the HIV/AIDS status of a patient and patient’s spouse within earshot of other patients without making any effort to prevent the disclosure. Both employees were put on leave, disciplined, given a year of probation, referred for peer review and given more HIPAA privacy training. A monetary settlement was given to the patient.


• A nurse practitioner working in a multi-hospital healthcare system impermissibly accessed the medical records of her ex-husband. The health system terminated the nurse practitioner’s access to the electronic records system, reported her conduct to the licensing authority and provided her with remedial privacy rule training.

Use caution with personal health information

To avoid HIPAA privacy issues, it’s wise to treat patient records as you would want your own private records treated. In other words:

• Don’t share private information unless necessary; 


• Properly safeguard electronic records;


• Don’t access records for patients who you are not actively treating; and


• Don’t casually talk about patients in front of other patients or customers.

Stay tuned for the next law column, which will cover frequently asked questions about the HIPAA privacy rule.

Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.