OCR: HIPAA’s enforcement was record in 2018 and enforcement continues …


On September 9, 2019, the Department of Health and Human Services’ Office for Civil Rights settles its first HIPAA violation case under its 2019 Right of Access Initiative. Bayfront Health St. Petersburg (Bayfront), a Florida hospital, paid $85,000 to OCR and adopted a corrective action plan to settle a potential violation of the right of access for failing to provide a patient with timely access to records about her miscarriage. While under HIPAA health care providers must provide medical records within 30 days from the request, the patient took 9 months to obtain her records. In addition to the fine, the hospital agreed to a  corrective action plan including one year of OCR’s monitoring.

“Since the compliance date of the Privacy Rule in April 2003, OCR has received over 225,378 HIPAA complaints and has initiated over 993 compliance reviews. We have resolved ninety-nine percent of these cases (222,175)” Source:

Enforcement Results as of December 31, 2019, available here


On February 7, 2019, the Office for Civil Rights (OCR) announced that it concluded an all-time record year in Health Insurance Portability and Accountability Act (HIPAA) enforcement activity.

In 2018, OCR totaled $28.7 million from enforcement actions (22% more compared to the $23.5 million of 2016).

The OCR settled 10 cases and was granted summary judgment in a case before an Administrative Law Judge. OCR also achieved the single largest individual HIPAA settlement: $16 million with Anthem, Inc., representing almost three times as much as the one reached in 2016 for nearly $5.5 million.

OCR announcement can be found at https://www.hhs.gov…


A summary of all 2018 OCR HIPAA settlements and judgments may be found at https://www.hhs.gov…



For more information on data protection, contact Francesca Giannoni-Crystal and Federica Romanelli