The Department of Health and Human Services has not imposed any fines for
violations of the Health Insurance Portability and Accountability Act's privacy
rule, but stricter penalties may be necessary in the future if violators do not
voluntarily come into compliance, an HHS official said March 27.
"The pipeline is starting to fill up with cases that will be going to more formal
forms of enforcement," Marilou King, acting senior adviser of HIPAA privacy
compliance enforcement in HHS's Office for Civil Rights (OCR), said during a
presentation at the International Association of Privacy Professionals
From April 2003, when enforcement of the privacy rule began,
through January 2008, OCR investigated 8,405 of the 33,277 complaints it
received about violations of the privacy rule, according to King.
Of those investigations, 5,653 resulted in an entity covered by the privacy rule changing its privacy practices or taking some other corrective action. In the remaining cases, investigators found no violation, King said.