Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Years 2011 and 2012

THE SECRETARY OF HEALTH AND HUMAN SERVICES

WASHINGTON, D.C. 20201

May 20, 2014

The Honorable Fred Upton

Chairman

Committee on Energy and Commerce

U.S. House

Representatives

Washington, DC 20515

Dear Mr. Chairman:

I am pleased to provide you with the Annual Report to Congress

Health Insurance Portability

and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rule Compliance.

This report was prepared by the Office for Civil Rights (OCR) in the Department

Health and

Human Services (HHS) and is being submitted in accordance with section 13424(a)

the Health

Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part

the

American Recovery and Reinvestment Act

2009.

The report contains information about the Department's compliance and enforcement activities

with respect to the HIP AA Privacy, Security, and Breach Notification Rules for calendar years

2011

and 2012.

also includes cumulative enforcement data since the 2003 compliance date

the Privacy Rule (the first compliance date

the Rules).

Specifically, the report includes information on the number

complaints received; compliance

reviews opened; the resolution

these complaints and compliance reviews; subpoenas issued;

and general background information about OCR enforcement.

also describes the Department's

development and implementation

an audit program, plans for future improved enforcement

the Rules, and outreach efforts.

HHS continues to be committed to strong enforcement

the HIPAA Rules. I hope you will find

this report informative.

Kathleen Sebelius

Enclosure

THE SECRETARY OF HEALTH AND HUMAN SERVICES

WASHINGTON,

D.C.

20201

May 20, 2014

The Honorable Henry Waxman

Ranking Member

Committee on Energy and Commerce

U.S. House

Representatives

Washington, DC 20515

Dear Representative Waxman:

I am pleased to provide you with the Annual Report to Congress on Health Insurance Portability

and Accountability Act (HIP AA) Privacy, Security, and Breach Notification Rule Compliance.

This report was prepared by the Office for Civil Rights (OCR) in the Department

Health and

Human Services (HHS) and is being submitted in accordance with section 13424(a)

the Health

Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part

the

American Recovery and Reinvestment Act

2009.

The report contains information about the Department's compliance and enforcement activities

with respect to the HIP AA Privacy, Security, and Breach Notification Rules for calendar years

2011 and 2012.

also includes cumulative enforcement data since the 2003 compliance date

the Privacy Rule (the first compliance date

the Rules).

Specifically, the report includes information on the number

complaints received; compliance

reviews opened; the resolution

these complaints and compliance reviews; subpoenas issued;

and general background information about OCR enforcement.

also describes the Department's

development and implementation

an audit program, plans for future improved enforcement

the Rules, and outreach efforts.

HHS continues to be committed to strong enforcement

the HIP

Rules. I hope you will find

this report informative.

Sincerely,

Kathleen Sebelius

Enclosure

THE SECRETARY OF HEALTH AND HUMAN SERVICES

WASHINGTON,

D.C.

20201

May 20, 2014

The Honorable Sander Levin

Ranking Member

Committee on Ways and Means

U.S . House

Representatives

Washington,

20515

Dear Representative Levin:

I am pleased to provide you with the Annual Report

Congress on Health Insurance Portability

and Accountability Act (HIP AA) Privacy, Security, and Breach Notification Rule Compliance.

This report was prepared by the Office for Civil Rights (OCR) in the Department

Health and

Human Services (HHS) and

being submitted in accordance with section 13424(a)

the Health

Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part

the

American Recovery and Reinvestment Act

2009.

The report contains information about the Department's compliance and enforcement activities

with respect to the HIP AA Privacy, Security, and Breach Notification Rules for calendar years

2011 and 2012. It also includes cumulative enforcement data since the 2003 compliance date

the Privacy Rule (the first compliance date

the Rules).

Specifically, the report includes information on the number

complaints received; compliance

reviews opened; the resolution

these complaints and compliance reviews; subpoenas issued;

and general background information about OCR enforcement.

also describes the Department's

development and implementation

an audit program, plans for future improved enforcement

the Rules, and outreach efforts.

HHS continues to be committed to strong enforcement

the HIPAA Rules. I hope you will find

this report informative.

Sincerely,

Enclosure

THE SECRETARY OF HEALTH ANO HUMAN SERVICES

WASHINGTON,

D.C.

20201

May 20, 2014

The Honorable Dave Camp

Chairman

Committee on Ways and Means

U.S. House

Representatives

Washington, DC 20515

Dear Mr. Chairman:

pleased

provide you with the Annual Report to Congress on Health Insurance Portability

and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rule Compliance.

This report was prepared by the Office for Civil Rights (OCR) in the Department

Health and

Human Services (HHS) and is being submitted in accordance with section 13424(a)

the Health

Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part

the

American Recovery and Reinvestment Act

2009.

The report contains information about the Department's compliance and enforcement activities

with respect to the HIP AA Privacy, Security, and Breach Notification Rules for calendar years

2011 and 2012. It also includes cumulative enforcement data since the 2003 compliance date

the Privacy Rule (the first compliance date

the Rules).

Specifically, the report includes information on the number

complaints received; compliance

reviews opened; the resolution

these complaints and compliance reviews; subpoenas issued;

and general background information about OCR enforcement.

also describes the Department's

development and implementation

an audit program, plans for future improved enforcement

the Rules, and outreach efforts.

HHS continues to be committed to strong enforcement

the HIPAA Rules. I hope you will find

this report informative.

Sincerely,

Kathleen Sebelius

Enclosure

THE SECRETARY OF HEALTH AND HUMAN SERVICES

WASHINGTON,

D.C.

20201

May 20, 2014

The Honorable Tom Harkin

Chairman

Committee on Health, Education, Labor,

and Pensions

United States Senate

Washington, DC 20510

Dear Mr. Chairman:

I am pleased to provide you with the Annual Report to Congress on Health Insurance Portability

and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rule Compliance.

This report was prepared by the Office for Civil Rights (OCR) in the Department

Health and

Human Services (HHS) and is being submitted in accordance with section 13424(a)

the Health

Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part

the

American Recovery and Reinvestment Act

2009.

The report contains information about the Department's compliance and enforcement activities

with respect to the HIP AA Privacy, Security, and Breach Notification Rules for calendar years

201

I and 2012.

also includes cumulative enforcement data since the 2003 compliance date

the Privacy Rule (the first compliance date

the Rules).

Specifically, the report includes information on the number

complaints received; compliance

reviews opened; the resolution

these complaints and compliance reviews; subpoenas issued;

and general background information about OCR enforcement.

also describes the Department's

development and implementation

an audit program, plans for future improved enforcement

the Rules, and outreach efforts.

HHS continues to be committed

strong enforcement

the HIP AA Rules. I hope you will find

this report informative.

Sincerely,

Kathleen Sebelius

Enclosure

THE SECRETARY OF HEALTH AND HUMAN SERVICES

WASHINGTON, 0.C. 20201

May 20, 2014

The Honorable Lamar Alexander

Ranking Member

Committee on Health, Education, Labor,

and Pensions

United States Senate

Washington, DC 20510

Dear Senator Alexander:

I am pleased to provide you with the Annual Report to Congress on Health Insurance Portability

and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rule Compliance.

This report was prepared by the Office for Civil Rights (OCR) in the Department

Health and

Human Services (HHS) and is being submitted in accordance with section 13424(a)

the Health

Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part

the

American Recovery and Reinvestment Act

2009.

The report contains information about the Department's compliance and enforcement activities

with respect to the HIPAA Privacy, Security, and Breach Notification Rules for calendar years

2011 and 2012.

also includes cumulative enforcement data since the 2003 compliance date

the Privacy Rule (the first compliance date

the Rules).

Specifically, the report includes information on the number

complaints received; compliance

reviews opened; the resolution

these complaints and compliance reviews; subpoenas issued;

and general background information about OCR enforcement.

also describes the Department's

development and implementation

an audit program, plans for future improved enforcement

the Rules, and outreach efforts.

HHS continues to

committed to strong enforcement

the HIPAA Rules. I hope you will find

this report informative.

Sincerely,

Kathleen Sebelius

Enclosure