HIPAA Enforcement Statistics

The Centers for Medicare & Medicaid Services (CMS) has authority to investigate complaints of non-compliance related to all of the HIPAA regulations except the Security Rule or the Privacy Rule.  The regulations for which CMS has enforcement authority include: the Transactions and Code Sets (TCS); the National Employer Identifier Number (EIN); and the National Provider Identifier (NPI).  Enforcement authority for the HIPAA Security and Privacy Rules is held by the Office for Civil Rights (OCR). From 2003 through the summer of 2009, CMS had enforcement for the Security Rule.  However, this authority was delegated to OCR in July 2009 to ensure coordination of complaints with both a privacy and security element.    

To view the chart that reflects the type and number of cases CMS is investigating, please see the link in the Download section below.