HIPAA Enforcement Statistics

The Centers for Medicare & Medicaid Services (CMS), on behalf of HHS, has authority to investigate complaints of non-compliance related to all of the HIPAA regulations except the Security Rule and Privacy rules, which are enforced by the Office of Civil Rights (OCR).  The regulations for which CMS has enforcement authority include: the Transactions and Code Sets (TCS); the National Employer Identifier Number (EIN); the National Provider Identifier (NPI); and the Operating Rules (OPR).   

Please view the below-revised report(s) that provide statistics on complaint types submitted by covered entities, violations based on the type of transaction, and resolution time frames. Moving forward, CMS is publishing its complaint reports on a quarterly basis. We welcome your feedback/comments on the information provided in the complaint reports. To share your comments, contact AdministrativeSimplification@cms.hhs.gov.


Page Last Modified:
04/10/2023 03:06 PM