News
Do I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateDo I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule Update
resolution agreement

Reports to Congress: Corrective action / RA

Resolution ,

Penalty

Corrective action / RA

Action type

Resolution agreement

Entity profile

Case number

What went wrong

Reports to Congress

  • Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process En

Full description

Navigate to: HIPAA for Professionals Regulatory Initiatives Privacy Summary of the Privacy Rule Guidance Combined Text of All Rules HIPAA Related Links Security Security Rule NPRM Summary of the Security Rule Security Guidance Cyber Security Guidance Breach Notification Breach Reporting Guidance Reports to Congress Regulation History Compliance & Enforcement Enforcement Rule Enforcement Process Enforcement Data Resolution Agreements Case Examples Audit Reports to Congress State Attorneys General Special Topics Parental Access Mental and Behavioral Health Change Healthcare Cybersecurity Incident FAQs HIPAA and COVID-19 HIPAA and Reproductive Health HIPAA and Final Rule Notice HIPAA and Telehealth HIPAA and FERPA Research Public Health Emergency Response Health Information Technology Health Apps Patient Safety Covered Entities & Business Associates Business Associate Contracts Business Associates Training & Resources FAQs for Professionals Other Administrative Simplification Rules Substance Use Disorder Confidentiality Reports to Congress on Breach Notification Program Section 13402(i) of the HITECH Act requires the Secretary of Health and Human Services (“the Secretary”) to prepare and submit to Congress an annual report containing the number and nature of breaches reported to the Secretary, and the actions taken in response to those breaches. Section 13424(2) of the HITECH Act requires the Secretary to make each report available to the public on the HHS website.The following report was prepared to fulfill these statutory requirements. This report provides an overview of the breach notification requirements, as well as a discussion of the reports the Secretary received that occurred during the reporting period.2023 Report to Congress on the Breach Notification Program2022 Report to Congress on the Breach Notification Program2021 Report to Congress on the Breach Notification Program2020 Report to Congress on the Breach Notification Program2019 Report to Congress on the Breach Notification Program *2018 Report to Congress on the Breach Notification Program*2015-2016-2017 Report to Congress on the Breach Notification Program - Submitted to Congress on February 22, 2019.Submission Letters for the 2013 - 2014 Report to Congress on the Breach Notification Program2013 - 2014 Report to Congress on the Breach Notification ProgramSubmission Letters for the 2011 - 2012 Report to Congress on the Breach Notification Program2011 - 2012 Report to Congress on the Breach Notification ProgramSubmission Letters for the 2009 - 2010 Report to Congress on the Breach Notification Program2009 - 2010 Report to Congress on the Breach Notification Program* People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov.View the Report to Congress on Privacy Rule and Security Rule Compliance Content last reviewed April 20, 2026

Timeline

  • Resolution,
  • Incident and investigation milestones are not consistently published by OCR in machine-readable form.

Key takeaways for your organization

  • Treat internet-facing systems and vendor-hosted environments as in-scope for HIPAA risk analysis and technical safeguards testing.
  • Maintain an actionable risk analysis tied to remediation milestones; evidence should map to Security Rule implementation specifications.
  • Align policies, procedures, and evidence with the specific CFR provisions cited in OCR resolutions affecting your entity type.
  • Run tabletop exercises for breach response, OCR inquiry handling, and privilege-preserving communications with counsel.

Related actions

Ending Anti-Semitism on College Campuses

,

Keeping Food Ingredients Safe

,

Press Releases

,

Source

U.S. Department of Health and Human Services release

Source: U.S. Department of Health and Human Services, Office for Civil Rights. medcomply.ai aggregates public materials for educational use, not legal advice.