In its annual report to Congress, the Office for Civil Rights (OCR) said it is developing audit protocol to conduct audits of up to 145 covered entities in an ongoing effort to enforce the privacy and security rules of HIPAA.

The Office for Civil Rights of the Department of Health and Human Services (HHS) is charged with enforcing the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA), which protect individuals' personal health information (PHI) in both electronic and paper forms. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, OCR is further required to make an annual report to Congress on both rules and their enforcement.

The privacy rule took effect in 2003, and the security rule, dealing with electronic PHI, took effect in 2005.

In its just-released report to Congress, OCR said it has received 57,375 complaints of violations of the privacy rule since its 2003 effective date Of those, 52,339 (91 percent) have been resolved, and 5,036 (9 percent) remain open. The agency said it has received 803 security rule complaints since the rule took effect, and has resolved 577, or 72 percent, of them, leaving 226, or 28 percent, open.