The report found that from 2011 to 2014 several large nationwide health providers failed to follow HIPAA procedures, yet didn't receive any punishment for the violations. For example, over the course of four years CVS, one such provider, received 200 reminders of its obligation to follow HIPAA, but not fines for failing to do so.