Who is Responsible for Implementing and Monitoring the HIPAA Regulations?

Responsibility for implementing and monitoring HIPAA regulations is held by HIPAA Covered Entities and Business Associates through their privacy and security policies, while federal oversight and enforcement are carried out by the U.S. Department of Health and Human Services Office for Civil Rights.

HIPAA Covered Entities are responsible for adopting and maintaining policies and procedures that meet the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. Covered Entities are also responsible for workforce training, role-based access controls, sanctions for noncompliance, incident response, and documentation that supports compliance operations.

Business Associates are responsible for implementing safeguards and procedures that apply to their handling of protected health information on behalf of HIPAA Covered Entities. Business Associates are responsible for complying with the contractual requirements in their Business Associate Agreements, managing subcontractor relationships that involve protected health information, and reporting incidents and breach-related information to HIPAA Covered Entities within the required timelines.

Internal monitoring is commonly assigned to a designated HIPAA Privacy Officer and HIPAA Security Officer or equivalent roles with delegated authority. These roles coordinate risk analysis and risk management activities, oversee policy enforcement, monitor access and incident reports, manage training administration, and support breach assessment and notification coordination.

External monitoring and enforcement are performed by the U.S. Department of Health and Human Services Office for Civil Rights through complaint intake, compliance reviews, investigations, and resolution agreements. The U.S. Department of Justice has authority to prosecute criminal HIPAA violations. State attorneys general may bring civil actions under HIPAA enforcement authority in defined circumstances.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA