Who Enforces HIPAA?

by

HIPAA Rules are mainly enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). However, the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009 allocated state attorneys general the power to assist OCR in the enforcement of HIPAA. The Centers for Medicare and Medicaid Services (CMS) also has some enforcement authority and the U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) have participated in HIPAA enforcement to an extent.

HIPAA Enforcement by the HHS’ Office for Civil Rights

The HHS’ Office for Civil Rights examines all data breaches reported by covered outfits and business associates if they effect more than 500 people. Smaller data breaches are also occasionally examined, especially if several small breaches of a similar nature have been reported which could suggest compliance failures. OCR also examines HIPAA complaints registered by patients and employees of HIPAA covered entities over suspected HIPAA breaches.

OCR examines covered entities to determine whether there have been any breaches of the HIPAA Privacy, Security, and Breach Notification Rules. Not every data breach is caused as a direct result of HIPAA violations. OCR accepts that even fully compliant healthcare outfits can only reduce the possibility of a data breach to a reasonable level. Data breaches are now a fact of life and cannot always be stopped. Many complaints are registered in relation to possible HIPAA violations, although a large portion are not substantiated. When an investigation into a data breach or complaint uncovers no proof of HIPAA violations, the investigation is shut down, the findings, documented, and no further action happens.

When HIPAA violations are identified, OCR can take a number of different steps. OCR normally opts to resolve HIPAA violations through voluntary compliance. In other words, the covered entity accepts that HIPAA violations have taken place, and takes voluntary actions to correct the violation to prevent any repeat offences.

Minor violations of HIPAA Rules may be found that have been caused by a misinterpretation of HIPAA obligations. HIPAA legislation does not explicitly state everything that a covered entity must do to be in adherence and the legislation is technology-agnostic. The HIPAA Security Rule also contains many addressable obligations, which must be considered, but may not be appropriate for certain covered outfits. HIPAA also includes terms such as ‘reasonable protections’ and ‘reasonable efforts,’ which are a tad subjective. As a result there are some gray areas when it comes to HIPAA compliance and the legislation is, in some areas, left to interpretation.

When these ‘violations’ are spotted, OCR may decide to issue technical guidance to help a covered entity be compliant. When similar violations are seen at multiple covered entities, OCR may choose to release guidance to clarify what is necessary.

Particularly egregious breaches of HIPAA Rules, multiple violations of a similar nature, and persistent and widespread non-compliance require more punitive measures and can lead to fines for HIPAA violations. Financial penalties are most commonly settlements, where the covered entity says they will pay a financial penalty with no admission of liability. Far less commonly, OCR imposes a civil monetary fine. This happens when a covered entity is found to have broken HIPAA rules, yet the covered entity objects and fights the case. The matter is then brought before an Administrative Law Judge who will rule on whether whether HIPAA Rules have indeed been broken and if a CMP or the amount of the CMP is justified.

HIPAA violations can also lead to some criminal charges. Criminal violations of HIPAA Rules, including theft of PHI for financial gain, are referred to the Department of Justice, although criminal charges are relatively unusual.


The Office for Civil Rights also completes HIPAA compliance audits. A pilot audit program was run during 2011/2012 on a number of HIPAA-covered entities and a second round of compliance audits was finished in 2016/2017. The second phase also incorporated audits of business associates. The compliance audit program is mainly concerned with discovering areas of noncompliance to guide OCR’s enforcement efforts and to help OCR provide pertinent guidance, although, a failed audit may result in additional investigation and financial penalties could be issued.

HIPAA Enforcement by State Attorneys General

HIPAA enforcement by state attorneys general can happen, although since they were given the right to enforce HIPAA compliance it has been relatively unusual for cases to be chased up. While all HIPAA violations are treated seriously, in some cases, state attorneys general pursue the cases for violations of state statutes instead of breaches of HIPAA Rules. There are many reasons for this, but commonly it is because it is more simple to take action against companies under state legislation.

That said, a small amount of state attorneys general have taken action against HIPAA-covered outfits for HIPAA violations, as per HIPAA and the HITECH Act, and the number of actions has grown in recent years. State Attorneys general that have won cases against healthcare outfits over HIPAA violations include California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, New York, Vermont, and the District of Columbia.

The financial penalties that can be sanctioned by state attorneys general are much smaller than those that can be issued by OCR. The maximum financial penalty allowed under the HITECH Act is $25,000 per identical violation per 12 months.

HIPAA Enforcement by the Centers for Medicare and Medicaid Services (CMS)

The CMS is charged with enforcing compliance with the HIPAA Administrative Simplification Regulations. This is a lesser known part of HIPAA, but one of the main reasons why the legislation was originally passed. The HIPAA Administrative Simplification Regulations enhance efficiency in the healthcare sector, which ultimately helps to bring down the cost of healthcare. The HIPAA Administrative Simplification Regulations require covered entities to put in place standards for healthcare transactions, including the use of standard code sets and identifiers.

While the CMS does examine complaints about covered entities that are not adhering with this aspect of HIPAA Rules, its enforcement actions have not yet lead to financial penalties. When a violation is found, covered entity is required to voluntarily achieve compliance. Fines would only be necessary for ongoing non-compliance.

In 2019, the CMS said that it has kicked off an audit program to examine compliance with the HIPAA Administrative Simplification Regulations. In April 2019, 9 randomly selected health plans and healthcare clearinghouses were picked for audit, following which, random audits will be completed on more health plans and healthcare clearinghouses. The audit program will also be expanded to include healthcare providers.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter https://twitter.com/DanielLHIPAA