HIPAA Enforcement Rule
The HIPAA Enforcement Rule of 2006 – and subsequent amendments attributable to the passage of HITECH – details the procedures for investigating violations of HIPAA and the penalties that the HHS Office for Civil Rights can impose on Covered Entities and Business Associates for failing to comply with the Privacy, Security, and Breach Notification Rules.
In 1996, the passage of HIPAA gave the Secretary of Health and Human Services (HHS) the authority to impose financial penalties for violations of the Administrative Simplification provisions (see Sections 1176 and 1177). The Administrative Simplification provisions led to the publication of the HIPAA Privacy and Security Rules which were enacted in 2002 and 2003 respectively.
The authorization to enforce the HIPAA Privacy and Security Rules (and later, the Breach Notification Rule) was delegated to the HHS´ Office for Civil Rights. However, despite receiving more than 13,000 complaints in the first two years, the Office for Civil Rights failed to bring a single enforcement action – giving Covered Entities the impression that HIPAA compliance was optional rather than mandatory.
The HIPAA Enforcement Rule takes Shape
In 2003, HHS released an Interim Final Rule relating to the “Procedures for Investigations, Imposition of Penalties, and Hearings” (68 FR 18895). Despite describing the Interim Final Rule as the first installment of a HIPAA Enforcement Rule, the document describes the Office for Civil Rights´ approach to enforcement as intending to “seek and promote voluntary compliance with the rules” – further giving the impression HIPAA compliance was optional.
Get The Checklist
Free and Immediate Download
of HIPAA Compliance Checklist
Delivered via email so verify your email address is correct.
Your Privacy Respected
In order to overcome this impression and encourage voluntary compliance with the Privacy and Security Rules, the 2003 Interim HIPAA Enforcement Rule increased the volume of the General Administrative Requirements relating to compliance and investigations (45 CFR § 160 Subpart C) and introduced a new section to the General Administrative Requirements relating to the procedures for investigation (45 CFR § 160 Subpart E).
A further new section was added to the General Administrative Requirements when a later Interim HIPAA Enforcement Rule was published in 2005 (PDF). This new section (45 CFR § 160 Subpart D) explained the basis for issuing a financial penalty and the amounts Covered Entities could be fined for violations of HIPAA. At the time, the maximum penalty per violation was $100, with fines being capped at $25,000 per year for identical violations.
Despite the new section, many public comments were critical of the apparent “policy of nonenforcement” – so much so that when the Final HIPAA Enforcement Rule was published in 2006, the preamble goes to considerable lengths to explain the challenges of enforcing HIPAA and claims that “68 percent [of cases] have been resolved or otherwise closed”. Nonetheless, it was a further three years before a Covered Entity was fined for a violation of HIPAA.
Subsequent Amendments Attributable to HITECH
The passage of the HITECH Act in 2009 had a significant impact on the enforcement of HIPAA. HITECH introduced the HIPAA Breach Notification Rule and new compliance requirements for both Covered Entities and their Business Associates. Compliance with the Security Rule and some elements of the Privacy Rule was extended to Business Associates, and – significantly in the context of the HIPAA Enforcement Rule – the burden of proof was reversed.
Prior to HITECH, the Office for Civil Rights had to prove that an unauthorized disclosure of PHI had resulted in harm before it could issue a financial penalty to a non-compliant Covered Entity. Subsequent to HITECH, Covered Entities and Business Associates have the burden of demonstrating that all required notifications have been made or that a use or disclosure of unsecured PHI did not constitute a breach as defined by 45 CFR § 164.402.
In addition, the previous maximum penalty and penalty cap were scrapped, and a new four-level penalty tier introduced via the HIPAA Final Omnibus Rule of 2013 in which fines would reflect the non-compliant entity´s level of culpability. The minimum and maximum limits in each penalty tier and the annual penalty limit are adjusted annually to account for inflation. The current penalty limits are:
How Enforcement Changed in the Post-HITECH Era
The HITECH amendments started a new era of HIPAA enforcement. From 2014 onwards, the Office for Civil Rights increased the number of investigations into alleged HIPAA violations, gave more technical assistance, issued more Corrective Action Plans, and reached more settlements with offenders. The revenues from the fines were used to provide the Office for Civil Rights with more enforcement resources; and, in 2016, the HIPAA audit program was extended.
Now, in addition to investigating unauthorized disclosures of unsecured PHI, the Office for Civil Rights is able to investigate other types of HIPAA violations. In recent years, the focus has been on non-compliance with Privacy Rule provisions relating to patients´ rights. Although fewer individuals are affected by this type of HIPAA violation – and the fines issued are much less – enforcement action of this nature demonstrates that claims of lax enforcement are no longer justified.
Looking forward, proposed new HIPAA regulations could affect short-term enforcement action. As with all previous HIPAA Rules, Covered Entities and Business Associates will be given a period of time to adjust to any new regulations; and because some of the proposals relax existing HIPAA standards, there is likely to be a number of unintentional violations attributable to misunderstanding the rules that will be resolved by technical assistance rather than Corrective Action Plans and fines.
HIPAA Enforcement Rules: FAQs
What is the largest financial penalty issued for a violation of HIPAA?
The largest financial penalty for a violation of HIPAA is $16 million. The penalty was a settlement (rather than a fine) between HHS´ Office for Civil Rights and Anthem Inc. following an advanced persistent threat attack in 2015 that exposed the individually identifiable health information of almost 79 million individuals.
How many financial penalties have been imposed for violations of HIPAA?
As of July 2022, HHS´ Office for Civil Rights has imposed fines or agreed settlements in 122 cases. While this may not seem like a lot, it has also resolved nearly 30,000 cases with Corrective Action Plans. In these cases, even though no fine has been issued, the violating entity still incurs significant indirect costs due to revising privacy practices, HIPAA policies, and workforce training.
Has any Covered Entity faced criminal charges for HIPAA violations?
As yet, no Covered Entity or Business Associate has been prosecuted for a criminal violation of HIPAA. However, several employees have been given jail terms for abusing access rights and stealing patient data. In most cases, the Covered Entity or Business Associate from which patient data was stolen has not violated HIPAA, and no action was taken against the perpetrators´ employers.
What do the different levels of culpability mean in the tiered penalty structure?
HIPAA penalties are calculated on a number of criteria – for example, how many records were affected by the violation, the length of time the violation was allowed to continue, and the amount of assistance provided by the Covered Entity or Business Associate when HHS´ Office for Civil Rights investigates the violation. Probably the most important consideration is the level of culpability.
- If a violation occurs despite reasonable efforts to comply with HIPAA, the violation is considered to be a Tier 1 violation.
- If a violation occurs due to a lack of oversight – for example, failing to monitor access to ePHI – the violation is a Tier 2 violation.
- If a violation occurs due to a Covered Entity´s or Business Associate´s “willful neglect” of HIPAA, the violation is a Tier 3 violation.
- If a Tier 3 violation is not corrected within 30 days of being discovered, it automatically becomes a Tier 4 violation.
Can penalties be reduced if a Covered Entity has a previous good record?
This works both ways. If a Covered Entity has a previous good record of HIPAA compliance and can demonstrate at least twelve months compliance with a recognized security framework, HHS´ Office for Civil Rights can use enforcement discretion when investigating a HIPAA violation. However, if a Covered Entity has a previous poor record of compliance, this may reflect in any subsequent penalty.