
Who is Responsible for Enforcing the HIPAA Security Rule?

Parties responsible for enforcing the HIPAA Security Rule include HHS’ Office for Civil Rights, other federal and state agencies, and organizations’ HIPAA Privacy Officers. HHS’ Centers for Medicare and Medicaid Services (CMS) may also soon be indirectly responsible for enforcing the HIPAA Security Rule if compliance with HHS’ Healthcare Sector Cybersecurity Strategy becomes a condition for participation in federal health programs.

Many sources discussing who is responsible for enforcing the HIPAA Security Rule state that HHS’ Office for Civil Rights is the sole party responsible. Although in theory this is the case, in practice HHS’ Office for Civil Rights rarely takes enforcement action for violations of the HIPAA Security Rule. More often, enforcement actions for violations of the HIPAA Security Rule are taken by other federal agencies, State Attorneys General, and organizations’ HIPAA Privacy Officers.

HHS’ Office for Civil Rights Enforcement Actions

Each year, HHS’ Office for Civil Rights receives between 60,000 and 65,000 HIPAA breach notifications. Not all the notifications are attributable to violations of the HIPAA Security Rule and most affect fewer than 500 individuals. Nonetheless, the agency only investigates 1% of the notifications it receives and takes enforcement action in less than 1% of those. Between 2016 and 2023, the agency resolved just 36 Security Rule violations with civil monetary penalties (CMPs) or settlements.

In addition, in the absence of a HIPAA audit program, HHS’ Office for Civil Rights only finds out about Security Rule violations when they are identified in a compliance investigation. Many Security Rule violations do not result in data breaches. In these cases, no breach notifications are submitted to HHS’ Office for Civil Rights (because no breach has occurred), the agency does not identify the violations (because no investigations are conducted), and no enforcement action is taken.


Other Agencies’ Involvement in HIPAA Enforcement

Although HHS’ Office for Civil Rights is theoretically responsible for enforcing the HIPAA Security Rule, other federal agencies are more often involved in enforcement actions following a Security Rule violation. For example, HIPAA data breaches attributable to a malicious insider’s criminal actions can be referred to the Department of Justice, while breaches that could result in an exclusion from federal health programs can be referred to HHS’ Office of Inspector General.

In referred cases, enforcement actions are most often taken against the individual responsible for the data breach rather than the organization that should have been monitoring the individual’s activity. However, when a State Attorney General identifies a HIPAA Security Rule violation that impacts residents of their state, they have the authority to pursue CMPs against organizations. In 2023 alone, fifteen CMPs were issued by State Attorneys General for data breaches attributable to HIPAA Security Rule violations.

Are HIPAA Privacy Officers Really Responsible for Enforcing the HIPAA Security Rule?

The HIPAA Security Rule requires covered entities and business associates to “identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule]”. This is commonly assumed to mean that a “HIPAA Security Officer” is responsible for enforcing the HIPAA Security Rule. However, nowhere in the text of the HIPAA Administrative Simplification Regulations is this confirmed.

Nonetheless, covered entities and business associates are required to “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures”. Covered entities are also required to “apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D [the Breach Notification Rule].” (§164.530(e))

For organizations that qualify as HIPAA covered entities, this means that impermissible disclosures of PHI attributable to a violation of a Security Rule policy or procedure are still sanctionable events under §164.530(e) of the Privacy Rule because permissible disclosures of PHI should be included in HIPAA Privacy Rule training. Effectively, in the absence of a HIPAA Security Officer assuming responsibility for enforcing the HIPAA Security Rule, the burden falls on the HIPAA Privacy Officer.

The Potential for Future CMS HIPAA Security Rule Enforcement

In December 2023, HHS published a Healthcare Sector Cybersecurity Strategy which outlined proposals to introduce Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). The Goals are currently voluntary; however, in January 2024, HHS Deputy Secretary Andrea Palm announced that the HPH CPGs will shape future HHS policies and procedures and become enforceable Security Rule standards.

In the announcement, Deputy Secretary Palm also implied that compliance with the new Security Rule standards will be mandatory for healthcare organizations that participate in Medicare and Medicaid programs. As CMS has the authority to exclude healthcare organizations from federal health programs, this suggests CMS may also be indirectly responsible for enforcing the HIPAA Security Rule at some time in the future.

Takeaway: Voluntary Compliance is Better than Enforcement

HHS’ Office for Civil Rights has, in the past, pursued a policy of voluntary compliance over enforcement, and frequently provides technical assistance to covered entities and business associates to support their HIPAA compliance efforts. The consequence of this policy is that fewer than 0.01% of HIPAA data breaches attract a financial penalty or settlement (bearing in mind that not all data breaches are attributable to violations of the HIPAA Security Rule).

Despite this low percentage of enforcement actions for violations of the HIPAA Security Rule, covered entities and business associates should not become complacent with their compliance efforts. State Attorneys General are increasingly supporting state finances by taking enforcement actions against non-compliant organizations, plus there is an increasing number of private lawsuits being filed using HIPAA compliance as the expected standard of care.

With the future possibility of CMS excluding healthcare organizations from federal health programs for failing to comply with the HIPAA Security Rule, covered entities and business associates need to organize who is responsible for enforcing the HIPAA Security Rule in their organizations, implement the required technical and physical safeguards, and ensure members of the workforce are aware of all elements of HIPAA compliance and the sanctions for non-compliance.

Author: Owen Bates is a Contributing Editor and HIPAA Subject Matter Expert at The HIPAA Journal, having joined the publication in November 2024. He researches HIPAA compliance topics and writes authoritative reference articles that help readers understand complex regulatory requirements in a clear and practical way. He also reviews and updates existing content to reflect changes to HIPAA regulations, helping ensure the accuracy and relevance of published material. In addition to his editorial work, Owen contributes as a reviewer and tester of The HIPAA Journal Training courses, supporting the development of high-quality educational content. He also advises The HIPAA Journal’s clients on best practices for HIPAA implementation and enforcement. Owen is a psychology graduate of Westmont College, California.
