The Health Insurance Portability and Accountability Act (HIPAA) introduced many new rules for healthcare organizations, but who enforces HIPAA? Which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates?
Who Enforces HIPAA?
The primary enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). Since the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 amended HIPAA, state attorneys general have also had the authority to bring civil actions for HIPAA violations. The Centers for Medicare and Medicaid Services (CMS) enforces the remaining administrative simplification provisions, namely the standards for electronic transactions, code sets, and unique identifiers, while OCR enforces the Privacy, Security, and Breach Notification Rules. The U.S. Food and Drug Administration (FDA) does not enforce HIPAA: its authority over medical devices, including their cybersecurity, comes from the Federal Food, Drug, and Cosmetic Act, so a device-related violation of the HIPAA Security Rule remains a matter for OCR.
HIPAA Enforcement by the HHS’ Office for Civil Rights
As the main enforcer of HIPAA Rules, OCR investigates every breach of unsecured protected health information reported by covered entities and business associates that affects 500 or more individuals. Smaller breaches, which are reported to HHS annually rather than within 60 days of discovery, are investigated only occasionally, typically when the report suggests an underlying HIPAA violation. OCR also investigates complaints about potential HIPAA violations, which can be filed by anyone, including patients and employees of covered entities and business associates.
When a HIPAA violation is found, OCR has several options. It prefers to resolve violations through voluntary compliance, corrective action by the covered entity or business associate, and technical assistance on how to meet the requirements of the HIPAA Rules.
Egregious violations, multiple violations, and persistent non-compliance can result in financial penalties. Most financial penalties take the form of settlements, in which the covered entity or business associate pays an agreed amount with no admission of liability and usually also commits to a corrective action plan that OCR monitors. Where a settlement cannot be reached, OCR may impose a civil monetary penalty. Potential criminal violations of HIPAA are referred to the Department of Justice, which handles prosecution.
HIPAA Enforcement by State Attorneys General
State attorneys general can enforce HIPAA, but they rarely bring cases under HIPAA itself. Although all HIPAA violations are treated seriously, when the personal information of state residents has been exposed or patient privacy has been violated, attorneys general usually pursue the case under state consumer protection or data breach laws rather than under HIPAA. There are several reasons for this, but the most common is that taking action under state law is more straightforward.
That said, a handful of state attorneys general have taken action against HIPAA-covered entities and business associates for HIPAA violations, as the HITECH Act authorizes them to do. These include the attorneys general of Connecticut, Massachusetts, New York, Minnesota, and Vermont.