Who Enforces HIPAA?
HIPAA is enforced by multiple federal agencies, including the Department of Health and Human Services, the Department of Labor, the Department of the Treasury, and the Federal Trade Commission. State Attorneys General can also enforce HIPAA, while, within each organization subject to the Administrative Simplification provisions, HIPAA compliance should be enforced by a Privacy Officer and a Security Officer.
If your organization qualifies as a HIPAA-covered entity or as a business associate to a HIPAA-covered entity, or it creates, receives, maintains, or transmits individually identifiable health information outside the scope of the HIPAA Administrative Simplification provisions, it is important to know who enforces HIPAA because your organization may have to engage with the appropriate agency or agencies.
It is also important for organizations' workforces to know who enforces HIPAA within the organization because, in the event of a HIPAA violation or breach of unsecured Protected Health Information (PHI), the compliance officer needs to be notified as soon as possible in order to mitigate the impact of the incident and develop policies and/or procedures to prevent the incident from happening again.
The Majority of HIPAA is Not Enforced by HHS
When HIPAA was passed in 1996, its primary objective was to reform the health insurance industry. It achieved its objective by adding new sections to – or amending existing sections of – the Employee Retirement Income Security Act of 1974 (ERISA) in order to increase health insurance portability, prohibit discrimination due to health status, and guarantee renewability in multiemployer plans.
As the majority of HIPAA focuses on revising ERISA, the majority of HIPAA is not enforced by the Department of Health and Human Services (HHS), but rather by the federal agencies responsible for enforcing ERISA – namely the Labor Department's Employee Benefits Security Administration, the Treasury Department's Internal Revenue Service, and the Pension Benefit Guaranty Corporation.
HHS' Responsibilities for Enforcing HIPAA
HHS' responsibility for enforcing HIPAA is limited to the Rules that evolved from the Administrative Simplification provisions in Title II of HIPAA – and even then, not all the Rules. Section 1177 of the Administrative Simplification provisions is enforced by the Department of Justice, while the HITECH Act authorizes State Attorneys General and the Federal Trade Commission to also enforce HIPAA.
Of the Rules that HHS enforces, the responsibility for enforcing the Administrative Requirements is delegated to the Centers for Medicare and Medicaid Services (CMS), while the responsibility for enforcing the Privacy, Security, and Breach Notification Rules is delegated to the Office for Civil Rights (OCR). Both agencies enforce HIPAA using similar enforcement tools:
Technical Assistance
When either CMS or OCR receive a complaint or breach notification, the agencies first conduct a review to determine whether the complaint is justified and an investigation is necessary. If a complaint is minor, or the reason for the breach has been corrected, the agencies will most often offer technical assistance to prevent further complaints and ensure corrections are appropriate.
Corrective Action Plans
When a review indicates an underlying culture of noncompliance, CMS or OCR may initiate an investigation. If an underlying culture of noncompliance is confirmed, CMS or OCR will impose a corrective action plan which usually consists of a complete risk analysis, the development of new policies and procedures, and the comprehensive retraining of members of the workforce.
Civil Monetary Penalties and Financial Settlements
Complying with corrective action plans can incur costs due to the resources required to correct a culture of noncompliance and business disruption. However, the costs can be far greater if CMS or OCR issues a civil monetary penalty. Depending on the nature of a violation, the impact of a data breach, and the organization's willingness to correct the causes, penalties can reach $2,067,813 (December 2023 figures).
| Level of Culpability | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit |
|---|---|---|---|
| Lack of Knowledge | $137 | $34,464 | $34,464 |
| Lack of Oversight | $1,379 | $68,928 | $137,886 |
| Willful Neglect | $13,785 | $68,928 | $344,638 |
| Willful Neglect not Corrected within 30 days | $68,928 | $68,928 | $2,067,813 |
Who Enforces HIPAA as Well as HHS Agencies?
In addition to CMS and OCR, other federal and state agencies can take enforcement action for specific violations of the Privacy, Security, and Breach Notifications Rules. These include:
The Department of Justice
The Department of Justice is authorized by the Social Security Act to pursue criminal convictions for wrongful disclosures of individually identifiable health information (§1320d-6). If convicted, the person(s) responsible for knowingly wrongful disclosures can face financial penalties of up to $250,000 and custodial sentences of up to ten years depending on the motive for their crime.
State Attorneys General
Since 2009, State Attorneys General have had the authority to pursue civil actions on behalf of citizens who have suffered harm as a result of a HIPAA violation. Although required to notify OCR of the intention to pursue civil actions, state-initiated civil actions can be independent of OCR investigations, and outcomes are not reliant on a civil monetary penalty being issued by OCR.
The Federal Trade Commission
Another agency that enforces HIPAA is the Federal Trade Commission. However, the FTC's enforcement role is limited to organizations outside the scope of the Administrative Simplification provisions (i.e., vendors of personal health records), and its enforcement action is limited to ensuring individuals are notified when identifiable health information is breached or disclosed without an individual's authorization.
Who Enforces HIPAA within an Organization?
Within organizations, different people may have responsibility for enforcing HIPAA. This is because the HIPAA Privacy Rule §164.530 states covered entities must designate a Privacy Officer who is responsible for developing policies and procedures, training members of the workforce on the policies and procedures, and making sure the policies and procedures are complied with.
However, the Security Rule §164.308 states covered entities and business associates must designate a Security Officer who is responsible for the development and implementation of policies and procedures relating to the confidentiality, integrity, and availability of electronic PHI. Note: It is not necessary – although a good idea – for business associates to designate a Privacy Officer.
These standards mean the Privacy Officer will likely be a member of the legal, HR, or administration teams, while the Security Officer will likely be a member of the IT team. Although it is possible for a Privacy and Security Officer to be the same person, it is essential a “joint” Compliance Officer understands security best practices to meet the requirements of the Technical Safeguards.
Who Enforces HIPAA? FAQs
Which organizations qualify as covered entities under HIPAA?
Most health plans, health care clearinghouses, and healthcare providers qualify as HIPAA-covered entities. However, organizations that do not qualify as a covered entity, but provide a service for or on behalf of a covered entity, will need to comply with the Security and Breach Notification Rules and any areas of the Administrative Requirements and Privacy Rule relevant to the service.
How is CMS notified of HIPAA violations?
CMS is notified of HIPAA violations relating to health transactions, code sets, unique identifiers, and operating rules via the Administrative Simplification Enforcement Testing Tool (ASETT). Notifications relating to other types of HIPAA violations should be sent to either OCR via the Complaints Portal, State Attorneys General via their websites, or the Federal Trade Commission via ftc.gov.
How do you report a criminal violation of HIPAA?
If you want to report a criminal violation of HIPAA, you have to make a complaint to OCR via the Complaints Portal. OCR will review the complaint and refer the case to the Department of Justice for investigation. If the Department of Justice decides not to pursue the case, it is referred back to OCR to determine whether civil action against the perpetrator would be appropriate.
What does “state-initiated civil actions can be independent of OCR investigations” mean?
Effectively, this means that if you complain to OCR, and the agency declines to investigate and/or issue a civil monetary penalty, you can raise the complaint with your State Attorney General – who may pursue the complaint even though it has been declined by OCR. The reverse can also happen inasmuch as State Attorneys General can decline to investigate a case which is then pursued by OCR.
What role does the Food and Drug Administration (FDA) have in enforcing HIPAA?
Although the FDA regulates the safety and effectiveness of medical devices, and is responsible for ensuring they are marketed honestly, the agency has no authority to enforce how the devices are used or how data maintained on the devices is protected from unauthorized disclosures. However, the agency has issued guidance for medical device vendors about sharing personal data with users.
Who enforces HIPAA privacy provisions in non-criminal cases?
HIPAA privacy provisions in non-criminal cases are mostly enforced by HHS' Office for Civil Rights. In a small number of cases, State Attorneys General will take action for violations of the Privacy Rule, while the FTC only pursues violations of the Breach Notification Rule. The Department of Justice only gets involved when there has been a criminal violation of the Privacy Rule.
What is the difference between a HIPAA violation and a HIPAA breach?
The difference between a HIPAA violation and a HIPAA breach is that the term HIPAA violation relates to any violation of the Administrative Simplification provisions (i.e., Administrative Requirements, Privacy Rule, Security Rule, and Breach Notification Rule), whereas a HIPAA breach is an unauthorized and impermissible disclosure of unsecured PHI.
HIPAA breaches are most often attributable to HIPAA violations, but not always. For example, a Covered Entity could be in complete compliance with the Security Rule's password requirements, but a hacker can still gain access to a database containing PHI via a brute force attack. This is why it is important to create unique and complex passwords for each account.
What is the role of the HIPAA Privacy Officer?
The role of the Privacy Officer is not only to develop policies and procedures, train members of the workforce, and ensure compliance with the policies and procedures. A Privacy Officer is also the point of contact for patients and plan members who wish to file a complaint, and for members of the workforce who wish to report a HIPAA violation or data breach.
Who is responsible for HIPAA enforcement?
The responsibility for HIPAA enforcement is one of the roles of a HIPAA Privacy or Security Officer. If a violation occurs, and a complaint is made to the Centers for Medicare and Medicaid Services, HHS' Office for Civil Rights, or the Federal Trade Commission, one of these agencies becomes responsible for HIPAA enforcement depending on the nature of the complaint.
Which entity enforces HIPAA?
No single "entity" enforces HIPAA. The majority of HIPAA is enforced by the Treasury Department's Internal Revenue Service, the Labor Department's Employee Benefits Security Administration, and the Pension Benefit Guaranty Corporation. With regards to the Administrative Simplification Regulations, this section of HIPAA is primarily enforced by two agencies within the Department of Health and Human Services – CMS and the Office for Civil Rights.
How often does HHS conduct HIPAA audits?
HHS first conducted HIPAA audits in 2011 and 2012 as a pilot program. A second, more comprehensive round of audits started in 2016; and, at the time, the HIPAA audit program was intended to be ongoing. However, the program was interrupted by the COVID-19 pandemic in 2020 and it is not currently known when it will resume. (Note: See Update May 2024)
Do all HIPAA violations result in a fine?
Not all HIPAA violations result in a fine because HHS' Office for Civil Rights prefers to follow a course of voluntary compliance. Rather than issue a fine to a covered entity, offending entities are offered technical assistance to prevent the violation from happening again or – where a general lack of compliance exists – the entity is required to follow a Corrective Action Plan.
Between the effective date of the Privacy Rule in April 2003 and December 2022, HHS' Office for Civil Rights conducted more than 100,000 investigations into HIPAA violations. Only 129 investigations resulted in a fine for a HIPAA violation. The remainder were resolved by technical assistance or a Corrective Action Plan, or the investigation found no violation had occurred.
Who regulates HIPAA?
HIPAA is regulated by different U.S. Departments depending on the area of the Act. Most of Title I is regulated by the Department of Labor and the Internal Revenue Service. Most of Title II is regulated by the Department of Health and Human Services, and most of Titles III, IV, and V are regulated by the Internal Revenue Service – although there is some overlap between Titles.
Who enforces the HIPAA Privacy Rule?
Enforcement of the HIPAA Privacy Rule – within an organization – is a role of the HIPAA Privacy Officer. Outside an organization, HHS' Office for Civil Rights enforces the HIPAA Privacy Rule unless a criminal violation occurs – in which case the matter is referred to the Department of Justice for investigation and prosecution.
Which agency enforces the HIPAA Security Rule?
The agency that enforces the Security Rule is HHS' Office for Civil Rights – but only when it receives a complaint about a violation or when it is notified of a breach of unsecured PHI. At all other times, the Security Rule should be enforced by a covered entity's or business associate's Security Officer, who has the responsibility for monitoring compliance with Security Rule policies.
Who oversees compliance with the HIPAA Breach Notification Rule?
Who oversees compliance with the HIPAA Breach Notification Rule depends on whether or not an organization is a covered entity or business associate. If so, HHS' Office for Civil Rights oversees compliance with the Breach Notification Rule. If not, the Federal Trade Commission oversees compliance for businesses that fall within Section 5 of the Federal Trade Commission Act.
In small practices, who is responsible for HIPAA enforcement?
In small practices, the responsibility for HIPAA enforcement is often assigned to one member of the workforce. This person assumes the roles of both the HIPAA Privacy Officer and the HIPAA Security Officer, and they should have an understanding of IT security in order to implement all the Administrative, Physical, and Technical Safeguards of the Security Rule.
Why do different agencies enforce HIPAA?
Different agencies enforce HIPAA because HIPAA amended several existing Acts – mostly the Employee Retirement Income Security Act (mostly regulated by the Department of Labor), the Internal Revenue Act (regulated by the Department of the Treasury), and the Social Security Act (mostly regulated by the Department of Health and Human Services).
When HIPAA was passed in 1996, Congress instructed the Secretaries of the Department of Labor, Department of the Treasury, and the Department of Health and Human Services to coordinate policies related to HIPAA enforcement in order to ensure similar enforcement strategies between the three departments and to avoid duplication.
What is the difference between technical assistance and a Corrective Action Plan?
The difference between technical assistance and a Corrective Action Plan is that technical assistance is informal. Generally, HHS' Office for Civil Rights will provide technical assistance to an organization that has violated HIPAA if the reason for the violation is that the organization was unable to comply with one or more HIPAA standards due to a lack of understanding, capabilities, or resources.
By comparison, if a covered entity or business associate is required to comply with a Corrective Action Plan, the organization understood the HIPAA requirements and had the capabilities and resources to comply with them – but didn't. Although this could be interpreted as "willful neglect", HHS' Office for Civil Rights prefers voluntary compliance to Civil Monetary Penalties, and will impose a formal Corrective Action Plan – rather than issue a fine – wherever possible.
If I am unsure my business complies with HIPAA, who should I contact?
If you are unsure your business complies with HIPAA, you can approach HHS' Office for Civil Rights for guidance. However, HHS' Office for Civil Rights mostly offers general guidance (unless investigating an alleged violation); and, if your concerns are about specific areas of compliance, it may be better to speak with a professional compliance expert.