HIPAA is enforced primarily by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Understanding how enforcement works helps organizations prioritize compliance and respond appropriately if a problem arises.
How enforcement begins
Most enforcement starts in one of three ways: a complaint filed by a patient or employee, a breach report submitted by the covered entity or business associate, or a compliance review initiated by OCR. OCR screens each complaint to decide whether the conduct, if proven, would violate HIPAA and whether OCR has jurisdiction over the entity involved.
Resolution paths
Many investigations do not end in penalties. OCR often resolves matters through:
- Voluntary compliance and technical assistance for lower-risk issues.
- Corrective action plans that require the organization to fix specific deficiencies, sometimes with monitoring.
- Resolution agreements that may include a settlement payment.
- Civil money penalties in more serious cases.
The tiered penalty structure
HIPAA's civil penalties are organized into tiers based on the entity's level of culpability, ranging from situations where the entity did not know and could not reasonably have known of the violation, up to willful neglect that was not corrected. Each tier carries a higher minimum penalty per violation, and there are annual limits for identical violations. The specific dollar amounts are set by regulation and adjusted for inflation over time.
Criminal penalties
Beyond civil enforcement, HIPAA includes criminal provisions enforced by the U.S. Department of Justice. Knowingly obtaining or disclosing PHI in violation of HIPAA can lead to fines and imprisonment, with harsher penalties when the conduct involves false pretenses or intent to sell or use the information for personal gain or malicious harm.
What OCR looks for
Recurring themes in OCR's resolved cases include the absence of an accurate, enterprise-wide risk analysis, lack of encryption on portable devices, insufficient access controls, failure to have business associate agreements, and delays in providing patients access to their records. OCR has also pursued enforcement initiatives focused specifically on the patient right of access.
Reducing your exposure
Organizations cannot guarantee they will never face an investigation, but they can reduce risk and demonstrate good faith by:
- Conducting and updating a thorough security risk analysis.
- Documenting policies, training, and corrective actions.
- Maintaining current business associate agreements.
- Responding promptly to patient access requests.
- Investigating and, where required, reporting breaches without unreasonable delay.
Good documentation matters at every stage. When OCR evaluates culpability, evidence that an organization took compliance seriously and corrected problems quickly can shape the outcome.
State enforcement and other regulators
OCR is not the only authority that can act on a health-data problem. Under HITECH, state attorneys general may bring certain HIPAA-related actions on behalf of their residents. Separately, the Federal Trade Commission can pursue health-data practices that fall outside HIPAA, and many states have their own health-privacy and breach-notification laws with independent penalties. In Washington, for example, the My Health My Data Act is enforceable through the state Consumer Protection Act, which includes a private right of action. A single incident can therefore draw attention from more than one regulator, each applying its own standard.
What to expect during an investigation
An OCR investigation typically begins with a data request. The organization is asked to produce policies, its risk analysis, training records, business associate agreements, and an account of what happened. How an organization responds matters. Cooperating promptly, providing complete and organized documentation, and showing that identified problems were corrected all weigh in the organization's favor. Resolution agreements often pair any payment with a corrective action plan and a period of monitoring, during which the organization reports on its progress. Treating the process as an opportunity to demonstrate diligence, rather than something to minimize, tends to produce better outcomes.