As a leader in health care, the responsibility to keep your organization compliant rests on your shoulders — and it’s a responsibility to be taken seriously.
After all, the prospect of paying $16 million to settle HIPAA violations, as Anthem did in 2018, likely feels unthinkable. To make sure you avoid penalties and keep your patients' information safe, understanding who enforces HIPAA, and how, is the place to start.
In this guide, we break down who is responsible for enforcing the HIPAA Rules, the tiers of HIPAA violation penalties, and how to make sure your organization is protected from those penalties.
Here's the simple answer: the U.S. Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) is the primary enforcer of HIPAA's Privacy, Security, and Breach Notification Rules.
That said, a couple of other bodies also hold the authority to enforce HIPAA, though they use it less frequently: state attorneys general and the Centers for Medicare & Medicaid Services (CMS).
OCR has the greatest responsibility to enforce the law, so let’s start by walking through what this enforcement looks like.
OCR plays several roles in enforcing HIPAA's Privacy and Security Rules. It investigates complaints, conducts compliance reviews, and educates covered entities and business associates about their obligations. If needed, it can impose civil money penalties on non-compliant entities and refer suspected criminal violations to the Department of Justice.
OCR investigates every breach affecting 500 or more individuals (which covered entities must report to HHS within 60 days of discovery), and it also looks into organizations that report a pattern of smaller breaches. A breach does not by itself prove an organization is out of compliance, but OCR treats it as sufficient reason to open an investigation.
OCR prefers to resolve violations through voluntary compliance, where the organization corrects its own deficiencies. If that fails, OCR can negotiate a resolution agreement with a corrective action plan, or impose civil money penalties directly.
OCR breaks HIPAA violations into four tiers based on the organization's level of culpability, in order of increasing severity:
Tier 1: The entity did not know, and by exercising reasonable diligence would not have known, that it violated a HIPAA provision.
Tier 2: The violation was due to reasonable cause and not to willful neglect.
Tier 3: The violation was due to willful neglect but was corrected within 30 days of discovery.
Tier 4: The violation was due to willful neglect and was not corrected within 30 days.
Each tier carries its own penalty range per violation. Under the statutory base amounts set by the HITECH Act (HHS adjusts these figures annually for inflation), they are:
Tier 1: $100 to $50,000 per violation.
Tier 2: $1,000 to $50,000 per violation.
Tier 3: $10,000 to $50,000 per violation.
Tier 4: $50,000 per violation.
Fines cap out at $1,500,000 per calendar year for all violations of an identical provision (a 2019 HHS notice of enforcement discretion applies lower annual caps to Tiers 1 through 3). To determine a specific fine within each tier, OCR weighs the nature and extent of the violation, the nature and extent of the resulting harm, the entity's history of prior compliance, its financial condition, and any other matters that justice may require.
As mentioned earlier, OCR isn't the only entity allowed to enforce the HIPAA Rules. While they step in far less often, state attorneys general and CMS also have authority here. Next, we'll explain what powers they are granted and how they enforce HIPAA.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions under HIPAA on behalf of residents of their states.
Early on, states were hesitant to use this power, and many chose not to. More recently, state attorneys general have been enforcing HIPAA more actively. In 2021, for example, New Jersey joined a multistate settlement over the 2019 data breach at American Medical Collection Agency (AMCA).
Increasing state involvement is partly due to the practice becoming more accepted over time, and partly because a successful state action can recover damages for the state along with the costs and attorney's fees of bringing it.
It's important to note that penalties available to state attorneys general are far smaller than those OCR can impose: $100 per violation, capped at $25,000 per calendar year for violations of the same requirement.
In addition to its well-known privacy and security provisions, HIPAA includes rules designed to standardize electronic transactions, code sets, and identifiers across the health care sector. These are known as the HIPAA Administrative Simplification Regulations.
CMS is responsible for enforcing these regulations. It investigates covered entities that have failed to comply with this part of HIPAA, but its process is complaint-driven and corrective: it does not issue penalties unless an entity refuses to come into compliance.
Needless to say, complying with HIPAA will save you a lot of hassle, including the stress of an impending investigation. Beyond following HIPAA's Security and Privacy Rules, the following best practices will help your organization remain compliant.
Secureframe takes the guesswork out of HIPAA compliance. We break the process down into straightforward steps, from helping you create privacy and security policies to facilitating employee HIPAA training.
Our software makes it easy to ensure that your vendors are HIPAA-compliant, too. We nip vendor risk in the bud, helping you create Business Associate Agreements for partners that have access to patient health information.
For total confidence in your HIPAA compliance strategy, request a demo of our platform today.