As a leader in health care, the responsibility to keep your organization compliant rests on your shoulders — and it’s a responsibility to be taken seriously.

After all, the prospect of owing $16 million for HIPAA violations, as Anthem did in 2018, likely feels unthinkable. To make sure you’re avoiding penalties and keeping your patients’ information safe, learning who enforces HIPAA is a great place to start.

In this guide, we break down who is responsible for enforcing the HIPAA Rules, the tiers of HIPAA violation penalties, and how to make sure your organization is protected from those penalties.

Who enforces HIPAA?

Here’s the simple answer: the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) is the primary enforcer of HIPAA’s Privacy and Security Rules.

That said, there are a couple other organizations that also hold the authority to enforce HIPAA, though they wield this power less frequently. They include the state attorneys general and the Centers for Medicare and Medicaid Services (CMS).

OCR has the greatest responsibility to enforce the law, so let’s start by walking through what this enforcement looks like.

HHS’ Office for Civil Rights

OCR plays several roles in enforcing HIPAA’s Privacy and Security Rules. It investigates complaints, conducts compliance reviews, and educates relevant entities about compliance requirements. If needed, it can levy penalties against non-compliant entities and even refer them to the Department of Justice.

While OCR prioritizes investigating data breaches that impact more than 500 people, it also investigates organizations that have had multiple smaller breaches. Data breaches don’t always mean an organization isn’t compliant with HIPAA, but OCR considers breaches enough of a reason to investigate an entity covered by HIPAA.

OCR, of course, prefers to resolve HIPAA violations through voluntary compliance. This is when the organization at fault voluntarily corrects its compliance issues. If this doesn’t happen, OCR will likely pursue legal action.

OCR breaks down HIPAA violations into four categories, in order of severity:

  • Category 1: A violation that the covered entity wasn’t aware of and likely couldn’t have avoided. The entity has clearly tried to comply with HIPAA.
  • Category 2: A violation that the covered entity was expected to know but still couldn’t have avoided. This category doesn’t yet constitute willful neglect.
  • Category 3: A violation due to willful neglect of HIPAA Rules. To fit into this category, the entity must have tried to correct its mistakes.
  • Category 4: A violation due to willful neglect of HIPAA Rules in which the entity was aware of its errors and did not try to correct them.

OCR’s HIPAA violation penalties: A breakdown

OCR has a different penalty for each of its HIPAA violation categories. They are as follows:

  • Category 1: A fine of $100-$50,000 per violation
  • Category 2: A fine of $1,000-$50,000 per violation
  • Category 3: A fine of $10,000-$50,000 per violation
  • Category 4: A fine of at least $50,000 per violation

Violation fines cap out at $1,500,000 per violation, per year. To determine a specific fine within each of these categories, OCR takes the following factors into account:

  • The covered entity’s size
  • The type of data exposed
  • The duration of the violation
  • The number of individuals affected
  • The severity of the damage done
  • The entity’s cooperation with the investigation

Other HIPAA enforcers

As we mentioned earlier, OCR isn’t the only entity allowed to enforce HIPAA Rules. While they don’t step in nearly as much, state attorneys general and the CMS also have authority here. Next, we’ll explain what powers they are granted and how they enforce HIPAA.

State attorneys general

In 2008, the Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to enforce HIPAA in their states.

Early on, states were hesitant to use this power, and many chose not to. But recently, state attorneys general have been enforcing HIPAA more actively. In 2021, for example, New Jersey helped investigate the 2019 data breach at American Medical Collection Agency (AMCA).

While increasing state involvement is partially due to the practice becoming more accepted over time, it’s also likely because attorneys general are now allowed to keep a portion of violation fines.

It’s important to note that penalties issued by state attorneys general are far less severe than those issued by OCR, ranging from $100 to $25,000.

The Centers for Medicare and Medicaid Services (CMS)

In addition to its well-known patient security stipulations, HIPAA includes provisions designed to improve efficiency in the health care sector. These are known as the HIPAA Administrative Simplification Regulations.

It’s the CMS’ responsibility to enforce these regulations. CMS investigates covered entities that have failed to comply with this area of HIPAA. However, it does not issue penalties against non-compliant entities unless they refuse to achieve compliance.

4 tips for maintaining HIPAA compliance

Needless to say, complying with HIPAA will save you a lot of hassle — say goodbye to the stress of an impending investigation. Apart from following HIPAA’s Security and Privacy Rules, we’ve compiled some best practices to help your organization remain compliant.

  • Train employees in privacy and security policies: Ideally, following HIPAA Privacy and Security Rules would be enough to keep an organization HIPAA-compliant. But that isn’t always the case. Create and regularly update privacy and security policies, then train your employees to follow those policies during their onboarding process and on a regular basis.
  • Perform regular self-audits: Threats evolve and security measures fail over time. To remain compliant, conduct regular audits of your physical, technical, and administrative safeguards. According to HHS, these should be conducted at least annually.
  • Document everything: If your organization is investigated, it will be a much easier process if you’ve been documenting all of your HIPAA compliance efforts. OCR and other enforcers will likely want to see self-audit records, privacy and security policies, and organization-wide training sessions.
  • Automate compliance: Automating the compliance process makes it much easier to become continuously compliant. This makes audits and investigations far less stressful.

Covering your HIPAA bases with Secureframe

Secureframe takes the guesswork out of HIPAA compliance. We break the process down into straightforward steps, from helping you create privacy and security policies to facilitating employee HIPAA training.

Our software makes it easy to ensure that your vendors are HIPAA-compliant, too. We nip vendor risk in the bud, helping you create Business Associate Agreements for partners that have access to patient health information.

For total confidence in your HIPAA compliance strategy, request a demo of our platform today.

FAQs

Who is responsible for enforcing HIPAA?

The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is primarily responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. The OCR investigates complaints, conducts compliance reviews, and provides education and outreach to foster compliance with the HIPAA rules. In addition to the OCR, certain states may have their own agencies or attorneys general that can enforce HIPAA regulations, especially after the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which provided state attorneys general the authority to file civil actions for HIPAA violations.

Who imposes HIPAA penalties?

HIPAA penalties are primarily imposed by the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR), but they can also be imposed by state attorneys general and the Centers for Medicare and Medicaid Services (CMS). It’s important to note that penalties issued by state attorneys general are far less severe than those issued by OCR, ranging from $100 to $25,000. Also, the CMS only investigates covered entities that have failed to comply with the HIPAA Administrative Simplification Regulations and issues penalties only against entities that refuse to achieve compliance.

Who oversees HIPAA complaints?

The U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) oversees and investigates HIPAA complaints filed by individuals who feel a covered entity or business associate violated their (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules.

How do you file a complaint regarding a HIPAA violation with the Office for Civil Rights?

To file a complaint regarding a HIPAA violation with the Office for Civil Rights, individuals can fill out the Patient Safety Confidentiality Complaint Form (PDF) and Consent Form Package (PDF), or submit a written complaint in their own format, and then mail or fax it to the appropriate OCR regional office or email it to OCRComplaint@hhs.gov. All complaint requirements can be found here.

How are HIPAA regulations enforced?

HIPAA regulations are enforced through a variety of mechanisms:

  • Complaints: Individuals can file complaints with the OCR if they believe their rights under HIPAA have been violated. The OCR investigates these complaints and determines whether there has been a violation.
  • Compliance Reviews: The OCR may initiate a compliance review of a covered entity or business associate to ascertain compliance with HIPAA rules.
  • Audits: The HHS OCR has established an audit program to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules.
  • Corrective Action Plans: If a violation is identified, the OCR may require the entity to implement a corrective action plan to address and remedy the violation.
  • Civil Monetary Penalties: In cases of non-compliance, the OCR may impose civil monetary penalties on the violating entity. The amount of the penalty is based on the nature and extent of the violation and the harm resulting from the violation.
  • Resolution Agreements: The OCR may enter into a resolution agreement with the covered entity or business associate, which typically includes a monetary settlement and a corrective action plan to resolve the compliance issues.

What happens if HIPAA is violated?

The consequences of a HIPAA violation can vary based on the nature and extent of the violation and the harm caused:

  • Investigation and Corrective Measures: Initially, the OCR may seek voluntary compliance and corrective action from the entity to address the violation.
  • Civil Monetary Penalties: If the violation is severe or the entity is uncooperative, the OCR may impose civil monetary penalties. The penalties for HIPAA violations can range from $100 to $50,000 per violation or per record, with a maximum penalty of $1.5 million per year for violations of an identical provision.
  • Criminal Penalties: In cases of willful neglect or criminal offenses, such as wrongful disclosure of individually identifiable health information, criminal penalties can be imposed. These penalties can range from fines up to $250,000 and imprisonment for up to ten years, depending on the severity of the violation.
  • Resolution Agreements: The entity may also enter into a resolution agreement with the OCR, which may include a monetary settlement and a corrective action plan that specifies actions the entity must take to come into compliance with HIPAA rules.

Violations can also lead to reputational damage, loss of patient trust, and potential lawsuits from affected individuals.