HIPAA Enforcement

The Department of Health and Human Services’ Office for Civil Rights (OCR) is the organisation responsible for enforcing HIPAA’s Privacy and Security Rules. In March 2006, the Enforcement Rule was introduced to give OCR the power to investigate complaints made against covered entities (CEs) that were violating HIPAA’s Rules. Furthermore, the Enforcement Rule gave OCR the ability to levy a financial penalty against an organisation for failing to comply with HIPAA’s Security Rule.

OCR has several methods of enforcing the Privacy and Security Rules. As mentioned above, it can investigate any complaints that an individual or organisation has filed against a CE and use the data gathered to inform any further action that may need to be taken. OCR may also conduct compliance reviews of organisations to check that a particular CE’s methods and practices meet HIPAA’s strict requirements.

In addition to these methods of enforcing HIPAA, OCR also attempts to encourage compliance among CEs through an education and outreach program that helps employees of CEs understand the importance of HIPAA and the potential consequences of a violation.

The Enforcement Rule also grants OCR the power to work with the Department of Justice to pursue criminal violations of HIPAA. For example, OCR can bring criminal charges against CEs that repeatedly violate HIPAA and fail to introduce corrective measures within 30 days of an offence being identified.

According to the HHS.gov website, the cases of reported HIPAA violations that OCR closes fall into one of five categories:

  • No investigation, resolved after review: OCR closes the case without a full investigation because it has no jurisdiction or there is some other valid reason for OCR not to investigate the case
  • No investigation, technical assistance: OCR has decided that no formal investigation into the CE is required but has provided Technical Assistance to the CE and complainant through ‘early intervention’
  • Investigated, no violation: OCR has investigated and discovered that there has been no violation of HIPAA’s Rules
  • Investigated, corrective action obtained: Following an investigation, OCR requires the CE to change its practices and procedures so that they are compliant with HIPAA. In some instances, OCR provides technical assistance to the CE. According to its website, cases closed by corrective action include those in which ‘OCR enters into a settlement agreement with a covered entity or business associate’
  • Other cases: These include cases referred to the Department of Justice, cases involving a natural disaster, and cases resolved by state authorities instead

The Enforcement Rule also gave more power to individuals; if their PHI was disclosed without their permission, resulting in “serious harm” done to them (for example, causing them to become a victim of identity fraud), the Enforcement Rule grants the individual the right to pursue civil legal action against the CE.
The Health Information Technology for Economic and Clinical Health (HITECH) Act is closely associated with the Enforcement Rule. HITECH established new criminal and civil penalties for violating HIPAA’s Rules. Following HITECH, business associates of covered entities are required to follow the same privacy and security standards as CEs and may have the same penalties levied against them for HIPAA non-compliance.