HIPAA Enforcement: Who Enforces HIPAA?

How Does HIPAA Enforcement Work?

HIPAA enforcement takes place on both the federal government and state government level. The Department of Health and Human Services’ Office for Civil Rights receives and investigates complaints, and issues penalties and fines. Enforcement action can be taken with respect to any of the HIPAA Rules. These rules include the HIPAA Privacy Rule, the Security Rule, the Breach Notification Rule, and the HIPAA Omnibus Rule. 

When an individual reports a violation, files a complaint, or discloses a breach, OCR reviews the complaint, report, or disclosure. OCR may then pursue enforcement in the form of investigations or audits. Audits are randomly conducted. Thus far, HHS has publicly announced, with respect to each audit it has conducted, when the audit was to take place, and what the audit consisted of.  

Investigations, in contrast, are made in response to a specific complaint. Upon receiving a complaint, OCR seeks information from the entity against whom the complaint is filed, about the extent of its HIPAA compliance.

Investigation sometimes results in the entity that is the subject of the complaint taking voluntary steps to improve its compliance. In addition, after an investigation starts, HIPAA enforcement can take the form of OCR providing technical assistance to an entity to resolve the matter. Technical assistance consists of OCR’s advising the entity as to what is expected of it in terms of HIPAA compliance. Typically, an entity agrees to make specified changes. 

In addition, state attorneys general can enforce HIPAA. The ability to do so was given to states in the 2009 amendment to HIPAA that appears in the Health Information Technology for Economic and Clinical Health (HITECH) Act. States were reluctant to take enforcement actions in the initial years after the amendment; however, recently, states have not only engaged in more vigorous HIPAA enforcement activity, but have joined together with other states in multi-state litigation. 

There are significant consequences for breaking the HIPAA laws in new ways as well: The first multi-state litigation was brought in December of 2018. Arizona and 15 other states filed suit, asserting claims under HIPAA as well as various applicable state data protection laws. The suit was filed as a result of a data breach in which hackers infiltrated WebChart, and stole the electronic protected health information (ePHI) of approximately 4 million individuals. 

As shown above, consequences for breaking the HIPAA law can be severe. Covered entities can address their obligations under HIPAA by working with Compliancy Group.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address the HIPAA regulations, so they can get back to confidently running their business.