Who Enforces HIPAA?

Who Enforces HIPAA? Everything You Need to Know About HIPAA Enforcement

If you work in the medical field, you hear the word "HIPAA" thrown around on a daily basis. Most know it as a set of rules and know that bad things can happen if you break those rules.

For many, that's where their knowledge of HIPAA ends. Have you ever stopped to ask, "Who enforces HIPAA anyway?" or "How does an investigation work?" Well, look no further: we've got the answers here. Read on to learn more about the HIPAA enforcement process!

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. The U.S. Congress passed the act in 1996. As healthcare records moved from paper documents alone to many forms of media, new protections were required to keep them safe.

HIPAA established laws to help in the following areas:

  • Laws providing the ability to transfer and maintain health insurance coverage when people change their job
  • Laws aimed at reducing health care abuse and fraud
  • Laws that mandate standards for the healthcare industry related to electronic billing and other digital processes that include patient information
  • Laws that require confidentiality and proper handling of patients' protected health information

The goal of HIPAA is to improve healthcare efficiency while not sacrificing the protection of patient information. It applies to all patients, even up to 50 years after death.

Why Is HIPAA Important?

The ways we access healthcare are continuously evolving. We no longer have to physically go to the doctor's office to have a consultation. You can have a digital doctor's office visit using a webcam, discuss treatment via email, and even obtain prescriptions over the internet.

The ease of access this provides also requires heightened security. Paper records used to be relatively safe locked inside a filing cabinet within a locked doctor's office. Now, all those records are digital, accessible anywhere in the world at any time through your doctor's online portal.

Preventing personal information from falling into the hands of hackers and identity thieves is more important than ever. We hold medical providers to a high standard to make sure they do all they can to protect patients' personal information.

It's not just those with nefarious intent that HIPAA protects against, however. HIPAA makes sure doctors protect patients' privacy while still remaining easy to communicate with. It also makes sure that medical providers can communicate with each other easily about a patient while protecting that patient's information at the same time.

For example, many medical facilities have private messaging apps set up so that doctors can communicate quickly and easily about a patient through encrypted messages. Ordinary text messages, by contrast, can be intercepted or easily compromised.

Who Enforces HIPAA?

HIPAA enforcement falls under the domain of the U.S. Department of Health and Human Services (HHS). The HHS Office for Civil Rights (OCR) handles the process of enforcing HIPAA's privacy and security regulations.

Institutions that fall under HIPAA enforcement range from small doctors' offices to national pharmacy chains to hospitals. Since the law came into effect in 2003, the OCR has received over 200,000 complaints of violations and resolved 98% of them.

How Is HIPAA Enforced?

A HIPAA violation is first brought to the attention of the OCR in one of two ways:

  • A patient or other outside observer submits a complaint stating that they believe an institution or individual violated HIPAA regulations.
  • After an internal review, a healthcare organization determines that it is required to report the HIPAA breach in accordance with the HIPAA Breach Notification Rule.

The OCR reviews each incoming complaint and may resolve it before any investigation. There are four possible reasons that OCR may resolve a complaint without launching an investigation:

  • The violation occurred before 4/14/2003, which is when HIPAA came into effect
  • The entity in question is not subject to HIPAA requirements
  • The reporter filed the complaint more than 180 days after the incident and received no extension
  • The incident described does not violate the Privacy Rule

If the complaint is not resolved during the intake process, OCR determines whether the reported violation could constitute a criminal violation. If so, OCR forwards the case to the Department of Justice (DOJ).

The DOJ can accept the case if it believes criminal activity may have taken place, in which case the DOJ conducts the investigation. Alternatively, the DOJ can reject the case, and it then goes back to the OCR, which conducts the investigation instead.

If there is no possibility of a criminal violation but there was a possible privacy or security rule violation, then the OCR will launch an investigation. There are generally three possible outcomes of the investigation:

  • OCR does not find that a violation took place
  • The institution voluntarily agrees to corrective action
  • OCR issues a formal finding of violation

Penalties for HIPAA violations vary in severity and range from $100 per violation to $1.5 million per violation.

How to Avoid HIPAA Violations

So now that you know who enforces HIPAA, how do you protect against violations? The best way is by investing in the services of a HIPAA compliance agency. They help you avoid penalties in three key ways:

  • Risk Assessment: They test your institution and digital infrastructure to make sure there are no holes in patient information protection
  • Documentation: They provide documents, including policy manuals and network configuration diagrams, that cover every part of your organization
  • Training: Comprehensive employee training ensures that everyone at your organization is on the same page

If you're looking for greater accountability and to avoid costly HIPAA violations, contact us today to get your organization HIPAA compliant!

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that's FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: "Implement a security awareness and training program for all members of its workforce (including management)."

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it's available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
