Who Enforces HIPAA & How To Make Sure Your Business Is HIPAA Compliant


Rochelle van Rensburg | Sep 25, 2020

1. Who Enforces HIPAA?

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, is enforced at both the federal and the state level. At the federal level, the Department of Health and Human Services' Office for Civil Rights (OCR) sets the rules for HIPAA, receives and investigates complaints, and issues penalties and fines.

2. How are HIPAA laws enforced?


Enforcement is carried out by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). OCR is responsible for investigating complaints. When a complaint is filed, OCR reviews it and may then pursue enforcement through investigations or audits. Thus far, HHS has publicly announced each audit it has conducted, when the audit was to take place, and what the audit consisted of.

During the investigation or audit, OCR determines whether the covered entity was in compliance with the HIPAA Security and Privacy Rules. If the organization is not in violation, the findings are documented and the case is closed. If it is in violation, action can be taken with respect to any of the HIPAA Rules: the Privacy Rule, the Breach Notification Rule, the Omnibus Rule, and the Security Rule.

3. Who is liable under HIPAA?

You are liable under HIPAA if your organization handles protected health information (PHI) or electronic protected health information (ePHI), or if you interact with patient health information in any way. Some examples of interactions with patient information are:

  • Giving out prescriptions

  • Taking blood pressure

  • Talking to patients directly

  • Encrypting patient data on behalf of a provider

  • Managing a database that holds patient data

  • Managing the firewall for a healthcare environment

If protected health information (PHI) is compromised at a healthcare practice, the practice is always considered at fault. However, depending on the violation, an employee (especially an executive-level employee) may also be considered at fault and face serious consequences. Even where an employee was involved, the healthcare employer still holds some of the blame for not training employees properly.


4. The Categories of HIPAA Violation

The most common HIPAA violations are:

  • Hacking

  • Keeping Unsecured Records

  • Unencrypted Data

  • Loss or Theft of Devices

  • Lack of Employee Training

  • Gossiping / Sharing PHI

  • Employee Dishonesty

  • Unauthorized Release of Information

  • Improper Disposal of Records

  • 3rd Party Disclosure of PHI


What are the penalties for violating HIPAA?


Hefty fines apply if your organization fails to comply with HIPAA requirements. OCR's fines are classified into several tiers:

  • The first tier applies if you unknowingly violated the HIPAA regulations. A minimum fine of $100 for every violation and a maximum of $25,000 annually for repeated violations is likely. This can go up to $50,000 for every violation and $1.5 million a year if OCR deems it necessary.

  • The second tier (reasonable cause) carries at least $1,000 per violation and $100,000 for repeated violations. In this tier, the maximum penalty may rise to $50,000 for every offense and a maximum of $1.5 million each year.

  • The third tier applies to willful neglect of the HIPAA regulations that was rectified within the required timelines. A minimum fine of $10,000 for every violation and a maximum of $250,000 annually may be enforced. The penalty may rise to $50,000 per violation and a maximum of $1.5 million per year.

  • If an entity has willfully neglected the regulations and failed to correct the violations within the required time, it will be fined $50,000 per violation with a maximum of $1.5 million per year.

  • If a covered entity knowingly discloses PHI, one year of imprisonment and a $50,000 fine could be imposed.

  • If an individual in a covered entity obtains PHI under false pretenses in order to misuse it, they may receive up to ten years of imprisonment and a fine of $100,000. If the PHI was used for malicious harm, personal gain, or financial benefit, the fine increases to $250,000.

5. HIPAA Enforcement by State Attorneys General

The Health Information Technology for Economic and Clinical Health (HITECH) Act gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, and allows them to obtain damages on behalf of those residents.

OCR encourages State AGs to use this authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. In addition, OCR has promised to:

  • Provide guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule

  • Assist State AGs in exercising this new enforcement authority by providing information upon request about pending or concluded OCR actions against covered entities or business associates

  • Collaborate with State AGs seeking to bring civil actions to enforce the HIPAA Rules

6. HIPAA Enforcement by the Centers for Medicare and Medicaid Services (CMS)

The Centers for Medicare & Medicaid Services (CMS), on behalf of HHS, administers the Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.

CMS has the authority to investigate complaints of non-compliance related to all of the HIPAA regulations except the Security and Privacy Rules, which are enforced by the Office for Civil Rights (OCR). The regulations for which CMS has enforcement authority include the Transactions and Code Sets (TCS); the National Employer Identifier Number (EIN); the National Provider Identifier (NPI); and the Operating Rules (OPR). CMS also enforces the insurance portability requirements under Title I of HIPAA.


Would you like to learn more to ensure that your business is 100% HIPAA compliant?

We invite you to have a look at Coggno's wide range of HIPAA training courses, which cover everything you need to know about compliance and provide the correct training for your employees.
