Hundreds of thousands of HIPAA complaints have been filed over the last two decades, with impermissible use and disclosure of PHI ranking as the most common alleged issue. The top two entities most frequently alleged to have violated HIPAA are general hospitals, followed by private practices and physicians. Given these patterns, it is helpful to understand the responsible agencies and process for enforcing the HIPAA Privacy and Security Rules.
Enforcement Entities
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the federal agency responsible for enforcing HIPAA. It does this primarily through investigating complaints, performing compliance reviews, and conducting education and outreach. When reviewing complaints, OCR may refer cases of possible criminal violations to the Department of Justice.
Complaints may also be filed with State Attorneys General. As a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act, State Attorneys General have the enforcement authority to bring civil actions on behalf of their residents for HIPAA violations. In states with specific privacy laws, individuals may be able to sue under state law.
Enforcement Process
Upon investigating a complaint, OCR may determine that there was no violation or that the activity described in the complaint is not eligible for enforcement. This may happen in cases where OCR does not have jurisdiction under HIPAA, the complaint was not filed in time or was withdrawn after being filed, or the activity described was not a HIPAA violation, such as circumstances in which disclosure of PHI is permitted under the Privacy Rule. Based on OCR Enforcement Highlights, two-thirds of complaints filed are determined to not be eligible for enforcement.
If OCR determines there has been a compliance issue, OCR seeks to resolve the matter through voluntary compliance, corrective action, and/or a resolution agreement, which may include a settlement amount. Most cases are resolved using these methods. If a covered entity does not satisfactorily resolve the issue, OCR may impose civil money penalties (CMPs).
Penalties
Violations of HIPAA or state privacy laws carry penalties that can range significantly, with the potential for serious consequences.
Civil penalties are based on a tiered structure, which was created by modifications to the Enforcement Rule as a result of the HITECH Act. This penalty structure includes four categories of violations, reflecting increasing levels of culpability:
| Tier | Penalty per Violation |
| --- | --- |
| 1. Unknowing | $100 to $50,000 |
| 2. Reasonable cause | $1,000 to $50,000 |
| 3. Willful neglect – corrected within certain time period | $10,000 to $50,000 |
| 4. Willful neglect – not corrected | Minimum $50,000 |
There is a maximum penalty amount of up to $1.5 million annually, depending on whether the covered entity or business associate knew of the violation or practiced willful neglect and didn’t correct the violation within the required timeframe. CMPs are adjusted annually for inflation.
Criminal penalties for HIPAA violations may include fines or imprisonment. Similar to civil penalties, there are different levels of criminal penalties based on the offense, with penalties for the highest level including fines of up to $250,000 and up to ten years in jail.
In addition, State Attorneys General may pursue financial penalties for violation of state privacy laws, and there may also be professional disciplinary actions for HIPAA violations.
Additional Resources
- HHS Enforcement Data includes details on complaints received, top issues, and enforcement results by year.
- See the HHS webpage, How OCR Enforces the HIPAA Privacy & Security Rules, for more information on the enforcement process.
Disclaimer:
The recommendations in this publication do not indicate an exclusive course of treatment or serve as a standard of medical care. Variations, taking into account individual circumstances, may be appropriate. This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired. 
Last Updated
12/19/2025
Source
American Academy of Pediatrics