HIPAA Enforcement Guide: Government Investigation Process, Penalties, and Examples
HIPAA Enforcement Overview
HIPAA is enforced primarily by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). OCR oversees compliance with the Privacy Rule, the Security Rule, and the Breach Notification Rule for covered entities and for business associates that create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf.
OCR uses several tools to drive compliance: investigations, compliance reviews, technical assistance, resolution agreements with a Corrective Action Plan, civil money penalties, and referrals for criminal prosecution when appropriate. State attorneys general may also bring civil actions for HIPAA violations, creating additional enforcement exposure.
Enforcement Investigation Process
How cases begin
- Individual complaints alleging improper use, disclosure, or denial of access to PHI.
- Data breach reports, especially incidents affecting 500 or more individuals.
- Referrals from other agencies, media reports, or patterns suggesting systemic noncompliance.
- Compliance reviews initiated by OCR based on risk signals or industry trends.
OCR’s investigative steps
- Opening letter outlining issues under review and requesting documents, policies, risk analyses, and logs.
- Interviews of key personnel and, when necessary, on‑site visits to verify controls and practices.
- Assessment of safeguards, vendor management, right‑of‑access processes, and breach response actions.
- Evaluation of whether the entity promptly identified, mitigated, and corrected deficiencies.
Possible enforcement resolution outcomes
- No violation or technical assistance to resolve minor issues.
- Resolution agreement with a multi‑year Corrective Action Plan and monitoring.
- Civil money penalties when violations are serious, persistent, or uncorrected.
- Referral to the Department of Justice for potential criminal prosecution in egregious cases.
Appeals and due process
Entities may contest a proposed civil money penalty before an HHS Administrative Law Judge, with further review by the HHS Departmental Appeals Board. Many matters settle through negotiation instead, producing a resolution tailored to the entity’s size, risk profile, and remediation progress.
Civil Penalties Structure
Tiered Civil Penalties
HIPAA’s civil money penalties follow a tiered framework that aligns the penalty level with culpability and corrective efforts:
- Tier 1 — No Knowledge: The entity did not know and, with reasonable diligence, would not have known of the violation.
- Tier 2 — Reasonable Cause: The violation was due to reasonable cause, not willful neglect.
- Tier 3 — Willful Neglect (Corrected): The entity acted with willful neglect but corrected the violation within 30 days of the date it knew, or should have known, of the violation.
- Tier 4 — Willful Neglect (Not Corrected): The entity acted with willful neglect and failed to correct the violation within that 30‑day period.
How penalties are calculated
Penalties apply per violation, and continuing violations may accrue per day. Annual caps apply per identical provision violated in a calendar year, with amounts adjusted for inflation. OCR considers factors such as the nature and extent of the violation, the number of individuals affected, the level of harm, the entity’s compliance history, its financial condition, and whether it can show that recognized security practices were in place for the prior 12 months (a factor the 2021 HITECH amendment requires HHS to consider).
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Illustrative drivers of higher penalties
- Failure to conduct an enterprise‑wide risk analysis or implement risk management plans.
- Lack of encryption or access controls leading to unauthorized access to PHI.
- Missing or outdated business associate agreements for vendors handling PHI.
- Delays in providing individuals timely access to their records under the Privacy Rule.
Criminal Penalties Structure
When HIPAA becomes a crime
Criminal liability arises for knowingly obtaining or disclosing PHI in violation of HIPAA. Penalties escalate for offenses committed under false pretenses and for actions taken with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. The Department of Justice prosecutes these cases, often alongside related identity theft or fraud charges.
Potential sanctions
- Knowingly obtaining or disclosing PHI: fines of up to $50,000 and up to one year of imprisonment.
- Offenses committed under false pretenses: fines of up to $100,000 and up to five years of imprisonment.
- Intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm: fines of up to $250,000 and up to ten years of imprisonment.
Common criminal scenarios
- Employees snooping on celebrity or acquaintance records without a job‑related need.
- Sale or barter of patient lists for marketing, fraud, or identity theft schemes.
- Unauthorized access to prescription data to divert controlled substances.
Notable Enforcement Examples
- Anthem (2018): A multistate cyberattack exposed tens of millions of records, leading to a record OCR settlement and a robust Corrective Action Plan emphasizing risk analysis, monitoring, and access controls.
- Premera Blue Cross (2020): A hacking incident affecting over ten million individuals resulted in a multimillion‑dollar settlement and mandated improvements to audit controls and vendor oversight.
- Excellus Health Plan (2021): OCR cited insufficient risk management and delayed detection following a prolonged intrusion, requiring extensive remediation and independent monitoring.
- University of Rochester Medical Center (2019): OCR reached a $3 million settlement over lost unencrypted portable devices, citing gaps in device inventory, encryption, and risk analysis.
- Right of Access Initiative (2019–present): Dozens of providers have entered settlements—often five‑ to six‑figure amounts—for not providing patients timely or reasonably priced access to their records.
Corrective Actions and Resolutions
What a Corrective Action Plan typically requires
- Comprehensive, enterprise‑wide risk analysis and a documented risk management plan with timelines.
- Updated Privacy and Security Rule policies, procedures, and workforce training with attestations.
- Technical safeguards such as encryption, multi‑factor authentication, endpoint protection, and audit logging.
- Business associate governance: inventories, due diligence, and signed agreements before PHI sharing.
- Independent assessments, progress reports to OCR, and leadership accountability for sustained compliance.
Monitoring and closure
CAPs often run one to three years. Entities submit periodic reports and evidence of implementation. OCR closes the matter after verifying completion, memorializing the resolution and ending active monitoring.
Compliance Best Practices
- Perform and refresh an enterprise‑wide risk analysis; tie remediation to documented risk levels.
- Implement recognized security practices (for example, the NIST Cybersecurity Framework or the HHS 405(d) practices) and keep evidence that they have been in place for at least 12 months, the look‑back period HHS must consider under the 2021 HITECH amendment.
- Encrypt PHI at rest and in transit; enforce multi‑factor authentication and least‑privilege access.
- Operationalize the Right of Access: track requests, meet timelines, and apply reasonable, cost‑based fees.
- Harden third‑party risk management with thorough vendor vetting and current business associate agreements.
- Maintain audit logs, alerts, and regular access reviews to detect and contain inappropriate activity.
- Test incident response and breach notification plans; document decisions and law‑enforcement holds.
- Provide role‑based training, sanction policy enforcement, and recurring phishing awareness exercises.
- Secure physical environments: facility access controls, device inventories, and media sanitization.
- Establish clear governance with designated privacy and security officers and routine compliance reporting.
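The snooping and bulk‑access scenarios listed under “Common criminal scenarios” above are exactly what the audit‑log and access‑review bullet is meant to catch. The script below is an added example written for this guide, not code from the page or from Accountable: it replays a small EHR audit trail against a treatment‑relationship table and flags chart access with no documented relationship, access to flagged (VIP) records, and bulk chart opening. The audit log, the assignment table, the restricted‑record list, the threshold, and all user and patient identifiers are constructed for illustration.

```python
"""Review an EHR access log for snooping and bulk-access patterns."""
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample audit trail for this example (not real data).
AUDIT_LOG = """timestamp,user,role,patient_id,action
2024-03-01T08:02:10,nurse_a,RN,P1001,view
2024-03-01T08:05:42,nurse_a,RN,P1002,view
2024-03-01T09:15:00,clerk_b,REGISTRATION,P1001,view
2024-03-01T09:16:30,clerk_b,REGISTRATION,P2000,view
2024-03-01T12:40:05,dr_c,MD,P1003,view
2024-03-01T12:41:00,dr_c,MD,P2000,view
2024-03-01T22:10:11,tech_d,RAD,P1004,view
2024-03-01T22:10:45,tech_d,RAD,P1005,view
2024-03-01T22:11:20,tech_d,RAD,P1006,view
2024-03-01T22:12:02,tech_d,RAD,P1007,view
2024-03-01T22:12:40,tech_d,RAD,P1008,view
2024-03-01T22:13:15,tech_d,RAD,P1009,export
2024-03-02T07:30:00,nurse_a,RN,P1001,view
"""

# Constructed treatment-relationship table: (user, patient) pairs with an
# active encounter, order, or unit assignment that justifies chart access.
ASSIGNMENTS = {
    ("nurse_a", "P1001"), ("nurse_a", "P1002"),
    ("clerk_b", "P1001"),
    ("dr_c", "P1003"), ("dr_c", "P2000"),
    ("tech_d", "P1004"), ("tech_d", "P1005"),
}
RESTRICTED = {"P2000"}   # constructed VIP / break-the-glass records
BULK_THRESHOLD = 5       # distinct charts per user per day before alerting


@dataclass(frozen=True)
class Finding:
    kind: str       # no_relationship | restricted_record | bulk_access
    user: str
    patient: str    # "*" for per-user findings
    severity: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """Parse the CSV audit trail into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, assignments, restricted, bulk_threshold=BULK_THRESHOLD):
    """Return findings for access without a relationship, flagged records, and bulk access."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for r in rows:
        user, patient, action = r["user"], r["patient_id"], r["action"]
        day = r["timestamp"][:10]
        charts_per_user_day[(user, day)].add(patient)
        related = (user, patient) in assignments
        if not related:
            # Exports without a relationship are treated as the most serious case.
            findings.append(Finding(
                "no_relationship", user, patient,
                "high" if action == "export" else "medium",
                f"{action} at {r['timestamp']} with no documented treatment relationship"))
        if patient in restricted:
            # Every touch of a flagged record is reviewed; severity depends on the relationship.
            findings.append(Finding(
                "restricted_record", user, patient,
                "low" if related else "high",
                "access to flagged record " + ("with" if related else "without")
                + " a treatment relationship"))
    for (user, day), charts in sorted(charts_per_user_day.items()):
        if len(charts) >= bulk_threshold:
            findings.append(Finding(
                "bulk_access", user, "*", "high",
                f"{len(charts)} distinct charts opened on {day} (threshold {bulk_threshold})"))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings by kind, for a daily review report."""
    return dict(Counter(f.kind for f in findings))


def review_sample() -> list[Finding]:
    """Run the review over the constructed audit trail."""
    return review_access(parse_log(AUDIT_LOG), ASSIGNMENTS, RESTRICTED)


if __name__ == "__main__":
    for f in review_sample():
        print(f"[{f.severity:6}] {f.kind:18} user={f.user:8} patient={f.patient:6} {f.detail}")
    print(summarize(review_sample()))
```

In practice the relationship table comes from the EHR’s encounter, order, and unit‑census data, and the review runs daily against the previous day’s audit trail; the point of the example is that each finding carries enough context (user, patient, action, timestamp, and why it was flagged) for the privacy officer to document the investigation and any sanction, which is exactly the evidence OCR asks for when it reviews how an entity detected and corrected inappropriate access.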
FAQs
What triggers a government HIPAA investigation?
Common triggers include individual complaints, breach reports (especially incidents affecting 500+ people), media or whistleblower tips, referrals from other agencies, and risk‑based compliance reviews. Any pattern suggesting systemic gaps—like repeated access delays or unencrypted device losses—can prompt OCR to act.
What are the civil penalties for HIPAA violations?
HIPAA uses Tiered Civil Penalties that scale with culpability and remediation. Penalties apply per violation with annual caps, and OCR weighs factors such as harm, scope, history, and financial condition. Demonstrated recognized security practices can mitigate outcomes, while uncorrected willful neglect leads to the highest penalties.
How does the Office for Civil Rights conduct enforcement investigations?
OCR sends an opening letter, requests documents and evidence, interviews personnel, and may conduct on‑site reviews. It examines risk analysis and management, safeguards, vendor controls, and breach response. Cases resolve through technical assistance, a resolution agreement with a Corrective Action Plan, civil money penalties, or referral for criminal prosecution.
What are examples of enforcement actions against HIPAA violators?
Enforcement actions range from five‑figure Right of Access settlements to multimillion‑dollar resolution agreements after cyberattacks. High‑profile matters have required extensive Corrective Action Plans, independent monitoring, and long‑term reporting to OCR to ensure sustained compliance and remediation.