The HIPAA Enforcement Rule: What to Know

July 13, 2022
HIPAA contains quite a few requirements for individuals and businesses, so it’s no surprise that authorities exist to enforce these rules.

Since HIPAA contains so many requirements that individuals and businesses are held to, it only makes sense that there are processes in place to enforce these rules. This is where the HIPAA Enforcement Rule comes in. The HIPAA Enforcement Rule gives HHS the power to levy civil money penalties and criminal penalties at different levels, depending on the scope of the violations.

In this guide, we’ll explore what the HIPAA Enforcement Rule is, what it entails, and the different categories of both civil money and criminal penalties.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a piece of US legislation that establishes data privacy and security safeguards for medical records. The law has gained support as a result of several health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers in recent years.

HIPAA has two major goals: to offer continuous health insurance coverage for employees who leave their positions and to lower medical costs by standardizing the electronic transmission of administrative and financial activities. Combating misuse, fraud, and waste in health insurance and healthcare delivery, as well as enhancing access to long-term care services and health insurance, are among the other objectives.

What is the HIPAA Enforcement Rule?

HHS has established certain HIPAA compliance standards, and the Enforcement Rule covers compliance investigations and fines for violators. It also outlines the processes for imposing civil penalties on entities that breach any of the HIPAA Rules, as well as the amounts of those monetary penalties.

The Department of Health and Human Services' Office for Civil Rights (OCR) is in charge of investigating all potential infractions. OCR assesses whether the Covered Entity or Business Associate was in compliance with the HIPAA Security and Privacy Rules or whether any violations occurred.

For each instance, OCR evaluates the information and gathers evidence. If evidence shows that the Covered Entity was not in compliance, OCR will work with the Covered Entity to settle the issue through voluntary compliance, remedial action, and/or a resolution agreement.

HIPAA regulations are enforced by both the federal and state governments. When there is a breach or potential violation of the HIPAA Rules, HIPAA enforcement kicks in. The Office for Civil Rights of the Department of Health and Human Services accepts complaints regarding non-compliance and investigates them. Based on the results of the investigation, enforcement action may be taken for a violation of any of the HIPAA Rules, and OCR may assess penalties and fines.

The entity may take voluntary steps to improve its compliance as a consequence of the OCR inquiry. OCR may also help by advising the entity and outlining the expected terms of the resolution.

Enforcement and Penalties for Violating HIPAA

There is a high cost for violating HIPAA’s regulations. OCR is primarily responsible for investigating violations, determining the results, taking enforcement action as it sees appropriate, and monitoring the entity's corrective actions afterward.

HIPAA enforcement is carried out by both the federal and state governments. OCR receives and looks into complaints, and levies penalties and fines. A violation of any of the HIPAA Rules can be subject to enforcement action.

HIPAA Investigation Process

OCR investigates complaints, reports, and disclosures when someone reports a violation, files a complaint, or reveals a breach. OCR may then seek enforcement through investigations or audits. Audits are carried out at random. To date, HHS has made public announcements about each audit it has conducted, including when the audit would take place and what it would cover.

In contrast, investigations are conducted in response to a specific allegation. When OCR receives a complaint, it requests information from the entity under investigation concerning the degree of its HIPAA compliance. The entity that is the subject of the complaint may take voluntary actions to improve its compliance after an investigation.

HIPAA enforcement can also take the form of OCR offering technical assistance to an entity to help it remedy a problem after an inquiry has begun. OCR provides this assistance by informing the entity of what is required of it in terms of HIPAA compliance. In most cases, the entity agrees to make certain adjustments.

State attorneys general can also enforce HIPAA. States were granted this authority as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 update to HIPAA. In the early years after the amendment, states were hesitant to launch enforcement proceedings, but in recent years states have not only increased their HIPAA enforcement activities but have also joined forces with other states in multistate litigation.

Breaching HIPAA regulations now carries serious consequences in new forms as well: in December 2018, the first multistate lawsuit was filed. Arizona and 15 other states filed a lawsuit alleging violations of HIPAA and several state data protection statutes. The lawsuit was launched in response to a data breach in which hackers gained access to WebChart and stole nearly 4 million people's electronic protected health information (ePHI).

Civil Money and Criminal Penalties

The HIPAA Privacy, Security, Breach Notification, and Omnibus Rules all fall under the HIPAA Enforcement Rule. Noncompliance with any of these HIPAA Rules gives OCR the authority to hold organizations liable through fines and other penalties.

Civil Money Penalties

Over the course of a single year, companies can be punished with up to $1,500,000 in total fines, which are divided into four categories:

  • If an entity commits a violation but was not aware of it, it will be penalized between $100 and $50,000.
  • If the entity had reasonable grounds for the violation, the penalties will range from $1,000 to $50,000.
  • Willful disregard that is subsequently corrected will result in fines ranging from $10,000 to $50,000.
  • Willful disregard without rectification will result in a fine of $50,000.

Criminal Penalties and Charges

Intentional non-compliance and fraud offenses may result in criminal consequences. Intentional misuse of ePHI can result in a fine of up to $50,000 and a year in jail for the individual at fault. If false pretenses are involved, a fine of $100,000 and up to five years in jail may be imposed. For infractions committed for personal gain, a fine of $250,000 and up to 10 years in jail may be imposed.

The severity of the fine or punishment will most likely be determined by a variety of criteria. As previously noted, HHS has the authority to remedy a problem without imposing a fine, or to reduce a fine to that of a lesser infraction. All of this authority to investigate violations, levy fines, and demand remedies was granted to OCR and the State Attorneys General under the HIPAA Enforcement Rule.
