Who enforces HIPAA? The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.


HIPAA Enforcement

The HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with OCR, which is responsible for administering, investigating, and enforcing the HIPAA privacy standards.

Investigating HIPAA

Besides random audits, OCR investigates HIPAA compliance when a complaint is filed. OCR gathers the evidence and reviews the information for each case. At the end of the investigation, OCR issues a letter describing the resolution of the investigation. If OCR determines that the covered entity may not have complied with the HIPAA Rules, the entity must:

  • Voluntarily comply with HIPAA rules
  • Take corrective action
  • Agree to a settlement

If the covered entity does not take satisfactory action to resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides whether the penalties are supported by the evidence in the case.

How to Avoid a HIPAA Fine

If you want to avoid a HIPAA fine or settlement, make sure you have your ducks in a row. Follow the HIPAA guidelines as best you can, and if you feel something is not “right”, it probably isn’t. Be vigilant with your HIPAA security and protect your network. Remember, you also want to protect yourself against hackers and thieves, and implementing the HIPAA guidelines helps with that as well.