Who Enforces HIPAA?

by | Feb 19, 2024

Who enforces HIPAA depends on which section of HIPAA is being enforced, on the activities of the organization against which enforcement action is being taken, and on whether the individual against whom enforcement action is being taken is a member of a covered entity’s or business associate’s workforce.

The Health Insurance Portability and Accountability Act (HIPAA) was not only responsible for the adoption of standards to improve the privacy and security of Protected Health Information. It also made changes to numerous existing Acts and United States Codes in order to improve access to – and the portability of – health insurance.

For this reason, there is not one single federal Department that enforces HIPAA. For example, the Department of Labor enforces HIPAA provisions relating to the accessibility and portability of health insurance. Organizations that violate these provisions can face civil and criminal penalties of up to $500,000 and ten years in jail.

Other federal Departments that enforce sections of HIPAA include the Treasury, Justice, Defense, and Veterans Affairs Departments. In addition, since the passage of the HITECH Act, the Federal Trade Commission enforces its own Health Breach Notification Rule, which applies to organizations not covered by “Healthcare HIPAA”.

What is “Healthcare HIPAA”?

“Healthcare HIPAA” is a term used to distinguish Title II of the HIPAA Act from the Act’s primary objectives. This section covers the measures introduced to reduce fraud and abuse in the healthcare industry and to simplify the administration of healthcare transactions between healthcare providers and health insurance companies.

Healthcare HIPAA is enforced by the Department of Health and Human Services (HHS). Within HHS, three agencies are responsible for enforcing different sections of Healthcare HIPAA:

  • The Office of Inspector General (OIG) enforces HIPAA provisions relating to healthcare fraud and abuse.
  • The Centers for Medicare and Medicaid Services (CMS) enforces the standards for electronic transactions and data elements.
  • The Office for Civil Rights (OCR) enforces Parts 160 and 164 of the Administrative Simplification Regulations.

Parts 160 and 164 of the Administrative Simplification Regulations are what most people recognize as HIPAA because these Parts contain the standards adopted to improve the privacy and security of Protected Health Information. Part 160 also includes the HIPAA Enforcement Rule, while Part 164 also includes the HIPAA Breach Notification Rule.

How Does OCR Enforce HIPAA?

OCR enforces HIPAA by investigating complaints and breach notifications. In most cases, investigations are resolved via voluntary corrective actions and technical assistance. However, when a violation causes harm, or the entity being investigated has a history of non-compliance, OCR has the authority to issue civil monetary penalties.

The amount of a civil monetary penalty can vary according to the nature of the violation, the length of time the violation was allowed to continue, the number of individuals affected, and the organization’s cooperation during the investigation. The penalties were set by the HITECH Act and are adjusted annually to account for inflation. The penalties for 2024 are:

[Image: HIPAA Violation Penalties table; the penalty tiers are not reproduced in the text]

Other Enforcers of Healthcare HIPAA

The HITECH Act also authorized State Attorneys General to pursue civil monetary penalties against covered entities and business associates that are responsible for unauthorized uses and disclosures of Protected Health Information. Claims can be filed through federal district courts and resolved for up to $25,000 per violation.

Although State Attorneys General must inform OCR they are filing a civil claim against a covered entity or business associate, the outcome of the claim is not dependent on OCR issuing a civil monetary penalty. There are multiple examples of State civil actions resulting in settlements when OCR chose not to issue a civil monetary penalty.

More recently, HIPAA has also been indirectly enforced by private legal actions. Although HIPAA does not have a private right of action, individuals – or groups of individuals – who have been affected by unauthorized uses or disclosures of PHI are taking advantage of state privacy laws to sue for violations of HIPAA – often successfully.

Who Enforces HIPAA in the Workplace?

Who enforces HIPAA in the workplace can depend on the HIPAA “status” of the organization. If the organization qualifies as a covered entity, the organization’s Privacy Officer is responsible for enforcing HIPAA – although this responsibility can be delegated to another senior member of the workforce such as a department head or HR manager.

If the organization qualifies as a business associate, it is not required to designate a Privacy Officer. If no Privacy Officer is designated, the organization’s Security Officer is responsible for enforcing HIPAA – although this responsibility can again be delegated. In both cases the penalty for workforce HIPAA violations depends on the organization’s sanctions policy.

Usually, an organization’s sanctions policy consists of three or four tiers. At the lower tiers, the penalty for a workforce HIPAA violation is a verbal warning and/or HIPAA training. For more serious violations – or repeated violations – the penalties can range from a written warning to suspension and loss of employment.

Serious violations can also be reported to law enforcement agencies – particularly when a workplace HIPAA violation violates §1177 of the Social Security Act. Violations of the Social Security Act are referred to the Department of Justice and can result in fines of up to $250,000 and/or sentences of up to 10 years “if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm”.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
