The Health Insurance Portability and Accountability Act (HIPAA) regulates healthcare providers, data processors, and health plans in the United States. Regulators invoke the HIPAA enforcement rule to investigate HIPAA violations, levy penalties, and demand remedial action.

This article explains what the enforcement rule is and who it covers. Learn how enforcement actions work, common HIPAA violations, and best practices to cut your compliance risks.

What is the HIPAA enforcement rule?

The HIPAA enforcement rule defines procedures for investigating and penalizing HIPAA violations.

The rule is administered by the HHS Office for Civil Rights (OCR) on behalf of the Department of Health and Human Services (HHS). It enables regulators to levy fines, with tiered per-violation amounts and an annual cap per identical requirement, if covered entities or business associates fail to safeguard protected health information (PHI).

To whom does the HIPAA enforcement rule apply?

The HIPAA enforcement rule applies to all covered entities under the Health Insurance Portability and Accountability Act. Under HIPAA, covered entities include health providers, insurers that provide and manage health plans, and clearinghouses that process health-related data.

The HITECH Act (2009) and the Omnibus Rule (2013) extended the HIPAA enforcement rule to business associates of covered entities. Business associates include organizations that process or store PHI for covered entities. Examples include cloud platforms, billing services, and legal partners.

The key takeaway is that the HIPAA enforcement rule applies to covered entities (health plans, healthcare clearinghouses, and most healthcare providers that transmit health information electronically) and their business associates. Organizations meeting these conditions may be liable for significant HIPAA fines.

How does the HIPAA enforcement rule work?

The Office for Civil Rights is responsible for applying the HIPAA enforcement rule.

OCR enforces HIPAA at the federal level, determining civil liability and penalties on behalf of HHS. State attorneys general may bring separate civil actions under HIPAA, and the Department of Justice (DOJ) pursues potential criminal HIPAA violations when OCR refers a case.

Compliance actions typically follow complaints from individuals. Following the receipt of a complaint, options available to OCR under the enforcement rule include:

  • Launching investigations to assess the nature, scope, and severity of reported HIPAA violations.
  • Starting Compliance Reviews to determine whether covered entities comply with HIPAA rules. Reviews generally include interviews and site visits to analyze the organization's data protection practices.

OCR may take further action under the HIPAA enforcement rule following initial investigations. Compliance action can follow if:

  • The complaint involves covered entities or their business associates.
  • The complaint was filed less than 180 days after the victim discovered the alleged violation (not the date the violation occurred). This requirement is flexible: OCR can proceed if investigators decide there was reasonable cause for not reporting the violation within the 180-day limit.
  • The incident took place less than six years ago.
  • The incident appears to involve a violation of the HIPAA privacy rule or security rule.

If OCR decides to take further compliance action, regulators notify both the covered entities involved and the person(s) making the complaint (also known as "concerned parties"). In cases where incidents violate criminal clauses of HIPAA, OCR also informs the DOJ.

The HIPAA enforcement process

OCR investigates each reported violation to determine whether it breaches HIPAA's security, privacy, and breach notification rules. If the investigation finds evidence of violations, regulators can take a range of actions:

Voluntary compliance measures

Regulators try to reach voluntary outcomes wherever possible. If covered entities take remedial action within the timeframe of the investigation (or before the compliance action starts), OCR may deem that voluntary compliance is sufficient.

OCR may also provide technical or administrative assistance to help regulated entities achieve compliance. Assistance is common in cases where HIPAA violations are unintentional.

Corrective Action Plans (CAPs)

CAPs require covered entities or business associates to take specific compliance actions. Regulators issue lists of actions needed to ensure compliance. For instance, the organization may need new privacy policies or more robust access controls. OCR monitors compliance for the period specified in the CAP or resolution agreement (often two to three years), then determines whether the entity is compliant.

Resolution agreements

Resolution agreements are legal settlements between the Department of Health and Human Services and regulated entities under HIPAA. Resolution agreements require specified corrective actions and ongoing reporting for a period defined in the agreement (commonly around three years). HHS tracks progress and performance throughout that period.

Unlike CAPs, resolution agreements often require financial payments to concerned parties. These settlement payments are distinct from the maximum civil monetary penalties that OCR could otherwise impose.

Civil monetary penalties (CMPs)

Under the HIPAA enforcement rule, the Office for Civil Rights can levy significant financial penalties. OCR tends to reserve CMPs for cases when covered entities fail to take necessary compliance actions.

Penalties are not fixed and vary depending on the severity of HIPAA violations. Covered entities may request a hearing before an HHS administrative law judge; hearings are generally public unless confidentiality is ordered for good cause. If the judge finds in favor of OCR/HHS, the penalty falls into one of four tiers:

  • Tier 1: Organizations are unaware of HIPAA violations and could not reasonably have known. $141 to $71,162 per violation.
  • Tier 2: Organizations could reasonably have known about violations. $1,424 to $71,162 per violation.
  • Tier 3: The organization willfully neglected its HIPAA compliance obligations but took action within 30 days of discovery. $14,232 to $71,162 per violation.
  • Tier 4: The organization willfully neglected its HIPAA compliance obligations and took no remedial actions. The per-violation amount is up to the maximum allowed by regulation, with a higher annual cap per identical requirement; the amounts are inflation-adjusted.

Cases brought under the HIPAA enforcement rule end if:

  • The HHS Office for Civil Rights decides that no further action is needed. For example, investigators may find that the offense does not involve a covered entity or business associate. Organizations may also have taken corrective actions 60 days before notification.
  • Assistance provided by OCR brings organizations into compliance, and the complainant is satisfied.
  • Investigations find that no HIPAA violations have occurred.
  • Another agency takes over the investigation (generally the Department of Justice).

Common HIPAA enforcement rule violations

Organizations need to know which practices put them at risk of HIPAA enforcement action. Violations of HIPAA rules lead to significant penalties, extended corrective monitoring periods, and further regulatory action in the future, not to mention reputational harm. Common HIPAA violations include:

Failure to implement security controls

The HIPAA Security Rule requires covered entities and business associates to take reasonable action to safeguard electronic protected health information (ePHI). Regulators may resort to the HIPAA enforcement rule if organizations lack:

  • Robust access controls to prevent unauthorized access to electronic protected health information
  • Encryption of data at rest or in transit
  • Device security measures, such as automatic screen locking when laptops are not in use
  • Physical controls to secure servers, workstations, and employee devices
  • Secure remote work technology or systems that remotely connect patients and providers
  • Technology to ensure the availability of PHI during emergencies, for example redundancy to withstand DoS attacks or backups to restore critical data

Poor-quality employee training and privacy awareness

Compliance with the HIPAA privacy rule requires that every employee understand how to prevent unauthorized disclosure or exposure of PHI.

Comprehensive training ensures that all staff who handle or process PHI know how to safeguard data and understand the consequences of HIPAA violations. If healthcare providers cannot show evidence of regular training, OCR may invoke the HIPAA enforcement rule.

Insufficient risk assessment

The HIPAA enforcement rule covers instances where organizations fail to understand their compliance risks.

Under HIPAA, covered entities must assess data security and privacy risks and take reasonable action based on assessment outcomes. Compliance action may result if you lack robust risk analysis policies or fail to grade risks accurately.

Unsafe deletion or disposal of ePHI

Healthcare providers or insurers often retain ePHI for limited periods (for example, while patients are undergoing treatment or when they switch health plans). When it is no longer needed, covered entities must dispose of PHI safely, so that malicious actors cannot recover patient data.

The HIPAA enforcement rule may apply when organizations leave unencrypted data on obsolete devices or fail to wipe or degauss storage media to remove confidential information before disposal.

How to ensure compliance with the HIPAA enforcement rule

Compliance with the HIPAA enforcement rule cuts the risk of financial penalties and guards against reputational damage. Best practices to ensure compliance include:

  • Carry out comprehensive risk assessments: Assess risks relating to privacy, data security, and breach notification processes.
  • Educate staff: Train employees to protect patient data against unauthorized disclosure or data security risks.
  • Enforce HIPAA compliance policies: Create and enforce security management policies. Explain how your organization meets HIPAA compliance goals and uses policies as the basis for staff training.
  • Tighten up physical security: Implement access controls for workplaces and data centers. Ensure remote work devices are encrypted and can be remotely locked or wiped in the event of theft or loss.
  • Implement data security controls: Revisit your access controls and authorization systems. Ensure only authorized users can access sensitive data. Implement firewalls, encryption, and threat monitoring to counter cyber-attackers.
  • Use strong business associate agreements (BAAs): BAAs should require business associates to comply with HIPAA and their contractual obligations; business associates are directly liable for specified HIPAA provisions, and each party is responsible for its own compliance.
  • Document compliance: Maintain compliance records for at least six years. Be ready to provide OCR with evidence of reasonable compliance actions.
  • Test breach notification processes: Don't risk avoidable violations of the breach notification rule. Test your incident response processes to ensure you meet HIPAA timescales and contact all concerned parties.

Tighten compliance to avoid HIPAA enforcement rule action

The HIPAA enforcement rule enables the HHS Office for Civil Rights to investigate, advise, and potentially fine covered entities and business associates. Avoid financial penalties under HIPAA by assessing risks, implementing security controls, and training staff in compliance essentials.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. The laws, regulations, and penalties discussed are subject to change and may have been updated since the time of publication. We recommend consulting with a qualified legal professional for guidance on your specific compliance needs.