The HIPAA Enforcement Rule is administered by the U.S. Department of Health and Human Services (HHS). The Rule determines how the Office for Civil Rights (OCR) enforces HIPAA compliance. More specifically, it outlines how complaints are investigated, how violations are resolved, and when civil money penalties (CMPs) may be imposed.
According to HHS’s case example on How OCR Enforces the HIPAA Privacy & Security Rules, OCR is responsible for enforcing “the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it.”
The OCR may also “conduct compliance reviews to determine if covered entities are in compliance” and “perform education and outreach to foster compliance with requirements of the Privacy and Security Rules.”
Covered entities and business associates must comply with all HIPAA provisions, including safeguarding PHI under the Privacy, Security, and Breach Notification Rules.
OCR investigates complaints that allege HIPAA violations. “If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it.” Both parties are required to provide information about the alleged violation. Covered entities “are required by law to cooperate with complaint investigations.”
In certain cases, OCR may also refer complaints involving potential criminal violations of HIPAA (42 U.S.C. § 1320d-6) to the Department of Justice.
If evidence shows noncompliance, OCR works to achieve “voluntary compliance, corrective action, and/or a resolution agreement.” Most investigations are resolved through these cooperative measures, and both the complainant and the covered entity receive written notice of the outcome.
When an organization fails to correct violations, OCR may impose civil money penalties. These penalties can reach up to $1.5 million per violation, based on the nature and extent of the breach. Covered entities have the right to request a hearing before an HHS administrative law judge, who determines whether the penalties are justified. All penalties are paid to the U.S. Treasury; complainants do not receive a portion.
The Enforcement Rule applies to healthcare providers, health plans, and business associates handling protected health information (PHI). State and local governments, as well as employers, are only subject to the Enforcement Rule if they meet the definition of a covered entity or business associate, so enforcement remains targeted and relevant.
Covered entities must assign a dedicated privacy or compliance officer to oversee HIPAA implementation and uphold the Enforcement Rule’s requirements.
Covered entities should also perform internal audits to assess compliance with the Privacy, Security, and Breach Notification Rules. These reviews help identify risks so that corrective measures can be taken proactively.
Organizations must focus on voluntary compliance and timely resolution to prevent investigations from escalating into formal enforcement actions.
Before launching a full investigation, the OCR conducts an intake and review process to determine whether a complaint meets the legal standards for enforcement under the HIPAA Rules. The process helps the OCR allocate its resources to legitimate violations involving covered entities or business associates that handle PHI.
OCR reviews every complaint it receives, but it can only act on those that satisfy specific criteria. First, the alleged incident must have occurred within the past six years. Additionally, the complaint must be filed against an organization that is legally obligated to comply with the HIPAA Rules.
These may include covered entities like “doctors, clinics, hospitals, pharmacies, dentists, psychologists, and nursing homes”. Business associates like “billing companies, law firms, or data analysis vendors” are also subject to investigation if they create, receive, maintain, or transmit PHI on behalf of a covered entity.
In contrast, organizations that generally fall outside HIPAA’s scope include life insurers, employers, workers’ compensation carriers, many schools, state agencies such as child protective services, law enforcement agencies, and municipal offices. Since these entities are not considered covered entities or business associates, OCR does not have the authority to enforce HIPAA against them.
The OCR also evaluates whether the complaint alleges an activity that, if proven true, would violate HIPAA. For example, “OCR generally could not investigate a complaint that alleged that a physician sent an individual’s health information to another health care provider for consultation relating to a patient, because the Privacy Rule permits covered health care providers to use and disclose such information for such treatment purposes.”
To be eligible for review, complaints must be filed within 180 days of when the complainant knew (or should have known) about the alleged violation. However, OCR may extend this timeframe if there is “good cause” for the delay, such as extenuating personal or logistical circumstances that made timely submission impossible.
Ultimately, this structured intake process helps OCR ensure that only valid and legally actionable complaints proceed to investigation, maintaining fairness and efficiency.