Who enforces HIPAA?

With all the compliance mandates surrounding HIPAA, and the fines that have taken place over the past year, it's easy to wonder who's finding all these violations and who's enforcing HIPAA. The main party enforcing HIPAA is the Department of Health and Human Services Office for Civil Rights, also known as OCR.

While they have most of the jurisdiction, the State Attorney General, Centers for Medicare and Medicaid Services (CMS), U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) all have some say in HIPAA enforcement.

How does the HHS Office for Civil Rights Enforce HIPAA?

This office usually investigates any reported data breaches that come in from covered entities and business associates if the breach impacts over 500 individuals. In some cases, smaller breaches are investigated if they have a series within a short time frame. The OCR is also responsible for investigating HIPAA complaints that are reported by employees of HIPAA covered entities or patients.

When investigating covered entities, they are primarily searching for violations in the areas of privacy, security and breach notification. If a violation is discovered, a number of actions can take place. In most instances, the easiest would be a voluntary compliance move by the covered entity. When this occurs, the entity voluntary attempts to remediate the situation.

There are times when the HIPAA Rules are misinterpreted causing confusion. When the covered entity attempts to get clarification through reasonable protections and reasonable areas, this works in their favor when being evaluated and/or fined. In these cases, OCR may issue technical guidance in lieu of initial fines to help the covered entity achieve compliance. Additionally, if a number of covered entities are all having the same issue, OCR may elect to provide guidance to clarify what they expect under the HIPAA rules.