U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules.
OCR enforces the Privacy and Security Rules in several ways:
- Investigating complaints filed with it
- Conducting compliance reviews to determine if covered entities are in compliance
- Performing education and outreach to foster compliance with the rules' requirements
OCR reviews the information that it gathers. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy and Security Rules. In the case of noncompliance, OCR will attempt to resolve the case with the covered entity by obtaining:
- Voluntary compliance
- Corrective action and/or
- Resolution agreement
Failure to comply with HIPAA can also result in civil and criminal penalties. If a complaint describes an action that could be a violation of the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice (DOJ) for investigation.
In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity.
CMPs for HIPAA violations are determined based on a tiered civil penalty structure. The secretary of HHS has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The secretary is prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended at HHS’ discretion).