

Practical Steps for HIPAA Enforcement: Who Enforces HIPAA?

HIPAA enforcement is upon us, or is it?  Have you seen any HIPAA police yet? Or, is HIPAA enforcement a toothless dragon? Is the industry faced only with soft enforcement?

Types of HIPAA enforcement
We should first look at the types of enforcement possible under HIPAA law and regulations, other laws and regulations and individual perspectives on how, when and where they can enforce the HIPAA standards.

Within the HIPAA law and the related regulations, civil and criminal enforcement typically starts with a complaint. The complaint can be made by anyone who thinks he or she has seen a breach or violation of a specific HIPAA requirement. The complaint does not have to be made by an individual or a covered entity who has been wronged. The complaint may pertain to something that you have done -- or not done (e.g., some event that happened within your practice or at a health plan office, or something that you should have done and did not do). Something not done is called an omission.

Only if there is a huge problem will the "HIPAA police" act without a complaint being submitted. If something is reported in the newspaper, the HIPAA police may enforce compliance before they receive a complaint.

All HIPAA regulatory requirements may be enforced civilly; you can be fined for your acts and omissions. HIPAA transactions and code sets, identifiers, and security and privacy may all be civilly enforced. Only privacy may be criminally enforced. But we are getting ahead of ourselves in the enforcement story.

The Secretary of the Department of Health and Human Services (HHS) has been given the responsibility under the HIPAA law to enforce the HIPAA requirements and standards. The Secretary, in turn, has delegated privacy enforcement to the Office for Civil Rights (OCR) within HHS. If a privacy complaint rises to the criminal level, OCR refers the complaint to the Department of Justice (DoJ) for investigation and possible prosecution. Enforcement of all the other HIPAA requirements and standards has been delegated to the Office of E-Health Standards and Services (OESS) of the Centers for Medicare and Medicaid Services (CMS) within HHS. Both OCR and OESS can direct that the covered entity pay civil monetary penalties.

Both OCR and OESS want to resolve all complaints informally by working with the covered entity that has the HIPAA issue. To date, they have succeeded in doing this in all but a handful of complaints. Only a few privacy complaints have been sent to the DoJ, and no known fines have been levied. If a complaint includes both a privacy and a security act[s] or omission[s], then OCR and OESS work together to resolve the problem[s].

Private enforcement
Two types of "private HIPAA enforcement" potentially have more teeth than a complaint to a federal agency. HIPAA does not give an individual a private right of action; however, some states give individuals private rights of legal action under state laws about medical information. Also, in the states with no private right of action, cases are being brought under other state law using the federal HIPAA law and regulations as a standard of care that everyone in health care knows about, or should know about.

The private HIPAA enforcement penalties are now, and will be, monetary. As in other cases, individuals who think they have been wronged will pursue the individuals and businesses with "deep pockets." In other words, those with the money will have complaints against them filed in state courts.

The other type of private HIPAA enforcement is often part of a court case but it need not be. This enforcement is in and by the court of public opinion. Do you want to find your problem on the front page of the local newspaper or on the local television newscast? Probably not, yet this may be the first place where you receive 'notice.' I have seen HIPAA-related reporting on my local television news in the past few weeks; have you seen any news reports?

HIPAA enforcement documents
If you find yourself faced with a complaint, no matter where it originated, you need to review a number of HIPAA laws, regulations and notice documents to determine whether you have a real HIPAA event or omission.

First, you must look to both the HIPAA law from 1996 and all the HIPAA regulations since that date. Review the general regulatory standards found in 42 Code of Federal Regulations [CFR] 160, and the specific regulation and section[s] that may have been breached, such as 42 CFR 164.512, for a breach of a permitted privacy use and disclosure.

Second, two HIPAA enforcement regulations have been released in the Federal Register in the past few years. The documents for the enforcement regulation are found at 68 FR 18895, 70 FR 54293 and 70 FR 20223. The final provisions are presented in the general CFR section and include sections on enforcement procedures and on how civil monetary penalties will be calculated and enforced.

Third, OESS released a notice document in April 2005 at 70 FR 15329. It outlines the investigation process a federal agency undertakes when it receives a complaint about anything other than a privacy event or omission.

Finally, the regional DoJ staff uses a document when it starts HIPAA criminal investigations and prosecution. The June 1, 2005, memorandum specifies who is subject to criminal penalties. It can be found at

Remember both acts and omissions can be HIPAA mistakes and violations.

Good luck with your HIPAA enforcement. In a future article, I will examine what to do if you find or are told about a HIPAA problem.

Ms. Miller is chief operating officer and chief privacy officer of, a new company forged by two long-time health care hands empowering the health care industry in administrative, clinical and financial transactions. The company provides valuable strategic information that enables clients to move forward using the newest technology to gain efficiencies, interoperability and strength in their market space.


I have a question! I'm an MA student who just got cert. in HIPAA regulations and rules; I'm just confused about who really enforces HIPAA rules and regulations?

tom miller, fed. work study, IBMC, April 28, 2015
Greeley, CO

There is no HIPAA enforcement. There is no enforcement of CFR. These medical people don't even KNOW which laws they are breaking! There is nothing to stop predatory practices amongst medical providers. You will be treated in defiance of your wishes with no recourse. Information is deliberately withheld, omitted, glossed over, etc. You will be the living cadaver for training purposes. You will be insulted, lied to and knocked in the head with the same patient control drug that the cops use (Versed/Midazolam) just to shut you up. You have zero rights in the hospital, and if your procedure turns out badly or was sloppily executed there is no recourse. In fact YOU will have to pay for any further treatment to correct the original butchering. If you get an easily avoidable hospital-acquired infection, guess what? YOU get to pay for that too, many times at the hospital that gave it to you in the first place. No wonder health care costs are through the roof. There are no standards whatsoever. There is nobody involved to help the patient, just to make sure that your minor procedure is as expensive as possible and patient be damned.

Jackie September 19, 2009

© 2017 Merion Matters

660 American Avenue Suite 300, King of Prussia PA 19406