HIPAA Enforcement and Penalties

Section 1. OCR Compliance Investigations

Oversight of the HIPAA Privacy Policy and Security Policy falls under the jurisdiction of the Office of Civil Rights (OCR) under the U.S. Department of Health and Human Services. To ensure that covered entities are applying the policies in their facilities, OCR conducts periodic audits or compliance reviews. Additionally, OCR investigates complaints made by patients regarding breaches of privacy.

The complaint process is structured in such a way as to be fair to all parties, and to not entertain claims that are clearly without merit. Each complaint that is received is thoroughly reviewed and only progresses to an investigation if it satisfies the following criteria:

  • Complaints are from disclosures after the legislation was enacted - OCR will not consider complaints about disclosures that occurred before the Privacy and Security Rules took effect. The implementation date for the Privacy Policy was April 14, 2003. Compliance with the Security Rule was not required until April 20, 2005. Because there was no uniform policy before these dates, a covered entity is not held liable for unauthorized disclosures and usage of patient information before these dates.
  • The complaint is made against a covered entity - To pursue a complaint, OCR must verify that it was made against a covered entity that is fully responsible for complying with the Privacy and Security rules. There may be instances where a patient has disclosed private information to a business or provider of services that does not qualify as a covered entity under HIPAA. In those instances, OCR is not able to pursue an investigation.

The types of establishments that OCR regulates are those whose primary functions are the treatment and diagnosis of patients, as well as the processing of medical claims and other third party services resulting from that treatment. OCR oversight includes, but is not limited to:

  • doctors
  • clinics
  • hospitals
  • psychologists
  • chiropractors
  • nursing homes
  • pharmacies
  • dentists
  • a health care clearinghouse.

Entities that would not be included in OCR oversight include Workman's Compensation carriers, law enforcement agencies, and school districts.

  • The complaint must be a situation that violates the Privacy or Security rules - A patient is not able to pursue a complaint for actions that are not listed as unauthorized under these two policies. For example, a patient may have a problem with the use of their health information in filing an insurance claim; however, a covered entity is entitled to do this under the TPO exclusion.
  • The claim must be filed within 180 days - This is 180 days from the alleged violation, or when the patient became aware of the violation. Complaints filed after this time period are not considered unless the patient can present a compelling reason as to why they were unable to file the complaint earlier. All complaints must be filed in writing, with a full description of the alleged violation.

Accepted Complaints

If OCR determines that a complaint is valid and warrants investigation, they will contact the patient, as well as the covered entity, to notify them of the required next steps. OCR may request additional information from both parties in order to assist in the deliberations. If a covered entity is found not to have committed any violations, both parties are notified of this determination. The process for confirmed violations will be discussed below.


Section 2. Punishment for Noncompliance

In the event that the covered entity is determined to have violated the Privacy or Security rules, there are a number of steps that may be taken, based on the severity and prevalence of the violation. OCR will usually look to resolve complaints in the following manner:

Voluntary Compliance

If a covered entity is found to be in error, they are given the option to voluntarily come into compliance. This means that the covered entity takes full responsibility for the breach and will cease and desist with the practices that led to the breach.

Corrective Action

A covered entity may also submit to corrective action once a violation is proven. This may include fines, mandated periodic reviews, or even temporary exclusion from federal health plan reimbursement. Corrective action usually also requires changes in their systems and policies to ensure that the unauthorized disclosure is not repeated. There are instances where a covered entity has never performed a risk analysis or developed security policies. They would need to go back at this point and thoroughly complete the entire process to come into compliance.

Fines for Noncompliance

It is within the discretion of OCR to exact monetary penalties on a covered entity in the event of an egregious privacy or security breach. The amount will depend on the size of the covered entity, the type of breach, and the number of patients affected. Claimants do not receive a portion of any monetary penalties. The funds are deposited in the United States Treasury. Specific violation case studies and the resulting fines will be discussed in the next lesson.

Criminal Prosecution

In the event that OCR deems the violation reaches the level of criminal wrongdoing, they will refer the investigation to the U.S. Department of Justice. The DOJ will thoroughly review the case and determine if it is within their scope and interest to pursue. The DOJ may determine that the charges do not meet the level of a criminal violation and refer the case back to OCR for processing. However, if it does meet the criteria for criminal prosecution, the DOJ will pursue charges and penalties as allowed by law, which may include fines and even prison time.

Food For Thought

Do you think the investigation process is fair and balanced?

Now that patients have a means to file complaints in a formal way, do you think there will be an increase in frivolous complaints?

Investigation and enforcement is necessary to ensure compliance to the Privacy and Security Rules. The Office of Civil Rights has clear criteria for considering and investigating complaints and will refer any suspected criminal offenses to the Department of Justice.