HIPAA Enforcement Procedures

The Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing the HIPAA regulations. The reasoning is that the right of privacy of medical records is a fundamental civil right.

Enforcement activities include:

  • Responding to state requests for exception determinations.
  • Investigating complaints and conducting compliance reviews.
  • Where voluntary compliance cannot be achieved, seeking civil monetary penalties and working with the Justice Department in seeking criminal prosecution.

In order to try to put more teeth into the civil penalties, the Office of Civil Rights will be enforcing the civil side, and the Department of Justice will enforce the criminal side. The breakdown of the civil penalties are not more than $100 for each violation and not more than $25,000 for all violations of identical type during a single calendar year. Improperly obtaining or disclosing individual health information, or improper use of unique health identifiers are subject to the following penalties:

Fine Prison
Knowingly $50,000 1 Year
False Pretenses $100,000 5 Years
For Profit, Gain, or Harm $250,000 10 Years

HIPAA Enforcement Rule

Procedures for Investigations, Hearings, and Imposition of Civil Monetary Penalties

On February 16, 2006 the DHHS published the final Enforcement Rule in the Federal Register. This rule establishes rules of procedure for the imposition, by the Secretary of Health and Human Services, of civil money penalties on entities that violate standards adopted by the Secretary under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (“HIPAA”). The Enforcement Rule sets forth procedural and substantive requirements for imposition of civil money penalties. The DHHS has issued the below rules of procedure to inform covered entities of their approach to enforcement and to advise covered entities of certain procedures that will be followed as the DHHS enforces HIPAA.

The Enforcement Rule is effective on March 16, 2006.

Click on any underlined heading or topic below to read the current enforcement procedures and regulations.

  • Summary and Introduction
  • Background
  • General Approach – Includes The Following Contents:
    • HHS’s General Approach to Enforcement
    • HHS’s Approach to the Enforcement Rule
    • Administrative Procedure Act
    • Approach of the Interim Final Rule
  • Provisions of the Enforcement Rule – Includes The Following Contents:
    • Applicability
    • Definitions
    • Investigational subpoenas and inquiries
    • Basis for penalty
    • Amount of penalty
    • Authority to settle
    • Notice of proposed determination
    • Failure to request a hearing
    • Collection of penalty
    • Limitations
    • Hearing before an administrative law judge (ALJ)
    • Rights of parties; authority of the administrative law judge (ALJ)
    • Ex-parte contacts
    • Prehearing conferences
    • Settlement
    • Discovery
    • Exchange of witness lists, statements, and exhibits
    • Subpoenas for attendance at the hearing
    • Fees
    • Form, filing, and service of papers; computation of time
    • Motions
    • Sanctions
    • The hearing
    • Witnesses
    • Evidence
    • The record
    • Post-hearing briefs
    • Administrative law judge (ALJ) decision
    • Judicial review; stay of administrative law judge (ALJ) decision