Who Enforces HIPAA?

HIPAA is enforced primarily by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, which is responsible for the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. Criminal enforcement is handled by the U.S. Department of Justice, and state attorneys general have additional civil enforcement authority in certain cases.

The HHS Office for Civil Rights enforces compliance through complaint investigations, compliance reviews, audits, and corrective action processes, and it can resolve matters through voluntary compliance, corrective action plans, and monetary settlements or civil money penalties. Enforcement activity addresses impermissible uses and disclosures of protected health information, failure to provide required patient rights, insufficient administrative safeguards, and failures to implement technical and physical safeguards for electronic protected health information. The HHS Office for Civil Rights also administers breach reporting requirements for covered entities and business associates and evaluates whether breach notifications were required and timely.

The U.S. Department of Justice enforces HIPAA criminal provisions that apply to certain knowing conduct involving protected health information, including obtaining or disclosing protected health information in violation of the statute and related offenses that can involve false pretenses or intent to sell, transfer, or use protected health information for personal gain or malicious harm. Criminal investigations may involve federal law enforcement agencies and U.S. Attorneys’ Offices, and they are separate from civil investigations conducted by the HHS Office for Civil Rights.

State attorneys general may bring civil actions on behalf of state residents for HIPAA violations under federal authority created by the HITECH Act, which can result in injunctions and damages paid to the state. HIPAA administrative simplification requirements for certain electronic healthcare transactions and code sets, and related standards, are enforced through federal administrative processes distinct from the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule enforcement model. Covered entities and business associates remain responsible for demonstrating compliance through documented policies, workforce training, risk analysis, incident response procedures, and vendor management, regardless of which authority initiates an enforcement action.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA