
How HHS enforces the HIPAA Security Rule, Privacy Rule

The HHS Office for Civil Rights enforces the HIPAA Security Rule and HIPAA Privacy Rule through investigations, compliance reviews and education.

The HIPAA Security Rule and HIPAA Privacy Rule are intentionally flexible to allow covered entities to tailor their security programs to their specific needs. Although many healthcare stakeholders welcome the flexibility in how the rules are implemented, compliance with those rules is not negotiable.

The HHS Office for Civil Rights (OCR) is in charge of enforcing HIPAA, and it does so in three ways: investigating formal complaints, conducting compliance reviews and providing education and outreach resources.

Different OCR leaders have had varying enforcement priorities. For example, Roger Severino, who served as OCR director from 2017 to 2021, focused OCR's efforts on right of access enforcement under the HIPAA Privacy Rule.

Under Melanie Fontes Rainer, who led OCR from 2022 to January 2025, the office launched a risk analysis initiative to highlight the importance of the HIPAA Security Rule's risk analysis provisions.

As the sector grapples with uncertainty about the future of the HIPAA Security Rule, covered entities can look at how OCR has historically enforced HIPAA to gain insight into past enforcement priorities and find resources to aid compliance.

Investigating complaints filed to OCR

One of the key ways that OCR enforces HIPAA is by investigating complaints. OCR is only permitted to take action on complaints in which the alleged violation occurred within the past six years and involves an organization that is required to comply with HIPAA.

"If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint," OCR guidance states.

"OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations."

After the intake and review process, OCR reroutes any possible criminal violations to the Department of Justice. If the case involves a potential HIPAA violation, OCR moves forward with its investigation.

As of Oct. 31, 2024, OCR had received more than 374,321 HIPAA complaints and resolved 99% of cases.

Cases can be resolved through voluntary compliance, corrective action or resolution agreements. In many cases, OCR offers technical assistance to the covered entity to help it comply with HIPAA, avoiding monetary penalties.

OCR resolved 31,191 of its total cases by requiring changes in privacy practices, issuing corrective actions and providing technical assistance.

OCR found that no violations occurred in 15,561 of the cases and provided early technical assistance without the need to investigate in 67,873 cases.

OCR settled or imposed a civil money penalty in just 152 cases. The remaining cases were closed because OCR determined that the complaint did not present a viable case for enforcement.

"Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve," OCR stated on a webpage outlining its enforcement results.

"OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate."

While voluntary compliance is the preferred method for all parties, OCR uses its enforcement authority to investigate and resolve complaints on a case-by-case basis.

Conducting compliance reviews

Compliance reviews are another tool that OCR can use to enforce HIPAA.

According to the text of the HIPAA Omnibus Rule, which amended HIPAA in 2013, the HHS secretary "will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect."

Additionally, the secretary may conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions in any other circumstance.

In response to comments on the HIPAA Omnibus Rule in 2013, HHS provided clarity on when and how it conducts compliance reviews versus investigating complaints. HHS clarified that "the Department generally conducts compliance reviews to investigate allegations of violations of the HIPAA Rules brought to the Department’s attention through a mechanism other than a complaint."

"For example, the Department may use a compliance review to investigate allegations of violations of the Rules brought to our attention through a media report, or from a State or another Federal agency," the rule stated.

Essentially, compliance reviews are another avenue that OCR can use to look into potential HIPAA violations without a formal complaint having come through its traditional complaint channels.

Education and outreach

While less formal than official enforcement actions, OCR's role in issuing guidance documents and providing free resources to covered entities and business associates complements its enforcement mechanisms while fostering HIPAA compliance across the sector.

For example, OCR maintains two email lists -- the privacy listserv and the security listserv. These lists help OCR inform the public, as well as covered entities, about frequently asked questions and technical assistance guidance.

Additionally, the Office of the National Coordinator for Health Information Technology, along with OCR, created a beginner's guide to HIPAA rules.

OCR also creates and posts informative videos about certain aspects of HIPAA on its YouTube channel, furthering its outreach efforts.

All covered entities and business associates should familiarize themselves with OCR's enforcement mechanisms to understand how to improve their own compliance efforts and work with OCR to resolve potential violations.

In addition to enforcing HIPAA through investigations and compliance reviews, OCR initiated its 2024-2025 HIPAA audits. During the auditing process, OCR will review 50 covered entities and business associates and assess their compliance with selected HIPAA Security Rule provisions.

"These Audits will give OCR an opportunity to examine mechanisms for compliance, identify promising practices for protecting the privacy and security of health information, and discover risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities," OCR stated.

"The Audits will benefit the selected covered entities and business associates by providing them with OCR’s assessment of their Security Rule compliance in the selected provisions and information on how to improve their cybersecurity of electronic protected health information."

Altogether, OCR's traditional enforcement mechanisms paired with educational materials and periodic audits help the department understand systemic compliance gaps and ensure that covered entities are devoting adequate resources to protecting patient data and privacy.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
