HIPAA Enforcement Process

The Health Insurance Portability and Privacy Act was passed in 2003. Since then HIPAA has become one of the most consistently enforced privacy laws to date. Enforcement falls largely to the Department of Health and Human Service’s Office for Civil Rights.

HIPAA legislation is divided between two rules: the Privacy Rule and the Security Rule. The Privacy Rule of HIPAA involves the privacy of protected health information (PHI). Among the protections it provides are the right to access and amend medical records, the right to consent to PHI disclosure, the right to notice of a covered entity’s privacy practices, as well as the safeguarding and limited disclosure of PHI. Enforcement of the Privacy Rule ensures that such rights are protected.

How Does the OCR Enforce the Privacy Rule?

The Office for Civil Rights enforces the Privacy Rule through several methods:

  • Investigating complaints filed with the OCR
  • Conducting compliance reviews of covered entities
  • Creating programs for education and outreach

The most common method of enforcement is the investigation of complaints.

How Does the OCR Investigate Complaints?


All complaints filed with the OCR go through an Intake and Review process. If the complaint meet the following criteria, the complaint moves on to the investigation stage:

  • The alleged violation occurred after the effective dates of the Privacy or Security Rule.
  • The entity against whom the complaint is filed must be considered a covered entity
  • The alleged complaint must be an activity that would violate the Privacy or Security Rule.
  • The Complaint must be filed within 180 days of when then person submitting the complaint became aware of the violation.

If the complaint does not meet all of the above criteria, than no violation of HIPAA is considered to have occurred. If the complaint does meet all of the above criteria, an investigation is launched to determine the veracity of the complaint.

If the complaint involves a possible criminal violation, the investigation is handled by the Department of Justice. If the complaint only involves Privacy or Security Rule violations, it is investigated by the OCR. Depending on the results of the OCR investigation:

  • No violation may be found
  • A violation may be found and voluntary compliance, or corrective action is taken
  • A formal finding of violation from the OCR is issued

Enforcement Statistics

The Number of HIPAA complaints has increased each year since its institution. In 2008, the OCR received almost 10,000 complaints. On average, around two-thirds of alleged complaints are determined to be violations and resolution action is taken. One-third of alleged complaints either do not meet the criteria to warrant an investigation or the investigation determined that no violation had occurred.

On average the top five complaints filed every year involve:

  1. Impermissible uses and disclosures
  2. Safeguards
  3. Access
  4. More PHI is collected or used than the minimum necessary
  5. Improper authorization for disclosure

On average, the top five covered entities that have been found to be in violation of the Privacy Rule include:

  1. Private Practices
  2. General Hospitals
  3. Outpatient Facilities
  4. Health Plans
  5. Pharmacies



The OCR is committed to HIPAA enforcement. All complaints filed with the OCR are reviewed and may be subject to investigation if a violation is suspected. Depending on the severity of the violation, the OCR may need to take enforcement action against an entity to ensure compliance. Such enforcement is costly to both the entity, the U.S. Government and its citizens, so covered entities should review their practices and policies to correct any potential compliance violations.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

  • HIPAA (I.B.a.i)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>