How HIPAA Is Enforced

OCR's role, the complaint process, the audit program, investigation procedures, resolution agreements, and corrective action plans.

The Office for Civil Rights

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is the primary federal agency responsible for enforcing HIPAA's Privacy and Security Rules and the Breach Notification Rule. OCR has the authority to receive and investigate complaints, conduct compliance reviews, provide education and technical assistance, and impose civil monetary penalties for violations. OCR's enforcement activities are carried out from its Washington D.C. headquarters and ten regional offices across the country.

How Investigations Are Initiated

OCR investigations are initiated in three ways:

  • Complaints — Any person who believes a covered entity or business associate has violated HIPAA may file a complaint with OCR. Complaints must be filed within 180 days of when the complainant knew or should have known about the violation, though OCR has discretion to waive this deadline for good cause.
  • Compliance reviews — OCR may conduct compliance reviews of covered entities and business associates on its own initiative, without receiving a complaint, to determine whether they are complying with HIPAA.
  • Breach reports — OCR investigates breaches reported under the Breach Notification Rule, particularly those affecting 500 or more individuals, which are automatically reviewed.

The Investigation Process

When OCR receives a complaint or initiates a compliance review, it follows a structured process:

  1. Initial review — OCR determines whether the complaint is timely, whether it involves an entity subject to HIPAA, and whether the allegations, if true, would constitute a violation.
  2. Notification — OCR notifies the covered entity or business associate that an investigation has been opened and requests documentation and information.
  3. Investigation — OCR reviews policies, procedures, and documentation; interviews workforce members; and evaluates the facts against HIPAA requirements.
  4. Determination — OCR makes a finding of compliance or noncompliance. If noncompliance is found, OCR attempts to resolve the matter through informal means where possible.

Resolution Methods

OCR resolves HIPAA violations through several mechanisms:

  • Technical assistance — For minor violations or first-time offenders, OCR may provide guidance and education to help the entity come into compliance voluntarily.
  • Voluntary compliance — The entity agrees to implement corrective actions without a formal agreement.
  • Resolution agreement with corrective action plan (CAP) — For more serious violations, OCR enters a formal resolution agreement under which the entity pays a monetary amount and agrees to implement a detailed CAP monitored by OCR, typically for one to three years.
  • Civil monetary penalties (CMPs) — For entities that will not voluntarily comply, OCR may impose CMPs after following formal notice and hearing procedures.

The Audit Program

In addition to complaint-driven investigations, OCR conducts a HIPAA Audit Program to proactively assess the compliance efforts of covered entities and business associates. The audit program has two phases:

  • Phase 1 (2011-2012) — Pilot audits of 115 covered entities to assess their compliance with HIPAA requirements and identify best practices and areas of concern.
  • Phase 2 (2016-2017) — Desk audits and on-site audits of both covered entities and business associates, focusing on specific compliance areas identified as high risk.

Audit findings are used to develop guidance and technical assistance materials for the industry rather than primarily for enforcement purposes, though serious violations found during audits can be referred for compliance review.

Factors in Penalty Determination

When determining the appropriate penalty amount, OCR considers the nature of the violation, the entity's history of prior compliance, the financial condition of the entity, the harm caused by the violation, and whether the violation was willful or inadvertent. OCR has stated that it takes into account an entity's good-faith efforts to comply when determining the appropriate level of response.

Corrective Action Plans

A corrective action plan (CAP) is a detailed agreement between OCR and the covered entity or business associate that specifies the corrective actions the entity must take, the timeline for implementation, and the reporting requirements. CAPs typically require the entity to conduct a risk analysis, implement a risk management plan, develop or revise policies and procedures, train its workforce, and report regularly to OCR on its implementation progress. OCR monitors CAP compliance and may impose additional penalties if the entity fails to meet its obligations.
