
Who enforces HIPAA regulations?

Last updated

14 November 2023


Dovetail Editorial Team


The Health Insurance Portability and Accountability Act (HIPAA) is US legislation whose regulations govern the use of patient health information. It is the cornerstone of protecting patients’ protected health information (PHI) from unauthorized access. It applies to covered entities such as health plans, healthcare clearinghouses, and healthcare providers, and to business associates that have access to PHI.

Learn who enforces HIPAA regulations and why it’s important to comply with this federal law.

How does the Department of Health and Human Services enforce HIPAA?

The Department of Health and Human Services (HHS) has the following responsibilities for enforcing HIPAA:

Technical assistance

When the Office for Civil Rights (OCR), part of HHS, receives a specific complaint, such as a failure to restrict access to medical records, it seeks more information on the covered entity’s HIPAA compliance. If the entity takes voluntary steps to improve compliance, HHS provides technical assistance.

For instance, the OCR might offer advice on the measures the covered entity should take to improve compliance. When a covered entity has misinterpreted HIPAA regulations, HHS will provide technical guidance by clarifying the rules.

Corrective action plans

The OCR is tasked with investigating complaints and determining whether healthcare agencies comply with HIPAA regulations. If the OCR identifies a violation, it mandates corrective actions. In some cases, it requires revisions to existing privacy and security practices and additional workforce training.

The agency also carries out risk analysis and develops new policies to avoid future noncompliance issues.

Civil monetary penalties and financial settlements

The OCR can impose fines or penalties if HIPAA guidelines are violated. The monetary penalties and settlements vary depending on the severity and level of negligence. Penalties are broken down into four categories:

Category 1

  • The covered entity was involved in the violation but was not aware of it.

  • The covered entity tried to comply with HIPAA regulations.

  • The violation could not have been avoided.

  • A penalty of between $100 and $50,000 is imposed.

Category 2

  • The entity was expected to know about the violation.

  • The violation could not have been avoided.

  • A penalty of between $1,000 and $50,000 is imposed.

Category 3

  • The violation occurred due to willful neglect.

  • The entity tried to correct its mistakes.

  • A fine of between $10,000 and $50,000 is imposed.

Category 4

  • The violation occurred due to willful neglect.

  • The entity did not take any steps to correct its wrongdoings.

  • A penalty of at least $50,000 is imposed.


Which agencies enforce HIPAA?

HIPAA enforcement is a collaborative effort between different agencies. It is mostly enforced by several state and federal agencies rather than the Department of Health and Human Services (HHS). These agencies include the following:

  • The Pension Benefit Guaranty Corporation

  • The Internal Revenue Service

  • The Federal Trade Commission (FTC)

  • The Department of Justice (DOJ)

  • The Employee Benefits Security Administration

  • State attorneys general

Let’s look at some of these agencies in more detail.

The Department of Justice

If the OCR identifies a criminal violation, the complaint will be referred to the US Department of Justice for further investigation. The DOJ is responsible for pursuing criminal convictions.

Under HIPAA, the DOJ imposes criminal penalties for unpermitted disclosure and the use of PHI for malicious intent or personal gain. Intentional misuse of protected personal information results in one year of imprisonment. If false pretense is involved, the individual can be jailed for up to five years.

State attorneys general

State attorneys general play a role in enforcing HIPAA regulations. They coordinate activities with the OCR that address systemic issues and widespread HIPAA breaches.

State attorneys general seek civil actions on behalf of citizens who have suffered as a result of HIPAA violations. They are responsible for prosecuting the offender under state law rather than under HIPAA.

One of their responsibilities is to obtain damages on behalf of state residents if their rights have been violated. Depending on the severity of the HIPAA violation, penalties of up to $25,000 per violation tier can be imposed.

The Federal Trade Commission

The FTC enforces the Health Breach Notification Rule, which requires companies not covered by HIPAA to alert their customers and the media if a breach of unsecured health information occurs.

According to the FTC, the notification should be given within 60 calendar days and include a brief description of what happened, the kind of information involved, and the steps individuals should take to protect themselves. Companies are also required to give a brief description of the steps they are taking as a business to investigate the breach and how people can reach them for more information.

The FTC also enforces consumer protection laws and prohibits companies from misleading consumers. It also takes action against organizations that engage in deceptive practices related to protecting and securing PHI.

Who enforces HIPAA within an organization?

Organizations should take steps to avoid violating HIPAA regulations. They should designate a privacy officer who reviews HIPAA policies and ensures compliance. The appointed HIPAA officers are responsible for overseeing the development and implementation of HIPAA rules within the organization. Other responsibilities include training the workforce on the confidentiality and integrity of electronic health information.
What is the penalty for violating HIPAA?

Financial penalties are often settlements with no publicized admission of liability or civil monetary penalty. An administrative law judge is the person who determines the civil monetary settlement.

Is HIPAA only in the US?

HIPAA is a regulation that only applies to covered entities in the US.

Who investigates a potential information breach?

The OCR accepts and investigates complaints of potential information breaches.
