Which Entity Enforces HIPAA?


Although the entity most often referred to as the enforcer of HIPAA is the Department of Health and Human Services’ Office for Civil Rights, the question of which entity enforces HIPAA has several answers depending on which Title of HIPAA is being referred to. This is because the Health Insurance Portability and Accountability Act amended several existing Titles of the U.S. Code, some of which are enforced by more than one department, or by more than one agency within the same department.

In the preamble to the Health Insurance Portability and Accountability Act, the objectives of the Act are listed as “to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage […], to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes”.

To achieve these objectives, the Act not only amended the Internal Revenue Code (Title 26 of the U.S. Code), but also the Labor Code (Title 29) and the Public Health and Welfare Code (Title 42), while subsequent amendments introduced via the HITECH Act of 2009 also amended the Commerce and Trade Code (Title 15). These amendments resulted in several departments being responsible for enforcing HIPAA and, in some cases, different agencies within the same department being responsible for enforcing different areas of HIPAA.

Examples of Which Entity Enforces HIPAA

Because most of the text of HIPAA is concerned with improving the portability and continuity of health insurance coverage (Title I), many of its amendments are to the Employee Retirement Income Security Act (ERISA) in the Labor Code, with parallel amendments to the Public Health Service Act and the Internal Revenue Code. In the context of which entity enforces HIPAA, ERISA is enforced by three bodies: the Labor Department’s Employee Benefits Security Administration, the Pension Benefit Guaranty Corporation, and the Internal Revenue Service.

Title II of HIPAA, which relates to preventing fraud and abuse and to administrative simplification, amended areas of the Social Security Act. The responsibility for enforcing the fraud and abuse provisions was assigned to the Attorney General and the Inspector General of the Department of Health and Human Services, while the responsibility for developing the Administrative Simplification Regulations was assigned to the Secretary of Health and Human Services.

When the Administrative Simplification Regulations were published, the responsibility for enforcing the Administrative Requirements (45 CFR Part 162, covering transactions, code sets and identifiers) was assigned to the Centers for Medicare and Medicaid Services, while the responsibility for enforcing the Privacy and Security Rules (45 CFR Part 164) was assigned to the Office for Civil Rights. When the Breach Notification Rule was added under HITECH, the responsibility for enforcing the Rule was divided between the Office for Civil Rights, for covered entities and business associates, and the Federal Trade Commission, for vendors of personal health records and related entities that are not covered by HIPAA.



Other Enforcers of HIPAA

The later Titles of HIPAA are mostly administered and enforced by the Internal Revenue Service with contributions from the Social Security Administration. However, one agency that enforces HIPAA, the Department of Justice, is barely mentioned in the text of HIPAA despite several changes made to the Crimes and Criminal Procedure Code (Title 18) to provide for the prosecution of criminal violations of HIPAA. There are many different ways in which HIPAA violations can be criminal, including:

  • Disposing of assets in order to qualify for Medicaid benefits is a criminal violation of HIPAA if the assets are disposed of for less than fair market value.
  • Knowingly attempting to defraud a health care benefit program is a criminal violation of HIPAA, even if the attempt is unsuccessful.
  • The intentional misuse of any assets, including property, belonging to a health care benefit program is a criminal violation of HIPAA.
  • The obstruction of an investigation into a criminal violation of HIPAA, even when done by somebody other than the perpetrator, is a criminal violation of HIPAA.
  • The wrongful acquisition or disclosure of individually identifiable health information is a criminal violation of HIPAA, even if it was done on behalf of somebody else.

The threat of HIPAA enforcement action by the Department of Justice does not appear to be a deterrent for some people. Dozens of individuals have received custodial sentences for wrongfully acquiring or disclosing individually identifiable health information, while dozens of businesses have paid millions of dollars to resolve criminal charges relating to health care fraud. Consequently, businesses should know not only which entity enforces HIPAA but also how to adopt best practices that keep them compliant with HIPAA and out of reach of enforcement action.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/