Who is Responsible for Enforcing the HIPAA Security Rule?
The HIPAA Journal
|
Summary
The enforcement of the HIPAA Security Rule is primarily overseen by HHS’ Office for Civil Rights (OCR), although other federal agencies, State Attorneys General, and organizations’ own HIPAA Privacy Officers often play more proactive roles in enforcement actions. OCR investigates a minimal number of breach notifications, typically less than 1%, leading to few enforcement actions. Violations requiring attention by other agencies, like the Department of Justice or HHS’ Office of Inspector General, often involve criminal actions or potential federal program exclusions. State Attorneys General may also impose civil monetary penalties for data breaches. While HIPAA Privacy Officers enforce compliance within organizations, the potential for future indirect enforcement by CMS through federal health program conditions signifies a need for stringent voluntary compliance to avoid penalties and exclusions.
