How OCR Enforces the HIPAA Rules
OCR is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules in accordance with the HIPAA Enforcement Rule—known collectively as the HIPAA Rules (45 CFR Parts 160 and 164). One of the ways that OCR carries out this responsibility is to investigate complaints received through the web-based complaint portal. OCR also conducts compliance reviews to determine if covered entities and business associates (together, “regulated entities”) are in compliance, and OCR performs education and outreach to foster compliance with the requirements of the HIPAA Rules.
OCR may only take action on certain complaints. See What OCR Considers During Intake and Review of a Complaint for a description of the types of cases in which OCR cannot take an enforcement action. For information about when OCR can investigate complaints against a business associate, see the Fact Sheet entitled “Direct Liability of Business Associates.”
If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the regulated entity named in it. Then OCR commences its investigation and requests information from the regulated entity regarding the complaint allegation(s). OCR requests specific information to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.
If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.
OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the regulated entity did not violate the applicable requirements of the HIPAA Rules. If the evidence indicates that the regulated entity was not in compliance, OCR will attempt to resolve the case with the regulated entity by obtaining:
- Voluntary compliance;
- Corrective action; and/or
- Resolution agreement.
Most investigations into compliance with the HIPAA Rules are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the regulated entity in writing of the resolution result.
If the regulated entity does not take action to resolve the matter in a way that is satisfactory, OCR may decide to impose civil money penalties (CMPs) on the regulated entity. If CMPs are imposed, the regulated entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.