HIPAA Rules: Enforcement Rule
The Health Insurance Portability and Accountability Act (HIPAA) was first passed in 1996; the HIPAA Enforcement Rule was added in 2006. HIPAA mandated that the Secretary of the U.S. Department of Health and Human Services (HHS) create rules for the security and privacy of specific health information.
Under the HIPAA Enforcement Rule, HHS now has the authority to impose fines on organizations for avoidable breaches of electronic protected health information (ePHI). Enforcement is carried out by the HHS Office for Civil Rights (OCR), which also investigates complaints and conducts outreach to promote compliance.
Financial fines and other consequences hold covered entities responsible for maintaining patient privacy and the confidentiality of health data and for granting patients access to their health records upon request, and they act as a deterrent to HIPAA violations. The HIPAA penalty structure is tiered according to how much knowledge the covered entity had of the violation.
HIPAA violations and data breaches can result in severe financial and non-financial penalties, including sizeable fines that vary depending on the violation, organizational costs associated with notifying parties and mitigating the effects of breaches, and even the possibility of criminal prosecution.