Who Enforces HIPAA?

November 28, 2025

Data breaches involving healthcare organizations keep rising. In 2024, there were more than 12,000 separate security failures at hospitals, clinics, and health insurers, including the crippling ransomware attack on Ascension’s EHR systems. Many of these breaches also result in HIPAA violations, potentially exposing healthcare companies to costly penalties in addition to disruptions. Is anyone enforcing HIPAA in 2025, or are compliance efforts a waste of resources?

What Agency Enforces HIPAA?

The responsibility for HIPAA enforcement actions belongs to the Office for Civil Rights, a division of the U.S. Department of Health and Human Services. OCR performs compliance reviews and investigates complaints of HIPAA violations. The agency also oversees corrective actions, which can include specific security measures, follow-up audits, or fines.

Healthcare organizations, private clinics, health insurers, and other covered entities must adhere to the HIPAA Privacy, Security, and Breach Notification Rules. If a data breach leaks protected health information, covered entities must notify the HHS Secretary within 60 days (or annually if fewer than 500 records were involved). These notifications can also trigger OCR investigations into HIPAA compliance failures.

Is HIPAA a Federal Law?

HIPAA stands for the Health Insurance Portability and Accountability Act. As an act of Congress, HIPAA is a federal law that gives HHS the authority and responsibility to set standards and enforce compliance.

Technically, the Privacy Rule, Security Rule, and similar HIPAA rules are regulations, not laws. They were created by HHS to give healthcare organizations instructions for safeguarding the protected health information of patients. In any case, HIPAA rules are mandatory for covered entities and third-party business associates.

Are HIPAA Regulations Actually Enforced?

With recent shifts in HHS oversight and staffing, some hospitals may wonder if the agency that enforces HIPAA is still taking compliance seriously. According to records from 2024, now isn’t the time to lower your guard when it comes to HIPAA.

Between April 2003 and October 2024, OCR reviewed more than 370,000 complaints, performed over 15,000 audits, and issued nearly $150,000,000 in fines. In just the first half of 2024, the agency received over 100 complaints.

Not every HIPAA complaint leads to a civil penalty. Sometimes, OCR finds that the PHI disclosure was allowed under the TPO exception. Other times, OCR personnel focus on helping hospitals and clinics become HIPAA compliant. The agency mainly issues large fines in cases of negligence.

Who Enforces HIPAA Compliance in Your Organization?

HIPAA compliance doesn’t happen by accident. That’s why the framework requires naming a HIPAA officer, a qualified professional responsible for managing the organization’s HIPAA compliance program. Larger enterprises typically have one HIPAA security officer and another HIPAA privacy officer.

Enforcing HIPAA regulations is necessary to keep patient data secure and prevent unauthorized access. Implementing cybersecurity best practices benefits your organization in other ways, too, such as reducing the risks of ransomware attacks and theft.

Can You Realistically Enforce HIPAA?

Modern technology can simplify compliance for your personnel in charge of enforcing HIPAA, even if you have thousands of employees. Compyl is a cutting-edge HIPAA compliance solution that maps your program, tracks worker adoption, shows compliance progress, and helps you automate the process. Request a demo today.