The HIPAA Enforcement Rule provides information regarding HIPAA compliance, investigations, and fines for HIPAA violations.

The HIPAA Enforcement Rule initially started as an interim final rule on “Procedures for Investigations, Imposition of Penalties, and Hearings.” In essence, this rule was created to outline what the civil monetary penalties would be for a HIPAA breach. It mostly applied to the privacy standards, as the security standards were relatively new at the time.

In 2005, the HIPAA Enforcement Rule was proposed, which helped solidify the monetary penalties. It also modified the interim final rule so that it applied to the security standards in addition to the privacy standards. This new rule also clarified the investigation process, the basis for liability, the grounds for waiver, and the appeal process.

Then, in 2009, the HITECH Act updated the monetary penalties and removed the ability for a covered entity to claim it didn’t know about a HIPAA standard. It established four categories of violations with corresponding tiers of penalty amounts. It also set a maximum penalty amount of $1.5 million for all violations of an identical provision in a calendar year.

Eventually, in 2013, the Omnibus Rule finalized the HITECH Act changes and required that business associates be treated similarly to covered entities with regard to HIPAA compliance.

If you are interested in learning more about the HIPAA Enforcement Process, you can read more on the Health and Human Services (HHS) website.
To help protect your organization against the costly fines that can be imposed for a HIPAA breach, sign up with HIPAAgps today.