The U.S. Department of Health and Human Services (HHS), and specifically its Office for Civil Rights (OCR), is responsible for overseeing and enforcing compliance with the Privacy and Security Rules that are part of HIPAA.
Anyone who believes these rules have been violated can file a complaint with OCR. That office is responsible for investigating those complaints and for conducting compliance reviews, and it has the authority to take enforcement action on some types of complaints.
If your company or organization is notified by OCR of a complaint, you have a legal responsibility to cooperate with the investigation, including any requests for information and documentation. Most cases are resolved through corrective action, a resolution agreement, and/or voluntary compliance.
What are the potential penalties?
When an entity doesn’t resolve an issue satisfactorily, OCR can impose what’s called a civil money penalty (CMP). This penalty is paid to the U.S. Treasury – not to the complainant in the matter. The entity ordered to pay a CMP can ask for a hearing where an HHS administrative law judge decides whether the penalty is warranted.
Note that some HIPAA complaints can rise to the level of a potential federal crime. In that case, OCR can send the complaint on to the U.S. Department of Justice.
If you have been notified of a HIPAA complaint, it’s crucial to take it seriously and to cooperate with investigators, but also to preserve your rights. Having experienced legal guidance is essential.