HIPAA Enforcement and Penalties
The OCR enforces both rules, audits regulated entities, and assesses civil penalties up to roughly $2 million per year per violation type. HIPAA has no private right of action. The DOJ pursues criminal cases (sentences up to 10 years); the FTC and state AGs can also act. The 2021 HIPAA Safe Harbor Law rewards recognized security practices.
The OCR is the primary enforcer of both the Privacy and Security Rules, processing complaints and assessing civil penalties up to roughly $2 million per year per type of violation. Examples: a 2018 Anthem settlement of $16 million (79 million people affected) and a 2020 Premera Blue Cross penalty of $6.85 million.
HIPAA has no private right of action. Individuals file complaints with the OCR (and may not be retaliated against for doing so). The DOJ holds criminal authority, with sentences up to 10 years; the FTC and state AGs can also pursue unfair or deceptive practices.
Since 2019 the OCR has emphasized the right to access records in a timely manner (e.g., a 2021 Banner Health $200,000 settlement). The 2021 HIPAA Safe Harbor Law gives the OCR discretion for leniency where recognized security practices were in place for the prior 12 months.