The HIPAA Enforcement Rule is the part of HIPAA that sets out the responsibilities and requirements of Covered Entities and Business Associates and how they are expected to cooperate in the enforcement process. The HIPAA Enforcement Rule also establishes another important principle: it lays out the rules describing how the Department of Health and Human Services (HHS) investigates noncompliance by Covered Entities and Business Associates. HHS does this through two mechanisms: investigation of the complaints it receives, and compliance reviews.
First enacted in 2003, the HIPAA Enforcement Rule has been changed from time to time. The original enactment was subsequently modified in 2004, 2005, 2006 and 2009. As of early 2016, the modification made in late 2009 is the one in force.
In the latest of these modifications, the one of 2009, the HITECH Act changed the structure of the civil money penalties for violating the HIPAA Rules. It introduced a tiered increase in the penalties levied on Covered Entities and Business Associates found to have committed violations, with the tier determined by the entity's level of culpability. These penalties apply with retrospective effect, i.e., to violations occurring from the date of enactment.
The HITECH Act's changes to the HIPAA Enforcement Rule also gave State Attorneys General the authority to enforce the HIPAA Rules. They can do this by bringing civil actions against Covered Entities and Business Associates accused of causing a data breach. For the record, Connecticut became the first State in which this section of the HIPAA Enforcement Rule was applied.
The OCR enforces the Privacy and Security Rules under the HIPAA Enforcement Rule in several ways: