The HIPAA Breach Notification Rule, found at 45 CFR Part 160 and Subparts A and D of Part
164, requires HIPAA covered entities to notify affected individuals, the Department, and in some
cases, the media, following the discovery of a breach of unsecured PHI. Business associates are
also required to notify covered entities following the discovery of a breach.

For most HIPAA covered entities, compliance with the Privacy Rule was required by April 14,
2003, compliance with the Security Rule was required by April 20, 2005, and compliance with
the Breach Notification Rule was required for breaches that occurred on or after September 23,
2009.[4]

This report includes information about the Department’s enforcement process with
regard to the Privacy, Security, and Breach Notification Rules, and information about the
Department’s efforts to enforce the Rules both since their respective compliance dates and
specifically with regard to calendar years 2011 and 2012. Additionally, the report includes a
discussion of the Department’s plans to improve enforcement of the Rules in 2013 and beyond.
Enforcement Process
OCR enforces the HIPAA Rules by investigating written complaints filed with OCR, either on
paper, by e-mail, or through our complaint portal, and by conducting compliance reviews with
regard to circumstances brought to the attention of OCR by other means, to determine if covered
entities or business associates are in compliance with the Rules. In addition, OCR’s compliance
activities include conducting audits of covered entities,[5] and providing education and outreach to
foster compliance with the Rules’ requirements, which are discussed later in the report.
Under the law, OCR may take action only on complaints that meet the following conditions:
• The alleged violation must have taken place after compliance with the Rules was
required. OCR cannot investigate complaints regarding actions that took place before
compliance with the HIPAA Rules was required.
• The complaint must be filed against an entity that is required by law to comply with the
HIPAA Rules.
• A complaint must describe an activity that, if determined to have occurred, would violate
the HIPAA Rules.
• Complaints must be filed within 180 days of when the individual submitting the
complaint knew or should have known about the act or omission that is the subject of the
complaint. OCR may waive this time limit if it determines that the individual submitting
the complaint shows good cause for not submitting the complaint within the 180-day time
[4] A separate Report to Congress, available at http://www.hhs.gov/ocr/privacy/, describes the types and numbers of
breaches reported to the Secretary and the actions that have been taken by covered entities and business associates in
response to the reported breaches.

[5] Section 13411 of the HITECH Act, which became effective on February 17, 2010, authorizes and requires the
Department to provide for periodic audits to ensure that covered entities and business associates comply with the
HIPAA Rules. As a result of the HITECH Act’s mandate, during 2010, 2011, and 2012, OCR undertook several
initiatives towards the establishment of an audit program.