NPRM: Standards for Privacy of Individually Identifiable Health Information. 10. Enforcement.


HIPAA grants the Secretary the authority to impose civil monetary penalties on covered entities that fail to comply with the requirements of this rule, and also establishes criminal penalties for certain wrongful disclosures of protected health information. The civil fines are capped at $25,000 per calendar year for each provision that is violated. The criminal penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain. The statute does not provide a private right of action for individuals.

We propose to create a complaint system to permit individuals to make complaints to the Secretary about potential violations of this rule. We also propose that covered entities develop a process for receiving complaints from individuals about the entities’ privacy practices. (See § 164.522.) Our intent would be to work with covered entities to achieve voluntary compliance with the proposed standards.