Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Compliance and Enforcement


Comment: A Member of Congress and a number of privacy and consumer groups expressed their concern with whether the Office for Civil Rights (OCR) in HHS has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Member stated that "[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for The Secretary to begin building the necessary infrastructure to enforce the regulation effectively."

Response: The Secretary agrees with the commenters and is committed to an effective enforcement program. We will work with Congress to ensure that the Department has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations and to use civil and criminal penalties when necessary.