The HIPAA, or Health Insurance Portability and Accountability Act, was formulated and made a law in 1996. The Enforcement Rule was added to the sub-rules of HIPAA in 2006 by the Department of Health and Human Services (HHS) of the United States. The Secretary of the US Department of HHS was required to develop regulations to protect the privacy and security of consumers' health information in the health care and health insurance industries. If any organization commits avoidable breaches of ePHI, it can be penalised by the US Department of Health and Human Services. The Office for Civil Rights within the HHS department is responsible for enforcing these penalties. It does so by conducting compliance reviews, carrying out outreach to encourage compliance, and investigating complaints from consumers.
Apart from financial penalties, there are other HIPAA sanctions which deter businesses from violating the HIPAA rules laid down by the government. This ensures that covered entities are held accountable for protecting the privacy of patients and the confidentiality of health data, and for providing patients with access to their health records on request.
The penalties applied by the HHS department are tiered and are based on the knowledge that the business had of the violation. Of course, the US government realises that some violations could be caused by hardware or software malfunctions in the systems that store and transfer the data. Some breaches may also be due to human error. Because of this, the government gives the benefit of the doubt in such cases, while ensuring that any deliberate breach of the HIPAA rules is punished severely in order to deter other miscreants from getting their hands on such sensitive and private health information of consumers.
On the other hand, the financial and other penalties incurred as a result of HIPAA violations and data breaches can be extremely costly, ranging from significant fines that vary by violation to the organisational costs of issuing notifications and mitigating the damage caused by breaches, as well as the possibility of criminal prosecution.