The HHS Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy, Security and Breach Notification Rules.
Most covered entities were required to comply with the HIPAA Security Rule by April 20, 2005; small health plans were given one additional year.
Since the Breach Notification Rule took effect in 2009 under the HITECH Act, OCR has opened an investigation into every reported breach of unsecured PHI affecting 500 or more individuals. Smaller breaches must still be reported to HHS (they can be logged and submitted annually), and OCR may investigate those as well.
Not every breach is the result of a HIPAA violation, so OCR investigates the covered entity to determine whether its policies and safeguards actually fell short of the Rules. If the investigation finds no violation, the case is closed and OCR takes no further action. If violations are found, OCR has several options: it can resolve the matter through voluntary compliance, require corrective action, enter into a resolution agreement (often with a settlement payment and a monitored corrective action plan), or impose civil money penalties.
OCR's preferred outcome is voluntary compliance: the entity corrects the violation, documents the fix, and puts controls in place to prevent it from recurring. Formal penalties are generally reserved for cases where the entity will not cooperate or the violation was serious.
Unintentional violations are handled through civil enforcement; civil money penalties are tiered by the entity's level of culpability, from "did not know" up to willful neglect that is not corrected. Jail time is only possible under HIPAA's criminal provisions, which cover knowingly obtaining or disclosing individually identifiable health information in violation of the law. Those cases are referred to the Department of Justice rather than handled by OCR, and can result in fines and imprisonment, with the harshest penalties reserved for offenses committed under false pretenses or for commercial advantage, personal gain or malicious harm.