Here's a simple guide to who enforces HIPAA, the Health Insurance Portability and Accountability Act, and how they carry out compliance. In just a moment, we’ll break down everything from how to avoid hefty fines to why HIPAA was created and how penalties for violations work.
If you are worried about your organization receiving fines for not following the rules, try EasyLlama’s HIPAA compliance training. Our easily accessible videos are a great way to comply with HIPAA regulations and certify your entire team.
What is HIPAA?
HIPAA is made up of two segments that dictate the use of patient health information. The first is the original Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the second is the Health Information Technology for Economic and Clinical Health Act (HITECH).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that created national standards to protect patient health information from being shared without the patient’s consent. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was instituted to address privacy and security concerns regarding the transmission of electronic health information.
Who Enforces HIPAA and HITECH?
The Office for Civil Rights (OCR), a division of the US Department of Health and Human Services (HHS), was originally tasked with enforcing HIPAA guidelines. It wasn’t until 2006, however, when the Department of Health and Human Services issued the HIPAA Privacy Rule, also known as The Enforcement Final Rule of 2006, that HIPAA could actually be enforced. The Privacy Rule laid out specific guidelines on how to assess HIPAA compliance and how to report HIPAA violations. It established mandatory reporting systems, gave the Office for Civil Rights (OCR) the ability to impose fines and penalties, and created new privacy and security requirements.
While the Office for Civil Rights is the primary enforcer of HIPAA compliance, other agencies have the power to enforce HIPAA in certain situations. The creation of the HITECH Act in 2009 granted state attorneys general the power to enforce HIPAA rules as they apply to health information technology and the electronic transmission of health records or other protected health information. In situations that involve medical devices, the Food and Drug Administration can also enforce HIPAA.
The Office for Civil Rights and HIPAA Enforcement
Violating HIPAA rules can lead to significant fines against health care agencies, and the Office for Civil Rights also has the power to prosecute business associates of these health care agencies for non-compliance.
The Office for Civil Rights enforces HIPAA guidelines in several ways. The OCR is charged with investigating any HIPAA violations and complaints that are filed, conducting compliance assessments and audits to determine if health care agencies are in compliance, and educating the health care community to foster compliance with the Privacy and Security Rules. If the OCR determines that a complaint is a criminal violation, such as theft of private health information for financial gain, the OCR will refer the complaint to the US Department of Justice for criminal investigation.
How does the penalty for violation work?
The penalty structure for HIPAA violations is divided into several levels and is based on a variety of factors. If the OCR decides that a covered organization is not in compliance with the HIPAA rules, the OCR will attempt to resolve the case through voluntary compliance, which is the preferred method of resolution. They are also able to assess a corrective action plan and generally create a resolution agreement. The HIPAA rules are not always clear or applicable to every organization. When minor violations are discovered due to a lack of understanding, the OCR may choose to issue follow-up training and guidance to help the agency correct the violation rather than charge a formal violation.
Major violations of HIPAA Rules or widespread non-compliance can result in fines and penalties. Financial penalties are most commonly settlements, where the covered organization agrees to pay a financial penalty with no admission of liability, but when an organization chooses to fight the case, the OCR may impose a civil monetary penalty that is made public. The matter is then presented to an Administrative Law Judge who will rule on whether HIPAA Rules have been violated and will determine a civil monetary penalty.
State Attorneys General and HIPAA Compliance
In February 2009, the HITECH Act gave state Attorneys General the power to enforce HIPAA for data breaches occurring in their state. This act also allowed Attorneys General to file civil actions with the federal district courts, with a maximum fine of $25,000 per violation category per calendar year, which is much lower than the fines that can be levied by the OCR.
Although the state Attorneys General have had the ability to pursue cases under HIPAA guidelines, few have chosen to use the option, and they tend to pursue cases based on violations of state laws rather than under HIPAA. Recently, state offices have been granted the power to retain a certain amount of fines issued for HIPAA violations, which may encourage states to become more involved in HIPAA enforcement.
Because there are numerous ways to enforce HIPAA compliance, it is not always clear which agency will be doing the enforcing. In most cases, the Office for Civil Rights is the enforcement agency, and when it is not, it is the organization that determines where the violation will be prosecuted. The FDA and CMS also have some enforcement power, as has the FCC in recent days, and finally, the HITECH Act has given state attorneys general the ability to prosecute specific violations in their states.