Who enforces HIPAA depends on the section of HIPAA being enforced, the activities of the organization against which enforcement action is being taken, or whether an individual against whom enforcement action is being taken is a member of a covered entity’s or business associate’s workforce.
The Health Insurance Portability and Accountability Act (HIPAA) was not only responsible for the adoption of standards to improve the privacy and security of Protected Health Information. It also made changes to numerous existing Acts and United States Codes in order to improve access to – and the portability of – health insurance.
For this reason, there is not only one federal Department that enforces HIPAA. For example, the Department of Labor enforces HIPAA provisions relating to the accessibility and portability of health insurance. Organizations that violate these provisions can face civil and criminal penalties of up to $500,000 and ten years in jail.
Other federal Departments that enforce sections of HIPAA include the Treasury, Justice, Defense, and Veterans Affairs Departments. In addition, since the passage of the HITECH Act, the Federal Trade Commission enforces its own Health Breach Notification Rule, which applies to organizations not covered by “Healthcare HIPAA”.
What is “Healthcare HIPAA”?
“Healthcare HIPAA” is a term used to distinguish Title II of the HIPAA Act from the Act’s primary objectives. This section covers the measures introduced to reduce fraud and abuse in the healthcare industry and to simplify the administration of healthcare transactions between healthcare providers and health insurance companies.
Healthcare HIPAA is enforced by the Department of Health and Human Services (HHS). Within HHS, three agencies are responsible for enforcing different sections of Healthcare HIPAA:
- The Office of Inspector General (OIG) enforces HIPAA provisions relating to healthcare fraud and abuse.
- The Centers for Medicare and Medicaid Services (CMS) enforces the standards for electronic transactions and data elements.
- The Office for Civil Rights (OCR) enforces Parts 160 and 164 of the Administrative Simplification Regulations.
Parts 160 and 164 of the Administrative Simplification Regulations are what most people recognize as HIPAA because these Parts contain the standards adopted to improve the privacy and security of Protected Health Information. Part 160 also includes the HIPAA Enforcement Rule, while Part 164 also includes the HIPAA Breach Notification Rule.
How Does OCR Enforce HIPAA?
OCR enforces HIPAA by investigating complaints and breach notifications. In most cases, investigations are resolved via voluntary corrective actions and technical assistance. However, when a violation causes harm, or the entity being investigated has a history of non-compliance, OCR has the authority to issue civil monetary penalties.
The amount of a civil monetary penalty can vary according to the nature of the violation, the length of time the violation was allowed to continue, the number of individuals affected, and the organization’s cooperation during the investigation. The penalties were set by the HITECH Act and are adjusted annually to account for inflation. The penalties for 2024 are:
Other Enforcers of Healthcare HIPAA
The HITECH Act also authorized State Attorneys General to pursue civil monetary penalties against covered entities and business associates who are responsible for unauthorized uses and disclosures of Protected Health Information. Claims can be filed through federal district courts and resolved for up to $25,000 per violation.
Although State Attorneys General must inform OCR they are filing a civil claim against a covered entity or business associate, the outcome of the claim is not dependent on OCR issuing a civil monetary penalty. There are multiple examples of State civil actions resulting in settlements when OCR chose not to issue a civil monetary penalty.
More recently, HIPAA has also been indirectly enforced by private legal actions. Although HIPAA does not have a private right of action, individuals – or groups of individuals – who have been affected by unauthorized uses or disclosures of PHI are taking advantage of state privacy laws to sue for violations of HIPAA – often successfully.
Who Enforces HIPAA in the Workplace?
Who enforces HIPAA in the workplace can depend on the HIPAA “status” of the organization. If the organization qualifies as a covered entity, the organization’s Privacy Officer is responsible for enforcing HIPAA – although this responsibility can be delegated to another senior member of the workforce such as a department head or HR manager.
If the organization qualifies as a business associate, it is not required to designate a Privacy Officer. If no Privacy Officer is designated, the organization’s Security Officer is responsible for enforcing HIPAA – although this responsibility can again be delegated. In both cases the penalty for workforce HIPAA violations depends on the organization’s sanctions policy.
Usually, an organization’s sanctions policy consists of three or four tiers. At the lower tiers, the penalty for a workforce HIPAA violation is a verbal warning and/or HIPAA training. For more serious violations – or repeated violations – the penalties can range from a written warning to suspension and loss of employment.
Serious violations can also be reported to law enforcement agencies – particularly when a workplace HIPAA violation also breaches §1177 of the Social Security Act. Violations of the Social Security Act are referred to the Department of Justice and can result in fines of up to $250,000 and/or sentences of up to 10 years “if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm”.