Trying to come up with a definitive answer to the question ‘Who Enforces HIPAA?’ can bring up two very different answers. On one hand there are the official bodies and agencies that are charged with ensuring compliance and sanctioning penalties against any entity that is found guilty of coming up short in its HIPAA obligations, while on the other hand there are those eomployees within HIPAA covered entities that must see to it that the HIPAA regulations are understood and adhered to internally.
The Health Insurance Portability and Accountability Act (HIPAA) Enforcement Rule was issued as part of the Final Rule regarding HIPAA enforcement on February 16, 2006. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations. For many years there were few prosecutions for violations.
From an official standing the chief enforcer of HIPAA legislation is the Department of Health and Human Services’ Office for Civil Rights (OCR). In 2009 the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act resulted in state attorneys general been allocated the power to work with OCR in relation to HIPAA enforcement. In addition to this there are other bodies such as the Centers for Medicare and Medicaid Services (CMS), the U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) that also have a small amount of power in relation to to HIPAA enforcement. However first of all we we look at what HIPAA covered entities can do to enforce HIPAA legislation within their own organizations.
Internal HIPAA Enforcement by HIPAA Entities
This is an often overlooked aspect of ensuring that HIPAA rules are being enforced in your organization. It is the duty of every HIPAA entity to ensure that the legislation is being completely adhered to internally. In order to do this someone in the entity must either be appointed to, or volunteer for, the position of being for this task. Their duties will involve investigating breaches, identifying potential flaws within the organization, devising training and orientation programmes for new and existing members of staff and contracting the services of external expert groups to assist if necessary.
Training is one of the most reliable ways of preventing a HIPAA breach being unknowingly committed by a member of staff. Sessions should be conducted on an ongoing basis to keep staff members conscious of their HIPAA obligations and what they can/cannot do when handling Private Health Information (PHI). Doing this will not only indicate that you did all in your power to prevent breaches from occurring but will also go a long way to allowing you avoid stringent financial penalties that can be applied if a HIPAA breach occurs within your group.
Here are some examples of HIPAA breaches that were a result of a mistake being made by a member of staff:
- 200,000 HIPAA Covered Records Exposed by Staff Members
- Photographs of Patient’s Genital Injury Shared by Hospital Staff
- Member of Hospital Staff Was Accessing Medical Records Without Authorization for 14 Years
- UnityPoint Health Phishing Attack Impacts Several Staff Email Accounts
- Former Member of Staff Causes HIPAA Breach at Northwestern Memorial Hospital
All of these incidents should clearly indicate to you that the importance of policing HIPAA compliance within your own organization is absolutely vital if you wish to do everything in your power to avoids penalties like the ones listed above. Should you come up short in your HIPAA obligations you could then come into contact with one of the official agencies detail below.
HHS’ Office for Civil Rights (OCR) & HIPAA Enforcement
The HHS’ Office for Civil Rights (OCR) has the duty of reviewing every breach made known to it by HIPAA covered entities and business associates when it involves the PHI of over 500 individuals. In some cases smaller data breaches will be reviewed by the OCR if there is a suspicion that there were issues involving compliance failures or if complaints were submitted by patients and employees of HIPAA covered entities.
During the OCR review process there it will be investigated to see if any violations of the HIPAA Privacy, Security, and Breach Notification Rules have taken place. OCR has an attitude that even a HIPAA entity that is 100% compliant is only in a position to reduce the possibility of a data breach occurring to an acceptable lowest level.
OCR must review reports of possible HIPAA breaches so every HIPAA investigation will not automatically result in a breach being discovered and subsequent sanctions being applied. In the event that a HIPAA breach is identified, OCR can apply a range of different sanctions including voluntary compliance, a directive to implement specific new measures to prevent future breaches or punitive measures including financial penalties. In some cases HIPAA violations such as the theft of PHI for financial gain can result in criminal charges and be referred to the Department of Justice for further action.
HIPAA compliance audits are also completed by OCR. These are completed with the aim of uncovering areas of noncompliance to guide OCR’s enforcement attempts and allow for the formulation of new guidance. Additionally they are conducted to ensure that compliance is in place and may warrant further investigation and financial penalties could be sanctioned.
State Attorneys General & HIPAA Enforcement
State attorneys may become involved in HIPAA enforcement as per the HIPAA and the HITECH Act. However, it is more common for the state attorneys general to pursue the cases for violations of state statutes as opposed to HIPAA Rule breaches – mainly due to the fact that state legal actions are more straightforward to conduct.
Even so, a number of state attorneys general have taken action in relation to HIPAA breaches in states including California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, New York, Vermont, and the District of Columbia. The maximum financial penalty allowed to be sanctioned in this manner is, as per the HITECH Act, is $25,000 per identical violation in a calendar. year.
Centers for Medicare and Medicaid Services (CMS) & HIPAA Enforcement
The CMS can police compliance with the HIPAA Administrative Simplification Regulations. These regulations were created to enhance efficiency in the healthcare sector in order to decrease the the cost of healthcare. They mandate covered entities to implement standards for healthcare transactions, including the use of standard code sets and identifiers. CMS reviews complaints about covered entities that are not in compliance with this set of regulations. However, enforcement actions have not yet lead to any fines being sanctioned. Upon discovery of a violation, a covered entity must then voluntarily achieve compliance so any actions would only arise following a period of ongoing non-compliance.
There are a number of official entities that are charged with policing compliance with HIPAA. However, if you are attempting to achieve complete compliance with the data privacy regulations, avoiding data breaches and the subsequent financial sanction and damage to your organization’s reputation, then the most important aspect of this article for you to take on board is that the effective policing of HIPAA begins at your own doorstep.
By conducting ongoing training sessions to ensure your staff are aware of all HIPAA obligations you are taking the biggest step forward in establishing the strongest cybersecurity system possible and avoiding HIPAA breaches and penalties.