The Health Insurance Portability and Accountability Act (HIPAA) brought in many new regulations for healthcare groups, but who polices HIPAA? Which federal departments are charged with making sure HIPAA Rules are adhered to by covered bodies and their business associates?
Who Polices HIPAA?
The chief enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, since the addition of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009, state attorneys general were allocated the power to police HIPAA Rules. The Centers for Medicare and Medicaid Services (CMS) also have some responsibilities, and are chiefly responsible for policing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) can also police HIPAA in relation to medical devices and may take action against healthcare groups in certain scenarios.
HHS’ Office for Civil Rights Policing HIPAA
As the chief enforcer of HIPAA Rules, the Office for Civil Rights reviews all data breaches reported by covered bodies and business associates if they affect more than 500 people. Smaller data breaches are also sometimes investigated, if HIPAA violations are a possibility. OCR also looks into HIPAA complaints submitted by patients and employees of HIPAA covered bodies.
When HIPAA breaches are found, OCR can take a number of different steps. OCR prefers to settle HIPAA violations through voluntary compliance or by issuing technical guidance to help the covered bodies adhere with HIPAA Rules.
Egregious breaches of HIPAA Rules, multiple violations, and persistent non-compliance may result in financial penalties for HIPAA violations. Financial penalties are most commonly settlements, where the covered entity agrees to pay a penalty with no admission of liability. OCR may also impose a civil monetary penalty. If criminal violations of HIPAA Rules are discovered, the case is sent to the Department of Justice.
HIPAA Policing by State Attorneys General
HIPAA policing by state attorneys general can happen, although it is unusual for cases to be pursued. While all HIPAA breaches are dealt with seriously, oftentimes, if the personal data of state residents has been accessible or patient privacy has been breached, state attorneys general pursue the cases under state legislation instead of HIPAA legislation. There are a number of reasons for this, but more often than not it is because it is simpler to take action against firms under state legislation.
However, a number of state attorneys general have taken legal action against HIPAA-covered bodies for HIPAA breaches, as mandated by HIPAA and the HITECH Act.