Who Polices HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) brought in many new regulations for healthcare groups, but who polices HIPAA? Which federal departments are charged with making sure HIPAA Rules are adhered to by covered bodies and their business associates?

Who Polices HIPAA?

The chief enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, since the addition of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009, state attorneys general were allocated the power to police HIPAA Rules. The Centers for Medicare and Medicaid Services (CMS) also have some responsibilities, and are chiefly responsible for policing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) can also police HIPAA in relation to medical devices and may take action against healthcare groups in certain scenarios.

HHS’ Office for Civil Rights Policing HIPAA

As the chief enforcer of HIPAA Rules, the Office for Civil Rights reviews all data breaches reported by covered bodies and business associates if they affect more than 500 people. Smaller data breaches are also sometimes investigated, if HIPAA violations are a possibility. OCR also looks into HIPAA complaints submitted by patients and employees of HIPAA covered bodies.

When HIPAA breaches are found, OCR can take a number of different steps. OCR prefers to settle HIPAA violations through voluntary compliance or by issuing technical guidance to help the covered bodies adhere with HIPAA Rules.

Egregious breaches of HIPAA Rules, multiple violations, and persistent non-compliance may result in financial penalties for HIPAA violations. Financial penalties are most commonly settlements, where the covered entity agrees to pay a penalty with no admission of liability. OCR may also impose a civil monetary penalty. If criminal violations of HIPAA Rules are discovered, the case is sent to the Department of Justice.

HIPAA Policing by State Attorneys General

HIPAA policing by state attorneys general can happen, although it is unusual for cases to be pursued. While all HIPAA breaches are dealt with seriously, oftentimes, if the personal data of state residents has been accessible or patient privacy has been breached, state attorneys general pursue the cases under state legislation instead of HIPAA legislation. There are a number of reasons for this, but more often than not it is because it is simpler to take action against firms under state legislation.

However, a number of state attorneys general have taken legal action against HIPAA-covered bodies for HIPAA breaches, as mandated by HIPAA and the HITECH Act.

About Patrick Kennedy 619 Articles
Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: https://www.linkedin.com/in/pkkennedy/