The entity responsible for enforcing the HIPAA Privacy and Security Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). Since the Privacy Rule took effect in 2003, the OCR’s enforcement work has considerably improved the privacy practices of covered entities, resulting in more effective protection of individuals’ health information.
The HIPAA Enforcement Rule contains provisions covering compliance and investigations, procedures for hearings, and the enforcement of civil money penalties for violations of the HIPAA Administrative Simplification Rules.
The Enforcement Rule specifies how HHS determines liability and calculates fines for covered entities that are found to have breached the HIPAA rules after an investigation and, where requested, an administrative hearing. Now that we know what the Enforcement Rule is, let’s look at how enforcement actually works.
The OCR is responsible for enforcing the HIPAA Privacy and Security Rules. This includes the investigation of complaints lodged, the implementation of training to facilitate compliance with the rules, and administration of compliance reviews to ensure entities are compliant.
However, the OCR may only take on complaints that meet the following conditions:
If the OCR accepts a complaint, both the individual who filed it and the covered entity named in it will be notified. So that the OCR can establish the facts, both parties will be asked to provide information about the incident.
If the covered entity is found not to be in compliance, the OCR will first try to resolve the matter through voluntary cooperation, corrective action, or a settlement agreement. If the covered entity does not take the necessary action to resolve the matter, the OCR may impose civil money penalties (CMPs). The covered entity may then request a hearing, in which an HHS administrative law judge determines whether the facts of the case justify the penalty.
Should a complaint involve a possible violation of HIPAA’s criminal provisions, the OCR may refer it to the Department of Justice (DOJ) for investigation. To date, the OCR has made 945 such referrals to the DOJ.
“The Secretary” under HIPAA refers to the Secretary of the US Department of Health and Human Services or his/her appointed representatives.
A person may file a complaint with the Secretary if he/she believes a covered entity is not compliant with HIPAA regulations. Complaints must meet the following requirements:
The Secretary will investigate a complaint when a preliminary review indicates a possible violation due to willful neglect, and may investigate any other complaint. If an investigation indicates noncompliance, the Secretary may attempt to reach a resolution by informal means, such as demonstrated compliance or a completed corrective action plan.
If the matter is not resolved by informal means, the Secretary will inform the covered entity in writing and allow it 30 days to submit written evidence of any mitigating factors or affirmative defenses for consideration. If the Secretary then finds that a civil money penalty should be imposed, the covered entity will be notified in writing of the proposed penalty.
Covered entities have specific responsibilities, some of which are:
HIPAA rewards care providers who proactively detect, investigate, and correct violations: where a violation was not due to willful neglect and is corrected within 30 days of the date the entity knew, or should have known, of it, no civil money penalty may be imposed. This is called an “affirmative defense.” Care providers can therefore minimize their exposure to penalties by discovering violations, for example within their electronic health record (EHR) systems, as early as possible and taking prompt action to correct them. The same affirmative defense is available to business associates, including a cloud service provider (CSP) handling protected health information, that correct noncompliance within 30 days of the date they knew of the violation.
Entities that violate HIPAA’s Privacy, Security, and electronic transaction rules face strict penalties. Fines and charges are broken down into two major categories:
At the time of writing, the OCR had received 245,393 HIPAA complaints and initiated 1,028 compliance reviews since the Privacy Rule’s compliance date in April 2003.
Some of the compliance issues most often found are:
The most common types of covered entities found to have committed violations are:
The HITECH Act (Health Information Technology for Economic and Clinical Health Act) gave State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules, either to obtain damages on behalf of those residents or to enjoin further violations.
The OCR welcomes this collaboration with the State Attorneys General and has developed HIPAA Enforcement Training to help them and their staff use this authority to enforce the HIPAA Privacy and Security Rules.
The CMS (Centers for Medicare and Medicaid Services) is the federal agency that administers the nation’s major healthcare programs: Medicare (a taxpayer-funded program for seniors aged 65 and older), Medicaid (a government-sponsored program that helps cover health care costs for people with low incomes), and CHIP (the Children’s Health Insurance Program, offered to families with children under age 19 who earn too much to qualify for Medicaid but cannot afford regular health insurance).
The CMS is responsible for the following key parts of the healthcare system:
The CMS also administers and enforces the HIPAA Administrative Simplification standards other than the Privacy and Security Rules, namely the standards for electronic transactions, code sets, and unique identifiers. These standards aim to make the electronic exchange of health care data uniform and efficient, and they work alongside the privacy and security protections that the OCR enforces.
The Department of Health and Human Services’ Office for Civil Rights is responsible for enforcing HIPAA’s Privacy and Security Rules. Covered entities need to ensure that they comply with the HIPAA rules and regulations, and need to keep their staff informed and trained, to avoid civil penalties and criminal charges.
Coggno has a wide range of online training courses that relate to the HIPAA Privacy and Security Rules. Get started with your first course today!