HIPAA Security Rule Enforcement: What to Do If You’re Investigated
The responsible entity for enforcing the HIPAA Privacy and Security rules is The Department of Health and Human Services’ Office for Civil Rights (OCR). Since 2003, the OCR’s role has considerably improved the privacy practices of covered entities, thus ensuring more effective protection of the privacy of health information for individuals.
What is the HIPAA enforcement rule?
The HIPAA Enforcement Rule contains provisions covering compliance and investigations, procedures for hearings, and the enforcement of civil money penalties for violations of the HIPAA Administrative Simplification Rules.
The legislation under the Enforcement Rule specifies how HHS governs liability and calculates fines for healthcare providers who have breached the HIPAA rules after an investigation and administrative hearing. Now we know what the enforcement rule is, let’s look at the enforcement method.
The enforcement process
The OCR is responsible for enforcing the HIPAA Privacy and Security Rules. This includes the investigation of complaints lodged, the implementation of training to facilitate compliance with the rules, and administration of compliance reviews to ensure entities are compliant.
However, the OCR may only take on complaints that meet the following conditions:
1. The allegation must be against a covered entity.
This means entities are required by law to comply with the Privacy and Security Rules. Company health plans and healthcare providers such as doctors, dentists, psychologists, and hospitals are examples of covered entities. Life insurers, workers’ compensation carriers, schools, and municipal offices are not expected to comply with the rules.
2. The action must have taken place after the dates the rules took effect.
Compliance with the Privacy rule commenced on 14 April 2003, and the Security Rule came into effect on 20 April 2005. Any complaints that occurred before these dates may not be investigated.
3. Complaints must be filed within 180 days of the violation.
The OCR may waive this if sufficient reasons are provided for not reporting the complaint within the required time frame.
Check out – HIPAA Courses
If the OCR accepts a complaint, the individual who filed the complaint, as well as the covered entity named, will be notified. For the OCR to obtain a proper understanding of the facts, both entities will be requested to present information about the incident.
If the covered entity is not in compliance, the OCR will attempt to resolve the matter by attempting to obtain voluntary cooperation, corrective action, or a settlement agreement. If the covered entity does not take the necessary action to resolve the matter, the OCR may impose civil money penalties (CMPs) on the covered entity. A covered entity may then request a hearing in which an HHS administrative law judge may determine if the facts in the case justify the penalty.
Should a complaint violate HIPAA’s criminal provision, the OCR may refer the complaint to the Department of Justice (DOJ) for investigation. Up to date, the OCR has made 945 referrals to DOJ.
Complaints to the Secretary
“The Secretary” under HIPAA refers to the Secretary of the US Department of Health and Human Services or his/her appointed representatives.
A person may file a complaint with the Secretary if he/she believes a covered entity is not compliant with HIPAA regulations. Complaints must meet the following requirements:
- It must be filed in writing.
- The person that is the subject of the complaint must be named, and their acts in violation of HIPAA regulations must be described.
- A complaint must be filed within 180 days of the incident unless the Secretary for a good cause provided waives this.
The Secretary will investigate a complaint when a preliminary review indicates a possible violation due to willful neglect. If an investigation indicates noncompliance, the Secretary may attempt to reach a resolution by informal means. This can be proven compliance or a corrective action plan.
If the matter is not resolved by informal means, the Secretary will inform the covered entity in writing and allow them to submit written evidence of affirmative defenses for consideration within 30 days. If the Secretary then finds that a civil money penalty should be imposed, the covered entity will be informed.
Responsibilities of covered entities
Covered entities have specific responsibilities, some of which are:
- They have to provide compliance reports and records.
- Full cooperation with complaint investigations and compliance reviews.
- Granting authorization to access information.
Related Article: How to Get HIPAA Certification
HIPAA rewards care providers who proactively detect, investigate, and correct violations within 30 days by providing them with immunity against fines. This is called an “affirmative defense.” Care providers have the opportunity to minimize exposure to penalties by discovering violations within electronic health records (EHRs) as soon as possible and taking prompt action to correct them. HIPAA rules also provide an affirmative defense where a cloud service provider (CSP) corrects non-compliance within 30 days that it knew of the violation.
Civil money penalties
Entities that violate HIPAA’s security, privacy, and electronic healthcare rules, face strict penalties. Fines and charges are broken down into two major categories:
- Reasonable cause – ranges from $100 to $50 000 per incident with no jail time involved.
- Willful neglect – ranges from $ 10,000 to $ 50,000 per incident and may result in criminal charges.
The OCR has received over 245,393 HIPAA complaints and has initiated over 1,028 compliance reviews since the Privacy Rule’s compliance date in April 2003.
Some of the compliance issues most often found are:
- Protected health information is illegally revealed and used.
- Lack of patient access to their protected health information.
- Lack of administrative safeguards for electronically protected health information.
The most common types of covered entities found to have committed violations are:
- General Hospitals.
- Outpatient Facilities.
- Private Practices and Physicians.
HIPAA enforcement by State Attorneys General
The HITECH Act (Health Information Technology for Clinical and Economic Health Act) gave the State Attorney General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act permits the State Attorney General to obtain damages on behalf of state residents or enjoin further violations of the HIPAA Privacy and Security Rules.
The OCR welcomes this collaboration with the State Attorneys General. It has developed HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules.
HIPAA enforcement by the Centers for Medicare and Medicaid Services (CMS)
The CMS (Centers for Medicare and Medicaid Services) is a federal agency that administers the nation’s major healthcare programs. This includes Medicare – (a taxpayer-funded program for seniors aged 65 and older), Medicaid – (a government-sponsored program that assists with health care coverage to people with low incomes), and CHIP – (The Children’s Health insurance Program that is offered to parents of children under age 19 who make too much to qualify for Medicaid but can’t afford regular health insurance.
The CMS runs the following key points in the healthcare system:
- Collects and analyzes data.
- Produces research reports.
- Strives to eliminate fraud and abuse within the healthcare system.
The CMS also manages the Administrative Simplification standards of HIPAA. The use of Administrative Simplification Standards strives to implement the adoption of national electronic health care records, guarantee patient privacy and security, and enforce HIPAA rules.
The Department of Health and Human Services’ Office for Civil rights is responsible for enforcing HIPAA’s Privacy and Security Rules. Covered entities need to ensure that they are compliant with HIPAA rules and regulations and need to keep their staff informed and trained to avoid penalties and criminal charges.
Coggno has a wide range of online training courses that relate to the HIPAA Privacy and Security Rules. Get started with your first course today!