The enforcement of The Healthcare Insurance Portability and Accountability Act, commonly known as HIPAA, takes place on both the federal government and state government levels. The Department of Health and Human Services’ Office for Civil Rights (OCR), sets the rules for HIPAA, receives and investigates complaints, and issues penalties and fines.
Enforcement is carried out by the Office of Civil Rights (OCR) within HHS (Department of Health and Human Services). OCR is responsible for the investigation of complaints. When a complaint is filed, OCR reviews it. They may then pursue enforcement by investigations or audits. Thus far, HHS has publicly announced each audit it has conducted, when the audit was to take place, and what the audit consisted of.
During the investigation or audit, the OCR determines whether the covered entity was in compliance with the HIPAA security and privacy rule. If the organization is not in violation, the findings are documented and the case is closed. If in violation, action can be taken with respect to any of the HIPAA Rules. These rules include the HIPAA Privacy Rule, the Breach Notification Rule, the HIPAA Omnibus Rule, and the Security Rule.
You are liable under HIPAA if your organization handles protected health information (PHI), electronic Protected Health Information (ePHI), or if you interact with patient health information in any way. Some examples of interactions with patient information are:
The practice is always considered at fault If Protected Health Information (PHI) is compromised at a healthcare practice. However, based on the violation, an employee (especially an executive-level employee) may also be considered at fault and face serious consequences. If an employee was involved, healthcare employers hold some blame for not training employees properly.
The most common HIPAA violations are:
Hefty fines are applicable if your organization fails to comply with HIPAA requirements.
OCR’s fines are classified into several tiers.
The Health Information Technology for Clinical and Economic Health (HITECH) Act, gave the State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. The HITECH Act allows State Attorneys General to obtain damages on behalf of state residents.
OCR is encouraging State AGs to activate their authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. In addition, OCR promised to:
The Centers for Medicare & Medicaid Services (CMS), on behalf of HHS, administers the Compliance Review Program to ensure compliance among covered entities with HIPAA Administrative Simplification rules for electronic health care transactions.
It has the authority to investigate complaints of non-compliance related to all of the HIPAA regulations except the Security Rule and Privacy rules, which are enforced by the Office of Civil Rights (OCR). The regulations for which CMS has enforcement authority include the Transactions and Code Sets (TCS); the National Employer Identifier Number (EIN); the National Provider Identifier (NPI); and the Operating Rules (OPR). CMS also enforces the insurance portability requirements under Title I of HIPAA.
Would you like to learn more to ensure that your business is 100% HIPAA compliant?
We invite you to have a look at Coggno’s wide range of HIPAA training courses covering everything you need to know about compliance as well as providing the correct training to your employees.