The Health Insurance Portability and Accountability Act, or HIPAA, has had a massive impact on the U.S. healthcare sector since it became law in 1996. Anything and everything involving patient information, from electronic medical records to the medical computers housing them, falls under its guidance. While many in healthcare are aware of the law, many either do not know, or are unsure of, who enforces HIPAA. We cover that subject today, from the government department(s) involved to the various penalties that can be imposed on companies not in compliance with the law.

Who is Responsible for Enforcing HIPAA Rules?

The Office of Civil Rights, or the OCR, bears the responsibility of enforcing HIPAA. The office falls under the U.S. Department of Health and Human Services (HHS).

The OCR provides information for individuals under HIPAA and rules for covered entities and business associates. Covered entities, as previously discussed under HIPAA Guidelines, are essentially any organization that holds electronic protected health information (PHI) as defined by the HHS. They are usually broken down into:

  • Healthcare plans, such as health insurance companies, government programs that pay for healthcare (for example, Medicare), and military and veterans’ health programs.
  • Healthcare clearinghouses, such as a medical billing service, a repricing company, or a community health management information system.
  • Healthcare providers, including individual providers, pharmacies, and nursing homes.

The office recently announced it is expanding to include cybersecurity among its responsibilities in HIPAA enforcement. Melanie Fontes Rainer, OCR director, states: “OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022 – an increase of 69 percent between 2017 and 2022 – with 27 percent alleged violations of civil rights, 7 percent alleged violations of conscience/religious freedom, and 66 percent alleged violations of health information privacy and security laws. Today’s reorganization improves OCR’s ability to effectively respond to complaints, puts OCR in line with its peers’ structure and moves OCR into the future.”

Besides HIPAA, the OCR is also responsible for:

  • Enforcing federal civil rights laws that protect the rights of individuals and entities from unlawful discrimination on the basis of race, color, national origin, disability, age, or sex in health and human services.
  • Enforcing federal laws that protect conscience and the free exercise of religion in health and human services. This includes prohibiting coercion and religious discrimination.

Interestingly, the OCR is also involved in dealing with the opioid overdose crisis sweeping across the U.S.

The OCR: List of Its Duties

HIPAA lays out three major rules for the protection of patient health information. The OCR began enforcing the first of them, the Privacy Rule, on April 14th, 2003.

The three rules are:

  • The Privacy Rule
  • The Security Rule
  • The Breach Notification Rule

The Privacy Rule

The Privacy Rule is designed to protect PHI. It can be viewed in two parts:

  • Covered entities must have safeguards in place to protect patient information. These range from limits and conditions on how the information is used to how it is accessed.
  • Patients have certain rights to access their PHI.

Note that HIPAA’s Privacy Rule is undergoing its first major update in over a decade.

The Security Rule

These are the standards and requirements that must be used to protect PHI, both when it is stored by covered entities and business associates and when it is transmitted (for example, an exchange between an RN’s medical tablet and a provider’s smartphone). Safeguards such as built-in RFID readers and single sign-on software like Imprivata on such a medical tablet are one way to comply with this rule.

The Breach Notification Rule

This rule establishes what happens when a covered entity or any of its business associates suffers a data breach.

Is the patient notified first? Or the director of the OCR? What about the HHS, or even the media? This rule answers those questions and more.

Other, more specific HIPAA rules, such as the Transaction Rule, the Identifiers Rule, and the Enforcement Rule, are also enforced by the OCR.

How the OCR Enforces Rulings

The OCR enforces HIPAA in several ways. The first is to investigate complaints filed with it. Complaints must meet strict criteria for the office to consider them, namely:

  • The possible violation must have happened within the past six years.
  • The entity and/or business associate involved falls under HIPAA rules.
  • The action committed by the entity and/or business associate was a violation of a HIPAA rule.
  • The individual submitting the complaint must file it within 180 days of discovering the possible violation.

Compliance reviews, or audits, are another way the OCR enforces HIPAA. It will contact covered entities to make sure their processes are in compliance. This can be part of the investigation of a complaint, or the entity may be selected at random by the office.

If the OCR determines that a covered entity has failed to comply with HIPAA, it will work with the entity through one or more of the following:

  • Voluntary compliance by the covered entity
  • Corrective action
  • A resolution agreement

The specifics of these vary with the nature of the complaint, the violation, and the covered entities involved.

Civil Money Penalties

Unfortunately, some covered entities and/or their business associates may not uphold their end of the bargain with the OCR. When the office determines this is the case, it can impose civil money penalties (CMPs) such as:

  • $100 to $50,000 for each violation the entity committed but “did not know” about.
  • $1,000 to $50,000 for each violation for which the entity had so-called “reasonable cause.”
  • $10,000 to $50,000 for each violation committed through “willful neglect” that was followed by corrective action.
  • A set $50,000 for “willful neglect” without corrective action.

Covered entities and/or business associates may be fined up to a maximum of $1,500,000 for all violations of an identical provision during a calendar year (before inflation).

Criminal Penalties

For more serious violations, the OCR can impose criminal penalties:

  • $50,000 and up to a year of imprisonment for the intentional misuse of PHI.
  • $100,000 and up to five years in prison if false pretenses are involved.
  • $250,000 and up to 10 years in prison for violations committed for personal gain.

Note that the OCR does not work alone in enforcing HIPAA. Besides being able to call upon the full might of the HHS, the OCR can tap the Centers for Medicare and Medicaid Services; both have some enforcement powers in HIPAA cases. The same is true of the U.S. Food and Drug Administration and the Federal Communications Commission. Finally, many state attorneys general can enforce the Act.

Closing Thoughts

The Office of Civil Rights is the answer for those who ask who enforces HIPAA. Part of the U.S. Department of Health and Human Services, the OCR makes sure providers, insurance companies, and other covered entities that fall under HIPAA are in compliance with its rules, and that they are dealt with appropriately when they are not.

Contact an expert at Cybernet if you’re looking to make sure your medical computers and similar equipment are HIPAA-compliant. We may also be able to suggest ways they can assist in your HIPAA-compliance efforts, which may include meeting any OCR-mandated penalties.