The Health Insurance Portability and Accountability Act (more commonly known as HIPAA) is an important piece of legislation, but who is responsible for HIPAA enforcement? It turns out that the answer is not as straightforward as one might assume.
HIPAA regulates parts of the health care sector and imposes a number of obligations on organizations in this space. Most of these have to do with implementing sufficient processes and procedures to keep patients’ sensitive personal and health data, known as Protected Health Information (PHI), private and secure. Ensuring that this is carried out to the appropriate level falls to a number of different entities.
Who is Responsible for HIPAA Enforcement?
Originally, the enforcement and monitoring of HIPAA compliance was the task of the Department of Health and Human Services’ Office for Civil Rights (OCR). As the law itself evolved and different aspects were introduced, different parties were accorded the ability to police HIPAA rules. A notable change was the integration of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009. When this occurred, state attorneys general received the ability to pursue and prosecute violations of HIPAA.
In addition to these, the Centers for Medicare and Medicaid Services (CMS) have a measure of responsibility when it comes to addressing HIPAA’s administrative simplification regulations. Another agency that has a role in overseeing HIPAA compliance is the US Food and Drug Administration (FDA), which deals with certain issues relating to medical devices, as well as having the power to hold healthcare groups accountable in specific circumstances.
The OCR and HIPAA Enforcement
The OCR remains the original and most active entity in ensuring HIPAA rules are being followed. If an information breach affecting over 500 patients is reported by a HIPAA-covered entity or one of their business associates, it is up to the OCR to investigate. The OCR also reserves the right to look into breaches affecting fewer people if there is sufficient reason to believe that the breached entity is not complying with HIPAA. Members of staff and patients of health care organizations have the ability to report suspected HIPAA violations to the OCR, which can then investigate them.
On discovery of a HIPAA violation, there are several courses of action which the OCR can choose from: they may decide to agree to voluntary compliance action on behalf of the violator, which involves the OCR providing guidance; or they can pursue fines and sanctions against the offender.
Financial punishments are usually reserved for more serious cases where rules are repeatedly broken or even actively disregarded. They often take the form of settlements where an admission of liability or wrongdoing is not required. Some kinds of HIPAA violation can be prosecuted as criminal cases by the Department of Justice.
Attorneys General and HIPAA Enforcement
It is rare for state attorneys general to take on HIPAA violations, although it has happened. More frequently, they find elements of HIPAA cases that can be prosecuted under state law and use this as a basis for a suit. State laws are generally easier to use when taking actions of this kind against companies.