Who enforces HIPAA regulations?

The Health Insurance Portability and Accountability Act (HIPAA) is a US legislation with regulations dictating the use of patient health information. It’s the cornerstone of preserving the privacy of patients’ protected health information (PHI) from unauthorized access. It applies to covered entities like healthcare plans, healthcare clearinghouses, healthcare providers, and business associates that have access to PHI.

Learn who enforces HIPAA regulations and why it’s important to comply with this federal law.

HHS has the following responsibilities for enforcing HIPAA:

Technical assistance

When the Office for Civil Rights (OCR), part of HSS, receives a specific complaint, like failure to restrict access to medical records, it seeks more information on the covered entity’s HIPAA compliance. If the entity takes voluntary steps to improve compliance, HHS provides technical assistance.

For instance, the OCR might offer advice on the measures the covered entity should take to improve compliance. When a covered entity has misinterpreted HIPAA regulations, HHS will provide technical guidance by clarifying the rules.

Corrective action plans

The OCR is tasked with investigating complaints and determining whether healthcare agencies comply with HIPAA regulations. If the OCR identifies a violation, it mandates corrective actions. In some cases, it requires revisions to existing privacy and security practices and additional workforce training.

The agency also carries out risk analysis and develops new policies to avoid future noncompliance issues.

Civil monetary penalties and financial settlements

The OCR can impose fines or penalties if HIPAA guidelines are violated. The monetary penalties and settlements vary depending on the severity and level of negligence. Penalties are broken down into four categories:

Category 1

• The covered entity was involved in the violation but was not aware of it.

• The covered entity tried to comply with HIPAA regulations.

• The violation could not have been avoided.

• A penalty of between $100 and $50,000 is imposed.

Category 2

• The entity was expected to know about the violation.

• The violation could not have been avoided.

• A penalty of between $1,000 and $50,000 is imposed.

Category 3

• The violation occurred due to willful neglect.

• The entity tried to correct its mistakes.

• A fine of between $10,000 and $50,000 is imposed.

Category 4

• The violation occurred due to willful neglect.

• The entity did not take any steps to correct its wrongdoings.

• A penalty of at least $50,000 is imposed.

HIPAA enforcement is a collaborative effort between different agencies. It’s mostly enforced by several state and federal agencies, not the Department of Health and Human Services (HHS). These agencies include the following:

• The Pension Benefit Guaranty Corporation

• The Internal Revenue Service

• The Federal Trade Commission (FTC)

• The Department of Justice (DOJ)

• The Employee Benefits Security Administration

• State attorneys general

Let’s look at some of these agencies in more detail.

The Department of Justice

If the OCR identifies a criminal violation, the complaint will be referred to the US Department of Justice for further investigation. The DOJ is responsible for pursuing criminal convictions.

Under HIPAA, the DOJ imposes criminal penalties for unpermitted disclosure and the use of PHI for malicious intent or personal gain. Intentional misuse of protected personal information results in one year of imprisonment. If false pretense is involved, the individual can be jailed for up to five years.

State attorneys general

State attorneys generally play a role in enforcing HIPAA regulations. They coordinate activities with the OCR that address systemic issues and widespread HIPAA breaches.

State attorneys generally seek civil actions on behalf of citizens who have suffered as a result of HIPAA violations. They are responsible for prosecuting the offender under state law rather than HIPAA.

One of their responsibilities is to obtain damages on behalf of state residents if their rights have been violated. Depending on the severity of the HIPAA violation, penalties of up to $25,000 per violation tier can be imposed.

The Federal Trade Commission

The FTC enforces the Health Breach Notification rule, which requires companies not covered by HIPAA to alert their customers and the media if a breach of unprotected health information occurs.

According to the FTC, the information should be given within 60 calendar days and include a brief of what happened, the kind of information involved, and the suggested steps individuals should take to protect themselves. The companies are also required to give a brief of the steps they are taking as a business to investigate the breach and how people can reach them for more information.

The FTC also enforces consumer protection laws and prohibits companies from misleading consumers. It also takes action against organizations that engage in deceptive practices related to protecting and securing PHI.

Organizations should take steps to avoid violating HIPAA regulations. They should designate a privacy officer who will review HIPAA policies and ensure compliance. The appointed HIPAA officers are responsible for overseeing the development and implementation of HIPAA rules within the organization. Other responsibilities include training the workforce on the confidentiality and integrity of electronic health information.

Financial penalties are often settlements with no publicized admission of liability or civil monetary penalty. An administrative law judge is the person who determines the civil monetary settlement.

HIPAA is a regulation that only applies to covered entities in the US.

The OCR accepts and investigates complaints of potential information breaches.