Who Enforces HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) has made a big impact by introducing rules for healthcare organizations, but who enforces HIPAA? In this report we uncover which federal departments are responsible for ensuring that healthcare entities and their business associates comply with HIPAA Rules.

Who enforces HIPAA?

The main enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was incorporated into HIPAA in 2009, however, state attorneys general have also had the power to enforce HIPAA Rules. Although it does not have the same level of enforcement authority as the previous two, the Centers for Medicare and Medicaid Services (CMS) also has some powers when it comes to HIPAA. CMS is primarily responsible for enforcing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) can also enforce HIPAA with regard to medical devices and can even take action against healthcare organizations in certain situations.

HHS’ Office for Civil Rights HIPAA enforcement

As the Office for Civil Rights is the main enforcer of HIPAA Rules, it is its role to investigate all data breaches reported by covered entities and business associates that affect more than 500 individuals. Smaller data breaches can also occasionally be investigated where HIPAA violations are suspected. OCR also investigates HIPAA complaints filed by patients and by employees of HIPAA covered entities.

Following the discovery of a HIPAA violation, OCR can take several different actions. OCR’s preferred method of resolving HIPAA violations is voluntary compliance, or the issuing of technical guidance to help the covered entity comply with HIPAA Rules.

In cases of extreme breaches of HIPAA Rules, multiple violations, or persistent non-compliance, financial penalties may be imposed on the covered entity. These financial penalties are most commonly settlements, in which the covered entity agrees to pay a penalty but no admission of liability is required. OCR can also impose a civil monetary penalty. Criminal violations of HIPAA Rules are referred to the Department of Justice.

State Attorneys General HIPAA enforcement

Although rare, HIPAA enforcement by state attorneys general is possible, and certain cases can be pursued. All HIPAA violations are treated seriously, but in certain cases, where the personal information of state residents has been exposed or patient privacy has been violated, state attorneys general choose to pursue the cases under state laws rather than HIPAA legislation. There are a number of reasons for this, the most common being that it is more straightforward to take action against companies under state laws.

Although pursuing cases under state law is the most common approach, a handful of state attorneys general have taken action against HIPAA-covered entities for HIPAA violations, as mandated by HIPAA and the HITECH Act. These include the offices of the attorneys general of Connecticut, Massachusetts, New York, Minnesota, and Vermont.