Healthcare providers, health plans, healthcare clearinghouses, and business associates of those organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), but what federal department regulates HIPAA and takes action against organizations that fail to comply with HIPAA Rules?
What Federal Department Regulates HIPAA?
HIPAA is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR). With the introduction of the HIPAA Enforcement Rule in March 2006, OCR was given the power to investigate complaints about HIPAA violations. OCR was also given the right to issue civil monetary penalties if HIPAA-covered entities were found to have violated HIPAA Rules.
While OCR has had the power to issue financial penalties since 2006, it has been relatively rare for HIPAA violations to result in financial penalties. Over the years since the Enforcement Rule was passed, OCR has steadily increased enforcement of HIPAA Rules, although it has only been in the past four years that financial penalties for HIPAA violations have become more common.
Since the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, OCR has been required to publish details of data breaches. The list of breach reports, often referred to as OCR’s ‘Wall of Shame’, charts a steady rise in healthcare data breaches year on year.
As the number of data breaches and reports of HIPAA violations grew, OCR came under increasing pressure to enforce HIPAA Rules more vigorously. The first phase of HIPAA compliance audits in 2011/2012 also revealed widespread noncompliance with the HIPAA Privacy, Security, and Breach Notification Rules.
The past three years have seen record-breaking numbers of HIPAA settlements reached with covered entities for failure to comply with HIPAA Rules. In 2016, there were 12 settlements reached with covered entities and 1 civil monetary penalty issued.
The issuing of financial penalties is only a small part of OCR’s role in regulating HIPAA. OCR often resolves HIPAA violations by issuing technical guidance to covered entities to help them address specific aspects of HIPAA Rules. OCR also regularly releases guidance to confirm how HIPAA applies to particular situations and new technologies.
State Attorneys General Also Assist with HIPAA Enforcement
The HITECH Act gave state attorneys general the power to assist OCR with HIPAA enforcement and take action against HIPAA-covered entities and their business associates that violated the privacy of residents of their respective states.
There have only been a handful of financial penalties issued by state attorneys general for HIPAA violations since 2009, with the majority of states choosing not to exercise their HIPAA enforcement rights. In many cases, when HIPAA Rules are discovered to have been violated, state attorneys general choose to act on violations of state laws rather than HIPAA. To date, HIPAA penalties have only been issued by state attorneys general in Connecticut, Massachusetts, New York, Minnesota, and Vermont.