Share this article on:
The HIPAA Enforcement Rule of 2006 – and subsequent amendments attributable to the passage of HITECH – details the procedures for investigating violations of HIPAA and the penalties that the HHS Office for Civil Rights can impose on Covered Entities and Business Associates for failing to comply with the Privacy, Security, and Breach Notification Rules.
In 1996, the passage of HIPAA gave the Secretary of Health and Human Services (HHS) the authority to impose financial penalties for violations of the Administrative Simplification provisions (see Sections 1176 and 1177). The Administrative Simplification provisions led to the publication of the HIPAA Privacy and Security Rules which were enacted in 2002 and 2003 respectively.
The authorization to enforce the HIPAA Privacy and Security Rules (and later, the Breach Notification Rule) was delegated to the HHS´ Office for Civil Rights. However, despite receiving more than 13,000 complaints in the first two years, the Office for Civil Rights failed to bring a single enforcement action – giving Covered Entities the impression that HIPAA compliance was optional rather than mandatory.
The HIPAA Enforcement Rule takes Shape
In 2003, HHS released an Interim Final Rule relating to the “Procedures for Investigations, Imposition of Penalties, and Hearings” (68 FR 18895). Despite describing the Interim Final Rule as the first installment of a HIPAA Enforcement Rule, the document describes the Office for Civil Rights´ approach to enforcement as intending to “seek and promote voluntary compliance with the rules” – further giving the impression HIPAA compliance was optional.
In order to overcome this impression and encourage voluntary compliance with the Privacy and Security Rules, the 2003 Interim HIPAA Enforcement Rule increased the volume of the General Administrative Requirements relating to compliance and investigations (45 CFR § 160 Subpart C) and introduced a new section to the General Administrative Requirements relating to the procedures for investigation (45 CFR § 160 Subpart E).
A further new section was added to the General Administrative Requirements when a later Interim HIPAA Enforcement Rule was published in 2005 (PDF). This new section (45 CFR § 160 Subpart D) explained the basis for issuing a financial penalty and the amounts Covered Entities could be fined for violations of HIPAA. At the time, the maximum penalty per violation was $100, with fines being capped at $25,000 per year for identical violations.
Despite the new section, many public comments were critical of the apparent “policy of nonenforcement” – so much so that when the Final HIPAA Enforcement Rule was published in 2006, the preamble goes to considerable lengths to explain the challenges of enforcing HIPAA and claims that “68 percent [of cases] have been resolved or otherwise closed”. Nonetheless, it was a further three years before a Covered Entity was fined for a violation of HIPAA.
Subsequent Amendments Attributable to HITECH
The passage of the HITECH Act in 2009 had a significant impact on the enforcement of HIPAA. HITECH introduced the HIPAA Breach Notification Rule and new compliance requirements for both Covered Entities and their Business Associates. Compliance with the Security Rule and some elements of the Privacy Rule was extended to Business Associates, and – significantly in the context of the HIPAA Enforcement Rule – the burden of proof was reversed.
Prior to HITECH, the Office for Civil Rights had to prove that an unauthorized disclosure of PHI had resulted in harm before it could issue a financial penalty to a non-compliant Covered Entity. Subsequent to HITECH, Covered Entities and Business Associates have the burden of demonstrating that all required notifications have been made or that a use or disclosure of unsecured PHI did not constitute a breach as defined by 45 CFR § 164.402.
In addition, the previous maximum penalty and penalty cap were scrapped, and a new four-level penalty tier introduced via the HIPAA Final Omnibus Rule of 2013 in which fines would reflect the non-compliant entity´s level of culpability. The minimum and maximum limits in each penalty tier and the annual penalty limit are adjusted annually to account for inflation. The current penalty limits are:
How Enforcement Changed in the Post-HITECH Era
The HITECH amendments started a new era of HIPAA enforcement. From 2014 onwards, the Office for Civil Rights increased the number of investigations into alleged HIPAA violations, gave more technical assistance, issued more Corrective Action Plans, and reached more settlements with offenders. The revenues from the fines were used to provide the Office for Civil Rights with more enforcement resources; and, in 2016, the HIPAA audit program was extended.
Now, in addition to investigating unauthorized disclosures of unsecured PHI, the Office for Civil Rights is able to investigate other types of HIPAA violations. In recent years, the focus has been on non-compliance with Privacy Rule provisions relating to patients´ rights. Although fewer individuals are affected by this type of HIPAA violation – and the fines issued are much less – enforcement action of this nature demonstrates that claims of lax enforcement are no longer justified.
Looking forward, proposed new HIPAA regulations could affect short-term enforcement action. As with all previous HIPAA Rules, Covered Entities and Business Associates will be given a period of time to adjust to any new regulations; and because some of the proposals relax existing HIPAA standards, there is likely to be a number of unintentional violations attributable to misunderstanding the rules that will be resolved by technical assistance rather than Corrective Action Plans and fines.