Who enforces HIPAA?

The Health Insurance Portability and Accountability Act of 1996 placed a number of strict requirements on healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities in order to safeguard the Protected Health Information (PHI) of patients. The Department of Health and Human Services’ Office for Civil Rights (OCR) is the primary body responsible for the enforcement of HIPAA. The Enforcement Final Rule of 2006 granted OCR the ability to issue financial penalties (or action plans) to CEs that fail to ensure HIPAA compliance in their organisation.

Other organisations also have the power to enforce HIPAA in certain circumstances. The incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009 granted state attorneys general the power to enforce HIPAA Rules. The Food and Drug Administration can enforce HIPAA in situations involving medical devices.

OCR and HIPAA Enforcement

HIPAA enforcers can levy significant financial penalties against healthcare providers, health plans, healthcare clearinghouses that they find in violating HIPAA’s Rules. The OCR also has the power to prosecute the business associates of these organisations if they are HIPAA non-compliant.

The penalty structure for HIPAA violations is divided into several different tiers. The tiers are divided based on many different factors, including the size of the organisation, if appropriate safeguards were in place before the violation, and if the organisation had any knowledge of the breach. The OCR will set the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

The categories of HIPAA violation are as follows:

• Category 1: A violation that the CE was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
• Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
• Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
• Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

The OCR has the power to waive a fee if the CE in question could not have been expected to avoid a data breach, a so-called “unknown violation”.

HIPAA Violation Penalty Structure

The OCR considers a wide range of factors when determining the appropriate penalty to be levied against a CE. This includes the length of time over which violation occurred, the number of people affected, and the nature of the data exposed, the financial means of the organisation, and how much damage had been done by the breach. The OCR also considers the organisation’s willingness to assist with the investigation. The maximum fine per violation category, per year, is $1,500,000. The fines are issued per violation category, per year that the violation was allowed to persist.

The fines per category are:

• Category 1: Minimum fine of $100 per violation up to $50,000
• Category 2: Minimum fine of $1,000 per violation up to $50,000
• Category 3: Minimum fine of $10,000 per violation up to $50,000
• Category 4: Minimum fine of $50,000 per violation

Fines may also be levied against an organisation depending on how many days over which the violation occurred, instead of by the number of patients affected. For example, if a CE has been denying patients the right to obtain copies of their medical records, and had been doing so for one year, the OCR may decide to apply a penalty per day that the CE has violated the law. Therefore, in this case, the penalty would be multiplied by 365.

Attorney Generals and HIPAA Enforcement

In February 2009, the HITECH Act (Section 13410(e) (1)) awarded state Attorney Generals the power to enforce HIPAA for data breaches occurring in their state. This act also allowed Attorney Generals have the power to file civil actions with the federal district courts. Statutory damages can be issued up to a maximum level of $25,000 per violation category, per the calendar year. The minimum fine applicable is $100 per violation.

Although AGs have had the power to enforce HIPAA for a decade, only a few U.S states – Connecticut, Massachusetts, Indiana, Vermont and Minnesota – have used this power. Recently, AG offices have been granted the power to retain a certain amount of fines issued against CEs, which may incentivise AGs to become more involved in HIPAA enforcement.