The chief enforcer of HIPAA Rules is the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). However, since the Health Information Technology for Economic and Clinical Health (HITECH) Act was added to HIPAA in 2009, state attorneys general were also allocated the power to enforce HIPAA Rules. The Centers for Medicare and Medicaid Services (CMS) also have some authority and are primarily responsible for enforcing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) can also police HIPAA with respect to medical devices and may act against healthcare organizations in certain instances.
HHS’ Office for Civil Rights Policing HIPAA
As the chief enforcer of HIPAA Rules, the Office for Civil Rights reviews all data breaches reported by covered groups and business associates if they affect more than 500 individuals. Smaller data breaches are also occasionally looked into, if HIPAA violations are thought to be a possibility. OCR also reviews HIPAA complaints submitted by patients and staff of HIPAA covered groups.
When HIPAA violations are identified, OCR can take a number of different courses of action. OCR normally settles HIPAA violations through voluntary compliance or by issuing technical guidance to help the covered entity adhere with HIPAA Rules.
Egregious breaches of HIPAA Rules, numerous violations, and constant non-compliance may result in financial penalties for HIPAA breaches. Financial penalties are normally settlements, where the covered entity opts to pay a penalty with no admission of liability. OCR may also impose a civil monetary penalty. If criminal breaches of HIPAA Rules are identified, the case is referred to the Department of Justice.
State Attorneys General and HIPAA Enforcement by
State attorneys general can enforce HIPAA, although it is rare for cases to be pursued. While all HIPAA violations are treated with respect, sometimes, if the personal data of state residents has been exposed or patient privacy has been violated, state attorneys general chase the cases under state laws rather than HIPAA legislation. There are many reasons for this, but most typically it is because it is easier to take action against companies under state legislation.
That said, a number of state attorneys general have initiated action against HIPAA-covered bodies for HIPAA violations, as stated by HIPAA and the HITECH Act. These include the attorneys general offices located in the following states Connecticut, Massachusetts, New York, Minnesota, and Vermont.