The main enforcer of HIPAA Rules is the Department of Health and Human Services’ Office for Civil Rights (OCR). However, since the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009, state attorneys general have been allocated the power to assist OCR in the enforcement of HIPAA. The Centers for Medicare and Medicaid Services (CMS) also has some policing powers and the U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) have participated in HIPAA enforcement to an extent.
HHS’ Office for Civil Rights & HIPAA Enforcement
The HHS’ Office for Civil Rights reviews all data breaches reported by covered groups and business associates if they affect over 500 individuals. Smaller data breaches are also occasionally investigated, especially if many small breaches of a similar nature have been reported which could suggest compliance failures. OCR also investigates HIPAA complaints filed by patients and employees of HIPAA covered entities over possible HIPAA violations.
OCR reviews covered entities to determine whether there have been any violations of the HIPAA Privacy, Security, and Breach Notification Rules. Not all data breaches happen as a direct result of HIPAA violations. OCR accepts that even fully compliant healthcare groups can only reduce the risk of a data breach to a reasonable level. Data breaches are inevitable and cannot always be prevented. Many complaints are submitted about possible HIPAA breaches, although a large percentage are not substantiated. When an investigation into a data breach or complaint shows no proof of HIPAA violations, the investigation is closed, the findings are documented, and no further action is taken.
When HIPAA violations are identified, OCR can implement a number of different actions. OCR prefers to resolve HIPAA violations through voluntary compliance; that is, the covered entity accepts that HIPAA violations have happened and takes voluntary actions to correct the violation and prevent any repeat offenses.
Minor breaches of HIPAA Rules may be noticed that have been caused by a misinterpretation of HIPAA requirements. HIPAA legislation does not outright state in detail everything that a covered entity must do to comply, and the legislation is technology-agnostic. The HIPAA Security Rule also includes many addressable requirements, which must be considered but may not be appropriate for certain covered entities. HIPAA also includes terms such as ‘reasonable protections’ and ‘reasonable efforts,’ which are somewhat subjective. As a result, there are some gray areas when it comes to HIPAA compliance, and the legislation is, in some parts, open to interpretation.
When these ‘violations’ are noticed, OCR may choose to issue technical guidance to help a covered entity become compliant. When similar violations are discovered at multiple covered entities, OCR may choose to release guidance to clarify what is needed.
Very egregious violations of HIPAA Rules, multiple violations of a similar type, and persistent and widespread non-compliance require more punitive measures and can lead to financial penalties for HIPAA violations. Fines are most commonly settlements, where the covered group agrees to pay a financial penalty with no admission of liability. Far less commonly, OCR imposes a civil monetary penalty (CMP). This takes place when a covered entity is determined to have violated HIPAA, yet the covered entity objects and fights the case. The matter is then presented to an Administrative Law Judge, who will rule on whether HIPAA Rules have indeed been breached and whether a CMP, or the amount of the CMP, is justified.
HIPAA violations can also lead to criminal charges. Criminal violations of HIPAA Rules, such as theft of PHI for financial gain, are sent to the Department of Justice, although criminal charges are relatively rare.
The Office for Civil Rights also carries out HIPAA compliance audits. A pilot audit program was completed in 2011/2012 on a selection of HIPAA-covered entities, and a second round of compliance audits was conducted in 2016/2017. The second phase also included audits of business associates. The compliance audit program is mainly concerned with identifying areas of noncompliance to guide OCR’s enforcement efforts and to help OCR produce pertinent guidance, although a failed audit may lead to further investigation, and financial penalties could be issued.
State Attorneys General & HIPAA Enforcement
HIPAA enforcement by state attorneys general can happen, although since they were given the right to enforce HIPAA compliance it has been relatively rare for cases to be pursued. While all HIPAA violations are treated seriously, in some cases state attorneys general pursue the cases for violations of state statutes rather than breaches of HIPAA Rules. There are various reasons for this, but commonly it is because it is simpler to take action against companies under state laws.
That said, a number of state attorneys general have taken action against HIPAA-covered entities for HIPAA breaches, as mandated by HIPAA and the HITECH Act, and the number of actions has increased in recent years. State attorneys general that have been successful in cases against healthcare groups over HIPAA violations include those of California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, New York, Vermont, and the District of Columbia.
The penalties that can be sanctioned by state attorneys general are much lower than those that can be issued by OCR. The maximum financial penalty permitted under the HITECH Act is $25,000 per identical violation in a calendar year.
Centers for Medicare and Medicaid Services (CMS) & HIPAA Enforcement
The CMS is charged with enforcing compliance with the HIPAA Administrative Simplification Regulations. This is a lesser known role of HIPAA, but one of the main reasons why the legislation was originally introduced. The HIPAA Administrative Simplification Regulations improve efficiency in the healthcare sector, which ultimately helps to drive down the cost of healthcare. The HIPAA Administrative Simplification Regulations require covered groups to implement standards for healthcare transactions, including the use of standard code sets and identifiers.
While the CMS does review complaints about covered entities that are not in compliance with this aspect of HIPAA Rules, its enforcement actions have not yet led to fines. When a violation is discovered, the covered entity is required to voluntarily achieve compliance. Fines would only be issued for continued non-compliance.
In 2019, the CMS revealed that it had begun an audit program to assess compliance with the HIPAA Administrative Simplification Regulations. In April 2019, nine randomly chosen health plans and healthcare clearinghouses were selected for audit, following which random audits will be carried out on further health plans and healthcare clearinghouses. The audit program will also be extended to healthcare suppliers.