Who enforces HIPAA?


The answer to the question who enforces HIPAA is “it depends”. This is because different agencies enforce different parts of the Health Insurance Portability and Accountability Act, and also because each organization subject to HIPAA should have a Privacy and/or Security Officer responsible for enforcing HIPAA within the organization.

HIPAA is a complex piece of legislation covering multiple topics. Originally proposed to reform the health insurance industry, much of HIPAA is dedicated to expanding the Employee Retirement Income Security Act of 1974 (ERISA) to increase the portability of health insurance between jobs, prohibit discrimination due to health status, and guarantee renewability in multiemployer plans.

Because the health insurance reforms take up the majority of HIPAA's 169 pages, it could be argued that the answer to who enforces HIPAA is the same group of agencies that enforce ERISA – the Labor Department’s Employee Benefits Security Administration, the Treasury Department’s Internal Revenue Service, and the Pension Benefit Guaranty Corporation.

However, most people don't think of HIPAA for its health insurance reforms, but rather for the Rules that resulted from the legislation to reduce fraud and abuse in the healthcare and health insurance industries, to protect the privacy of individually identifiable health information, and to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI).

These Rules can be found in the HIPAA Administrative Simplification Regulation Text – Parts 160, 162 and 164 of the Administrative Data Standards and Related Requirements, which form the part of the Code of Federal Regulations relating to Public Welfare administered by the Department of Health and Human Services (HHS). The enforcement of these Parts is delegated to two agencies within HHS – the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR).

The Roles of CMS and OCR in HIPAA Enforcement

HIPAA instructed the Secretary of Health and Human Services to standardize transactions between healthcare providers and health insurers to resolve scenarios in which the same transaction code could apply to different procedures. The publication of the General Provisions for Transactions had the impact of simplifying the administration of eligibility checks, treatment authorizations, and payment claims and increased efficiency in the healthcare and health insurance industries.

To ensure the correct use of transaction codes, the Centers for Medicare and Medicaid Services was delegated the authority to enforce the HIPAA General Provisions. The agency runs an ongoing compliance review program and has the power to impose Corrective Action Plans and Civil Monetary Penalties for non-compliance with the HIPAA General Provisions – although the most frequent course of action is to support non-compliant organizations with technical assistance.

The role of the Office for Civil Rights in HIPAA enforcement is much more high-profile. Complaints about violations of the Privacy Rule can be sent to OCR (or escalated to OCR if a complaint to an organization is not responded to), most breaches of unsecured PHI have to be notified to OCR (some are reported to the Federal Trade Commission – see below), and the agency has the authority to conduct HIPAA compliance audits on randomly chosen organizations.

The Office for Civil Rights has the authority to impose Corrective Action Plans and Civil Monetary Penalties on non-compliant Covered Entities and Business Associates, but most often resolves complaints and breach investigations via technical assistance. To date (October 2022), the agency has enforced HIPAA compliance in more than 100,000 cases but has only imposed Civil Monetary Penalties or reached a financial settlement with a non-compliant organization 126 times.

Other Agencies Involved in Enforcing HIPAA

As well as CMS and OCR, another agency that enforces HIPAA – albeit through the Social Security Act – is the Department of Justice. The Department of Justice receives cases to investigate if, on review, the Office for Civil Rights identifies a wrongful disclosure of individually identifiable health information contrary to §1320d-6 of the Social Security Act. The Department of Justice can issue fines of up to $250,000 and pursue jail sentences of up to 10 years under the Act.

Additionally, it was mentioned above that most breaches of unsecured PHI have to be reported to OCR, but some are reported to the Federal Trade Commission. This is because not every organization that creates, receives, maintains, or transmits individually identifiable health information is a Covered Entity or Business Associate under HIPAA (for example, vendors of personal health devices); and every organization that is not covered by HIPAA must report data breaches to the FTC.

Organizations that fail to report data breaches in compliance with the Breach Notification Rule can be fined by the Federal Trade Commission and by state Attorneys General – who also have the authority to bring HIPAA enforcement action against non-compliant Covered Entities and Business Associates for violations of the Privacy and Security Rules. Many state Attorneys General maintain online portals through which individuals can submit complaints about non-compliant organizations.

In some states, District Attorneys also have the authority to enforce HIPAA or a state law that preempts HIPAA. For example, in California, the California Privacy Rights Act has much stronger privacy protections than HIPAA and many more individual rights. Covered Entities and Business Associates that provide a service for residents of states with laws that preempt HIPAA may need to be more concerned about who enforces state laws than who enforces HIPAA!

Who Enforces HIPAA within Organizations?

In organizations, who enforces HIPAA is clearly stipulated in the Privacy and Security Rules. In the Privacy Rule, §164.530 states that “a Covered Entity must designate a Privacy Official who is responsible for the development and implementation of policies and procedures”. The Privacy Official (more commonly known as a HIPAA Privacy Officer) is also responsible for receiving complaints from patients and plan members, and their contact details must appear in Notices of Privacy Practices.

Similarly, in the Security Rule, §164.308 states that Covered Entities and Business Associates must “identify the Security Official who is responsible for the development and implementation of the policies and procedures required by this subpart (the Security Rule)”. As Business Associates are not required to designate a Privacy Officer (although it is a good idea to do so), the person identified as the Security Official is responsible for HIPAA compliance for the whole organization.

Although the clauses of the Privacy and Security Rules do not specify who enforces HIPAA, it is safe to assume this comes under the remit of Privacy and/or Security Officers. This is because the persons in these roles are responsible for workforce training and for the enforcement of a sanctions policy for violations of HIPAA-related policies and procedures. Therefore, effectively, the Privacy and/or Security Officer is responsible for developing, implementing, and enforcing policies and procedures.

In larger organizations, it may be necessary to delegate the enforcement of HIPAA to line managers and team supervisors because it is humanly impossible to monitor every workforce member's compliance simultaneously. Nonetheless, in the eyes of the Department of Health and Human Services, the Department of Justice, the Federal Trade Commission, and state Attorneys General, the person designated as Privacy Official is responsible for enforcing HIPAA within an organization.

HIPAA Enforcement: FAQ

What is the role of the HIPAA Privacy Officer?

The HIPAA Privacy Officer oversees HIPAA compliance within a covered entity. If a HIPAA violation occurs, it should first be reported to the HIPAA Privacy Officer, who can then assess the extent and nature of the violation. The Privacy Officer also acts as a point of contact for patients and plan members who wish to make a HIPAA-related complaint or ask a HIPAA-related question.

What are HIPAA breaches?

A HIPAA breach is any event that results in an impermissible use or disclosure of unsecured Protected Health Information. All HIPAA breaches have to be notified to the affected individual(s) and to HHS' Office for Civil Rights. HIPAA breaches affecting five hundred or more individuals must also be notified to a local media outlet.

How often are HIPAA audits conducted?

In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 Covered Entities to comply with HIPAA’s requirements. A second round of audits took place in 2016, and the program was intended to be ongoing until it was interrupted by the COVID-19 pandemic. It is not currently known when the program will resume.

Do all HIPAA violations result in a fine?

No. Many HIPAA violations are never reported to OCR because they do not constitute a reportable event or because a patient or plan member has complained directly to the organization. Of more than 100,000 cases that have been reviewed by OCR, only 126 have resulted in a fine or a financial settlement. The rest have been resolved by technical assistance or a Corrective Action Plan.

Who pursues HIPAA criminal charges?

Ultimately, filing criminal charges for HIPAA violations falls within the remit of the Department of Justice. OCR can refer a case to the DoJ if it believes a HIPAA violation or data breach is attributable to a knowing and wrongful disclosure of individually identifiable health information for personal gain, for commercial advantage, or to cause malicious harm to the person(s) whose information was disclosed.

Who is responsible for HIPAA enforcement?

Initially, Privacy and Security Officers are responsible for HIPAA enforcement. However, if complaints are escalated to CMS, OCR, or state Attorneys General, these agencies become responsible for HIPAA enforcement.

Which entity enforces HIPAA?

No single “entity” enforces HIPAA. The enforcement of the HIPAA Rules is shared between the Centers for Medicare and Medicaid Services, the Office for Civil Rights, the Department of Justice, and the Federal Trade Commission. Enforcement measures can also be taken by state Attorneys General, while the enforcement of HIPAA policies and procedures is the responsibility of each organization’s Privacy and/or Security Officer.

Who regulates HIPAA?

The Department of Health and Human Services regulates HIPAA inasmuch as the department is responsible for publishing and amending the HIPAA Rules. However, before publishing or amending any HIPAA Rules, the department consults stakeholders in the healthcare and health insurance industries via Requests for Information (RFIs) and Notices of Proposed Rulemaking (NPRMs).

What agency enforces HIPAA’s Security Rule?

HIPAA’s Security Rule should be enforced internally by the organization’s Security Officer. However, if a breach of unsecured PHI occurs due to a security incident, the breach must be reported to OCR – at which point OCR assumes responsibility for investigating the incident and – if a violation of HIPAA is identified – enforcing HIPAA’s Security Rule.

Who enforces the HIPAA Privacy Rules?

Again, the HIPAA Privacy Rules should be enforced by the organization's Privacy Officer or a designated manager or supervisor. Thereafter, depending on where a complaint or HIPAA violation is reported, OCR or state Attorneys General become responsible for enforcing the HIPAA Privacy Rules. In some cases, the two agencies will work together to resolve a case more quickly.

Who oversees HIPAA compliance with the Breach Notification Rule?

In the majority of cases, OCR oversees compliance with the Breach Notification Rule. However, if an organization that is not a HIPAA Covered Entity or Business Associate experiences a breach of unsecured individually identifiable health information, the breach must be reported to the Federal Trade Commission under Section 5 of the Federal Trade Commission Act.

Who is responsible for HIPAA enforcement within small practices?

In small practices, it is often the case that the resources do not exist to designate separate Privacy and Security Officers. In such cases, both roles can be assigned to the same person, who will ideally be familiar with IT security in order to implement measures that satisfy the requirements of the Security Rule's Technical Safeguards.

Who mandated HIPAA?

Because HIPAA is a complex piece of legislation covering multiple topics there were many people involved in developing HIPAA over many years. Some people attribute the passage of HIPAA to Senators Ted Kennedy and Nancy Kassebaum, but their version of the Act was rejected by the Senate in favor of a companion bill introduced by Representative Bill Archer. Ultimately, HIPAA was “mandated” (signed into law) by President Bill Clinton on August 21, 1996.