After the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law by former President Bill Clinton, the Department of Health and Human Services (DHHS) was charged with its enforcement. Specifically, HIPAA compliance was overseen by the Office for Civil Rights (OCR) within the DHHS. However, the OCR was not able to enforce any of the rules laid out in HIPAA until much later.
When did Enforcement Begin?
Though HIPAA was signed into law, for the first seven years after its introduction there was no real means of enforcement. This changed in 2003, when the Privacy Rule was added to HIPAA. Upon its introduction, the OCR was able to enforce all aspects of the rule and issue corrective actions to covered entities (CEs) found to be breaching the rule.
By contrast, though the Security Rule was first introduced in 2005, the OCR was unable to enforce it until 2009. CEs still had to comply with all the stipulations set out in the Security Rule during that period, but they would not receive financial penalties for non-compliance.
What is the Enforcement Rule?
Introduced in 2006, HIPAA’s Enforcement Rule laid out new guidelines on how HIPAA compliance was to be assessed, and how HIPAA violations were to be punished. It extended the requirement for compliance to Business Associates (BAs), who were previously not treated in the same manner as CEs, established mandatory reporting systems, introduced new civil and criminal penalties and created new privacy and security requirements.
According to the DHHS’ website, there are three main ways in which the OCR enforces HIPAA:
- by investigating complaints filed with it,
- conducting compliance reviews to determine if covered entities are in compliance, and
- performing education and outreach to foster compliance with the Rules’ requirements.
One of the first things the OCR must establish when carrying out investigations is whether a HIPAA violation has occurred. If it finds that one has, it will then try to determine whether the violation was the result of wilful neglect or ignorance, or was simply unavoidable. This will then determine how the OCR proceeds with the rest of the investigation.
The OCR first carried out HIPAA compliance audits in 2011-2012, with surprising results. A large proportion of healthcare organisations were failing to meet HIPAA regulations, leaving hundreds of thousands of patients vulnerable to PHI breaches. Due to the large-scale nature of the problem, the OCR chose not to issue any fines for the violations, instead opting for corrective action plans.
However, in 2016/2017, the OCR started its second round of audits. Though the audits are not a deliberate attempt to find CEs and BAs that are violating HIPAA, they are a part of the OCR's enforcement practices. If a violation is discovered, it can be expected that the OCR will not be so lenient this time.
The audits are also valuable for collecting data on how well organisations of all sizes fare with HIPAA compliance, as the data may point out some common vulnerabilities that can be specifically addressed. This helps the OCR enforce HIPAA via preventative measures, such as outreach or training guidelines.