In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced. The Act contained many new rules for healthcare organizations across the states, so it is worth taking the time to consider which federal departments are responsible for ensuring HIPAA Rules are followed by covered entities and their business associates.
Who Enforces HIPAA?
The primary enforcer of HIPAA Rules is the Department of Health and Human Services' Office for Civil Rights (OCR). However, in 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was incorporated into HIPAA, giving state attorneys general the power to enforce HIPAA Rules. The Centers for Medicare and Medicaid Services (CMS) is also granted some power to enforce HIPAA; however, it is primarily responsible for enforcing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) can also enforce HIPAA with respect to medical devices and may act against healthcare organizations in certain situations.
HIPAA and Office for Civil Rights
As the main enforcer of HIPAA Rules, the Office for Civil Rights investigates all data breaches reported by covered entities and business associates that impact more than 500 individuals. Smaller data breaches are also occasionally investigated if OCR suspects HIPAA violations. The organization also investigates HIPAA complaints filed by patients and employees of HIPAA covered entities.
When HIPAA violations are discovered, there are many ways for OCR to proceed in handling the case. It is preferable for HIPAA violations to be resolved by voluntary compliance by the covered entity, or by issuing technical guidance to help the covered entity comply with HIPAA Rules.
Severe violations of HIPAA Rules, or multiple violations, may result in financial penalties. Financial penalties may also be levied if the covered entity is guilty of persistent non-compliance. These penalties are most commonly settlements, where the covered entity agrees to pay a penalty with no admission of liability. OCR may also impose a civil monetary penalty. If criminal violations of HIPAA Rules are discovered, the case is referred to the Department of Justice.
HIPAA and State Attorneys General
Cases of HIPAA violations are rarely investigated by state attorneys general. If the personal information of state residents has been exposed or patient privacy has been violated, state attorneys general pursue the cases under state laws rather than HIPAA legislation. This route of action is taken because it is more straightforward to act against companies under state laws instead of HIPAA legislation.
Despite the rarity of such actions, a handful of state attorneys general have recently acted against HIPAA-covered entities for HIPAA violations, as permitted by HIPAA and the HITECH Act. These include the attorneys general offices in Connecticut, Massachusetts, New York, Minnesota, and Vermont.