The Health Insurance Portability and Accountability Act, better known as HIPAA, is an important piece of legislation governing many aspects related to healthcare, but who enforces HIPAA? Which federal departments or bureaus are concerned with checking that covered entities and their business associates are acting in compliance with HIPAA Rules?
Who Enforces HIPAA?
The chief entity responsible for enforcing HIPAA is the Department of Health and Human Services’ Office for Civil Rights (OCR). Certain powers were granted to state attorneys general under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HIPAA administrative simplification is largely monitored by the Centers for Medicare and Medicaid Services (CMS). Finally, medical devices and a number specific situations can be dealt with by the U.S. Food and Drug Administration (FDA).
The OCR and HIPAA Enforcement
The OCR is responsible for investigating all data breaches affecting over 500 people once they have been reported by a covered entity or business associate. Other incidents may be investigated if it is thought that a HIPAA violation may have occurred, even if fewer people were impacted. HIPAA complaints reported by patients and staff members of covered entities are also subject to OCR investigation.
On discovery of a HIPAA violation, the OCR has a number of options. Voluntary compliance from covered entities and publication of technical advice seems to be the OCR’s preferred manner to solve HIPAA violations.
More severe, repeated, or numerous violations can lead to the OCR imposing financial sanctions on offenders. These most often take the form of settlements where alleged violators pay the OCR but do not have to admit liability. Civil monetary penalties can also be sought by the OCR. The Department of Justice is tasked with handling cases where criminal HIPAA violations are found to have occurred.
State Attorneys General and HIPAA Enforcement
While uncommon, state attorneys general can enforce HIPAA Rules. Even though HIPAA violations are always taken seriously, should the violation impact the people of a certain state, state attorneys general may seek to prosecute the offender under state law instead of under HIPAA. There are many reasons why this may be the case, but it is often just simpler to pursue companies under state law.
Despite the potentially easier approach, a number of state attorneys general have brought charges against companies for HIPAA violations under HIPAA and HITECH laws. These cases have occurred in Connecticut, Massachusetts, New York, Minnesota, and Vermont.