Who enforces HIPAA? [What you need to know]

Who enforces HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set the standards for the Privacy of Individually Identifiable Health Information. 

The HIPAA law aims at ensuring compliance and protection of personal information collected by a healthcare organization while allowing the safe delivery of high-quality care. 

The protected health information covered under HIPAA relates to any health information tied to an identifiable individual.

HIPAA legislation applies mainly to covered entities such as healthcare providers, including health care providers, health plans and healthcare clearinghouses, their business associates, subcontractors, and hybrid entities. 

What are the core rules that define the HIPAA law?

The five main pillars that define the HIPAA are:

The privacy rule is put in place to ensure that patient’s health information is adequately protected while still allowing the flow of healthcare data between the various providers or parties involved. This rule helps doctors provide and promote quality care for their patients and protect public health safety.

The security rule defines national standards to protect personal information. It requires appropriate administrative, physical and technical safeguards to ensure the confidentiality of electronically protected health information. Safeguards must cover all domains, including computers, mobile devices such as smartphones or tablets with internet access capabilities.

The transaction rule provides a set unified of standards applying to “any health plan, any health care clearinghouse, and any health care provider.” Transactions are defined as “activities involving the transfer of health care information for specific purposes.” 

The identifiers rule requires the use by Healthcare providers of their unique ten digits National Provider Identifier (NPI).

The enforcement rule includes a set of directives for complying with HIPAA requirements, penalizing Covered Entities for violations, and investigating such violations. The rule also sets out the civil penalties imposed by the Department of Health and Human Services.

Who enforces HIPAA at the state and federal levels?

HIPAA enforcement can be both federal and state.

HHS (Department of Health and Human Services) is the ultimate department in charge at the federal level. The Office of Civil Rights (OCR) within the Health Department investigates a potential violation, data breach, or complaint.

Under the Health Information Technology for Clinical and Economic Health (HITECH) Act, state attorneys have the power to open civil actions and seek damages on behalf of the state residents.

The rules are enforced either at the individual level by civil penalties such as damages and/or injunctions or through criminal prosecution if someone knowingly discloses another person’s protected information without authorization to do so.

The Centers for Medicare and Medicaid Services (CMS) also ensures compliance for electronic healthcare transactions. 

Suppose the public health authorities find that a healthcare organization does not comply with HIPAA requirements. In that case, it can entail a $50,000 civil penalty per violation up to $1.5 million per violation category in one year. Financial penalties are divided into 4 Tiers depending on the severity and context of the breach. 

Interestingly, the maximum penalties issued by state attorneys are lower than at the federal level. The maximum allowed penalty allowed under the HITECH act is $25,000 per violation and year.

Who is responsible for enforcing HIPAA at the health provider level? 

It is a legal requirement to ensure that the rules are strictly followed within a HIPAA-covered entity. This mission is devoted to the HIPAA compliance officer. Large organizations will often divide the duties and responsibilities between the HIPAA privacy officer and HIPAA security officer even though a single individual must ultimately be the point of contact for the health authorities or the public if a HIPAA breach is detected or a HIPAA complaint is filed.

The same person can combine both responsibilities. The privacy officer oversees the proper privacy policies, training the personnel, and regularly conducting a compliance review. The security officer is responsible for the proper implementation of technical safeguards.

Even though large organizations do not have to appoint a compliance officer for each state, a thorough knowledge of the individual states’ legal differences is required.

To wrap up

HIPAA’s primary goal is to ensure that health information is appropriately protected while allowing the smooth flow of information between the different entities involved. Ultimately, the public will benefit from these safeguards while receiving quality care.

Enforcing HIPAA is a complex process at the Federal, HHS, and State levels, state attorneys general. 

HIPPA compliance and security officers are in charge of the proper implementation within healthcare providers.

Was this article helpful?