Gazelle Consulting

Who Enforces HIPAA?

The Specter of HIPAA Enforcement

Who enforces HIPAA rules?

HIPAA, which stands for the Health Insurance Portability and Accountability Act, is enforced by the Office for Civil Rights (OCR), which is an arm of the Department of Health and Human Services (HHS).

Phew, now that we’ve gotten the acronyms out of the way…

Background on HIPAA Enforcement

Prior to 2003, the HIPAA laws had no enforcement provisions, meaning that while the HHS had issued Privacy and Security rules, they were really just asking nicely for providers to comply. This gave HIPAA the unfortunate reputation of being a law that healthcare businesses didn’t have to take seriously.

However, in 2003, the federal government issued the Enforcement Rule, which gave the OCR the authority to enforce HIPAA through an ongoing enforcement program and the option to issue fines of up to $1.5 million per violation per year.

Over the past decade, HIPAA enforcement has been a bit of a slow burn as the OCR works to change misconceptions that HIPAA has “no teeth.” Ultimately, the OCR’s goal is to increase compliance with HIPAA, not to punish healthcare providers. Their enforcement activities have ramped up slowly, with warning shots and opportunities for redemption.

OCR’s Enforcement Program

The OCR’s materials, which can be accessed on the HHS website, include training resources for providers as well as regular reports about breaches and enforcement activities.

The OCR investigates and responds to every complaint that it receives, and may initiate an audit based on media reports or breach notifications. If an audit is initiated, the OCR may require an organization to submit documentation of all of its compliance activities, from training to risk assessments to physical security controls.

The OCR reserves the right to issue corrective action plans (CAPs) to organizations and give them time to cure gaps. However, if willful negligence of the law is identified, the OCR may go straight to its final enforcement option: fines.

OCR’s Enforcement Process

Since 2003, the rate of enforcement has steadily increased each year, with the OCR issuing fines to more diverse entities including small practices, Business Associates, and Hybrid Entities. As of the date of this writing in 2018, the OCR has issued nearly $25 million in fines, which is up from $20 million in 2017, $23 million in 2016, and $5 million in 2015.

Takeaways

  • Enforcement is heating up in the Healthcare Industry – Get your compliance in check TODAY.
  • The OCR enforcement process starts with complaints. Make sure you have an internal complaints process where patients can address compliance concerns with you directly.
  • Prepare your documentation for an audit, including policies and procedures, risk assessment, training documentation, and logs of all compliance controls and information systems that contain Protected Health Information (PHI).

Does all this talk of OCR enforcement give you serious compliance anxiety?

Gazelle Consulting is here to help! Call us today at (503) 389-5666. We can answer all of your HIPAA compliance questions and help you feel as confident as a lion in a grassy savanna.

