HIPAA, which stands for the Health Insurance Portability and Accountability Act, is enforced by the Office for Civil Rights (OCR), which is an arm of the Department of Health and Human Services (HHS). Phew, now that we’ve gotten the acronyms out of the way…
Prior to 2003, the HIPAA laws had no enforcement provisions, meaning that while the HHS had issued Privacy and Security rules, they were really just asking nicely for providers to comply. This gave HIPAA the unfortunate reputation of being a law that healthcare businesses didn’t have to take seriously. However, in 2003, the federal government issued the Enforcement Rule, which gave the OCR the authority to enforce HIPAA through an ongoing enforcement program and the option to issue fines of up to $1.5 million per violation per year.
Over the past decade, HIPAA enforcement has been a bit of a slow burn as the OCR works to change misconceptions that HIPAA has “no teeth.” Ultimately, the OCR’s goal is to increase compliance with HIPAA, not to punish healthcare providers. Their enforcement activities have ramped up slowly, with warning shots and opportunities for redemption.
The OCR’s Enforcement program starts with community outreach and education. Their materials, which can be accessed on the HHS website, include training resources for providers as well as regular reports about breaches and enforcement activities. Next, the OCR investigates and responds to every complaint that they receive, and may initiate an audit based on media reports or breach notifications. If an audit is initiated, the OCR may require an organization to submit documentation of all of their compliance activities, from training to risk assessments to physical security controls. The OCR reserves the right to issue corrective action plans (CAPs) to organizations and give them time to cure gaps. However, if willful negligence of the law is identified, they may go straight to their final enforcement option: fines.
OCR's Enforcement Program
Since 2003, the rate of enforcement has steadily increased each year, with the OCR issuing fines to a more diverse set of entities, including small practices, Business Associates, and Hybrid Entities. So far in 2018 the OCR has issued nearly $25 million in fines, which is up from $20 million in 2017, $23 million in 2016, and $5 million in 2015.
- Enforcement is heating up in the healthcare industry – get your compliance in check TODAY.
- The OCR enforcement process starts with complaints. Make sure you have an internal complaints process where patients can address compliance concerns with you directly.
- Prepare your documentation for an audit, including policies and procedures, risk assessment, training documentation, and logs of all compliance controls and information systems that contain Protected Health Information (PHI).