If there aren’t repercussions for breaking laws or rules, there’s no point in having them at all. For example, if you drive over the speed limit, the police give you a ticket, which may result in fines. If a child breaks the rules at school, the principal suspends them. Likewise, if a covered entity or business associate does not comply with HIPAA, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) determines the punitive measures. And remember, business associates and their subcontractors have the SAME requirements under HIPAA as covered entities. State attorneys general can also impose fines for HIPAA violations.
How does HHS OCR enforce HIPAA?
In 2017 alone, OCR collected $19,393,000 in fines from covered entities and business associates to resolve HIPAA violations. OCR is responsible for investigating all filed complaints, conducting compliance reviews to make sure covered entities are in compliance, and performing education and outreach to encourage compliance. Once OCR decides to investigate a complaint, it notifies both the person who filed the complaint and the organization named in it. Both parties are then asked for information about the incident described in the complaint. By law, covered entities must cooperate with complaint investigations. If a complaint describes an action that could violate the criminal provision of HIPAA (42 U.S.C. § 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.1
After reviewing the information and evidence in each case, OCR determines whether the organization violated the requirements of the HIPAA Privacy or Security Rule. If OCR concludes that a violation occurred, it seeks voluntary compliance from the organization, corrective action, and/or a resolution agreement. Most Privacy and Security Rule investigations end in a resolution agreement, after which OCR notifies both the person who filed the complaint and the organization of the result.
When an organization doesn’t comply, OCR may impose civil money penalties (CMPs). An organization that is fined can have an HHS administrative law judge decide whether the penalties are supported by the evidence in the case. Any CMPs collected are deposited in the U.S. Treasury.2
What about enforcement from State Attorneys General?
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions for violations of the HIPAA Privacy and Security Rules on behalf of state residents. As a result, an entity might face a double dose of violations and fines, from OCR and from its state, or it might receive no penalty from OCR but still be penalized by its state’s attorney general.
The first attorney general HIPAA fine was issued by the Connecticut Attorney General’s office on July 6, 2010.3 Although state attorneys general were slow to bring actions in earlier years, they have increasingly pursued violators to protect their state residents. For example, 2017 saw several notable settlements with healthcare organizations and business associates, including a $2 million fine issued to Cottage Health System by the California Attorney General.4
HIPAA Enforcement in 2018 and Beyond
Are all aspects of the HIPAA rules still as relevant today as they were when they were first introduced? HHS is trying to minimize duplicated and burdensome requirements and to eliminate outdated restrictions and obsolete regulations. That’s a welcome change for overworked personnel who strive for HIPAA compliance.
Roger Severino, Director of the Office for Civil Rights at the U.S. Department of Health and Human Services, presented at the HIMSS conference in early March 2018 on HIPAA compliance, enforcement, and policy updates from the Office for Civil Rights. Severino stated that OCR will continue to pursue settlements with HIPAA covered organizations for “egregious violations” of the HIPAA Rules. Although the current administration does not want to introduce new regulation, Severino said there will be “no slowdown in our enforcement efforts,” and “we’re still looking for big, juicy, egregious cases,”5 noting that these cases can come from large and small organizations alike. Severino asked organizations to embrace compliance so that OCR is not forced to keep punishing them. Financial penalties for common HIPAA violations are expected to continue.
HHS says its goals are “streamlining its regulations” while promoting “meaningful information sharing.”6
Your 2018 HIPAA Compliance Plan
Above all, make 2018 your year to excel in HIPAA compliance. While there are several steps to take to achieve total compliance, one of the most important actions you can take is to stop issues before they start. First, conduct a risk assessment, and review the types of recurring compliance issues HHS OCR sees on an ongoing basis so you know where to look. Second, make it a priority to mitigate those types of risks. Based on Severino’s presentation at HIMSS 2018, the most common HIPAA issues include7:
- Business Associate Agreements
- Risk Assessments
- Failure to Manage Identified Risk (e.g., failing to encrypt)
- Lack of Transmission Security
- Lack of Appropriate Auditing
- No Patching of Software
- Insider Threat
- Improper Disposal
- Insufficient Data Backup and Contingency Planning
Compliance issues that occurred frequently in 2017 include8:
- Delayed Breach Notification to Patients
- Not securing PHI on portable devices
In conclusion, you must make HIPAA compliance a perpetual activity in your organization. It’s an ongoing process that requires constant attention. Revisit our A Year in the Life of HIPAA blog post to see what you need to do on a yearly basis to stay ahead of the game. Above all, keeping HIPAA compliance at the top of your to-do list sets your organization up for both cyber and financial security.