
WHO ENFORCES HIPAA?

Enforcement of HIPAA is primarily carried out by the Office for Civil Rights (OCR), which is part of the U.S. Department of Health and Human Services (HHS). The OCR is responsible for ensuring compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The Health Insurance Portability and Accountability Act of 1996 placed a number of strict requirements on healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities in order to safeguard the Protected Health Information (PHI) of patients. The Enforcement Final Rule of 2006 granted OCR the ability to issue financial penalties (or corrective action plans) to covered entities (CEs) that fail to ensure HIPAA compliance in their organisation.

Other organisations also have the power to enforce HIPAA in certain circumstances. The incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009 granted state attorneys general the power to enforce HIPAA Rules. The Food and Drug Administration can enforce HIPAA in situations involving medical devices.


OCR and HIPAA Enforcement

HIPAA enforcers can levy significant financial penalties against healthcare providers, health plans, and healthcare clearinghouses that they find in violation of HIPAA’s Rules. The OCR also has the power to take action against the business associates of these organisations if they are HIPAA non-compliant.

The penalty structure for HIPAA violations is divided into several tiers. The tiers are distinguished by many different factors, including the size of the organisation, whether appropriate safeguards were in place before the violation, and whether the organisation had any knowledge of the breach. The OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

Visit us at compliancehome.com for more details.
