Who enforces HIPAA? And how to ensure your business is compliant?

Anthem, an America-based healthcare industry, was fined $16 million in 2018 for violating HIPAA compliance. It’s the largest HIPAA violation penalty ever.

So, to avoid penalties, healthcare organizations must ensure they keep the patient’s sensitive information safe.

This article explains who oversees enforcing the HIPAA Rules, the various levels of fines for violations, and how to protect your organization from those penalties.

Who enforces HIPAA?

The Department of Health and Human Services (HSS) Office for Civil Rights (OCR) is the primary enforcer of HIPAA Security and Privacy Rules.

However, to some degree, other organizations, such as the Centers for Medicare and Medicaid Services (CMS), the U.S. Food and Drug Administration (FDA), and the Federal Communications Commission (FCC), have participated in HIPAA enforcement. In addition, the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009 granted state attorneys general the power to enforce HIPAA Rules.

How did HHS office for civil rights enforced HIPAA?

The HHS Office for Civil Rights analyzes all data breaches reported by covered entities and business associates if a data breach impacts more than 500 individuals. At times, more minor data breaches are investigated, especially when several small breaches of a similar nature have been reported that could indicate compliance failures.

OCR also investigates HIPAA complaints filed by patients and employees of HIPAA-covered entities over suspected HIPAA violations. OCR investigates complaints, conducts compliance reviews, and educates relevant entities about compliance requirements. It can also levy penalties against non-compliant entities if needed.

When HIPAA violations are discovered, OCR can take actions like investigating complaints, conducting compliance reviews, educating relevant entities about compliance requirements, and levying penalties against non-compliant entities if needed.

OCR classifies HIPAA violations into four groups based on their severity as follows:

1. Lack of knowledge

The covered entity was unaware of a violation that could not have been realistically avoided.

2. Reasonable cause

A violation that the covered entity expects and knows but still couldn’t have avoided. This violation doesn’t yet constitute wilful neglect.

3. Wilful neglect, corrected in 30 days

A violation is caused directly by “willful neglect” of HIPAA rules in cases where an attempt has been made to correct the violation.

4. Wilful neglect, not correct in 30 days

A violation due to wilful neglect of HIPAA rules where the organization was aware of its errors and did not rectify them.

What are OCR’s HIPAA penalties?

Violation fines cap up to $1,500,000 per violation per year. To determine a specific fine within each of these categories, OCR takes the following factors into account:

  • The covered entity’s size
  • The type of data exposed
  • The duration of the violation
  • The number of individuals affected
  • The severity of the damage done
  • The entity’s cooperation with the investigation

As discussed above, HIPAA violation penalties are categorized as below:

CategoryCost per violation
Lack of Knowledge$100-$50,000
Reasonable Cause$1,000-$50,000
Wilful Neglect, Corrected in 30 Days$10,000-$50,000
Wilful Neglect, Not Corrected in 30 Days> $50,000

What are the tips for maintaining HIPAA compliance?

Although complying with HIPAA saves a lot of time in maintaining Security and Privacy rules, we compiled the most important best practices to help your organization remain compliant.

1. Employee training

Security & privacy awareness and training are essential in maintaining HIPAA compliance. We recommend that you train your employees once every quarter to follow those policies during the employee onboarding process and on a daily basis.

2. Enforce a rigid privacy policy

Enforcing a rigid password policy will go a long way in helping to protect Personal Health Information (PHI). Passwords are frequently used to perform the most common tasks in a HIPAA-regulated office, including logging into computers and accessing emails. The passwords should be changed at least once every 90 days.

3. Conduct self-audits

According to the HSS, self-audits must be conducted at least once a year to remain compliant. Conduct audits of your physical, technical, and administrative safeguards.

4. Backup of all patient records

All entities covered by HIPAA, including medical practices, must establish and implement procedures to create and maintain retrievable copies of electronic PHI to save themselves during a data breach.

How do I become HIPAA compliant?

Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.

Stay up to date

Get the latest content and updates in information security and compliance delivered to straight to your inbox.

Book Your Free Consultation Call

Stay up to date

Get the latest content and updates in information security and compliance delivered to straight to your inbox.

Book Your Free Consultation Call

Related Posts

In today’s digital world, data is currency. Businesses use the personal information […]

Pursuing and getting compliant with a proven security control framework is very […]

ISO 27001 certification requires a substantial amount of time, energy, and money. […]