Who enforces HIPAA? And how to ensure your business is compliant?


Vector Representation of HIPAA Compliance
Who Enforces HIPAA + How To Make Sure Your Business Is Compliant

Anthem, an America-based healthcare industry, was fined $16 million in 2018 for violating HIPAA compliance. It's the largest HIPAA violation penalty ever.


So, to avoid penalties, healthcare organizations must ensure they keep the patient's sensitive information safe.


This article explains who oversees enforcing the HIPAA Rules, the various levels of fines for violations, and how to protect your organization from those penalties.


Who enforces HIPAA?

The Department of Health and Human Services (HSS) Office for Civil Rights (OCR) is the primary enforcer of HIPAA Security and Privacy Rules.


However, to some degree, other organizations, such as the Centers for Medicare and Medicaid Services (CMS), the U.S. Food and Drug Administration (FDA), and the Federal Communications Commission (FCC), have participated in HIPAA enforcement. In addition, the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009 granted state attorneys general the power to enforce HIPAA Rules.



How did HHS office for civil rights enforced HIPAA?

The HHS Office for Civil Rights analyzes all data breaches reported by covered entities and business associates if a data breach impacts more than 500 individuals. At times, more minor data breaches are investigated, especially when several small breaches of a similar nature have been reported that could indicate compliance failures.


OCR also investigates HIPAA complaints filed by patients and employees of HIPAA-covered entities over suspected HIPAA violations. OCR investigates complaints, conducts compliance reviews, and educates relevant entities about compliance requirements. It can also levy penalties against non-compliant entities if needed.


When HIPAA violations are discovered, OCR can take actions like investigating complaints, conducting compliance reviews, educating relevant entities about compliance requirements, and levying penalties against non-compliant entities if needed.


OCR classifies HIPAA violations into four groups based on their severity as follows:


Lack of Knowledge

The covered entity was unaware of a violation that could not have been realistically avoided.


Reasonable Cause

A violation that the covered entity expects and knows but still couldn’t have avoided. This violation doesn’t yet constitute wilful neglect.


Wilful Neglect, Corrected in 30 Days

A violation is caused directly by “willful neglect” of HIPAA rules in cases where an attempt has been made to correct the violation.


Wilful Neglect, Not Correct in 30 Days

A violation due to wilful neglect of HIPAA rules where the organization was aware of its errors and did not rectify them.



What are OCR’s HIPAA penalties?

Violation fines cap up to $1,500,000 per violation per year. To determine a specific fine within each of these categories, OCR takes the following factors into account:

  • The covered entity’s size

  • The type of data exposed

  • The duration of the violation

  • The number of individuals affected

  • The severity of the damage done

  • The entity’s cooperation with the investigation


As discussed above, HIPAA violation penalties are categorized as below:

Category

Cost per violation

Lack of Knowledge


$100-$50,000


Reasonable Cause


$1,000-$50,000


Wilful Neglect, Corrected in 30 Days


$10,000-$50,000


Wilful Neglect, Not Corrected in 30 Days


> $50,000



What are the tips for maintaining HIPAA compliance?

Although complying with HIPAA saves a lot of time in maintaining Security and Privacy rules, we compiled the most important best practices to help your organization remain compliant.


Employee training

Security & privacy awareness and training are essential in maintaining HIPAA compliance. We recommend that you train your employees once every quarter to follow those policies during the employee onboarding process and on a daily basis.


Enforce a rigid privacy policy

Enforcing a rigid password policy will go a long way in helping to protect Personal Health Information (PHI). Passwords are frequently used to perform the most common tasks in a HIPAA-regulated office, including logging into computers and accessing emails. The passwords should be changed at least once every 90 days.


Conduct self-audits

According to the HSS, self-audits must be conducted at least once a year to remain compliant. Conduct audits of your physical, technical, and administrative safeguards.


Backup of all patient records

All entities covered by HIPAA, including medical practices, must establish and implement procedures to create and maintain retrievable copies of electronic PHI to save themselves during a data breach.



How do I become HIPAA compliant?

Scrut Automation is an innovative and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.


3 views