New: 7 top security leaders break down how to manage real AI risk, without slowing down innovation.
September 19, 2022

Who enforces HIPAA? And how to ensure your business is compliant?

Anthem, an America-based healthcare industry, was fined $16 million in 2018 for violating HIPAA compliance. It's the largest HIPAA violation penalty ever.

So, to avoid penalties, healthcare organizations must ensure they keep the patient's sensitive information safe.

This article explains who oversees enforcing the HIPAA Rules, the various levels of fines for violations, and how to protect your organization from those penalties.

Who enforces HIPAA?

The Department of Health and Human Services (HSS) Office for Civil Rights (OCR) is the primary enforcer of HIPAA Security and Privacy Rules.

However, to some degree, other organizations, such as the Centers for Medicare and Medicaid Services (CMS), the U.S. Food and Drug Administration (FDA), and the Federal Communications Commission (FCC), have participated in HIPAA enforcement. In addition, the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act into HIPAA in 2009 granted state attorneys general the power to enforce HIPAA Rules.

How did HHS office for civil rights enforced HIPAA?

The HHS Office for Civil Rights analyzes all data breaches reported by covered entities and business associates if a data breach impacts more than 500 individuals. At times, more minor data breaches are investigated, especially when several small breaches of a similar nature have been reported that could indicate compliance failures.

OCR also investigates HIPAA complaints filed by patients and employees of HIPAA-covered entities over suspected HIPAA violations. OCR investigates complaints, conducts compliance reviews, and educates relevant entities about compliance requirements. It can also levy penalties against non-compliant entities if needed.

When HIPAA violations are discovered, OCR can take actions like investigating complaints, conducting compliance reviews, educating relevant entities about compliance requirements, and levying penalties against non-compliant entities if needed.

OCR classifies HIPAA violations into four groups based on their severity as follows:

1. Lack of knowledge

The covered entity was unaware of a violation that could not have been realistically avoided.

2. Reasonable cause

A violation that the covered entity expects and knows but still couldn't have avoided. This violation doesn't yet constitute wilful neglect.

3. Wilful neglect, corrected in 30 days

A violation is caused directly by “willful neglect” of HIPAA rules in cases where an attempt has been made to correct the violation.

4. Wilful neglect, not correct in 30 days

A violation due to wilful neglect of HIPAA rules where the organization was aware of its errors and did not rectify them.

What are OCR's HIPAA penalties?

Violation fines cap up to $1,500,000 per violation per year. To determine a specific fine within each of these categories, OCR takes the following factors into account:

  • The covered entity's size
  • The type of data exposed
  • The duration of the violation
  • The number of individuals affected
  • The severity of the damage done
  • The entity's cooperation with the investigation

As discussed above, HIPAA violation penalties are categorized as below:

CategoryCost per violationLack of Knowledge$100-$50,000Reasonable Cause$1,000-$50,000Wilful Neglect, Corrected in 30 Days$10,000-$50,000Wilful Neglect, Not Corrected in 30 Days> $50,000

What are the tips for maintaining HIPAA compliance?

Although complying with HIPAA saves a lot of time in maintaining Security and Privacy rules, we compiled the most important best practices to help your organization remain compliant.

1. Employee training

Security & privacy awareness and training are essential in maintaining HIPAA compliance. We recommend that you train your employees once every quarter to follow those policies during the employee onboarding process and on a daily basis.

2. Enforce a rigid privacy policy

Enforcing a rigid password policy will go a long way in helping to protect Personal Health Information (PHI). Passwords are frequently used to perform the most common tasks in a HIPAA-regulated office, including logging into computers and accessing emails. The passwords should be changed at least once every 90 days.

3. Conduct self-audits

According to the HSS, self-audits must be conducted at least once a year to remain compliant. Conduct audits of your physical, technical, and administrative safeguards.

4. Backup of all patient records

All entities covered by HIPAA, including medical practices, must establish and implement procedures to create and maintain retrievable copies of electronic PHI to save themselves during a data breach.

How do I become HIPAA compliant?

Scrut Automation is an innovative and radically simple governance, risk, and compliance automation platform for growing startups and mid-market enterprises. With Scrut, compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA, and CCPA. Schedule your demo today to see how it works.

Liked the post? Share on:

Authored by
Table of contents
Example H2
h3
Example H3
h4
Example H4
h5
Example H5
h6
Example H6
Subscribe to our newsletter
Get monthly updates and curated industry insights
Subscribe
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Join our community and be the first to know about updates!

Subscribe
I agree to receive marketing insights and other communications from Scrut Automation.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

Compliance Essentials
Draft Digital Personal Data Protection Bill 2022: Everything you need to know
Trust Management
Compliance Essentials
Risk Management
Cloud Security
Vulnerability Management
Increase customer trust with five easy steps
Risk Management
Trust Management
AI Hallucination: When AI experiments go wrong

Ready to see what security-first GRC really looks like?

The Scrut Platform helps you move fast, stay compliant, and build securely from the start.

Book a Demo
Book a Demo
Platform
Why ScrutExplore the PlatformSimplify ComplianceStreamline AuditsEmpower Your EmployeesMonitor Cyber RiskAssess Third-Party RiskValidate User PrivilegesManage Asset InventoryDemonstrate TrustAI-Powered GRCIntegrate Your Tech Stack
Frameworks
SOC 2ISO 27001GDPRPCI DSSHIPAANIST AI RMFCustom FrameworksAll Frameworks
Company Stages
StartupGrowthEnterprise
Industry
Enterprise SoftwareFinancial ServicesHealthcareTravel and TourismEducation
Resources
BlogEbooksPodcastSuccess StoriesWebinarsEventsGlossaryFAQs
Hubs
SOC 2 HubISO 27001 HubHIPAA HubExplore All Hubs
Partners
Become a PartnerFind a Partner
Company
CustomersAboutCareersNewsroomSecurity
TrustTerms of UsePrivacy PolicyCookies Policy
© 2024 Scrut Automation. All Rights Reserved.
Compliance Essentials
HIPAA