Which Government Agency Enforces HIPAA Rules?

Healthcare organizations are expected to follow the rules introduced by the Health Insurance Portability and Accountability Act (HIPAA). The question is: which federal departments enforce HIPAA rules? And how can consumers make sure that covered entities and business associates are following the HIPAA Rules?

The Department of Health and Human Services’ Office for Civil Rights (OCR) is the main enforcer of HIPAA Rules. It investigates all data breaches reported by covered entities and business associates that impact more than 500 individuals. It also investigates smaller data breaches when there is a likelihood of HIPAA violations. OCR also looks into HIPAA complaints that patients and employees file against covered entities.

Whenever OCR needs to take action against HIPAA violations, its preferred course of action is to secure voluntary HIPAA compliance. OCR also issues technical guidance to help covered entities comply with HIPAA Rules. But for multiple violations, egregious breaches of HIPAA Rules and repeated non-compliance, OCR may impose financial penalties. If there were criminal violations of HIPAA Rules, the Department of Justice may handle the case.

State attorneys general have also had the authority to enforce HIPAA rules since the Health Information Technology for Economic and Clinical Health (HITECH) Act was incorporated into HIPAA in 2009. When state attorneys general pursue cases on behalf of patients or state residents whose personal information has been exposed, they do so under state laws rather than HIPAA. The state attorneys general offices in Massachusetts, Connecticut, New York, Vermont and Minnesota have taken action against HIPAA covered entities.

The Centers for Medicare and Medicaid Services (CMS) also exercises some authority, primarily in enforcing the HIPAA administrative simplification regulations. The U.S. Food and Drug Administration (FDA) also enforces HIPAA as far as medical devices are concerned and may take whatever action is necessary in certain situations against healthcare organizations.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA