As a leader in health care, the responsibility to keep your organization compliant rests on your shoulders — and it’s a responsibility to be taken seriously.

After all, the prospect of owing $16 million for HIPAA violations, as Anthem did in 2018, likely feels unthinkable. To make sure you’re avoiding penalties and keeping your patients’ information safe, learning who enforces HIPAA is a great place to start.

In this guide, we break down who is responsible for enforcing the HIPAA Rules, the tiers of HIPAA violation penalties, and how to make sure your organization is protected from those penalties.

Who enforces HIPAA?

Here’s the simple answer: the U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) is the primary enforcer of HIPAA’s Privacy and Security Rules.

That said, there are a couple of other organizations that also hold the authority to enforce HIPAA, though they wield this power less frequently. They include the state attorneys general and the Centers for Medicare and Medicaid Services (CMS).

OCR has the greatest responsibility to enforce the law, so let’s start by walking through what this enforcement looks like.

HHS’ Office for Civil Rights

OCR plays several roles in enforcing HIPAA’s Privacy and Security Rules. It investigates complaints, conducts compliance reviews, and educates relevant entities about compliance requirements. If needed, it can levy penalties against non-compliant entities and even refer them to the Department of Justice.

While OCR prioritizes investigating data breaches that impact more than 500 people, it also investigates organizations that have had multiple smaller breaches. Data breaches don’t always mean an organization isn’t compliant with HIPAA, but OCR considers breaches enough of a reason to investigate an entity covered by HIPAA.

OCR, of course, prefers to resolve HIPAA violations through voluntary compliance. This is when the organization at fault voluntarily corrects its compliance issues. If this doesn’t happen, OCR will likely pursue legal action.

OCR breaks down HIPAA violations into four categories, in order of severity:

  • Category 1: A violation that the covered entity wasn’t aware of and likely couldn’t have avoided. The entity has clearly tried to comply with HIPAA.
  • Category 2: A violation that the covered entity was expected to know but still couldn’t have avoided. This category doesn’t yet constitute willful neglect.
  • Category 3: A violation due to willful neglect of HIPAA Rules. To fit into this category, the entity must have tried to correct its mistakes.
  • Category 4: A violation due to willful neglect of HIPAA Rules in which the entity was aware of its errors and did not try to correct them.

OCR’s HIPAA violation penalties: A breakdown

OCR has a different penalty for each of its HIPAA violation categories. They are as follows:

  • Category 1: A fine of $100-$50,000 per violation
  • Category 2: A fine of $1,000-$50,000 per violation
  • Category 3: A fine of $10,000-$50,000 per violation
  • Category 4: A fine of at least $50,000 per violation

Violation fines cap out at $1,500,000 per violation, per year. To determine a specific fine within each of these categories, OCR takes the following factors into account:

  • The covered entity’s size
  • The type of data exposed
  • The duration of the violation
  • The number of individuals affected
  • The severity of the damage done
  • The entity’s cooperation with the investigation

Other HIPAA enforcers

As we mentioned earlier, OCR isn’t the only entity allowed to enforce HIPAA Rules. While they don’t step in nearly as much, state attorneys general and the CMS also have authority here. Next, we’ll explain what powers they are granted and how they enforce HIPAA.

State attorneys general

In 2008, the Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to enforce HIPAA in their states.

Early on, states were hesitant to use this power, and many chose not to. But recently, state attorneys general have been enforcing HIPAA more actively. In 2021, for example, New Jersey helped investigate the 2019 data breach at American Medical Collection Agency (AMCA).

While increasing state involvement is partially due to the practice becoming more accepted over time, it’s also likely because attorneys general are now allowed to keep a portion of violation fines.

It’s important to note that penalties issued by state attorneys general are far less severe than those issued by OCR, ranging from $100 to $25,000.

The Centers for Medicare and Medicaid Services (CMS)

In addition to its well-known patient security stipulations, HIPAA includes provisions designed to improve efficiency in the health care sector. These are known as the HIPAA Administrative Simplification Regulations.

It’s the CMS’ responsibility to enforce these regulations. CMS investigates covered entities that have failed to comply with this area of HIPAA. However, it does not issue penalties against non-compliant entities unless they refuse to achieve compliance.

4 tips for maintaining HIPAA compliance

Needless to say, complying with HIPAA will save you a lot of hassle — say goodbye to the stress of an impending investigation. Apart from following HIPAA’s Security and Privacy Rules, we’ve compiled some best practices to help your organization remain compliant.

  • Train employees in privacy and security policies: Ideally, following HIPAA Privacy and Security Rules would be enough to keep an organization HIPAA-compliant. But that isn’t always the case. Create and regularly update privacy and security policies, then train your employees to follow those policies during their onboarding process and on a regular basis.
  • Perform regular self-audits: Threats evolve and security measures fail over time. To remain compliant, conduct regular audits of your physical, technical, and administrative safeguards. According to HHS, these should be conducted at least annually.
  • Document everything: If your organization is investigated, it will be a much easier process if you’ve been documenting all of your HIPAA compliance efforts. OCR and other enforcers will likely want to see self-audit records, privacy and security policies, and organization-wide training sessions.
  • Automate compliance: Automating the compliance process makes it much easier to become continuously compliant. This makes audits and investigations far less stressful.

Covering your HIPAA bases with Secureframe

Secureframe takes the guesswork out of HIPAA compliance. We break the process down into straightforward steps, from helping you create privacy and security policies to facilitating employee HIPAA training.

Our software makes it easy to ensure that your vendors are HIPAA-compliant, too. We nip vendor risk in the bud, helping you create Business Associate Agreements for partners that have access to patient health information.

For total confidence in your HIPAA compliance strategy, request a demo of our platform today.