The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to protect patients’ sensitive health information. As a Business Associate (BA), you must comply with the HIPAA Privacy, Security, and Breach Notification rules. When you fail to do so, the HIPAA Enforcement Rule defines what follows.
In this article, you will learn what the Enforcement Rule entails, penalties due to non-compliance, how this law works, and which laws to follow to avoid it.
What is the HIPAA Enforcement Rule?
The HIPAA Enforcement Rule establishes directives around compliance, investigation, and penalties for violation. This revolves around the procedures and financial liabilities caused due to non-compliance of HIPAA privacy and security requirements. These rules are designed to prevent anyone with access to ePHI (protected health information in electronic form) from disclosing it.
It is developed by the Secretary of the US Department of Health and Human Services (HHS) and enforced by the Office of Civil Rights (OCR). It seeks to find ePHI handlers for breaches and hold them accountable.
In case of non-compliance, a penalty depending on the severity, will be imposed. Financial penalties are costly and go up to $1.5 million. As long as you comply with these laws, the HIPAA enforcement law will not apply.
Refer to the table below for penalties due to non-compliance. All charges are in dollars.
|Type of violation||Cost of each violation||All such violations in a year|
|Lack of awareness||$100 – $50,000||$1,500,000|
|Justifiable cause||$1,000 – $50,000||$1,500,000|
|Willful neglect (corrective actions taken)||$10,000 – $50,000||$1,500,000|
|Willful neglect (corrective actions pending)||$50,000||$1,500,000|
Who is subject to HIPAA rules?
Before we jump into the technicalities of the Enforcement Rule, let us understand who must comply and who need not.
You must comply if you are:
- Covered Entity – Health insurance companies, health plans, and healthcare providers. Examples include doctors, clinics, nursing homes, and pharmacies.
- Business Associate – Individual or entity with PHI access who provides a service or works for covered entities. Examples include third-party consultants or administrators, billing or accounting service providers, and data management or cloud-based services.
You need not comply if you are:
- Not a covered entity – Examples include child protection service agencies, municipal offices, life insurers, and employers.
How does HIPAA Enforcement Rule work?
HIPAA is enforced at the federal and state level when there is a breach of protected health information (PHI). The OCR works with the Department of Justice (DOJ) to review criminal violations of HIPAA. It can enforce privacy and security rules in multiple ways. They can
- Investigate the filed complaints
- Conduct compliance reviews to ensure that Covered Entities (CE) are compliant
- Educate and train to ensure compliance with the requirements of HIPAA
The OCR reviews all complaints but takes action only if certain conditions are met:
- The alleged violation occurred within the past six years
- The complaint is filed against subjects who are required to comply with HIPAA, such as CE or BA
- The complaint should involve an activity that violates HIPAA rules if proven
- The complaint should be filed within 180 days of when the person filing it knew the alleged action violates HIPAA. The OCR will expand this time limit if there is justifiable cause to not submit the complaint within 180 days
If the OCR accepts the complaints for investigation, they will notify the individual who filed it and the concerned covered entity. The concerned parties must present information about the incident. If the OCR requires specific facts to understand the situation better, both parties must cooperate with the request.
If the complaint involves any action that violates the criminal provision of HIPAA, the OCR will refer the case to the DOJ for further investigation.
The OCR will conduct an investigation based on the gathered evidence. The OCR will notify the involved parties about the result of the investigation in writing. In some cases, the OCR may determine that the accused party is not guilty of a violation of the security or privacy law. If found guilty of non-compliance, the OCR will resolve the issue through:
- Voluntary compliance
- Corrective action or
- Resolution agreement
The accused party must take appropriate action to resolve the issue. If they fail to do so, the OCR can impose civil money penalties (CMP). In such cases, the CE can request a hearing where an HHS administrative law judge makes the final resolution.
Cases are closed by the OCR in five cases. This happens when the OCR:
- Determines that investigation is not required. This happens if the alleged party is not a CE or BA, the action does not concern HIPAA rules, or the complainant refuses to disclose their data for investigation.
- Provides technical assistance to the CE, BA or the complainant through early investigation.
- Conducts an investigation and rules no violation of HIPAA rules.
- Investigates and provides technical assistance to the alleged party to change their policies, produces, staff training, and safeguards. Corrective action is not required when the BA or CE has made changes during the trial period or 60-day window before the OCR is notified.
- Does not investigate the case. This happens if it is referred to the DOJ, involves a natural disaster, is taken up by state authorities, the CE or BA has taken steps to comply with HIPAA as decided by the OCR.
What does the HIPAA Enforcement Rule include?
As a business associate, you can avoid any type of penalties when you comply with the HIPAA rules. If you are a BA, follow these HIPAA rules to avoid penalties.
HIPAA Security Rule
The Security Rule of HIPAA details the security standards to protect ePHI through technical and non-technical safeguards. A key objective of this rule is to protect patient privacy while allowing CEs to adopt and implement new technologies continuously. While most of the security rule is directed at CEs, it also applies to BAs under the HITCH Act of 2009.
HIPAA Privacy Rule
The Privacy Rule seeks to protect sensitive patient information such as medical records and PHI. It applies to entities who electronically transmit health care data. This rule establishes safeguards to use and disclose PHI. It also empowers patients with the right to obtain a copy of their medical data or request corrections.
HIPAA Breach Notification Rule
As per the HIPAA Breach Notification Rule, BAs or CEs must notify patients if a PHI breach occurs. The use of PHI without patient consent is also considered a breach.
The notification letter for incidents must cover a detailed description of the breach, the type of data compromised, measures the patients should take, investigative measures, and contact data of the CE. The breach severity level depends on the risk of exposure, if the data was viewed, the nature of PHI, and the type of disclosure.
Must read: A detailed HIPAA compliance checklist
Common violations that trigger HIPAA Enforcement Rule
HIPAA violations can be intentional or unintentional in nature. Irrespective of the type and severity, it can land you in legal trouble. Here are some of the common violations that cost healthcare businesses time and money to correct and what you can do about it.
You didn’t train your employees
Most businesses or service providers don’t consider employee training as an appropriate solution against common violations. They implement it only after an incident has occurred due to lack of knowledge or negligence. This is poor practice, as employees are the first line of defense.
You can tackle this issue with solutions like Sprinto’s training module. It breaks down confusing and complicated compliance into easy-to-understand pieces. It automates the first step towards compliance by flagging off unauthorized actions.
You didn’t implement secure technology
Your technical infrastructure keeps everything up and running but can cause serious downtime when you don’t have adequate controls in place. As per the HIPAA security rule, you must implement technical safeguards to protect ePHI.
Access control to prevent unauthorized individuals or systems from viewing or editing PHI. Specific of this control includes
- Data encryption and decryption wherever PHI is located
- Unique user ID to monitor activity
- Automatic device logoff when not in use
- Emergency access to PHI to ensure business continuity
Audit controls to review, track, manage, and document use of systems that contain ePHI.
Maintain integrity to prevent alteration of ePHI. Conduct risk assessments to identify vulnerabilities and implement technology that checks for unauthorized changes.
You disposed PHI incorrectly
You should dispose of PHI when it is no longer in use to prevent unintentional disclosure. The data should be inaccessible or irrecoverable after disposal.
You can adopt some standard techniques for safe disposal. Encrypt data before deleting it to stop decryption, overwrite PHI with random non-sensitive data, or destroy the data by exposing it to strong magnetic fields.
You didn’t perform risks analysis
A thorough risk analysis surfaces the gaps in your digital infrastructure. Vulnerabilities can seriously compromise the confidentiality, integrity, and availability of PHI. When you don’t address them on time, it is a recipe for breach disaster.
Assess your existing controls, identify where data is stored and address the lags based on their severity. This will help you gain a deep understanding of which measure to implement and where. The HHS recommends an eight-step approach to risk management.
Also read: who does HIPAA apply to
Implementing compliance is costly. But you know what’s costlier? Penalties due to non-compliance. It doesn’t just cost you money, but time and resources as well.
So, don’t just be adept at extinguishing fires; learn to prevent them as well. Using compliance automation solutions such as Sprinto can help you not only become HIPAA compliant but maintain it as well. With Sprinto, you can get a real-time 24×7 comprehensive visibility on your overall security environment, train your staff on the latest in HIPAA, undertake integrated risk assessments, and implement incident response management.
Talk to our experts today to become and stay HIPAA compliant.
Who enforces HIPAA laws?
The Office of Civil Rights (OCR) enforces HIPAA Privacy, Security, and enforcement laws. It works with the Department of Justice (DOJ) to review cases of criminal violations.
What are the HIPAA enforcement penalties?
HIPAA penalties depend on the type and severity of the violation. It can cost you up to
- $50,000 if you didn’t comply but were not unaware of it
- $50,000 if you have reasonable cause for violation or willfully neglected but took corrective measures
- flat $50,000 if you willfully neglected but didn’t take corrective measures.