With the regular and much needed update to critical standards such as HIPAA, auditors and compliance experts need to be continuously on their toes to review and acquaint themselves with these new developments. One of the latest such updates is the Health Information Portability and Accountability (HIPAA) Enforcement rule, which has caused quite a stir in the industry due to confusion about its applicability. To set certain things clear, HIPAA Enforcement will not be applicable as long as organizations value the privacy and security of the Protected Health Information (PHI) of their customers while also abiding by the HIPAA compliance requirements. For businesses in the healthcare industry, HIPAA compliance is essential.
HIPAA Enforcement Rules apply when an organization fails to follow the HIPAA Privacy, Security, and Breach Notification Rules. There are significant consequences for HIPAA violations. HIPAA is enforced through various enforcement actions dictated by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
What is the HIPAA Enforcement Rule?
HHS has set specific rules for HIPAA Compliance. The enforcement rule includes directives for compliance, investigation, and penalties for violations. It also details the procedures and monetary fines for imposing civil penalties on Covered Entities that violate any HIPAA requirements. The Office of Civil Rights within HHS is tasked with the responsibility of investigating the violation. Based on the investigation, the OCR determines if the Covered Entity or the Business Associate was in compliance with the HIPAA Security and Privacy Rule or whether the rule was violated. OCR reviews the information, and evidence is gathered for each case. If the evidence indicates that the Covered Entity was not compliant, OCR will attempt to resolve the case with the Covered Entity through voluntary compliance, corrective action, and/or resolution agreement.
How does the HIPAA Enforcement Rule Work?
HIPAA enforcement takes place at the Federal and State Government levels. HIPAA Enforcement applies when there is a breach or non-compliance with HIPAA Rules. These rules include the HIPAA Privacy Rule, the Security Rule, the Breach Notification Rule, and the HIPAA Omnibus Rule. The Department of Health and Human Services’ Office for Civil Rights receives complaints about non-compliance, and it investigates the matter. Accordingly, based on the investigation findings, enforcement action can be taken concerning any of the HIPAA Rules, and the OCR may levy penalties and fines.
The OCR investigation may at times result in the entity taking voluntary steps to improve its compliance. The OCR may also provide assistance by advising and explaining the expected terms for resolving the violation.
What does the HIPAA Enforcement Rule include?
Covered Entities and Business Associates must comply with HIPAA Rules to avoid enforcement penalties. Understanding the rules and correctly implementing compliance measures are crucial.
What exactly are the HIPAA Compliance Rules that Covered Entities and Business Associates must comply with?
Privacy Rules – The HIPAA Privacy Rule is a set of requirements that must be implemented by the Covered Entity to protect PHI data. It applies to Health Plans, Healthcare Clearinghouses, and Healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards in place to ensure:
- Privacy of the health information.
- Setting of limits and conditions on the use of such information.
- Setting controls on access to PHI.
- Setting limits on disclosure of PHI data.
The Privacy Rule also gives patients the right over their health information, including the right to examine and obtain a copy of their health records as well as to request corrections. In order to achieve this, Covered Entities are required to have the necessary procedures and processes in place to execute such requests.
Security Rules – The HIPAA Security Rule is a set of security requirements and standards for protecting PHI data when stored or in transit. This would also include securing the PHI data whether in physical or electronic form.
The safeguards required to be implemented within the security rule by both Covered Entities and Business Associates include:
- Technical safeguards – Protecting electronic data by using encryption.
- Administrative safeguards – Policies and procedures for PHI protection, management, and storage.
- Physical safeguards – Physical security such as access control security.
Breach Notification Rules – The HIPAA Breach Notification Rule sets out clear requirements for organizations’ response in the event of a data breach. If the breach involves 500 or fewer individuals, the Secretary of the U.S. Health and Human Services (HHS) must be notified within 60 days. However, in case of a breach involving 500 or more individuals, the incident must be reported to the Secretary of the HHS within 60 days of discovery. The affected victims must also be notified about the data breach.
Omnibus Rules – The HIPAA Omnibus Rule mandates the implementation of the Health Information Technology for Economic and Clinical Health Act (HITECH). This was introduced as the fourth rule to strengthen the privacy and security protections of PHI Data under HIPAA. This extends the reach of HIPAA obligations to Business Associates and their Subcontractors. This rule includes modification in the breach notification standard, expands patient rights to access and to restrict disclosure of PHI, imposes new rules governing uses and disclosures of PHI, provides clarity on enforcement approach, and addresses obligations under the Genetic Information Non-discrimination Act of 2008 (GINA).
Who enforces the HIPAA Privacy and Security Rules under HIPAA Compliance?
HIPAA Privacy and Security Rules are enforced by the HHS Office for Civil Rights. The 2009 incorporation of the HITECH Act into HIPAA gave the State Attorneys General the power to assist OCR in the enforcement of HIPAA. The Centers for Medicare and Medicaid Services (CMS) also has some enforcement powers. The U.S. Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) have also participated in HIPAA enforcement to varying extents.
HIPAA Enforcement Rule Penalties & Procedures
The HIPAA Enforcement Rule includes adhering to the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules. Non-compliance with the HIPAA Rules gives the HHS OCR the right to hold businesses accountable with fines and other penalties for noncompliance:
- Civil money penalties – Companies may be fined up to $1,500,000 over a year across all individual fines, which breaks down into four categories:
- $100 – $50,000 if the entity committed a violation but “did not know.”
- $1,000 – $50,000 if the entity had “reasonable cause” for violation.
- $10,000 – $50,000 dollars for companies’ “wilful neglect” with correction.
- $50,000 flat for companies’ “wilful neglect” without correction.
- Criminal penalties – Companies may be subject to criminal penalties for intentional non-compliance and fraud violations. These include:
- $50,000 and up to one-year imprisonment for intentional misuse of (e)PHI.
- $100,000 and up to five years imprisonment if false pretenses are involved.
- $250,000 and up to ten years imprisonment for violations committed for personal gain.
The severity of the fine or penalty incurred will most likely depend on numerous factors. As stated previously, the HHS has discretion to resolve an issue without levying a fine or to reduce a fine to a lower-tier offense.
Non-compliance with HIPAA has significant consequences. Businesses will not just have to bear the financial losses; they will also incur reputational damage and other business costs. Worse yet, severe violations can even result in criminal penalties. For these reasons, businesses must vigorously ensure HIPAA Compliance to avoid these difficulties. Even in case of a breach incident, the organization must approach an experienced compliance consultant to guide them through the process and ensure immediate resolution. No matter the type of HIPAA violation under which the business entity falls, when subject to enforcement action, the organization must act quickly and carefully to limit penalties or at the very least mitigate the risk and liability for a breach.
About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo has more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance and Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. Since 1994, VISTA InfoSec has worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.