Any organization that handles protected health information (PHI) must comply with HIPAA to safeguard the privacy and sensitivity of PHI. HIPAA enforcement is overseen by the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS). Read on to learn more about OCR HIPAA enforcement and how your organization can remain compliant.
What Does OCR HIPAA Enforcement Involve?
Since the OCR is a federal agency, OCR HIPAA enforcement relies on a framework of legally defined processes to ensure organizations within and adjacent to healthcare secure PHI.
To help you streamline your HIPAA compliance, this guide will cover:
- An overview of the OCR HIPAA enforcement process
- How the OCR processes HIPAA complaints
Beyond helping you safeguard the privacy of PHI, HIPAA compliance will help you avoid OCR enforcement actions for non-compliance, especially when you optimize compliance with a HIPAA partner.
OCR HIPAA Enforcement 101
Office of Civil Rights HIPAA enforcement—guided by the Enforcement Rule—breaks down the processes by which the OCR ensures that organizations within and adjacent to healthcare comply with the HIPAA Privacy and Security Rules. Compliance with the HIPAA Privacy Rule requires healthcare organizations to limit the use and disclosure of PHI, except when:
- Authorized in writing by the subject of the PHI
- Implementing the Privacy Rule’s permitted uses and disclosures
The HIPAA Security Rule requirements also guide the implementation of security controls to protect electronic PHI (ePHI) via three types of safeguards:
- Administrative safeguards streamline enterprise data security implementation.
- Physical safeguards secure access to physical locations containing ePHI.
- Technical safeguards outline the cybersecurity processes that protect the privacy of PHI.
Based on the requirements of the HIPAA Privacy and Security Rules, the OCR enforces HIPAA compliance via:
- Conducting investigations into complaints of HIPAA violations
- Performing audits to evaluate entities’ compliance with the HIPAA requirements
- Helping organizations streamline compliance efforts through education and outreach
During its investigations of HIPAA complaints, the HHS OCR may involve the Department of Justice (DOJ) in handling certain HIPAA criminal violations—especially those that significantly impact the privacy and sensitivity of PHI.
What is the OCR HIPAA Complaint Process?
Before investigating HIPAA complaints as potential HIPAA violations, the OCR must follow a set of legally defined criteria to review submitted complaints. Based on the OCR HIPAA intake and review criteria, submitted complaints are only reviewed as potential HIPAA violations if:
- The alleged HIPAA violation described in the complaint occurred within the past six years from the time of submission.
- The organization in potential violation of HIPAA is a covered entity under HIPAA. Covered entities include:
  - Health plans (e.g., insurance plans, health insurance companies)
  - Healthcare providers (e.g., hospitals, health clinics, individual provider practices)
  - Healthcare clearinghouses (i.e., organizations that standardize non-standard data)
  - Business associates of covered entities (e.g., healthcare billing and accounting companies, data analysis firms)
- The action described in the complaint (should it have actually occurred) violates the requirements listed in one or more of the HIPAA Rules.
- The complaint was submitted within 180 days of the affected party learning of the HIPAA violation, unless there was good cause for not submitting it within that time.
If and only if a HIPAA complaint satisfies the above OCR HIPAA intake and review criteria will the OCR proceed with investigating the alleged HIPAA violation and, potentially, enforcing penalties.
The OCR's enforcement efforts also involve periodic audits of the compliance processes implemented by covered entities. Any organization that handles PHI should be prepared for an OCR audit at any time, which underscores the need to remain compliant with HIPAA year-round.
OCR Investigation of HIPAA Complaints
Once an OCR HIPAA complaint is accepted, the OCR investigates the alleged HIPAA violations via the following steps:
- First, the OCR notifies both the covered entity and the complainant of the investigation.
- Next, the OCR requests specific information about the alleged incident from both parties to conduct a fair investigation.
- Then, the OCR conducts an internal investigation using collected and reviewed evidence to assess compliance with HIPAA.
Should a covered entity be found in violation of HIPAA, the OCR attempts to resolve the case by requesting that the covered entity provide:
- Evidence of voluntary compliance
- A corrective action plan for compliance gaps
- A resolution agreement
Once resolved, the OCR will provide written notification of the resolution to both the complainant and the covered entity.
Typically, the OCR resolves most complaints via the processes outlined above. However, the OCR will refer any complaint deemed to be a potential criminal violation of HIPAA under 42 U.S.C. 1320d-6 to the DOJ for further investigation. It is critical for covered entities to cooperate with each step of the OCR HIPAA investigation to avoid costly non-compliance penalties.
Optimize HIPAA Compliance
Non-compliance with HIPAA leaves sensitive PHI at risk of loss or compromise if a data breach occurs. Any failure of Privacy or Security Rule controls may qualify as a breach. The best way to avoid hefty OCR HIPAA non-compliance fines and penalties is to align your data security controls with HIPAA standards, securing sensitive PHI against cybersecurity risks.
To learn more and get started with optimizing HIPAA compliance, contact RSI Security today!