For businesses in the healthcare industry, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is essential for keeping clients and stakeholders safe. HIPAA defines what counts as “protected health information” (PHI), and its three prescriptive rules (Privacy, Security, and Breach Reporting) ensure its protection. The fourth, the HIPAA Enforcement Rule, defines what happens when a company fails to follow the other three.
Read on to learn more!
What is the HIPAA Enforcement Rule?
HIPAA enforcement falls under the US Department of Health and Human Services (HHS) jurisdiction, along with other governmental agencies. Below, we’ll walk through everything you need to know about HIPAA enforcement across two main sections:
- A comprehensive look at the HIPAA Enforcement Rule, including tiers of non-compliance penalties and the investigation processes for identifying noncompliance violations
- An overview of the remaining HIPAA rules, including principles of the Privacy Rule, safeguards of the Security Rule, and reporting for the Breach Notification Rule
By the end of this blog, you’ll be well equipped to avoid the HIPAA enforcement rule’s penalties for non-compliance altogether.
Enforcement Rule: Penalties and Procedures
Under the HIPAA Enforcement Rule, the HHS has monitored and enforced compliance with the Privacy Rule since 2003 and with the Security and Breach Notification Rules since 2009. The HHS reserves the right to hold businesses accountable with fines and other penalties for noncompliance:
- Civil money penalties – Companies may be fined up to $1,500,000 per year across all individual fines, which break down into four tiers:
- $100 – $50,000 if the entity committed a violation but “did not know”
- $1,000 – $50,000 if the entity had “reasonable cause” for the violation
- $10,000 – $50,000 for “willful neglect” that was corrected
- $50,000 flat for “willful neglect” that was not corrected
- Criminal penalties – Companies may be subject to criminal penalties for the most serious instances of intentional noncompliance and fraud. These include:
- $50,000 and up to one year of imprisonment for intentional misuse of (e)PHI
- $100,000 and up to five years of imprisonment if false pretenses are involved
- $250,000 and up to ten years of imprisonment for violations committed for personal gain
Aside from the basic thresholds detailed just above, the severity of the fine or penalty incurred depends on numerous factors. The HHS may exercise discretion to resolve an issue without assessing a fine, for instance, or apply a lower-tier fine to what would otherwise be a higher-tier offense.
Enforcement Process: Ensuring Compliance
To determine which fines or penalties a violation deserves, the HHS follows a strict enforcement process. The process begins with the Office for Civil Rights (OCR) and stays within the OCR for civil penalty cases. Where criminal activity is suspected, the OCR works in conjunction with the US Department of Justice (DOJ). Altogether, the process has three main stages:
- Intake and review – The OCR determines whether an immediate resolution is appropriate (an obvious non-violation) or if there is a potential civil or criminal violation, leading into…
- Investigation(s) – The OCR and DOJ begin a thorough auditing process to determine if and how one or more violations have occurred and the entity’s accountability, leading to…
- Resolution – The OCR and DOJ may find that no violation has occurred, reach an agreement regarding voluntary corrective action, or issue a formal finding.
Depending on what the OCR and DOJ decide, a company may face both civil and criminal penalties for a particularly egregious violation. HHS publishes a list of relevant Case Examples that break down the reasoning behind some past cases (anonymized for security).
Covered Entities: Who Needs to Comply?
Given the stark penalties detailed above, avoiding enforcement is extremely important for all companies who need to comply. But which companies are these, exactly? The HHS maintains a (non-exhaustive) list of HIPAA Covered Entities, of which there are three main categories:
- Healthcare providers, such as doctors, hospitals, nursing homes, and pharmacies
- Health insurance plans, including insurance providers and coordinating companies
- Healthcare clearinghouses, or companies that process (non)standard health data
These companies aren’t the only ones who need to worry about enforcement. As of 2009, covered entities’ business associates also need to comply with HIPAA. Failure to do so can have significant consequences for both the business associate and the covered entity. Template business associate contracts can help account for this and keep all parties in the clear.
What are the Other HIPAA Rules?
As noted above, four main rules make up the core of HIPAA for professionals — the three non-Enforcement Rules define the prescriptive regulations a company must follow to protect PHI. However, this was not always the case. At first, HIPAA included only the Privacy Rule, with the Security Rule added shortly afterward to protect electronic PHI (“ePHI”).
Major changes came to HIPAA following the passage of H.R.1, the American Recovery and Reinvestment Act (ARRA), in 2009. HITECH, a key component of ARRA, added the Breach Notification Rule to HIPAA, significantly increased the penalties available under the Enforcement Rule, and broadened the scope of covered entities to include business associates. HIPAA Enforcement is thus synonymous with HITECH Enforcement — let’s take a look at all the rules it covers.
Privacy Rule: Authorized Use and Disclosure
The HIPAA Privacy Rule exists to define rights and requirements regarding PHI. It designates what constitutes an appropriate (permitted or required) use of PHI and the conditions under which it can be accessed. The HHS’s Privacy Rule summary comprises two significant principles:
- Uses and disclosures of PHI are prohibited unless required (expressly requested by the subject of the PHI or by a government agency) or permitted (disclosures to the subject or a representative, uses undertaken in the public interest, and incidental disclosure, etc.)
- All permitted disclosures, except certain required cases, need to be limited in scope to the minimum necessary amount that satisfies the permitted or required use case
The HIPAA Privacy Rule is enforced by assessing the extent to which these principles are operationalized across a company’s cybersecurity architecture, personnel, and practices.
Security Rule: Confidentiality, Integrity, Availability
The HIPAA Security Rule exists to extend the Privacy Rule principles across a covered entity’s security architecture. The HHS’s Security Rule summary specifies three categories of safeguards covered entities must implement to ensure the confidentiality, integrity, and availability of (e)PHI:
- Administrative safeguards, including management of security processes and personnel, identification and access, workforce training, and regular assessment or evaluation
- Physical safeguards, including restrictions of access to physical spaces and devices
- Technical safeguards, including robust access, audit, and integrity controls, as well as regular monitoring, analysis, and corrective measures for transmission security
The HIPAA Security Rule is enforced by assessing how effectively these safeguards contribute to the company’s risk analysis and management, proactively preventing threats to ePHI.
Breach Notification Rule: Reporting Security Events
Finally, the HIPAA Breach Notification Rule exists as part of a contingency plan to follow if a data breach happens. A data breach is defined as any use or disclosure of PHI not permitted by the Privacy Rule (with some exceptions). Should this occur, covered entities need to provide:
- Individual notice to all impacted parties, delivered by mail or email without unreasonable delay (within 60 days), in addition to a statement on the company’s home page (select cases)
- Secretary notice to the HHS via the Breach Reporting form, annually for breaches impacting fewer than 500 people, and within 60 days for breaches affecting more than 500 people
- Media notice to a prominent local or national media outlet, within 60 days, for any breach that impacts more than 500 people within the defined geographic location of that outlet
HIPAA’s Privacy and Security Rules are enforced by assessing a company’s security practices in their steady state, whereas Breach Notification enforcement analyzes a company’s response after a security event.
How to Avoid HIPAA Enforcement
To avoid the penalties of the Enforcement Rule, it’s crucial not to draw any complaints that would initiate the enforcement process detailed above. Your best option is working with a service provider to achieve and maintain compliance across your whole organization. To that end, RSI Security’s suite of HIPAA compliance services comprises everything you need to implement all the HIPAA rules and fully secure your clients’ PHI.
Whatever you need, we have it covered.
The most important thing to understand about the HIPAA Enforcement Rule is how to ensure it never affects your organization. To see just how simple this process can be and how strong your company’s overall cyberdefenses can become, contact RSI Security today!