Do You Have to Follow the HIPAA Enforcement Rule?


Look within the pages of regulations that comprise the Health Insurance Portability and Accountability Act, and you will find a variety of rules, standards, and guidelines.

One of these rules is the ominously named HIPAA Enforcement Rule. What is the HIPAA Enforcement Rule, and how does it apply to your organization?

HIPAA Enforcement Rule Summary

It may help to start with the purpose of HIPAA and who must follow it. The law's privacy and security provisions exist to protect patients' protected health information (PHI) in every form, including electronic PHI (ePHI). This includes giving patients the right to access their PHI and to control how it is used and disclosed.

The law and its implementing regulations define the standards an organization must meet to be HIPAA compliant. Four rules set out those standards:

The HIPAA Privacy Rule – This rule requires covered entities (health care providers, health plans, and health care clearinghouses) to protect PHI in any form, paper or electronic. It requires written policies to protect the privacy of patient health information, sets limits and conditions on how PHI may be used and disclosed (including the "minimum necessary" standard), and requires controls over who may access PHI.

It also guarantees patients the right to access their medical records, to obtain copies of them, and to request corrections to errors they find. Covered entities must maintain written HIPAA policies and procedures that implement every requirement of the Privacy Rule.

The HIPAA Security Rule – This rule sets the security standards for protecting ePHI at rest and in transit. Both covered entities and business associates (companies that perform services for covered entities and create, receive, maintain, or transmit PHI in doing so) must meet the Security Rule's requirements, which fall into three groups of safeguards:

  • Physical safeguards – Controls over facilities, workstations, and devices, such as facility access controls and device and media disposal procedures.
  • Technical safeguards – Controls built into systems that hold ePHI: access control, audit logging, integrity checks, user authentication, and transmission security, including encryption where it is reasonable and appropriate.
  • Administrative safeguards – The policies and procedures that manage security, starting with a risk analysis and including workforce training, sanctions, contingency planning, and periodic evaluation.


The HIPAA Breach Notification Rule – This rule defines what an organization must do after a breach of unsecured PHI. Affected individuals must be notified in writing without unreasonable delay, and no later than 60 days after the breach is discovered. If the breach affects fewer than 500 individuals, the organization must also report it to the Secretary of Health and Human Services within 60 days after the end of the calendar year in which it was discovered.

If the breach affects 500 or more individuals, the report to the Secretary of Health and Human Services is due within 60 days of the breach's discovery, and the organization must also notify prominent media outlets serving the affected state or jurisdiction.

The Omnibus Rule – This 2013 rule strengthened the privacy and security protections for PHI under HIPAA by making business associates and their subcontractors directly liable for complying with the Privacy and Security Rules, rather than only through their contracts with covered entities.

It also revised the breach notification standard (a breach is now presumed unless a risk assessment shows a low probability that PHI was compromised), expanded patients' rights to access their PHI and to restrict disclosures, and tightened the rules on uses and disclosures of PHI, including for marketing and sale of PHI.

The HIPAA Enforcement Rule and You

The HIPAA Enforcement Rule does not add new obligations for covered entities or business associates. Instead, it sets out how the Department of Health and Human Services investigates complaints, determines whether an organization is compliant, and calculates and imposes penalties.

It empowers the HHS Office for Civil Rights (OCR) to investigate possible HIPAA violations by covered entities and business associates, whether prompted by a complaint, a breach report, or a compliance review, and to determine whether they complied with the law's standards.

If an organization is found not to be in compliance, OCR may resolve the matter through voluntary compliance, a corrective action plan, a resolution agreement (typically with a settlement payment), or a combination of these.

The Enforcement Rule also gives OCR the authority to impose civil money penalties, with the amount depending on several factors, including the nature of the violation, the harm caused, and the organization's level of culpability. Criminal violations are referred to the Department of Justice, which prosecutes them.

Civil money penalties – Penalties are assessed per violation, with an annual cap of $1,500,000 for violations of an identical provision; the base amounts below are adjusted for inflation each year. The tier depends on the organization's level of culpability:

  • $100 – $50,000 per violation if the entity “did not know” (and could not reasonably have known) of the violation.
  • $1,000 – $50,000 per violation if the violation was due to “reasonable cause” and not willful neglect.
  • $10,000 – $50,000 per violation for “willful neglect” that is corrected within 30 days.
  • $50,000 minimum per violation for “willful neglect” that is not corrected within 30 days, up to the annual cap.

Criminal penalties – Individuals and organizations that knowingly obtain or disclose PHI in violation of HIPAA may face criminal prosecution, with penalties that increase with the intent behind the violation:

  • Up to $50,000 and up to one year of imprisonment for knowingly obtaining or disclosing PHI.
  • Up to $100,000 and up to five years of imprisonment if the offense is committed under false pretenses.
  • Up to $250,000 and up to ten years of imprisonment if the offense is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

Avoiding the Consequences of the HIPAA Enforcement Rule

If your organization has an effective HIPAA compliance program, you will have little to fear from the HIPAA Enforcement Rule. The difficulty is that the rules are deliberately written as flexible, technology-neutral standards: many Security Rule specifications are “addressable,” and the law asks only for “reasonable and appropriate” safeguards without saying exactly what those are. For that reason, many organizations implement bits and pieces of the requirements and hope for the best.

Unfortunately, OCR investigators expect full compliance, including the documented risk analysis, policies, and training that prove it. There is no such thing as partial credit. Compliancy Group can help you achieve compliance quickly, easily, and completely.

Our web-based automated software solution, “The Guard,” was designed by HIPAA auditors and Compliance Officers to guide you through becoming fully compliant. Call us to see a demo of the software and how it can make your life easier. 
