
#Industry News
Who Enforces HIPAA: What You Need to Know to Be in Compliance
How the Office of Civil Rights keeps PHI private
The Health Insurance Portability and Accountability Act, or HIPAA, has massively impacted the U.S. healthcare sector since it became law in 1996. While many in healthcare are aware of it, many either do not know, or are unsure of, who actually enforces HIPAA.
We cover that subject today, from the government department(s) involved to the various penalties that can be imposed on companies not in compliance with the law.
Who is Responsible for Enforcing HIPAA Rules?
Put simply, the Office of Civil Rights, or the OCR. The office falls under the U.S. Department of Health and Human Services (HHS).
The OCR bears the responsibility of enforcing HIPAA. It provides information to individuals on their rights under HIPAA and sets out the rules that covered entities and business associates must follow.
As previously discussed, “covered entities” are basically anyone who holds electronic protected health information (PHI) as defined by the HHS. They are usually broken down into:
Healthcare plans, such as health insurance companies, government programs that pay for healthcare (example: Medicare), and military and veterans’ health programs (example: the VA).
Healthcare clearinghouses, such as medical billing services, repricing companies, or community health management information (HMI) systems.
Healthcare providers, such as physicians, pharmacies, and nursing homes.
The OCR is also involved in dealing with the opioid overdose crisis sweeping across the U.S.
Recently, the office announced it is expanding its responsibilities to include cybersecurity.
Besides HIPAA, the OCR is also responsible for:
Enforcing federal civil rights laws that protect the rights of individuals and entities from unlawful discrimination based on race, color, national origin, disability, age, or sex in health and human services.
Enforcing federal laws that protect conscience and the free exercise of religion in health and human services. This includes prohibiting coercion and religious discrimination.
The OCR: List of Its Duties
HIPAA lays out three major rules for the protection of PHI. They are:
The Privacy Rule
The Security Rule
The Breach Notification Rule
The Privacy Rule
The Privacy Rule is designed to protect PHI. It can be viewed in two parts:
Covered entities must have safeguards in place to protect patient information. These range from limits and conditions on how the information is used to how it is accessed.
Patients have certain rights to access their PHI.
The Security Rule
The Security Rule sets the standards and requirements that must be used to protect PHI both when it is stored by covered entities and business associates and when it is transmitted. An example of the latter would be an exchange between an RN’s medical tablet and a doctor’s smartphone.
Safeguards are one way to comply with this rule, such as a built-in RFID reader and single sign-on software like Imprivata on such a medical tablet.
The Breach Notification Rule
This rule establishes what must happen when a covered entity or any of its business associates suffers a data breach.
Is the patient notified first? Or the director of the OCR? What about the HHS or even the media?
This rule answers those questions and more.
The OCR also enforces other, more specific HIPAA rules, such as the Transaction Rule, the Identifiers Rule, and the Enforcement Rule.
How the OCR Enforces the Rules
The OCR enforces HIPAA in several ways.
One is investigating complaints. For the office to consider a complaint, it must meet strict criteria:
The possible violation must have occurred within the past six years.
The entity or business associate involved must fall under HIPAA rules.
The action committed by the entity or business associate must have violated HIPAA rules.
The individual submitting the complaint must file it within 180 days of discovering the possible violation.
Compliance reviews or audits are another way the OCR enforces HIPAA. The office contacts covered entities to verify that their processes comply. A review can be part of a complaint investigation or be selected at random by the office.
If the OCR determines that a covered entity has failed to comply with HIPAA, it will work with the entity through:
Voluntary compliance by the covered entity.
Performance of corrective action.
Establishment of a resolution agreement.
The nature of the complaint, the violation, and the covered entity involved all affect the terms the OCR reaches with the particular entity or business associate.
Civil Money Penalties
Unfortunately, some covered entities or their business associates may not uphold their end of the bargain with the OCR. When the office finds this, it can impose civil money penalties (CMPs):
$100 to $50,000 for each violation the entity committed but “did not know” about.
$1,000 to $50,000 for each violation the entity committed with so-called “reasonable cause.”
$10,000 to $50,000 for each violation the entity committed through “willful neglect” that was followed by corrective action.
A flat $50,000 for each violation committed through “willful neglect” without corrective action.
Covered entities or business associates may be fined up to a maximum of $1,500,000 for all violations of an identical provision during a calendar year (before inflation adjustment).
Criminal Penalties
For more severe violations, the OCR can impose criminal penalties:
$50,000 and up to a year of imprisonment for the intentional misuse of PHI.
$100,000 and up to five years in prison if false pretenses are involved.
$250,000 and up to 10 years in prison for violations committed for personal gain.
Note that the OCR does not work alone in enforcing HIPAA. If necessary, the OCR can tap the enforcement powers of:
Centers for Medicare and Medicaid Services
U.S. Food and Drug Administration
Federal Communications Commission
HHS
Finally, many state attorneys general can also enforce HIPAA.
Closing Thoughts
The Office of Civil Rights (OCR) enforces HIPAA rules. Part of the U.S. Department of Health and Human Services, the OCR makes sure covered entities are in compliance and deals with them appropriately when they are not. Covered entities include providers, insurance companies, and any other entity, together with their business associates, that falls under HIPAA.
Contact an expert at Cybernet if you want to ensure your medical computers and similar equipment are HIPAA-compliant. We can also suggest ways they can assist in your HIPAA compliance efforts, which may include meeting any OCR-mandated penalties.
