HIPAA Enforcement: What Federal Agency Regulates HIPAA?

The Evolution of HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was initially passed in 1996. The Act has been revised and updated numerous times in the last ten years to better reflect the rapidly changing healthcare landscape.

Initially, HIPAA focused on the portability of health insurance and the security of personal health information, but with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the scope of HIPAA was expanded to include provisions for the privacy and security of electronic health records (EHRs) and other health information technology.

The HITECH Act also made it mandatory for healthcare providers to notify individuals if their personal health information was breached. This allowed individuals to take legal action if their data was mishandled. Additionally, the HITECH Act increased the penalties for HIPAA violations, which have become more costly over time.

In 2013, the HIPAA Omnibus Rule was passed, which made sweeping changes to the HIPAA Privacy, Security, and Breach Notification Rules. These changes included giving individuals more control over their health information, allowing patients to access their data, and adding new protections against the inappropriate disclosure of personal health information, such as genetic information.

Finally, the most recent changes to HIPAA came in February 2021 with the passing of the 21st Century Cures Act. The Act includes provisions for sharing health information for research purposes and protecting patient data when stored or transferred.

Overall, HIPAA has become increasingly comprehensive, and the regulations now provide individuals with greater control over their personal health information and more robust protections against unauthorized disclosure.

Who Regulates HIPAA?

HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR is responsible for investigating complaints and enforcing the HIPAA Privacy and Security Rules.

HIPAA is a federal law that requires covered entities, such as health care providers, health plans, and health care clearinghouses, to protect the privacy of individuals' health information. In addition, the law mandates that these entities must provide individuals with certain rights concerning their health information.

The HHS Office for Civil Rights is responsible for enforcing HIPAA's privacy provisions in non-criminal cases. The OCR is also responsible for providing technical assistance and guidance to covered entities to ensure they comply with HIPAA. When violations are reported, the OCR may conduct investigations and impose civil monetary penalties or corrective action plans.

The HHS Office of Inspector General (OIG) enforces HIPAA's criminal provisions. The OIG may take action against individuals or organizations found to have knowingly and willfully violated HIPAA and may refer criminal cases to the Justice Department.

State attorneys general may also enforce HIPAA's Privacy and Security Rules. They may investigate complaints and take appropriate action as needed.

In summary, the HHS Office for Civil Rights enforces HIPAA's privacy provisions in non-criminal cases. The HHS Office of Inspector General enforces HIPAA's criminal requirements.

Who Else Enforces HIPAA?

The Centers for Medicare and Medicaid Services (CMS) is the federal agency that administers the health care programs of Medicare and Medicaid. CMS enforces HIPAA through its Office of eHealth Standards and Services (OESS). OESS investigates complaints, conducts audits, and provides guidance to help entities comply with HIPAA.

The Federal Trade Commission (FTC) is an independent agency of the U.S. government whose mission is to protect consumers from deceptive and unfair practices. The FTC enforces HIPAA through its Health Breach Notification Rule, which requires entities to notify affected individuals within 60 days of a breach of unsecured protected health information.

The FTC also works with the Department of Health and Human Services to provide information on protecting health information.

How Has The Regulation of HIPAA Evolved?

The federal government has been involved in the supervision and enforcement of HIPAA since its passage in 1996. Initially, the Department of Health and Human Services (HHS) was responsible for the oversight of HIPAA, as it was the agency that developed the regulations and provided guidance to covered entities.

In 2003, the Office for Civil Rights (OCR) was established within HHS to focus specifically on HIPAA enforcement.

In 2009, the Department of Labor (DOL) and the Centers for Medicare and Medicaid Services (CMS) also became involved in HIPAA enforcement, providing guidance on compliance and conducting audits.

In 2013, the Office of the National Coordinator for Health Information Technology (ONC) was established to ensure that electronic health records (EHRs) met HIPAA requirements.

Today, HHS is still the primary enforcer of HIPAA, with the OCR leading the effort. The OCR is responsible for investigating complaints, conducting audits, and issuing fines for violations. The DOL also provides guidance on HIPAA compliance and may issue penalties for violations related to employee benefit plans.

The CMS and ONC are responsible for ensuring that EHRs meet HIPAA regulations.

Overall, the federal government's involvement in the supervision and enforcement of HIPAA has expanded considerably since 1996. This is due to the increased importance of protecting health information in the digital age and the need for stricter oversight to ensure compliance.

Enroll in HIPAA Training Online Today

For more information on how to stay HIPAA compliant, sign up for one of our HIPAA courses or head to the US Department of Health and Human Services (HHS) website.
