HIPAA commonly known as Health Insurance Portability and Accountability Act was brought by Congress in 1996 and this act was signed by President Bill Clinton. This law came into existence to provide privacy, security, and confidentiality to individual’s health care data, medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Under this law patients can get access to their health care records anytime and they get more control over how their personal health information is used and disclosed.
Who Enforces HIPAA Compliance?
U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules.
OCR enforces the Privacy and Security Rules in several ways:
- They investigate the complaints filed.
- Conducting compliance reviews to determine if covered entities are in compliance
- Several educational programs are conducted to educated and outreach covered entities with the rule’s requirements.
Office for Civil Rights (OCR) reviews the data and records that it gathers. After reviewing the information they decide if the covered entity violates the requirements of the Privacy and Security Rules. If OCR finds that agency does not comply with HIPAA compliance then they try to resolve the case with covered entity by obtaining:
- Voluntary compliance
- Corrective action
- Resolution agreement
If organizations fail to comply with HIPAA compliance then they can be slapped with civil and criminal penalties. In violation of the criminal provision of HIPAA, Office for Civil Rights may refer the complaint to the Department of Justice for further investigation.
Office for Civil Rights may impose money penalties on those covered entity who does not comply with HIPAA compliance. Money penalties for Health Insurance Portability and Accountability Act violations are determined based on a tiered civil penalty structure.
Penalties for civil violations
HIPAA violation: Unknowing
Penalty ranges from $100 – $50,000 per violation. If the violation is repeated then annual penalty can be of $25,000.
HIPAA violation: Reasonable Cause
Penalty ranges from $1,000 – $50,000 per violation. If the violation is repeated then annual penalty can be of $100,000.
HIPAA violation: Willful neglect but violation is corrected within the required time period
Penalty ranges from $10,000 – $50,000 per violation. If the violation is repeated then annual penalty can be of $250,000.
HIPAA violation: Willful neglect and is not corrected within required time period
Penalty ranges from $50,000 per violation. If the violation is repeated then annual penalty can be of $1.5 million.
Criminal violations of HIPAA are handled by the Department of Justice. Fine of $50,000 to $250,000 as well as imprisonment from 1 year to 10 years is charged in case of penalties.