By Dava Stewart
Anyone working in a sector of the healthcare industry is familiar with the Health Insurance Portability and Accountability Act (HIPAA). The mammoth law has three main parts: the Privacy Rule, the Security Rule, and the Breach Notification Rule, and “covered entities”—including doctors of chiropractic—are required to adhere to these rules, according to the U.S. Department of Health and Human Services.
For many clinicians and their staffs, understanding exactly what compliance entails has meant training, extensive study, and perhaps even hiring a third party to assess risk. Most DCs and their staffs are up to speed on the subject, but what some may not know is how the rules laid out in HIPAA are enforced and what the consequences of violation are.
The Office for Civil Rights (OCR) is the entity responsible for enforcing the three parts of HIPAA. The two main ways it enforces the Privacy and Security Rules are to investigate complaints and to conduct compliance reviews. The OCR also conducts educational outreach programs to help covered entities understand the rules and remain in compliance.
When the OCR receives a complaint, the first step is intake and review. If a criminal violation is suspected, the OCR works with the Department of Justice (DOJ) to carry out an investigation; however, if a non-criminal violation is a possibility, the OCR completes an investigation.
There are several reasons an investigation would not be carried out:
• The possible violation did not occur after April 14, 2003 (the date the OCR began accepting complaints).
• The complaint was not filed within 180 days and an extension was not granted.
• The entity is not covered by the Privacy Rule.
• The incident described does not violate the rules.
If the OCR (and/or DOJ) does carry out an investigation, there are several possible outcomes:
• No violation occurred.
• The entity voluntarily complies, the OCR takes corrective action, or another agreement is reached.
• The OCR issues a formal finding of violation.
Resolution agreements and civil money penalties are two possible outcomes when the OCR finds a covered entity to be in violation. According to the Health and Human Services website,
“A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into 21 resolution agreements and issued CMPs to one covered entity.”
The idea of an investigation is uncomfortable, but it’s important to note that an investigation doesn’t always have a negative outcome. Keeping your practice in compliance, your staff well-versed in exactly what compliance means, and all records in order are the best means of ensuring that any investigation will show you are within the bounds of the law.