How Does HIPAA Enforcement Work?

OCR is responsible for enforcing the HIPAA Privacy and Security Rules. OCR monitors and investigates the complaints filed with it. OCR also works to check and review the Privacy and Security Rules.

How Does HIPAA Enforcement Function?

If there is any breach of the Privacy and Security Rules, the person can send a complaint letter to the OCR. The OCR will then notify the person who made the complaint and also the covered entity named in the complaint letter. After this, both the complainee (covered entity) and the complainant are asked to provide information about the particular incident mentioned in the complaint. To further establish its understanding of the facts, both parties can be asked to present specific information individually. Covered entities are duty-bound to cooperate with the complaint investigators. If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.

The information possessed by OCR is then reviewed. On the basis of the evidence and information, the OCR determines whether the covered entity has violated the privacy rules. If the evidence indicates that the covered entity was at fault, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement. 

The above resolutions help the OCR in conducting the case and reaching its outcome. The complainant and the covered entity are then informed about the outcome or the resolution in writing.

Once the resolution reaches both parties, the covered entity is expected to take the necessary action to rectify or compensate for the privacy breach. If the covered entity fails to take the required action, the OCR can impose civil money penalties (CMPs) on the covered entity. The monetary penalties associated with HIPAA violations were raised considerably last year as part of the HIPAA Omnibus Rule included in the HITECH Act. Certain cases are exceptions: individuals can be exposed to criminal risk as well. In such cases, the OCR sends the case to the Department of Justice. The OCR and the Department of Justice enforce the HIPAA Privacy Rule.
