(42 USC § 1320d-5).
The HIPAA Enforcement Rule include the provisions affecting compliance and investigations by the Office for Civil Rights (OCR), the imposition of civil money penalties, liability of Covered Entities for acts or actions by Business Associates, liability of Business Associates for acts or actions of a Business Associates' contractors, and mandatory civil monetary penalties for violations due to willful neglect.
The compliance date for Covered Entities and Business Associates for compliance with the new or modified standards and implementation specifications in the HIPAA Omnibus is September 26, 2013.
The HIPAA Omnibus Rule amended the Enforcement Rule to require the OCR to investigate any complaint when a preliminary review of the facts indicates a possible violation due to willful neglect. As a result, Covered Entities and Business Associates will be faced with the possibility of a mandatory investigation of a complaint when a preliminary review of the facts by the OCR indicates a possible violation due to willful neglect. The HIPAA Enforcement Rule defines "willful neglect" as conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated."
OCR adopted a similar modification in the HIPAA Omnibus Rule to require the OCR to conduct a compliance review to determine whether a Covered Entity or Business Associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect.
The HITECH Act established four tiers of increasing penalty amounts to correspond to the levels of culpability associated with the violation of the HIPAA Rules. The first tier or category of violation (and lowest penalty tier) covers situations where the Covered Entity or Business Associate did not know, and by exercising reasonable diligence would not have known, of a violation. The second category of violation applies to violations due to reasonable cause and not to willful neglect. The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period and willful neglect that is not corrected.
Another significant modification included in the HIPAA Omnibus Rule was the amendment to the HIPAA Enforcement Rule to make a Covered Entity liable for the acts of its Business Associates who are agents of the Covered Entity in accordance with the federal common law of agency. Prior to this modification, the HIPAA Enforcement Rule contained an exception that Covered Entities were not liable for the acts of Business Associates where the relevant business associate requirements have been satisfied, the Covered Entity did not know of a pattern or practice of the Business Associate in violation of their business associate agreement with the Covered Entity, and the Covered Entity did not fail to act as required by the HIPAA Privacy Rule or Security Rule with respect to such violations. The Omnibus Rule also provides for civil money penalty liability against a Business Associate for the acts of its workforce members and its business associates acting within the common law scope of agency.
The tiered structure for imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:
Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation.
Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
Willful Neglect – Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
Willful Neglect – Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
The corresponding tiers of CMP relating to each level of culpability are as follows:
$100 – $50,000
$1,000 – $50,000
Willful Neglect – Corrected
$10,000 – $50,000
Willful Neglect – Not Corrected
At least $50,000
Under the Omnibus Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, in determining the amount of a CMP, HHS must consider the following:
The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred;
The nature and extent of the harms resulting from the violation, including whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual's reputation and whether the violation hindered an individual's ability to obtain healthcare;
The history of prior compliance, including previous violations; and
The financial condition of the covered entity or business associate, including whether financial difficulties affected the ability to comply and whether the imposition of the CMP would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.
The Centers for Medicare & Medicaid (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.
The Office for Civil Rights, which is part of the U.S. Department of Health and Human Services that is responsible for HIPAA, will enforce the HIPAA Privacy Rule.
The California Department of Health Care Services' (DHCS) Privacy Office is within DHCS' Office of HIPAA Compliance (OHC). The OHC Privacy Office team works collaboratively with DHCS business associates, counties and other state agencies to safeguard Protected Health Information (PHI) and Personally Identifiable Information (PII). The Privacy Office investigates privacy breaches and complaints involving unauthorized access or disclosure of PHI, PII and confidential information of Medi-Cal members.
The Privacy Office also conducts:
Privacy Breach/Incident Investigations
Privacy Compliance Audits
Off-site link to the
Centers for Medicaid and Medicare Services (CMS) a Federal agency within the U.S. Department of Health and Human Services. (The CMS HIPAA glossary should not be considered a legal document.)