The HIPAA Enforcement Rule

The HIPAA Enforcement Rule is the part of HIPAA that sets out the responsibilities and requirements of Covered Entities and Business Associates, including how they are expected to cooperate in the enforcement process. The HIPAA Enforcement Rule also sets out another important principle: it lays out how the Human and Health Services (HHS) investigates noncompliance by Covered Entities and Business Associates. HHS does this through two mechanisms: investigation of the complaints it receives, and compliance reviews.

What does the HIPAA Enforcement Rule set out?

  1. The primary role of the HIPAA Enforcement Rule is to establish the procedure and rationale for determining the civil money liability that a Covered Entity or Business Associate must pay when it is proven to have caused, or failed to prevent, a breach of Protected Health Information (PHI) that contravenes the HIPAA Enforcement Rule.
  2. In addition, the HIPAA Enforcement Rule sets out the rules by which investigations, hearings and appeals are to be carried out when a Covered Entity or Business Associate challenges an accusation of a PHI violation.
  3. As part of the HIPAA Enforcement Rule, there is a provision of the Privacy and Security Rules of the HITECH Act that establishes in what proportion, and by what method, penalties collected by the HHS Office for Civil Rights (OCR) are to be set aside and distributed to the individuals whose data has been affected.

Modifications to the HIPAA Enforcement Rule

First enacted in 2003, the HIPAA Enforcement Rule has been changed from time to time. The original enactment of the HIPAA Enforcement Rule was subsequently modified in 2004, 2005, 2006 and 2009. As of early 2016, the modification carried out in late 2009 is the one that applies.

In the latest of these modifications, the one of 2009, the HITECH Act changed the structure of the civil money penalties for violating the HIPAA Rules. It introduced tiered increases in the penalties levied on Covered Entities and Business Associates found guilty of wrongdoing, with the tier determined by the entity's level of culpability. These penalties apply with retrospective effect, i.e., to violations occurring from the date of enactment.

The HIPAA Enforcement Rule of the HITECH Act also gave State Attorneys General the authority to enforce the HIPAA Rules. They can do this by bringing civil action against CEs and BAs accused of causing a data breach. For the record, Connecticut was the first State in which this section of the HIPAA Enforcement Rule was applied.

How does the OCR implement the HIPAA Enforcement Rule?

The OCR implements the Privacy and Security Rules under the HIPAA Enforcement Rule in many ways: