
Update: HIPAA Privacy Compliance and Enforcement Website

Client Alerts • May 18, 2007

The Office for Civil Rights (“OCR”) is the federal agency charged with the authority to enforce the HIPAA Privacy Rule.  The primary way that OCR enforces this rule is by investigating complaints filed with it (though the OCR also has authority to conduct compliance reviews of covered entities).  OCR recently launched an expanded website dedicated to HIPAA privacy compliance and enforcement.  The website is divided into three sections (enforcement process, enforcement highlights and case examples) and can be accessed at:


The enforcement process section of the website describes how OCR enforces the Privacy Rule and what factors OCR considers when deciding whether to take action on a complaint.  Specifically, OCR determines whether (1) the alleged action took place after the compliance deadline for the Privacy Rule (April 14, 2003 for large health plans and April 14, 2004 for small health plans); (2) the complaint is against a covered entity; (3) the complaint was filed within 180 days of the date the person making the allegation knew or should have known about the violation; and (4) the action, if true, would violate the Privacy Rule.  If a complaint contains allegations that a HIPAA Security Rule requirement has been violated, OCR coordinates its investigation with the Centers for Medicare & Medicaid Services (“CMS”), which is the agency responsible for the enforcement of the Security Rule.  If OCR accepts the privacy complaint, it will ask for additional information about the allegation, and covered entities are required by law to cooperate.  Next, OCR reviews the collected information and determines whether the covered entity violated the Privacy Rule requirements.  If a Privacy Rule violation is found, OCR will attempt to resolve the matter by obtaining voluntary compliance, corrective action and/or resolution agreements.


The enforcement highlights section of the website sets forth statistics on OCR’s enforcement activity to date.  OCR has received over 26,408 privacy complaints, of which 20,477 have been closed: 4,447 required corrective action or other enforcement by OCR, 2,155 were investigated but no violation was found, and 13,875 complaints were not eligible for enforcement (for example, because the complaint was not filed in a timely manner).  OCR has referred 384 cases to the Department of Justice for criminal investigation, as allowed under the Privacy Rule.  The case examples section of the website provides examples of the types of complaints that OCR has investigated and how those violations were resolved.


Group health plans and other covered entities are encouraged to continue focusing on HIPAA Privacy and Security Rule compliance, and this website provides useful information for learning more about the Privacy Rule enforcement process.