HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. In this post, we’ll take a closer look at the HIPAA Enforcement Rule (2006).
Understanding HIPAA is essential for covered entities and their business associates, especially as they balance compliance with patient care and the security of protected health information (PHI). Since the act's passage, the U.S. Department of Health and Human Services (HHS) has issued a series of rules and amendments that add protections for patients and obligations for the organizations that handle their data.
So what does the Enforcement Rule add to HIPAA, and why is such a rule necessary? And how can Paubox Email Suite and HIPAA compliant email help a healthcare provider avoid an investigation and a fine?
HIPAA compliant email and the HIPAA enforcement rule
Congress enacted HIPAA to improve healthcare standards and combat fraud and abuse; HHS writes the regulations that implement it, and the HHS Office for Civil Rights (OCR) enforces the privacy and security provisions. The act consists of five sections (or titles). Title II is the most referenced because its Administrative Simplification provisions set the policies and procedures for safeguarding PHI, whether on paper or in electronic (ePHI) form. Several later rules fall under Title II:
- Privacy Rule (2003): covers the protection of PHI as well as compliance standards
- Security Rule (2005): sets required security standards to protect ePHI
- HITECH Act (2009): a separate statute that promotes the adoption and meaningful use of health information technology and strengthens HIPAA enforcement
- Breach Notification Rule (2009): sets the procedures for reporting breaches
- Final Omnibus Rule (2013): incorporates HITECH further by improving privacy protections
And of course, the Enforcement Rule, which sets out how OCR investigates complaints, determines violations, and penalizes noncompliant organizations.
Generally, covered entities must make a concerted effort to prevent data breaches and protect patients' PHI. If they do not, they may face an OCR investigation and a finding of HIPAA violation. When covered entities send email containing PHI, they must make sure it is HIPAA compliant email: secured and encrypted so the PHI cannot be read in transit.
The Enforcement Rule
As the name suggests, the Enforcement Rule establishes how OCR investigates complaints, determines liability for HIPAA violations, and imposes civil money penalties. It confirmed HHS's intent to fine organizations for avoidable PHI breaches.
Before the rule took effect, OCR had not brought a single enforcement action; it preferred to encourage and help covered entities comply. That posture began to change with the April 2003 interim final rule, which set out basic procedures for investigating complaints and imposing civil money penalties.
A 2005 proposed rule added the substantive basis for penalties. At that time the statute capped penalties at $100 per violation and $25,000 per calendar year for violations of an identical provision. The final Enforcement Rule of 2006 added further procedural and substantive requirements and provided a general framework for compliance, investigation, penalties, and hearings. It did not create a private right of action: HIPAA still does not let individuals sue a covered entity for a violation, so a patient's recourse is a complaint to OCR (and, since HITECH, to a state attorney general).
The 2006 rule also established an affirmative defense: a violation not due to willful neglect that the covered entity corrects within 30 days of learning of it (or within a longer period OCR allows) is not penalized. OCR has no power to bring criminal charges; it refers possible criminal violations to the U.S. Department of Justice. By 2008, more than 33,000 complaints had been filed and about 8,000 investigated. About 5,600 of these led to corrective action plans (CAPs), but no fines had been imposed.
The HITECH Act of 2009 made significant changes to HIPAA enforcement. It added the Breach Notification Rule and new compliance requirements for covered entities.
It also required HHS to conduct periodic Privacy and Security Rule audits, authorized state attorneys general to bring HIPAA actions, and replaced the flat penalty with a four-tier structure based on culpability, with an annual cap of $1.5 million per identical provision. Enforcement activity increased sharply afterward. In 2009, CVS Caremark agreed to pay $2.25 million in a resolution agreement with HHS after improperly disposing of PHI. Then in 2011, OCR imposed its first civil money penalty, $4.35 million against Cignet Health, for denying patients access to their records and then failing to cooperate with the investigation.
Finally, the 2013 Omnibus Rule finalized the HITECH penalty tiers and made business associates directly liable under the Privacy and Security Rules.
The current Enforcement Rule
Since the Privacy Rule's compliance date, OCR has received more than 301,376 complaints and initiated more than 1,134 compliance reviews, resolving over 97% of these cases. From 2014 onward, OCR has opened more investigations, provided more technical assistance, reached more settlements, issued more CAPs, and imposed more fines. Investigations now cover a broader range of violations, including denial of a patient's right of access to their own PHI.
HIPAA investigations can begin with a complaint, whether from a patient or from another healthcare provider, with a breach report submitted to OCR, or with a compliance review that HHS opens on its own initiative.
Currently, fines are broken into four tiers:

| Penalty tier | Level of culpability | Minimum penalty per violation | Maximum penalty per violation | Annual penalty limit |
|---|---|---|---|---|
| Tier 1 | Lack of knowledge | $120 | $30,113 | $30,113 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,205 | $60,226 | $120,452 |
| Tier 3 | Willful neglect (corrected within 30 days) | $12,045 | $60,226 | $301,130 |
| Tier 4 | Willful neglect (not corrected within 30 days) | $60,226 | $1,806,757 | $1,806,757 |

Two caveats when reading the table. HHS adjusts these dollar amounts for inflation every year, so the figures shown are those in effect when this post was written. And the annual limit applies per identical provision violated in a calendar year; the reduced caps for Tiers 1 through 3 come from HHS's April 2019 Notice of Enforcement Discretion rather than from the statute, which sets the same $1.5 million (inflation-adjusted) cap for every tier.
The process begins with an OCR investigation and may end with technical assistance, a corrective action plan, a resolution agreement, or a civil money penalty. If OCR suspects criminal activity, it refers the case to the U.S. Department of Justice.
Why is this important for you to understand?
HHS created the Enforcement Rule to tell covered entities and business associates what happens after noncompliance. It spells out what will happen after an organization violates HIPAA and what to avoid, holding organizations accountable for patients' PHI and their right of access.
Second, the Enforcement Rule and OCR's published investigations show organizations what to expect after suffering a breach, including how to cooperate with OCR during an investigation. Finally, the financial penalties and sanctions act as a deterrent that discourages healthcare providers from violating HIPAA.
It encourages organizations to utilize proper safeguards and adopt new technologies, including:
- EHRs (electronic health records)
- End-to-end encryption
- Strong access controls
- Mobile security
- Patched and updated systems
And of course, robust email security, since email remains one of the most common initial vectors for phishing and data exposure.
Reduce the risk of an investigation with strong email security and HIPAA compliant email
Under the right of access, a healthcare provider must give a patient a copy of their PHI in the form and format requested if it is readily producible that way, and that can mean email. OCR's guidance even allows a provider to honor a request for unencrypted email once it has warned the patient of the risk and the patient still wants it sent that way. For every other email that carries PHI, a strong email security strategy is necessary.
Healthcare organizations should ensure that every email containing PHI is encrypted. They can do this with strong inbound and outbound email security and a HIPAA compliant email service such as Paubox Email Suite. Our HITRUST CSF certified solution encrypts all outgoing email and delivers it directly to the recipient's inbox.
Moreover, our Zero Trust Email feature (available to Plus and Premium customers) verifies that inbound messages are genuine before delivering them, protecting healthcare organizations from malware, phishing, and spoofing and reducing the risk of account compromise.
Paubox Email Suite helps healthcare organizations comply with HIPAA and its amendments, including the Enforcement Rule. By following the rules and understanding what happens after a breach, healthcare organizations can better protect their patients and, more importantly, continue to provide strong patient care.