Paubox blog: HIPAA compliant email made easy

What is the OCR and what does it do?

Written by Rick Kuwahara | January 07, 2023

What is the Office for Civil Rights?

The Office for Civil Rights (OCR) is a department within the United States Department of Health and Human Services (HHS). It enforces federal civil rights laws that prohibit discrimination based on race, color, national origin, disability, age and sex in programs and activities that receive federal financial help from HHS.

This includes enforcing the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protecting certain health information. The OCR also provides technical guidance to help covered entities comply with these laws and regulations.

How does the OCR enforce HIPAA?

The OCR enforces HIPAA by investigating complaints and conducting compliance reviews to ensure that covered entities, such as healthcare providers and insurance companies, comply with HIPAA regulations. If the OCR finds that a covered entity has violated HIPAA, it can take a number of enforcement actions, including:

  • Issuing a warning letter to the covered entity
  • Imposing a monetary fine on the covered entity
  • Requiring the covered entity to implement a corrective action plan to address the violation
  • Terminating the covered entity's ability to receive federal funding
  • Referring the case to the Department of Justice for criminal prosecution

The specific enforcement action that the OCR takes will depend on the severity of the violation and the covered entity's history of compliance with HIPAA.

What are the different fines for violating HIPAA?

There are two categories of HIPAA violations: civil and criminal.

Civil HIPAA violations can result in fines ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per year for multiple violations of the same requirement.

Criminal HIPAA violations can result in much more severe fines and prison sentences. For example, obtaining or disclosing individually identifiable health information with the intent to sell, transfer or use it for personal gain is a criminal HIPAA violation. It can result in a fine of up to $50,000 and up to one year in prison.

Other criminal HIPAA violations, such as obtaining or disclosing individually identifiable health information under false pretenses, can result in fines of up to $100,000 and up to five years in prison.

It's important to note that these are maximum fines and prison sentences and that the actual penalties imposed by the courts may be lower. The specific penalty will depend on the circumstances of the case.

How do you report a HIPAA breach to the OCR?

If you suspect a HIPAA breach, you can report it to the OCR by:

  • Filing a complaint online: You can file a complaint through the OCR's website. You will need to provide your name and contact information, as well as the name of the covered entity that you believe has violated HIPAA.
  • Contacting the OCR by phone: You can call the OCR's toll-free hotline at 1-800-368-1019 to report a HIPAA breach.
  • Sending a written complaint: You can also send a written complaint to the OCR by mail or fax. The mailing address and fax number can be found on the OCR's website.

It's important to note that the OCR only has jurisdiction to investigate HIPAA violations by covered entities, such as healthcare providers, health plans and healthcare clearinghouses. If you want to report a HIPAA violation by a business associate of a covered entity, it's best to contact the covered entity directly.