The U.S. Health and Human Services' (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, and the HIPAA Act. To protect individuals and their rights, OCR educates and investigates any possible discrimination or violations.
The OCR upholds HIPAA's rules to protect patients' confidentiality and access to personal information. Healthcare organizations and their business associates are subject to HIPAA, so understanding the role the OCR plays is vital.
A HIPAA summary
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is U.S. legislation that protects the rights and privacy of patients. The act sets out the rules and regulations surrounding access to and disclosure of protected health information (PHI). HHS created HIPAA to improve healthcare standards and combat PHI fraud and abuse.
The legislation consists of five sections (or titles). Most referenced is Title II, which sets the policies and procedures for safeguarding PHI and includes several rules:
- Privacy Rule (2003) – provides guidelines on PHI use and disclosure
- Security Rule (2005) – sets necessary safeguards to protect electronic PHI (ePHI)
- Enforcement Rule (2006) – sets the standards of enforcing HIPAA and penalizing non-compliant healthcare providers
- HITECH Act (2009) – promotes the adoption and meaningful use of technology in healthcare
- Breach Notification Rule (2009) – requires healthcare providers to report data breaches
- Final Omnibus Rule (2013) – incorporates HITECH further by improving privacy protections
Related: A guide to HIPAA's rules
How does the OCR fit in?
Besides enforcing federal civil rights and conscience and religious freedom laws, OCR is most known for its enforcement of HIPAA. The OCR's primary responsibilities include investigating complaints, conducting compliance reviews, and enforcing penalties to ensure adherence to HIPAA. Under HIPAA and its addendums, covered entities must keep PHI secure.
Under the HIPAA Security Rule, healthcare organizations dealing with PHI must utilize strong administrative, physical, and technical safeguards. A HIPAA violation occurs when a practitioner does not maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI.
The Enforcement Final Rule gave OCR the power to issue penalties to non-compliant organizations. If OCR finds a practitioner uncompliant and/or unable to verify due diligence, it could financially penalize an organization. And if a violation includes criminal charges, OCR could add jail time. HIPAA violations are costly, with notification and cleanup costs sometimes equaling fines.
Wall of Shame
The Breach Notification Rule and the HITECH Act played a role in OCR's creation of its Breach Notification Portal. It is also commonly known as the Wall of Shame. The portal first appeared in October 2009, and the agency overhauled it in 2017 for greater access and transparency.
The Breach Notification Rule requires organizations to report intentional and unintentional breaches to applicable authorities, affected individuals, and OCR. A breach that affects fewer than 500 patients means logging the incident with OCR within 60 days of the year's end. A breach affecting more than 500 patients means that OCR must be notified immediately.
Under the HITECH Act, the Secretary for HHS must post a list of the breaches that affect 500 or more individuals. The OCR portal includes all reported breaches from the last 24 months. Those earlier are archived but still accessible through the same portal.
The list took five years (2009-2014) to reach 1,000 reported organizations. Since then, the numbers have risen considerably. The portal already lists 263 organizations from the first five months of 2023. Those affected in just May 2023 include 18,824,372 individuals.
HIPAA Right of Access Initiative
The Privacy Rule establishes an individual's right to access their PHI. The provisions empower individuals by giving them greater control over their health information. OCR created the HIPAA Right of Access Initiative in 2019 to provide better support for such requests.
According to HHS' Right of Access guidance, "Putting individuals' in the driver's seat' with respects to their health . . . is a key component of health reform and the movement to a more patient centered health care system."
Patients can make a claim to OCR if a healthcare provider fails to timely provide access. OCR may then offer the non-compliant organization "technical assistance" to facilitate access. If nothing changes, OCR will more than likely find the healthcare provider in violation of HIPAA.
As of January 2023, OCR has settled 43 cases with healthcare providers for failure to provide access for various reasons.
The current direction of OCR
Melanie Fontes Rainer became director of OCR in August 2022. Under her direction, OCR has focused on federal civil rights, privacy laws, and individual rights. Generally, it looks as if OCR will continue to find ways to educate about and protect patient privacy. Within the past year, the agency has increased its partnerships with other agencies to help disseminate information.
And in February 2023, HHS announced three new divisions within OCR to better address enforcement, policy, and planning concerns. The reorganization should improve OCR's ability to respond to complaints and uphold them.
Finally, an update to HIPAA rules is expected sometime in 2023 after much discussion on necessary changes. While we wait to see how privacy laws are strengthened, OCR will continue to settle with and help organizations be in compliance. Moreover, they will continue to advocate for patients' rights.