HIPAA Security Implementation, Version 1.0

5.4 ENFORCEMENT RULE

The Department of Health and Human Services expects that most covered entities will voluntarily comply with the HIPAA rule and correct all violations as soon as they are made aware of the violation. When compliance is not voluntary, the Office for Civil Rights and the Center for Medicaid and Medicare Services will follow the Office of Inspector General's (OIG) procedures to enforce regulatory compliance. This decision is made based on the level of experience the OIG has in regulatory compliance issues.

5.4.1 Process if Covered Entity Discovers Violation

• Covered entity discovers unintentional disclosure of protected health information within 30 days of the disclosure occurring.

• Covered entity takes immediate action to prevent further disclosure and notifies HHS of unintended disclosures.

• Covered entity makes necessary changes to administrative, physical, and/or technical safeguards to prevent future disclosures

• HHS reviews covered entities action plan and can either

  • Implement civil/criminal penalties

  • Decide the covered entity acted reasonably and appropriately and takes no further action

5.4.2 Process if Individual Discovers Violation

Scenario One

• Individual notifies HHS in writing within 180 days of the unauthorized or unintended disclosure of their protected health information by a covered entity

• Covered entity corrects the problem and notifies HHS

• Individual is satisfied.

Scenario Two

• Individual notifies HHS in writing within 180 days of the unauthorized or unintended disclosure of their protected health information by a covered entity

• HHS notifies covered entity

• Covered entity corrects the problem within 30 days and notifies HHS

• HHS accepts corrections and may or may not impose fines based on severity of the disclosure

• Individual is satisfied

Scenario Three

• Individual notifies HHS in writing within 180 days of the unauthorized or unintended disclosure of their protected health information by a covered entity

• HHS notifies covered entity and gives 60 day response time

• Covered entity disagrees with allegation and requests hearing before an administrative law judge (ALJ) to review the facts

• ALJ reviews the facts and administers penalties according to HIPAA law.

• Individual is satisfied

These high-level overviews are for illustrative purposes only and should in no way be used by a covered entity to plan a course of action. The interim Enforcement Rule sets forth the discovery process, penalty implementation and collection process, and the authority vested to the Secretary of HHS under the HIPAA rule. Covered entities are encouraged to review this rule with their legal representative to decide how best to handle complaints when they cannot be satisfied through the organization's established complaint system. The text of the interim rule can be found at http://www.hhs.gov/ocr/moneypenalties.html