The question of which entity enforces HIPAA has several answers, depending on which Title of HIPAA is being referred to. This is because the Health Insurance Portability and Accountability Act amended several existing Titles of the U.S. Code, some of which are enforced by more than one agency, or by more than one department within the same agency.
In the preamble to the Health Insurance Portability and Accountability Act, the objectives of the Act are listed as “to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage […], to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes”.
To achieve these objectives, the Act amended not only the Internal Revenue Code but also the Labor Code and the Public Health and Welfare Code, while subsequent amendments (introduced via the HITECH Act) extended into the Commerce and Trade Code. The result is that several agencies are responsible for enforcing HIPAA and, in some cases, different departments within the same agency are responsible for enforcing different areas of HIPAA.
Examples of Which Entity Enforces HIPAA
Because most of the text of HIPAA is concerned with improving the portability and continuity of health insurance coverage (Title I), most of its amendments are to the Employee Retirement Income Security Act (ERISA) and the Public Health Service Act, with parallel group health plan requirements added to the Internal Revenue Code. In the context of which entity enforces HIPAA, ERISA itself is enforced by three bodies: the Labor Department's Employee Benefits Security Administration, the Pension Benefit Guaranty Corporation, and the Internal Revenue Service.
Title II of HIPAA, relating to preventing fraud and abuse and to administrative simplification, amended areas of the Social Security Act. Responsibility for enforcing the fraud and abuse provisions was assigned to the Attorney General and the Inspector General of the Department of Health and Human Services, while responsibility for developing the Administrative Simplification Regulations was assigned to the Secretary of Health and Human Services.
When the Administrative Simplification Regulations were published, responsibility for enforcing the Administrative Requirements (45 CFR Part 162, covering transactions, code sets and identifiers) was assigned to the Centers for Medicare & Medicaid Services, while responsibility for enforcing the Privacy and Security Rules was assigned to the Office for Civil Rights. When the Breach Notification Rule was added, enforcement was divided between the Office for Civil Rights (for HIPAA covered entities and business associates) and the Federal Trade Commission (for vendors of personal health records and related entities not covered by HIPAA).
Other Enforcers of HIPAA
The later Titles of HIPAA are mostly administered and enforced by the Internal Revenue Service, with contributions from the Social Security Administration. However, one agency that enforces HIPAA, the Department of Justice, is barely mentioned in the text of HIPAA, even though the Act made several changes to the Crimes and Criminal Procedure Code to provide for the prosecution of criminal violations. There are many different ways in which HIPAA violations can be criminal, including:
- Disposing of assets in order to obtain Medicaid benefits is a criminal violation of HIPAA if the assets are disposed of for less than fair market value.
- Knowingly attempting to defraud a health care benefit program is a criminal violation of HIPAA, even if the attempt is unsuccessful.
- The intentional misuse of any assets, including property, belonging to a health care benefit program is a criminal violation of HIPAA.
- Obstructing an investigation into a criminal violation of HIPAA is itself a criminal violation of HIPAA, even when the obstruction is carried out by somebody other than the perpetrator.
- The wrongful acquisition or disclosure of individually identifiable health information is a criminal violation of HIPAA, even if it was done on behalf of somebody else.
The threat of HIPAA enforcement action by the Department of Justice does not appear to deter everyone. Dozens of individuals have received custodial sentences for wrongfully acquiring or disclosing individually identifiable health information, and dozens of businesses have paid millions of dollars to resolve criminal charges relating to health care fraud. Consequently, businesses should know not only which entity enforces HIPAA but also how to adopt best practices that keep them compliant with HIPAA and out of reach of enforcement action.