To answer the question of who enforces HIPAA privacy provisions in non-criminal cases, it helps to understand what HIPAA is, what it does, what the privacy provisions are, who they apply to, who enforces them, and the difference between criminal and non-criminal cases.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 with the primary objective of increasing the portability and continuity of health insurance between jobs. At the time, a “job lock” situation existed in which workers would stay in the jobs they had to avoid losing health benefits. This led to stagnation in the job market which was negatively affecting the economy.
To resolve this issue, Congress introduced a number of amendments (via HIPAA) to the Employee Retirement Income Security Act (ERISA) and the Social Security Act. These amendments guaranteed the availability and renewability of health insurance coverage, but there were costs attached – costs which Congress feared might be passed on to individuals and employers as increased premiums.
So that health plans could comply with HIPAA without increasing premiums, Congress introduced measures to reduce health plans' costs. These included a fraud control program and the standardization of transactions between healthcare providers and health plans to streamline eligibility, authorization, claims, and payment processes and make them more efficient.
How the HIPAA Privacy Provisions Evolved
The task of standardizing transactions between healthcare providers and health plans was assigned to the Secretary for Health and Human Services in Title II of HIPAA. Under Subtitle F of Title II, the Secretary was also instructed to develop standards for the electronic transmission of health information and to make recommendations for the privacy of health information.
These instructions ultimately led to the publication of the HIPAA Security and Privacy Rules – the Privacy Rule specifically including the provisions for the privacy of individuals' medical records and other individually identifiable health information. The privacy provisions stipulate the circumstances in which “Protected Health Information” (PHI) can be used or disclosed without an authorization from the subject of the information or their personal representative.
The circumstances in which PHI can be used or disclosed without an authorization fall into two categories – “required” and “permitted”. Required disclosures occur when access to PHI is requested by the subject of the information, their personal representative, or a representative from the Department of Health and Human Services' Office for Civil Rights. Permitted uses and disclosures include, but are not limited to:
Treatment, payment, and health care operations
Health care operations include quality assessments, competence evaluations, fraud detection programs, business planning, and internal grievance resolution.
Uses and disclosures required by law or for public health activities
These disclosures include reporting certain types of diseases, child abuse or neglect (mandatory in some states), and safety concerns related to FDA-regulated products.
To employers to fulfil reporting requirements
PHI can be disclosed to employers to comply with state and federal reporting requirements if an individual is hospitalized with a work-related injury or illness.
Responses to court orders and subpoenas
PHI can be disclosed for judicial or administrative proceedings if it is not possible to obtain the PHI from the subject of the information.
Identification and location purposes
A limited amount of information (as stipulated in §164.512(f)(2)) can be disclosed to law enforcement officers in order to identify or locate an individual.
To coroners and medical examiners
PHI can be disclosed to coroners and medical examiners to help establish the identity of an individual or the cause of death, or for other purposes required by law.
The privacy provisions apply to most health plans, health care clearinghouses, and healthcare providers (categorized as “Covered Entities”) and to third-party “Business Associates” who provide a service for or on behalf of a Covered Entity that involves a permissible use or disclosure of PHI. It is important to note that not all health plans and healthcare providers are Covered Entities. In these circumstances, although the HIPAA Privacy Rule does not apply, it may be necessary to comply with other state and federal privacy regulations.
Who Enforces HIPAA Privacy Provisions?
Within each Covered Entity and Business Associate, the privacy provisions should be enforced by a HIPAA Privacy Officer and/or a HIPAA Security Officer, depending on the nature of the organization's activities and where (or how) PHI is created, collected, used, maintained, or transmitted.
HIPAA Privacy and/or Security Officers are responsible for developing HIPAA-compliant policies and procedures, training members of the workforce on those policies and procedures, ensuring compliance with them, and applying sanctions when they are violated.
With regard to who enforces HIPAA privacy provisions in non-criminal cases: if a Covered Entity or Business Associate fails in the requirement to maintain the privacy of individuals' medical records and other individually identifiable health information, individuals can make a complaint to the Department of Health and Human Services' Office for Civil Rights or to their state's Attorney General.
Both HHS' Office for Civil Rights and State Attorneys General have the authority to take enforcement action against a non-compliant Covered Entity or Business Associate – the most common enforcement action being a Corrective Action Plan to resolve the cause of the privacy violation and prevent it from happening again. Only in rare cases does either agency issue fines for HIPAA violations.
Criminal vs Non-Criminal HIPAA Cases
There is a fine distinction in law between what constitutes a criminal violation and what constitutes a non-criminal (civil) violation. Criminal violations are defined as those which are an offense against the public, society, or state – even if the immediate victim is an individual – while civil violations are those which constitute an injury to an individual or other private party (i.e., a business).
Who enforces HIPAA privacy provisions in non-criminal cases has been explained above. Criminal violations of HIPAA only occur when there has been a violation of 42 U.S.C. 1320d-6 – the Wrongful Disclosure of Individually Identifiable Health Information.
In most criminal cases, complaints are made to HHS' Office for Civil Rights or State Attorneys General and are then referred to the Department of Justice by an enforcement agency – either HHS' Office for Civil Rights, a state Attorney General, or a local law enforcement agency that has been notified of a criminal violation by a Covered Entity or Business Associate.
For a prosecution for a criminal violation of HIPAA to be successful, it has to be shown that an individual or business knowingly and impermissibly obtained or disclosed PHI for commercial advantage, personal gain, or malicious harm – even if the final criminal act was committed by a third party.
However, prosecutions for a criminal violation of HIPAA are relatively rare, and Covered Entities and Business Associates should be more alert to civil violations of HIPAA and conscious of who enforces HIPAA privacy provisions in non-criminal cases.