OCR and HIPAA Compliance

William R. Pupkis, CMPE, Healthcare Consultant

In response to advances in electronic technology that could potentially compromise the privacy of health information, Congress incorporated Federal privacy protections into the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule set national standards to protect individually identifiable health information, while the Security Rule established national standards to protect electronic health information. Compliance with the Privacy and Security Rules is enforced by the Office for Civil Rights (OCR).

The OCR fosters compliance through education and outreach efforts. A variety of training materials, such as videos, FAQs, and printable guidelines, can be found on the OCR’s Medscape Destination page. Investigating complaints and conducting compliance reviews of covered entities also fall under the jurisdiction of the OCR.

A flow chart of the complaint process can be viewed on the U.S. Department of Health and Human Services’ website. First, the OCR determines whether or not a complaint is legitimate. Basically, the complaint must be filed within 180 days of the complainant learning of the alleged violation, and the violation must have occurred after the Rules took effect – April 14, 2003 for the Privacy Rule and April 20, 2005 for the Security Rule. Also, the complaint must be filed against an entity legally required to comply with the Rules, referred to as a “covered entity,” and the alleged action must have violated the Rules.

If the OCR determines that a complaint is valid, the person who filed the complaint and the involved entity are notified and asked to supply information about the incident or problem. The OCR may refer a violation of the criminal provision of HIPAA to the Department of Justice for investigation.

Most violations are resolved with the OCR through voluntary compliance, corrective action, and/or a resolution agreement. If the covered entity does not comply or does not comply in a satisfactory manner, the OCR may impose civil money penalties. The covered entity has a right to request a hearing with a U.S. Department of Health and Human Services administrative law judge, but if the decision to impose penalties stands, the fine collected is deposited in the U.S. Treasury. To date, 20 of 21 cases have resulted in the covered entity agreeing to a settlement (see previous article, HIPAA Risk Analysis). The remaining case resulted in a civil money penalty of $1 million. For a list of case examples and resolution agreements, visit www.hhs.gov/ocr/privacy/hipaa/enforcement/examples.

The Security Rule requires covered entities to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations” (45 C.F.R. § 164.308(a)(1)). With the large number of reported breaches and stricter enforcement actions, your practice must be proactive rather than reactive. When a breach occurs, the OCR tends to base penalties on the underlying actions (or lack thereof) that created the conditions for the breach rather than on the breach itself.

As more health systems go paperless, or electronic, covered entities must be vigilant in guarding against security breaches both at the office and offsite on mobile devices. The Security Rule requires covered entities to perform ongoing risk analyses to identify when updates are needed (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)). HIPAA Security Guidance [PDF] provides risk scenarios and possible management strategies for safeguarding the remote use of and access to electronic protected health information. More guidance, such as videos, articles, and the new HIPAA Security Rule Toolkit, can be found on the National Institute of Standards and Technology’s website at www.nist.gov/healthcare.

Terms and Conditions

Statements and opinions expressed in the Newsletter, Preferred Talk, are those of the author(s) and do not necessarily reflect those of DT Preferred Group, LLC. DT Preferred Group, LLC makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. In publishing this Newsletter, neither the authors nor DT Preferred Group, LLC are engaged in rendering medical or other professional service. If medical advice or other expert assistance is required, the services of a competent professional should be sought. DT Preferred Group, LLC will not be liable for any losses, injuries, or damages from the display or use of this information. This policy is subject to change at any time.


This entry was posted on Wednesday, May 28th, 2014 at 12:51 pm and is filed under Practice Management.