How HIPAA enforcement can help direct security best practices
How is HIPAA enforced? That may be a simple enough question, but it also contains more nuance than may initially be expected.
The answer is important because determining how HIPAA is enforced can depend upon how the term enforcement is viewed and interpreted.
The first step is to define enforcement. The dictionary definition of enforcement includes the following statements: To give force to; to urge with energy; constrain or compel; to effect or gain by force; and to carry out effectively. Looking at the definition comprehensively, enforcement is a means of compelling compliance with a concept or requiring another to follow a particular thing (in this case law and regulations). Enforcement by its nature is arguably imposing a non-voluntary action or requirement onto a person through some outside force.
Given the broad definition and impact of enforcement as a concept, how does that apply to HIPAA? For HIPAA, enforcement looks at how a person (defining a person to be an actual individual, an organization or any other entity) is forced into acting consistently with the dictates of the HIPAA statute and implementing regulations. As with the definition, the means of enforcement in practice can be, and are, quite varied.
The most obvious form of enforcement is through actions of the HHS Office for Civil Rights. OCR is currently designated by the federal government to oversee HIPAA. Oversight includes providing guidance and promulgating regulations to set out what is required to comply with HIPAA. When a person reports a violation or discloses a breach, when a complaint is filed, or when some other disclosure occurs, OCR can also pursue an investigation and issue fines or penalties.
Fines or penalties grab headlines. In fact, a recent settlement imposing the first fine on a healthcare organization for failing to honor an individual’s right of access generated significant amounts of discussion. From the enforcement perspective, fines and penalties are clearly a form of monetary enforcement. A fine or penalty could also be seen as a form of public shaming. The dollar amount is announced and many will speculate as to the full extent of conduct that formed the basis for the amount.
As suggested, OCR also pursues enforcement in the form of investigations and audits. An investigation typically follows any disclosure of a breach or the filing of a complaint. OCR will seek verification from the disclosing entity or subject of the complaint about the extent of compliance with HIPAA regulations and dive into deeper levels of compliance. The act of the investigation itself can spur the subject to voluntarily take steps to improve compliance.
Another frequent outcome is for OCR to provide technical assistance in resolving the matter. Technical assistance is jargon for saying that the entity received advice from OCR as to what HIPAA expects, and the entity asserts that changes will be made. If an individual filed a complaint, enforcement in the form of technical assistance can feel less than satisfying, especially if issues keep recurring.
Aside from OCR, state attorneys general can also enforce HIPAA through the imposition of monetary fines or penalties. Historically, a settlement from an attorney general was quite infrequent. The pace of settlements from attorneys general has picked up over recent years, at least comparatively. Examples can be found in Massachusetts, New Jersey and New York, as well as some states piggybacking on settlements offered by OCR.
While monetary fines and penalties draw a lot of headlines, they represent a fraction of issues occurring with HIPAA non-compliance. OCR receives well over 10,000 complaints per year, but there have never been more than 15 monetary settlements in a year. That means the most likely form of enforcement from the government is an investigation resolved through technical assistance.
A growing alternative means of enforcement is a lawsuit initiated by one or more individuals impacted by a breach. Some large breaches have resulted in class action cases being brought against the breached organization. However, a lawsuit is not actually HIPAA enforcement. The lawsuit cannot be HIPAA enforcement because there is no private right of action under HIPAA, which means an impacted individual cannot claim that their “HIPAA rights” were violated.
Instead, it is necessary to identify a state law cause of action. The state law action may be premised upon HIPAA, but the issue is really one of state law. Another challenge for a lawsuit is that the impacted individuals may not have suffered any direct damages (yet). Some lawsuits have been dismissed for failure to state any damages, but other cases have been allowed to proceed based on an increased likelihood of harm. Lawsuits should be viewed as a potentially growing means of enforcement though.
One final means of enforcement to consider for now is contractual enforcement. Specifically, the focus is on business associates and subcontractors of business associates. As should hopefully be well known, the upstream entity must execute a business associate agreement before allowing the downstream entity to use or disclose its protected health information.
The business associate agreement is one form of enforcement, but it can be followed up by the upstream entity monitoring compliance with the terms of the agreement, which in effect means HIPAA compliance. While that is a possibility and the terms of some business associate agreements will be strong on the point, actual follow-through may not be that common. Given the number of concerns though, there arguably should be more activity on this front.
The discussion about enforcement should demonstrate that it is not just a fine or penalty. Enforcement is layered and takes many forms. Ultimately, the goal is to not just demonstrate compliance with HIPAA requirements, but take actions above and beyond to truly secure the privacy and security of sensitive healthcare information.