Compliance with OCR standards involves following the directives outlined by the Office for Civil Rights under the Health Insurance Portability and Accountability Act (HIPAA). Any covered entity or business associate responsible for handling protected health information (PHI) in the United States must adhere to the OCR compliance protocols.

This involves establishing and enforcing policies, security rules, and procedures to protect PHI, conducting staff training, and consistently evaluating and enhancing security measures to adapt to changes in the threat landscape.

This article will uncover the role the OCR plays in HIPAA compliance for healthcare providers and how it upholds the rights of U.S. Healthcare patients.

Health and Human Services

The OCR is a division of the U.S. Department of Health and Human Services (HHS). They are responsible for investigating claims or complaints regarding potential HIPAA violations. The healthcare organization, clearinghouses, etc, are expected to self-refer in the event of a breach of compliance.

The OCR is instrumental in providing technical assistance and conducting compliance reviews to facilitate voluntary compliance, avoiding the imposition of civil money penalties wherever possible, but if required, the OCR can also proceed with enforcement actions, including imposing fines upon persistent offenders or cases of gross misconduct.

Their mandate extends to addressing complaints of disability discrimination and ensuring equal access to health care for all, irrespective of national origin, and carries the responsibility of imposing civil money penalties as a deterrent against violations while also fostering compliance and offering guidance and support to encourage adherence to civil rights laws.

The HHS oversees the OCR’s operations, providing the necessary resources and support to enforce HIPAA regulations effectively. Furthermore, the department works tirelessly to promote public health initiatives and advance biomedical research while maintaining a strong focus on protecting individual privacy and civil rights within the healthcare domain.

How OCR Enforces the HIPAA Privacy & Security Rules

The Office for Civil Rights (OCR) holds the vital responsibility of enforcing the HIPAA Privacy and Security Rules, which serve as the cornerstone for safeguarding individuals’ health information. The OCR ensures that covered entities adhere to these rules by actively investigating complaints and conducting meticulous compliance reviews of covered entities. When violations are identified, OCR has the authority to impose penalties as stipulated by the law.

In cases of noncompliance, OCR can impose significant penalties, ranging from $100 to $50,000 per violation, based on the severity and nature of the infraction. This authority acts as a deterrent, compelling covered entities receiving federal financial assistance to prioritize adherence to HIPAA regulations.

  • In 2019, Advocate Health Care agreed to pay $165 million to settle HIPAA violation charges from a 2013 data breach that affected millions of patients.
  • In 2016, UCLA Health System agreed to pay $8.5 million to settle charges related to the improper disclosure of protected health information (PHI) of nearly 4,500 patients.
  • In 2014, HIPAA.com, a company that provided HIPAA compliance services, was excluded from participating in federal healthcare programs after failing to take adequate measures to protect patient data.

Upon receiving a complaint for investigation, the OCR will notify the alleged offender. There follows a knowledge-gathering stage where the OCR will reach out for evidence and review each side’s evidence. If the evidence is not strong enough, the complaint is dropped, and no further action is taken.

If a violation has occurred, then a potential penalty is enforced. If, however, a severe breach has been uncovered with significant evidence of systemic wrongdoing is uncovered, the OCR will issue fines, impose civil money penalties, and, in extreme cases, pursue criminal provisions through the U.S. Department of Justice.

Criminal Penalties for Civil Violations

When the DOJ is involved, serious criminal violations may have potentially taken place. Anybody who “knowingly” discloses Protected Health Data could breach the Administrative Simplification Regulations, facing a $50,000 fine but 1 year in jail for each violation.

Any expected violation that is committed under false pretenses, such as intentionally deceiving someone, might be hit with a $100,000 fine and five years in prison.

If the person(s) were found guilty of selling or transferring protected health information, the fines could reach the eye-watering total of $250,000 per violation and 10 years in prison.

Federal Civil Rights Laws

Finally, if the violation is in breach of core federal civil rights laws, such as the Civil Rights Act of 1964, ADA, ADEA, and ECOA, the penalty may result in the healthcare organization being stuck off and excluded from participating in Medicare.