The Office for Civil Rights under the jurisdiction of the US Department of Health and Human Services (HHS) is the agency responsible for enforcing the HIPAA Privacy Rule. Readers will remember that the HIPAA Privacy Rule came into effect in April of 2003 for most entities, and April 2004 for certain smaller businesses that were granted an extension. In January of 2013 it was further updated. The rule protects confidential patient healthcare information (Protected Health Information – PHI) when it is in possession by healthcare providers or other third-party entities who are privy to this information, such as medical billing and coding professionals or insurance providers.
Key features that healthcare providers and other third-party entities – such as billing and coding professionals – must abide by according to the Privacy Rule are:
- PHI about individual patients must be disclosed to them within 30 days of a request
- PHI may be disclosed without the patient’s direct written consent…
- To law enforcement agencies to aid in an active criminal investigation
- To be used in treatment, billing, or additional healthcare operations
- Healthcare providers must take steps to ensure confidentiality when discussing PHI with patients
- Patients may request inaccurate PHI to be corrected
- Patients who believe their Privacy Rule rights are being violated may file a report with the HHS Office for Civil Rights
The HHS Office for Civil Rights ensures healthcare providers abide by these rules. It also investigates any claims by patients that their civil rights have been violated by a healthcare providers which receives federal funding. Each year it investigates around 10,000 complaints regarding HIPAA Privacy Rule and civil rights violations.
The Office for Civil Rights will often make one of the following conclusions as the result of an investigations:
- No violations occurred
- Violations occurred and guidance is provided to the offending agency
- Violations occurred and a fine or other regulatory action is taken
Up to this point, fines have usually been reserved for agencies which have made gross and negligent violations of the Privacy Rule, or which have been uncooperative with the Office for Civil Rights.
The current annual operating budget of the HHS Office for Civil Rights is approximately $38.8 million. While this may seem like a lot for the federal government to spare in tight budget times, the office is increasingly recouping much of its operating costs from fines resulting from Privacy Rule violations. Some of the more recent high-profile cases include:
- $4.3 million fine on Cignet Health in Temple Hills, Maryland for HIPAA violations relating to 41 patient reports that they were denied access to their own health care information
- $4.8 million fine on Columbia University Medical Center and New York Presbyterian Hospital for HIPAA violations stemming from a digital safeguarding error which exposed the private health care information about 6,800 patients
- $1.975 million against QCA Health Plan and Concentra Health Services for HIPAA violations stemming from two unencrypted laptops containing confidential medical information which were stolen
- $1 million against Rite Aid for HIPAA violations that occurred when store employees discarded patient prescription pill bottles in publicly-accessible trash bins
The Office for Civil Rights maintains ten regional operations facilities across the nation, located in:
- New York
- Kansas City
- San Francisco