Posted by: Pabrai
What is the HIPAA Enforcement Rule?

The HIPAA Enforcement Rule establishes rules governing the compliance responsibilities of covered entities with respect to cooperation in the enforcement process. It also provides rules governing the investigation by HHS of compliance by covered entities, both through the investigation of complaints and the conduct of compliance reviews.
The Enforcement Rule establishes rules governing the process and grounds for establishing the amount of a civil money penalty where HHS has determined a covered entity has violated a requirement of a HIPAA Rule. The Enforcement Rule establishes rules governing the procedures for hearings and appeals where the covered entity challenges a violation determination.
For purposes of enforcement, the HITECH Act provides for the transfer to the HHS Office for Civil Rights (OCR) of any civil money penalty or monetary settlement collected under the HIPAA Privacy and Security Rules. It also requires HHS to establish by regulation a methodology for distributing to harmed individuals a percentage of the civil money penalties and monetary settlements collected under the Privacy and Security Rules.
Effective as of February 18, 2009, the HITECH Act also modified the civil money penalty structure for violations of the HIPAA Rules by implementing a tiered increase in the amount of penalties based on culpability. The tiered and increased civil money penalty provisions of the HITECH Act were effective for violations occurring after the date of enactment.
Further, the HITECH Act granted State Attorneys General the authority to enforce the HIPAA Rules by bringing civil actions (Connecticut being the first example of such HIPAA enforcement).