OCR Takes First Steps at HIPAA Enforcement

On April 16, 2003, the United States Department of Health and Human Services Office of Civil Rights (OCR) released an Interim Final Rule for imposing Civil Monetary Penalties under the Health Insurance Portability and Accountability Act (HIPAA). The Interim Rule is intended to be the first installment of the so-called “Enforcement Rule” that will govern how civil monetary penalties (CMP) are imposed for violations of HIPAA. This is not a final rule and will likely change somewhat as OCR begins to enforce HIPAA.

Under HIPAA, the government may impose on any person who violates the Privacy Rule a penalty of not more than $100 for each separate violation, up to a total amount of $25,000 during a calendar year. There are also criminal penalties for serious violations of the law, as well as procedures to initiate exclusion of a person or entity from participation in federal health care programs, such as Medicare and Medicaid.

Overall, this Rule represents a first step in OCR’s mandate to enforce the Privacy Rule. The procedures described in the Rule do not deviate very much from other, already established, procedures used by HHS to adjudicate other matters. Although these procedural guidelines are very helpful, this Rule is as notable for what it doesn’t say. For instance, the Rule does not identify what constitutes a violation requiring a CMP. It also does not state what factors OCR will consider when determining the amount of a CMP. HHS intends to clarify these issues with later rulemakings.

Further, HHS reiterated its position that enforcement of the Privacy Rule will “be complaint driven and that the Department will continue to seek and promote voluntary compliance through progressive steps that provide opportunities to demonstrate compliance.” Also, OCR plans to continue to issue additional guidance and assistance as problem areas become apparent.

The purpose of the Enforcement Rule is to establish the procedures by which OCR will investigate violations, impose civil monetary penalties, and conduct hearings for covered entities (the respondent) that violate the HIPAA Privacy Rule. The new Rule allows the OCR to issue subpoenas to conduct investigations, impose penalties, determine the amounts of penalties, and enter settlement agreements with entities that violate HIPAA.

Keep in mind that the enforcement process will be primarily complaint driven. The key sources of those complaints will likely be:

  • Patients
  • Current and former employees, volunteers or members
  • Other ambulance service providers

The risk of a complaint is much higher if you are not compliant with the Privacy Rule and others know of the lack of compliance. The key is to achieve compliance as soon as possible.

Additional HIPAA Web Sites of Importance

To review the Interim Final Rule on Enforcement:

Merginet Articles by PWW Attorneys on HIPAA Compliance:
January 2003 Article on OCR Guidance and Ambulance Services
March 2003 Article on OCR Guidance and Ambulance Services

CMS HIPAA Administrative Simplification Home Page:

CMS HIPAA Privacy Rule FAQs:

OCR HIPAA Privacy Rule FAQs:

OCR Standards for Privacy of Individually Identifiable Health Information:

OCR Guidance on Privacy Rule:

(c) Copyright, 2003, Page, Wolfberg & Wirth, LLC