Benefit News

HHS makes HIPAA enforcement uniform

In a final rule that takes effect March 16, the U.S. Department of Health and Human Services (HHS) will start applying a uniform regulation to enforce all Health Insurance Portability and Accountability Act (HIPAA) rules, not just the privacy rule.

The new enforcement regulation, including its fine-tuned definition of “violation” and reliance on a complaint-based framework, will apply to a wide range of HIPAA standards, including the:

Privacy rule. The privacy rule requires that health plans and clearinghouses, such as services that process health information, obtain special written authorization from patients before using “protected health information” for anything besides treatment, payment or health care operations.

Security rule. The HIPAA security rule requires health plans to limit disclosure of protected health information to plan-sponsoring employers unless certain conditions are met.

Transaction rule. This rule defines a series of standards and guidelines for achieving a uniform approach for the processing of electronic health transactions.

Employer identification number (EIN) rule. Under this rule, covered health care providers, health plans and health care clearinghouses are bound to use a standard number—the employer identification number as assigned by the Internal Revenue Service—in electronic health transactions.

National provider identifier (NPI) rule. HIPAA-covered entities must use NPIs to identify health care providers in standard transactions such as claims.

A uniform enforcement and compliance policy is needed for all of these rules to minimize the potential for confusion and ensure consistent enforcement, the HHS noted in the preamble to its final rule.

Broad definition of ‘violation’

“Violation” will be defined expansively under the enforcement rule.

A covered entity may be liable for a violation by an independent contractor if it exercises direct control over the person in the performance of work for the covered entity, the HHS clarified. An organization covered by HIPAA also may be held liable for violations by volunteers and trainees who act as agents for entities covered by the law.

“A covered entity is required to train these categories of workforce members as necessary and appropriate for these volunteers and trainees to carry out their functions,” the HHS noted. For example, a volunteer who files lab results in patient medical records will require more extensive training than a volunteer in a hospital gift shop, it hypothesized.

A violation encompasses retaliation against persons who complain to HHS or otherwise assist or cooperate in the enforcement processes created by the final enforcement rule. “The intent of this addition to subpart C was to make these nonretaliation provisions applicable to all of the HIPAA rules, not just the privacy rule,” the HHS stated.

Complaint-based framework

The HHS will rely primarily on a complaint-based system to identify and correct noncompliance.

The HHS retains the authority to conduct HIPAA compliance reviews as appropriate.

The first written communication with a covered entity about a complaint will note the basis for an investigation.

For further information about the final rule, contact the HHS, which can be reached at (202) 690-1840.

Source: HR News.