April 1, 2003

Paul J. Breaux completed Pharmacy School in 1965. After practicing pharmacy for several years, he entered L.S.U. Law School, graduating in 1972, and he has practiced law since then. His practice is located in Lafayette, Louisiana.
The responsibility for enforcement of the HIPAA Privacy Rule has been given to the Office of Civil Rights (OCR) of the Department of Health and Human Services. Although OCR has the authority to conduct random reviews of physicians, pharmacies, or other covered entities in enforcement of the Privacy Rule, it has indicated that it will initially rely on “voluntary compliance.” Rather than put its efforts into evaluating every covered entity to determine whether it is in compliance with the regulation, OCR will instead focus its efforts on investigating complaints of non-compliance it receives from patients or others.
COMPLAINTS. Under the HIPAA Privacy Rule, patients, as well as employees and members of the general public, may submit a complaint to a covered entity, or to the government, if they believe a covered entity has violated their privacy rights or has violated the Privacy Rule. Causes for complaints can range from refusing to allow a patient access to his or her protected health information, to making a disclosure of protected health information to a marketing concern without first obtaining the patient’s authorization.
If an individual files a complaint with a provider, the provider must document the complaint, review and investigate it, and decide how to handle it. The provider must also document the complaint and all materials related to it, and must maintain this documentation for a minimum of 6 years.
INTERNAL (PROVIDER) ENFORCEMENT. A physician, pharmacist or other covered entity’s best assurance against government investigation is to carefully follow his or her policies and procedures for the proper use and disclosure of protected health information. A provider should periodically review its policies and procedures to determine whether they are being followed appropriately, as well as whether the policies should be updated. If it becomes aware of a violation of the Privacy Rule, a covered provider must discipline or impose sanctions on the employee(s) who failed to follow its policies and procedures. The covered entity must document the sanctions applied, if any. The Privacy Rule also requires that a provider attempt to mitigate any harmful effects associated with an improper use or disclosure of protected health information.
EXTERNAL (GOVERNMENT) ENFORCEMENT. If a patient makes a complaint to OCR claiming that a covered entity has violated the Privacy Rule, OCR is responsible for investigating. During the course of the investigation, OCR may request access to the provider’s office and his/her records relating to the complaint. OCR will examine the covered entity’s privacy policies and procedures and attempt to determine how the covered provider handled the protected health information in question.
Failure to comply with the HIPAA Privacy Rule can be costly. Congress enacted both civil and criminal penalties. For civil violations, OCR may impose monetary penalties up to $100 per violation, up to a ceiling of $25,000 per year, for each requirement or prohibition violated. Criminal penalties can range up to $50,000 and one year in prison for those who knowingly disclose protected health information in violation of the rules, to as much as $250,000 and ten years in prison for a disclosure of protected health information with the intent to sell, transfer or use the information for commercial advantage, personal gain, or malicious harm. OCR will consider the extent of a covered entity’s efforts to comply with the regulation when determining which penalty, if any, to apply.