When laws are made, they are meant to be implemented and enforced so that everyone who is subject to them complies. If laws are not implemented and enforced after they are made, there was no need to make them. There will always be people who deliberately or ignorantly contravene the laws that have been set, which is why there must be an agency charged with enforcing them and ensuring compliance by those concerned. Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules is the sole responsibility of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). When a possible violation of any of these rules is reported, the OCR carries out an investigation. If, once the investigation is complete, the Covered Entity (CE) is found to have violated a rule, it may be subject to a civil monetary penalty or a criminal penalty, depending on the nature of the violation. Note that criminal penalties are enforced only by the U.S. Department of Justice (DOJ).
Some of the most common noncompliance issues that are regularly observed and reported are: uses and disclosures of Protected Health Information (PHI) without the authorization of the patient involved; lack of safeguards for PHI; failure to give patients access to their own PHI; use or disclosure of more than the minimum necessary PHI; and lack of administrative safeguards for electronic Protected Health Information (ePHI).
These noncompliance issues are very common among health care providers. The penalties for them sometimes depend on the level of risk to which the patient is exposed. Although they are common noncompliance issues, the penalties resulting from them may be criminal penalties.