Chris Reddick (President and CEO at Clarity Ventures) and Ron Halversen (Vice-President of Sales and Marketing at Clarity) explain the importance of the HIPAA Enforcement Rule.

Part 8 of a 13-part series (Return to Part 7)

RON: So now we're on to the HIPAA enforcement guidelines. Back over to the HHS website, let's take a look at the HIPAA Enforcement Rule. This talks about information about how they're going to enforce. And I know that there were some words in there, and I can't remember—I'm going to have Chris dive into this in a second—but I remember one of the things it said when I was reading through this was that while it can [levy] financial penalties, it can also just come in and help with guidance and enforce rules. So it's a tiered way that they punish.


RON: If you are actively trying to comply with HIPAA rules, if you're actively using the tools, it's going to bode very well for you because they're going to come in and go, “Okay, you're making an effort. You made a small mistake here. You just need to make this adjustment.” And there may be no financial penalty if there wasn't an egregious error or breach of the data.


RON: It has a lot to do with your intentions and what you're trying to do to make your HIPAA website compliant. They understand that the rules are very vague. And so even when I went and read it, I got the feeling that they said, “Yes, we can apply financial penalties, but we also can just apply enforcements of guidelines and things like that.” Chris, I want you to talk just briefly about that and then go ahead and dive into the enforcement rule.

CHRIS: It's pretty interesting because [the OCR] basically states at the top of the page, “The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.”

If you go to the enforcement process page, it shows a visual display of how they go through a complaint and how they go through the enforcement. So here you can see a visual of the enforcement process. They generally start by just intake and review of a complaint. And that's the most standard sort of scenario that occurs. They have the ability to run an audit as well, but most of the time what we're seeing reported is someone filing a complaint and then they're [the OCR] responding to it. So that, in its nature, means that if that is the standard right now and that is what's going on, typically, then it would make sense that you want to resolve any complaints quickly.


CHRIS: Of course, if there is any HIPAA security breach—which we'll talk about later—you're going to want to report it and show that you've done everything possible to have prevented it, and have documentation and a plan for remedying it. But if you actually go into some of the case examples, which is further down on that left menu bar there, you'll see different case examples for all the different scenarios where there have been cases. And it's organized by the type of entity as well as by the issue. 
 
This can be really helpful to clarify some of the different HIPAA rules, and how they're supposed to be interpreted based on the enforcement of them. This can be very helpful to get information. But one of the big things that you'll see as a common theme—and this is my interpretation—they're basically saying, “Look, if you guys try to comply with this and you do a reasonable job and you document your plans and you train your team, and [you address] any complaints or issues that occur, you quickly remedy them, then we’re not going to throw the book at you. But if you don't respond after we give you a heads up...”  

I mean, there are cases in here, Ron, where the FBI contacts the covered entity and says, “Hey, we think you're getting hacked.” And then the covered entity still doesn't resolve the issue. You know, you're going to get some warning in a lot of cases. And there's no guarantee that they will or need to [let you off the hook,] it's just that's the tendency right now if you get a warning or heads up, respond to it, and take it seriously. And that's the message that they send with a lot of these different cases and how they handle them. 
 
RON: Okay. So let's head back to the Enforcement Rule. So that was a really good explanation, it was a complex picture, and it looked like they have a lot of steps. But I really think that the clear message is, “Hey, make a good effort. If you've made a good effort, they're not going to nail you.” But if they do come and put a shot across the bow, take it seriously. 


RON: If we want to back up a little bit and give a little more detail about the Enforcement Rule, how it applies, and what it means to our listeners today, let's go ahead and do that. 
 
CHRIS: Yeah, absolutely. So really, just starting out, I would say that's my general interpretation of the current stance that we've seen. I would be prepared that that's going to change and get more strict just based on the risk. Especially for your organization, you're going to want to assess, just like the Security Rule talks about, what the risk for your organization is.
 
Unfortunately, the reality is that it’s on a spectrum, so please keep that in mind. Each scenario is different as far as what the risk level is and how much potential there is for breach, etc. So generally speaking, I would say go at least a little bit above and beyond, leverage HIPAA best practices, document what you're doing, and train your team. 
 
These are very big generalizations. But if you pursue those to their end, to the point at which it makes sense given your organization, then yes, I think that ends up being the case: if there is an issue, it's going to be someone who is trying to do the right thing. And generally the tone of the OCR’s enforcement has been that—again, from my interpretation—if they see an issue and they give a warning, there may still be some enforcement, but it's going to be a lot less severe if you comply with them right away.
 
You can see there's a lot of nuance to the enforcement rule history from this page. Generally speaking, the theme that you'll see, though, is that it's gotten more and more severe as far as who is responsible for making sure that HIPAA compliance occurs. It has become more and more clear as to what the responsibilities are with each of these different Enforcement Rule history changes. 
 
Ultimately, this is a really big thing. This is sort of like the teeth behind the HIPAA rules, and so you really want to understand them conceptually. And if you want to get into the details, these actual laws are where you would go as a jumping-off point to get into the detailed legal text that is the basis for this summary that we're going through.
 
So we're going through just a summary, but it is from the OCR, which is essentially the group that's going to be enforcing this.  

Continue to Part 9 to discuss the HIPAA Enforcement Rule process.