What happens if there is a breach?

It’s important to understand that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA Privacy and Security Rules. It does so in several ways:

  1. Investigating filed complaints
  2. Conducting compliance reviews of covered entities
  3. Performing education and outreach to foster compliance with the rules’ requirements

The OCR reviews all the information it gathers on a reported HIPAA violation; in some cases it determines that the covered entity did not in fact violate the Privacy or Security Rule requirements.

If records are unlawfully disclosed or accessed, the incident must be reported to the Privacy Officer, who must then determine what actions to take to mitigate risk and reduce potential harm. An investigation follows, with a risk assessment where needed, and a report of the breach is sent to the OCR. The timeline for reporting the breach to the OCR is shown in Table 1.

The HIPAA Breach Notification Rule, 45 CFR, requires that covered entities and their business associates provide notification following a breach of protected health information. However, there are three exceptions to the definition of a “breach.” HHS defines these exceptions as follows: “the first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.”