Healthcare Data Breaches: Who are the Key Players Enforcing PHI Requirements?

Posted: February 5, 2016

In this blog series thus far, we’ve addressed the following questions:

  1. Who Needs PHI to Conduct Business?
  2. Who Wants PHI?
  3. What PHI IS Beyond the Scope of HIPAA?

In today’s post, I’d like to address who the key players are actively enforcing the requirements surrounding protected health information (PHI). One of these may surprise you!

First, we have The United States Department of Health and Human Services (HHS), also known as the Health Department. It is a cabinet-level department of the U.S. federal government tasked with protecting the health of all Americans and providing essential human services. HHS has 11 operating divisions, which include 8 agencies in the U.S. Public Health Service and 3 human services agencies.

Second, consider specifically The Office for Civil Rights (OCR). Under HHS, the OCR is charged with enforcing federal laws that prohibit discrimination by health care and human services providers that receive funds from HHS. OCR is also charged with enforcing the Health Insurance Portability and Accountability Act (HIPAA). More specifically, OCR enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information.

Next, State Attorneys General have authority as well. The Health Information Technology for Economic and Clinical Health (HITECH) Act gave State Attorneys General (SAG) the authority to bring civil actions on behalf of their residents for violations of the HIPAA Privacy and Security Rules, allowing them to obtain damages on behalf of state residents or to enjoin further violations of those Rules. This enforcement authority requires significant coordination between OCR and SAG. SAG are also required to serve HHS with a copy of the complaint before bringing an action.

And lastly, don’t forget about The Federal Trade Commission (FTC). The FTC is an independent agency of the United States government established to protect consumers and promote competition. The FTC issued the Health Breach Notification Rule and commenced its enforcement in 2010. This Rule governs many web-based businesses that collect people’s health information but are not covered under HIPAA/HITECH. However, the FTC has also commenced fining Covered Entities and Business Associates under its Unfair and Deceptive Act when a breach occurred and the FTC’s investigation found that the organization put consumers’ personal data at unreasonable risk in violation of the FTC Act. Although the FTC’s jurisdiction over these matters has been challenged, on the grounds that these organizations fell under HIPAA jurisdiction, the FTC has prevailed in holding the organizations accountable under its Unfair and Deceptive Act.

I hope you found this information valuable and I look forward to continuing to share my thoughts with the health care security and privacy community. Please feel free to leave any comments or questions below!

I will continue to post regularly until the HIMSS16 convention in Las Vegas that begins February 29th. Let us know if you plan to be there too as we’d love to connect with you at the event!

If you have any questions regarding the healthcare information requirements or would like a HIPAA or HITECH compliance audit quote, please contact us at security@compliancepoint.com.

Author: Maria Sanchez

Maria Sanchez is a Privacy and Security Professional at CompliancePoint working with Covered Entities and Business Associates in a variety of industries. She is committed to guiding customers through effective assessments covering the Security, Privacy, and Breach Rules from HIPAA/HITECH. Maria has a B.A. in Political Science and Sociology from Georgia State University and a J.D. from Florida Coastal School of Law. As an attorney, Maria concentrated her studies in international and comparative law. As a Privacy and Security Professional, Maria has earned her Healthcare Information Security and Privacy Practitioner (HCISPP) certification and Certified Information Privacy Professional for the US and Europe (CIPP/US and CIPP/EU) certifications.
