HIPAA Enforcement Final Rule published

On February 16, 2006, the Department of Health and Human Services (HHS) published a final rule which details the bases and procedures for imposing civil money penalties on covered entities that violate any of the Health Insurance Portability & Accountability Act of 1996 (HIPAA) Administrative Simplification Rules. To view this information, see HIPAA Enforcement Final Rule in the Related Links Outside CMS section below.

On October 15, 2002, the Centers for Medicare and Medicaid Services (CMS) was named to enforce HIPAA Transactions and Code Set Standards. The HHS Office for Civil Rights continues to enforce Privacy Standards. To view the press release regarding this topic, see the link in the Downloads section below.

Enforcement Procedures

On March 25, 2005, HHS published a Notice in the Federal Register detailing procedures for filing a non-privacy complaint with the Department. The Notice is entitled "Procedures for Non-Privacy Administrative Simplification Complaints Under the Health Insurance Portability and Accountability Act of 1996." See the HIPAA Enforcement Procedures link in the "Related Links Outside CMS" section below.

HIPAA Onsite Compliance Reviews and Investigations

The authority of CMS to investigate complaints, collect information and determine a covered entity's compliance is found at 45 CFR 160.300-160.316. These provisions require cooperation from covered entities, including, as deemed necessary, access to their facilities, records and other information during normal business hours, or at any time, without notice. The Office of E-Health Standards and Services (OESS) within CMS will utilize contracted services to assist with onsite investigations and onsite compliance reviews related to potential HIPAA Security Rule violations.
Onsite investigations may be triggered by complaints alleging non-compliance, while onsite compliance reviews will typically arise from non-complaint-related sources of information such as media reports or self-reported incidents. OESS will exercise its discretion to determine whether or not an onsite investigation or onsite compliance review is warranted on a case-by-case basis.

A list of the types of information that might be requested in an onsite HIPAA Security investigation/compliance review is available for download from the link below; however, the document is not a comprehensive list of applicable investigation/review areas, nor does it attempt to address all non-compliance scenarios. The individual circumstances of each applicable case will dictate the type of information that will be requested during an investigation or review. The document also serves to highlight several areas of vulnerability associated with the security of electronic protected health information, and may provide a starting point for evaluating or reevaluating an entity's general level of HIPAA Security Rule compliance. To view the "Information Request for Onsite Compliance Reviews" document, see the link in the "Downloads" section below.

Page Last Modified: 02/20/2008 9:40:07 AM