The Plexus Groupe’s Employee Benefits September 2018 Newsletter provides this toolkit intended to help employers that sponsor group health plans understand their compliance obligations under the Health Insurance Portability and Accountability Act (HIPAA). It also provides sample resources to help employers comply with HIPAA’s documentation requirements for their group health plans.

HIPAA is a broad federal law that includes rules for protecting the privacy and security of certain health information, which is called protected health information (PHI). HIPAA also includes notification requirements following a breach of PHI. This toolkit discusses the following rules, which are collectively referred to as the HIPAA Rules.

While employers are not directly regulated by the HIPAA Rules, most employer-sponsored group health plans are subject to the HIPAA Rules’ requirements to some degree. This means that employers that sponsor group health plans for their employees will usually have compliance obligations under the HIPAA Rules with respect to their group health plans.


To assess how the HIPAA Rules may apply to an employer-sponsored group health plan, employers should review their group health plans and their access to PHI. The following flowchart depicts these steps:


An employer is generally not subject to the HIPAA Rules when it performs employment-related functions, such as administering employee leaves of absence or fitness-for-duty requirements. However, the HIPAA Rules indirectly regulate employers in their role as health plan sponsors. When an employer receives PHI from its group health plan for plan administrative functions, the employer must agree to comply with certain requirements of the HIPAA Rules.

Employers should assess their group health plans to determine if the HIPAA Rules apply and, if so, to what extent. A HIPAA assessment flowchart is provided as part of this toolkit to help employers with this process. Also, key concepts and action items are explained throughout this toolkit. After performing a HIPAA assessment, employers should refer to the HIPAA checklist below that is applicable to them.

Covered Entities

Health Plans

In general, any individual or group plan that provides or pays the cost of health care is a covered entity subject to the HIPAA Rules. Health insurance issuers are also considered health plans subject to the HIPAA Rules.

There is a special exemption for certain small, self-funded health plans. Under this exemption, a self-funded health plan with fewer than 50 eligible employees that is administered by the employer that sponsors the plan is exempt from the HIPAA Rules. This exemption may apply to group medical plans, health reimbursement arrangements (HRAs) or health flexible spending accounts (FSAs) that satisfy the requirements for the exemption.

Health Care Clearinghouse

A health care clearinghouse is a public or private entity that processes another entity’s health care transactions from a standard format to a nonstandard format (or vice versa). In many cases, health care clearinghouses will receive individually identifiable health information when they provide services to a health plan or health care provider as a business associate. Health care clearinghouses may include, for example, repricing companies, value-added networks, billing services or community health management information systems.

Health Care Providers

Every health care provider, regardless of size, that electronically transmits any health information in connection with a HIPAA-covered transaction is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests and other transactions for which HHS has established standards under HIPAA. Covered health care providers may include, for example, chiropractors, medical clinics, dentists, doctors, nursing homes, pharmacies and hospitals.

Business Associates

A business associate is a person or organization (other than an employee of a covered entity) that performs certain functions on behalf of, or provides certain services to, a covered entity that involve access to PHI.

Examples of Business Associates:

  • Third-party administrators (TPAs)

  • Pharmacy benefit managers (PBMs)

  • Attorneys or auditors who use PHI in performing their services

  • Health plan consultants or brokers

In general, a business associate means a third party (including a subcontractor) that:

  • Creates, receives, maintains or transmits PHI on behalf of the covered entity for a HIPAA-regulated activity or function, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing; or

  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for the covered entity where the provision of the service involves the disclosure of PHI from the covered entity (or from another business associate of the covered entity) to the service provider.

If a covered entity uses a business associate, there must be a written agreement between the parties, called a business associate agreement, that requires the business associate to comply with certain requirements under the HIPAA Rules. A sample business associate agreement is provided in this toolkit.

What Information is Protected?


The HIPAA Rules protect individually identifiable health information, called PHI, that is held or transmitted by a covered entity or its business associate. PHI includes information that relates to any of the following:

  • The past, present, or future physical or mental health or condition;

  • The provision of health care to an individual; or

  • The past, present or future payment for the provision of health care to the individual.

The HIPAA Privacy Rule applies to PHI in any form or media—written, verbal, electronic or in any other medium. The Security Rule’s requirements, however, only apply to ePHI.

PHI does not include employment records held by an employer. These records may include, for example, files or records related to occupational injury, disability insurance eligibility, leave requests, drug screenings, workplace medical surveillance and fitness-for-duty tests. Other laws, such as the federal Americans with Disabilities Act or state privacy laws, may impose confidentiality or privacy requirements on the information.

De-identified Health Information

De-identified health information is not governed by the HIPAA Rules because it is no longer individually identifiable. Covered entities may freely use and disclose de-identified information without taking into account the HIPAA Rules. There are two different methods that may be used to de-identify health information.

Statistical Method

Under the statistical method, a person with appropriate knowledge and experience applying generally applicable statistical and scientific principles and methods for rendering information not individually identifiable makes a determination that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify the subject of the information. The covered entity must document the analysis and results that justify the determination.

Safe Harbor Method

Under the safe harbor method, information is presumed to be de-identified if a covered entity:

  • Has no actual knowledge that the information could be used to identify the subject of the information (alone or in combination with other information); and

  • Removes 18 specific identifiers from the information. The 18 identifiers that must be removed are:

    1. Names;

    2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code and their equivalent geocodes, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of Census, (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people, and (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000;

    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age;

    4. Telephone numbers;

    5. Fax numbers;

    6. Email addresses;

    7. Social Security numbers;

    8. Medical record numbers;

    9. Health plan beneficiary numbers;

    10. Account numbers;

    11. Certificate/license numbers;

    12. Vehicle identifiers and serial numbers, including license plate numbers;

    13. Device identifiers and serial numbers;

    14. Web URLs;

    15. IP addresses;

    16. Biometric identifiers, including finger and voice prints;

    17. Full-face photographic images and any comparable images; and

    18. Any other unique identifying number, characteristic or code.
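The mechanical part of the safe harbor method above can be scripted: strip the enumerated identifiers, reduce dates to the year, generalize ages over 89, truncate ZIP codes to three digits (or 000 for sparsely populated prefixes), and then scan what is left for identifier-shaped strings before anyone asserts "no actual knowledge" that the data is identifiable. This is an added example, not code from the newsletter; the field names, the sample record and the low-population ZIP prefix set are all constructed assumptions (a real deployment must load the current Census-derived prefix list).

```python
# Safe harbor de-identification of a constructed health record (added example).
# Field names and the LOW_POPULATION_PREFIXES set are assumptions for the demo.
import re
from datetime import date

# Fields removed entirely: identifiers 1 and 4 through 18 of the list above.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo", "other_unique_code",
}
# Geographic subdivisions smaller than a state (identifier 2); ZIP handled below.
GEOGRAPHIC_FIELDS = {"street", "city", "county", "precinct"}
# Dates directly related to the individual (identifier 3); only the year survives.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# CONSTRUCTED placeholder: three-digit ZIP prefixes covering 20,000 or fewer
# people. A real deployment loads this from the current Census table.
LOW_POPULATION_PREFIXES = {"036", "059", "102", "893"}

MAX_AGE = 89  # ages over 89 must be generalized

def truncate_zip(zip_code):
    """Keep the first three digits, or 000 if that prefix is sparsely populated."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3:
        return None
    return "000" if digits in LOW_POPULATION_PREFIXES else digits

def year_only(iso_date):
    """Reduce an ISO date (YYYY-MM-DD) to its year; unparsable values are dropped."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", iso_date)
    return int(m.group(1)) if m else None

def generalize_age(age):
    """Ages over 89 collapse into a single category of 90 or older."""
    return "90+" if age > MAX_AGE else age

def deidentify(record, as_of_year=None):
    """Return a new dict holding only what the safe harbor method permits."""
    as_of_year = as_of_year or date.today().year
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEOGRAPHIC_FIELDS:
            continue
        if key == "zip":
            prefix = truncate_zip(value)
            if prefix:
                out["zip3"] = prefix
        elif key in DATE_FIELDS:
            year = year_only(value)
            # A birth year that implies an age over 89 is itself indicative
            # of that age, so the year is dropped as well.
            if year is None or (key == "birth_date" and as_of_year - year > MAX_AGE):
                continue
            out[key.replace("_date", "_year")] = year
        elif key == "age":
            out["age"] = generalize_age(int(value))
        else:
            out[key] = value
    return out

# Identifier-shaped strings that can survive inside free-text fields.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}

def residual_identifiers(record):
    """List (field, kind) pairs where a string value still looks like an identifier."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for kind, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, kind))
    return hits

# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "city": "Anytown",
    "zip": "03601",
    "birth_date": "1925-06-30",
    "admission_date": "2018-03-14",
    "age": 92,
    "diagnosis": "J45.20",
    "notes": "Follow-up call to 555-123-4567 scheduled.",
}

def demo(as_of_year=2018):
    """De-identify the sample and report what still needs manual review."""
    clean = deidentify(SAMPLE, as_of_year=as_of_year)
    return clean, residual_identifiers(clean)
```

The residual scan is only a safety net for free-text fields; a hit such as the phone number left in `notes` means the record is not yet de-identified and needs manual redaction.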


The HIPAA Privacy Rule requires covered entities to comply with national standards for the protection of PHI. The Privacy Rule includes the following three main protections for PHI:

Minimum Necessary Rule

In general, when a covered entity uses, discloses or requests PHI, it must limit its use, disclosure or request to the minimum necessary amount of information to accomplish the intended purpose.

Employers that sponsor group health plans are also subject to these use and disclosure rules if they have access to PHI.

Required Disclosures

A covered entity must disclose PHI in only two situations:

  • To individuals (or their personal representatives) when they request access to their PHI in a designated record set or when they request an accounting of disclosures of their PHI; and

  • To HHS when it is investigating the covered entity’s compliance with the HIPAA Rules.

Permitted Disclosures

A covered entity is permitted, but not required, to use and disclose PHI, without an individual’s authorization, in certain situations, including the following:

  • To the individual – A covered entity may disclose PHI to the individual who is the subject of the information.

  • Public policy purposes – A covered entity may use or disclose PHI for specific public policy purposes, such as uses and disclosures that are required by law; for public health activities; about victims of abuse, neglect or domestic violence; for health care oversight activities; for judicial or administrative proceedings; for law enforcement purposes; necessary to avert a serious threat to health or safety; and for work-related injuries or illnesses.

  • Treatment, payment and health care operations – A covered entity may use and disclose PHI for:

    • Its own treatment, payment and health care operations activities;

    • The treatment activities of any health care provider;

    • The payment activities of another covered entity or any health care provider; or

    • The health care operations of another covered entity if both covered entities have (or had) a relationship with the individual, the PHI pertains to the relationship and the disclosure involves quality or competency assessment activities or fraud and abuse detection and compliance activities.

Authorized Disclosures

A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. In general, a health plan may not condition payment, enrollment or benefits eligibility on an individual granting an authorization, except in limited circumstances.

An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. The following information must be contained—in plain language—in HIPAA authorizations:

  • A description of the information to be used or disclosed;

  • The name or other specific identification of the person who is authorized to release the PHI;

  • The name or other specific identification of the person who is authorized to receive the PHI;

  • A description of the purpose of the requested use or disclosure (for example, at the request of the individual);

  • An expiration date or event;

  • A statement that the individual has a right to revoke an authorization in writing and an explanation of the procedures for revocation;

  • An explanation of the covered entity’s ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the receipt of an authorization;

  • A statement that informs the individual that the information used or disclosed pursuant to the authorization is subject to re-disclosure by the recipient and may no longer be protected by the HIPAA Privacy Rule; and

  • The individual’s signature and date of signature.

Reminder – An employer that is “hands-on” with PHI (that is, it has access to PHI from the issuer for plan administration functions) takes on significant compliance responsibilities under the HIPAA Rules with respect to that PHI.

Other Disclosures

Disclosures to Plan Sponsors

A group health plan (and the health insurance issuer for a fully insured plan) may disclose the following PHI to the employer sponsoring the plan:

  • Plan enrollment or disenrollment information;

  • If requested by the plan sponsor, summary health information for the plan sponsor to use to obtain premium bids for providing health insurance coverage through the group health plan, or to modify, amend or terminate the group health plan; and

  • PHI of the group health plan’s enrollees for the plan sponsor to perform plan administration functions.

If a plan sponsor has access to PHI other than summary health information and enrollment and disenrollment information, the plan must receive certification from the plan sponsor that the group health plan document has been amended to impose restrictions on the plan sponsor’s use and disclosure of the PHI. These restrictions must include the representation that the plan sponsor will not use or disclose the PHI for any employment-related action or decision or in connection with any other benefit plan.

Enforcement Example: No Business Associate Agreement

In April 2017, HHS entered into a HIPAA settlement with a small health care provider following an investigation of a business associate. Neither the health care provider nor the business associate could produce a signed business associate agreement. Based on this HIPAA violation, the health care provider agreed to pay HHS $31,000 to settle the investigation.

Disclosures to Business Associates

The HIPAA Rules allow a covered entity to share PHI with a business associate if the covered entity receives satisfactory assurances from the business associate—through a business associate agreement—that it will appropriately handle and safeguard PHI. A business associate may use or disclose PHI only as permitted or required by its business associate agreement or as required by law. In general, a business associate is prohibited from using or disclosing PHI in a manner that would violate the HIPAA Privacy Rule if done by the covered entity.

The business associate agreement must establish the permitted and required uses and disclosures of PHI by the business associate. The business associate agreement must also require the business associate to:

  • Not use or further disclose the PHI other than as permitted or required by the contract or as required by law;

  • Use appropriate safeguards to prevent improper use or disclosure of the PHI;

  • Report to the covered entity any known use or disclosure of PHI not permitted by the contract or any breach of unsecured PHI;

  • Ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions that apply to the business associate;

  • Make PHI available, including for amendment, to individuals as required by the HIPAA Rules;

  • Maintain an accounting of disclosures, made during the last six years, and make the accounting available upon request; and

  • Make its internal practices, books and records relating to use and disclosure of PHI available to HHS.

The business associate contract must also allow the covered entity to terminate the contract in the event of a material breach. At termination, the business associate must be required to destroy or return all PHI, if feasible, or extend the limitations on use and disclosure beyond termination of the contract.

Individual rights

Notice of Privacy Practices

The HIPAA Privacy Rule requires covered entities to provide a Notice of Privacy Practices to each individual who is the subject of PHI. The Privacy Notice for a health plan must be written in plain language and must:

  • Explain how the health plan may use and disclose an individual’s PHI;

  • Describe the individual’s rights with respect to his or her PHI; and

  • Summarize the health plan’s legal duties with respect to the PHI.

There are a number of specific provisions that must be incorporated into the Privacy Notice, such as details regarding how individuals may exercise their rights with respect to PHI. A typical Privacy Notice is multiple pages long due to the numerous content requirements.

The Privacy Notice requirements for a health plan vary depending on whether the plan is self-insured or fully insured, and, if the plan is fully insured, whether the plan sponsor has access to PHI for plan administration purposes. A self-insured plan must always issue its own Privacy Notice, while a fully insured plan is only required to maintain its own Privacy Notice if the employer has access to PHI for plan administration functions.

Delivery Requirements

At least once every three years, self-insured health plans must provide the Privacy Notice, or notify participants that the notice is available with instructions for how to obtain a copy. In addition, self-insured health plans must provide the Privacy Notice in the following circumstances:

  • To new enrollees at the time of enrollment;

  • Within 60 days of a material change to the notice; and

  • Any time upon a participant’s request.

If a health plan sends out a revised notice (for example, following a material change to the notice), it will reset the three-year notice requirement.

A health plan must provide the Privacy Notice to individuals covered by the plan. If the health plan provides the Privacy Notice to a covered employee, the plan is not required to provide a separate notice for dependents (for example, a spouse or child) covered through the employee.

The Privacy Notice must be actually delivered to participants. Merely posting the Privacy Notice on a website or on a bulletin board in the workplace is not sufficient. The Privacy Notice may be provided electronically via email to participants who have agreed to receive an electronic notice. The health plan must provide a participant with a paper copy of the Privacy Notice if it discovers that the electronic delivery has failed.

In general, the Privacy Notice may be provided with other plan documents. It does not need to be provided as a stand-alone document. For example, a health plan could provide the Privacy Notice with the plan’s enrollment materials or with the summary plan description (SPD). However, the Privacy Notice may not be combined in the same document as a HIPAA authorization.

If a health plan maintains a website about the plan’s services or benefits, the Privacy Notice must be posted on the website and must be electronically available through the website.

Model Privacy Notices

HHS has developed model Privacy Notices that health plans may customize and use. There are three designs for the model Privacy Notice for health plans—a booklet version, a full-page version and a layered version. Every design has the same language, although the layered notice includes an additional first page that summarizes key privacy rights, choices, uses and disclosures.

Each design is in a fillable Adobe PDF format and has some areas that can be customized for each health plan. More information on customizing the notice and best practices is available in the Health Plan Instructions and Questions and Instructions for using the Model Notices. For additional flexibility, HHS also maintains a text-only version of the model Privacy Notice.


The HIPAA Security Rule establishes national standards for securing individuals’ ePHI. These standards require covered entities to analyze the risks and vulnerabilities of the confidentiality, integrity and availability of their ePHI. The risk assessment process helps covered entities implement reasonable and appropriate administrative, physical and technical safeguards to protect their ePHI.

Impact on Health Plans

In general, sponsors of self-insured and fully insured group health plans should conduct risk assessments and implement appropriate safeguards to protect their ePHI. Unlike the Privacy Rule, the Security Rule does not contain a special exception for fully insured plans that do not have access to PHI for plan administration purposes. However, fully insured health plans that do not handle ePHI will have fewer obligations under the Security Rule due to their hands-off approach to PHI.

Electronic PHI

The Security Rule only applies to ePHI—it does not apply to PHI that is in paper or written form, and it does not apply to electronic personal information that is not PHI.

Electronic PHI is PHI that is transmitted by, or maintained in, electronic media. This includes PHI in computers, devices that are used with computers (such as disks and drives), and smartphones. It also includes PHI that is sent via email or in any manner using the internet.

The Security Rule’s requirements apply even when the ePHI is located on a device that is not owned by the covered entity (for example, an employee’s smartphone) or is accessed outside of the covered entity’s physical location (for example, on a home computer or on a laptop outside of work). HHS has cautioned that covered entities should be extremely careful about allowing off-site use of, or access to, ePHI due to security risks involved.

Security Requirements

The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Each covered entity must analyze the risks to ePHI in its environment and create solutions appropriate for its own situation. What is reasonable and appropriate depends on the nature of the entity’s business, as well as its size, complexity and resources. Specifically, a covered entity must:

  • Ensure the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits;

  • Identify and protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI;

  • Protect against reasonably anticipated use or disclosure of ePHI that is not permitted or required under the HIPAA Privacy Rule; and

  • Ensure its workforce complies with the procedures implemented to comply with the HIPAA Security Rule.

Risk Assessment

According to HHS, performing a risk assessment is a crucial first step to comply with the Security Rule. A risk assessment helps an organization establish appropriate administrative, physical and technical safeguards for its ePHI. It directs what reasonable steps a covered entity or business associate should take to protect the ePHI it creates, transmits, receives or maintains.

There are numerous methods of performing a risk assessment, and there is no single method or best practice that guarantees compliance with the Security Rule. However, most risk analysis processes have common steps. The following are examples of common risk analysis steps:

Also, to better understand the risk analysis and management processes, covered entities should be familiar with the following terms:

  • Vulnerability means a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of security policy.

  • Risk means the net impact considering the probability that a particular threat will exercise a particular vulnerability and the resulting impact if this should occur.

  • Threat means the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Threats may be grouped into the following categories:

    • Natural threats, such as floods, earthquakes, tornadoes and landslides;

    • Human threats, including intentional (for example, network and computer-based attacks, malicious software upload and unauthorized access) and unintentional (for example, inadvertent data entry or deletion) actions; and

    • Environmental threats, such as power failures, pollution, chemicals and liquid leakage.

Security Standards

The security standards are divided into the following three categories: administrative, physical and technical safeguards.

Enforcement Example: In January 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement with an insurance company regarding an impermissible disclosure of ePHI. The disclosure involved a USB data storage device containing ePHI that was stolen from the company’s IT department, where the device was left without safeguards overnight. Pursuant to the settlement, the insurance company paid $2.2 million and implemented a corrective action plan.

The standards and implementation specifications for each type of safeguard are listed in the Security Standards Matrix below. The Security Rule allows covered entities some flexibility in determining how to implement the standards and implementation specifications, including choosing which technology they will employ in order to achieve the required security standards. In deciding how to implement security measures, a covered entity is permitted to take into account:

  • Its size, complexity and capabilities;

  • Its technical infrastructure, hardware and software security capabilities;

  • The costs of security measures; and

  • The probability and criticality of potential risks to health information.

However, HHS has stated that cost alone is not a justification for failing to implement a procedure.

In an effort to provide covered entities with additional flexibility, the Security Rule categorizes implementation specifications as “required” or “addressable.” The “required” implementation specifications must be implemented.

The “addressable” designation does not mean that an implementation specification is optional. However, it permits covered entities to determine whether the addressable implementation specification is reasonable and appropriate for that covered entity. If it is not, the Security Rule allows the covered entity to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate.

Policies and Procedures

Covered entities are required to implement reasonable and appropriate policies and procedures to comply with the Security Rule’s standards and implementation specifications. These policies and procedures must be documented in written form, which may be electronic. In addition, a covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI. Documentation supporting its security policies must be retained for at least six years from the date of its creation or the date when it was last in effect, whichever is later.


The Health Information Technology for Economic and Clinical Health Act (HITECH Act) amended HIPAA to add breach notification requirements for unsecured PHI. The HITECH Act, and its underlying HIPAA breach notification rules, require covered entities to notify affected individuals following the discovery of a breach of unsecured PHI. Notification must also be provided to HHS and, in some cases, to the media.

Unsecured PHI

The breach notification requirements only apply to unsecured PHI. PHI is unsecured if it is not rendered unusable, unreadable or indecipherable to unauthorized individuals by a methodology specified by HHS. HHS has specified encryption and destruction as the methodologies for securing PHI.

Breach of Unsecured PHI

The HIPAA Rules define a “breach” as the unauthorized acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the information. There are three exceptions to this definition:

  1. Disclosures where the recipient of the information would not reasonably have been able to retain the information;

  2. Certain unintentional acquisition, access, or use of information by employees or others acting under the authority of a covered entity or business associate; and

  3. Certain inadvertent disclosures among people similarly authorized to access PHI at a business associate or covered entity.

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates through a risk assessment that there is a low probability that the PHI has been compromised (or one of the three exceptions to the definition of breach applies). The risk assessment must, at a minimum, take into account these factors:

  • The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification;

  • The unauthorized person who used the PHI or to whom the disclosure was made;

  • Whether the PHI was actually acquired or viewed; and

  • The extent to which the risk to the PHI has been mitigated.

If an evaluation of the factors fails to demonstrate that there is a low probability that PHI has been compromised, breach notification is required.

      Breach Notification

      Notice to Individuals

      If a covered entity discovers that it has experienced a breach of unsecured PHI, it must notify each individual whose unsecured PHI has been (or is reasonably believed by the covered entity to have been) accessed, acquired, used or disclosed as a result of the breach. The notice must be provided without unreasonable delay and in no case later than 60 calendar days after the breach is discovered.

      Enforcement Example: In January 2017, OCR announced a HIPAA settlement with a health care provider based on the untimely reporting of a breach of unsecured PHI. After receiving a breach notification report from the health care provider, OCR investigated and found that the provider failed to notify affected patients, media outlets and OCR within 60 days of the discovery. Pursuant to the settlement, the provider paid $475,000 to OCR and implemented a corrective action plan,

      The notice must be written in plain language and must contain the following information:

      • A brief description of what happened, including the dates the breach occurred and was discovered, if known;

      • A description of the types of unsecured PHI that were involved, such as names, Social Security numbers or other types of information;

      • Any steps individuals should take to protect themselves from potential harm resulting from the breach;

      • A brief description of what the covered entity involved is doing to investigate the breach, mitigate harm to individuals and protect against any further breaches; and

      • Contact procedures for individuals to ask questions or learn additional information, including a toll-free telephone number, an email address, website or postal address.

      In general, notice must be provided in writing, by first-class mail to the individual’s last known address. Notice can be sent electronically if the individual has agreed to electronic notice. In a case that requires urgency because of possible imminent misuse of unsecured PHI, the covered entity may provide notice by telephone or other means.

      Notice to HHS

      Covered entities must notify HHS of a breach of unsecured PHI. However, the timing and method of the notification depend on the number of individuals affected.

      • Breaches involving fewer than 500 individuals: The covered entity must maintain a log or other documentation of the breaches. Within 60 days after the end of each calendar year, the covered entity must notify HHS of the breaches that occurred during the year.

      • Breaches involving 500 or more individuals: The notice must be provided at the same time as the notice to the individuals and in the manner specified on the HHS website.

      Notice to the Media

      If the breach of unsecured PHI involves more than 500 residents of a state or jurisdiction, the covered entity must notify prominent media outlets that serve that area. The notice must include the same information as a notice to an individual. It must be provided without unreasonable delay and no later than 60 calendar days after the breach is discovered.

      Business Associate Role

      If a business associate discovers a breach of unsecured PHI, it must notify the covered entity of the breach. Notification must be provided without unreasonable delay and no later than 60 calendar days after the breach is discovered. The notice must include, to the extent possible, the identification of each individual whose unsecured PHI has been affected. The business associate must also give the covered entity any information necessary to notify the individual of the breach.


      Covered entities must incorporate compliance with the breach notification requirements into their HIPAA privacy policies and procedures. Covered entities and business associates have the burden of demonstrating that all notifications were provided or that an impermissible use or disclosure did not constitute a breach, and must maintain documentation to meet the burden of proof.


      HHS’ OCR is responsible for enforcing the HIPAA Privacy and Security Rules. OCR investigates complaints that individuals file, conducts compliance reviews, and performs education and outreach to encourage compliance. OCR also works with the Department of Justice regarding possible criminal violations of HIPAA.

      Enforcement Data

      As of July 31, 2018, OCR has received over 186,453 HIPAA complaints and has initiated over 905 compliance reviews. OCR has resolved 96 percent of these cases (178,834). In many cases involving HIPAA violations, OCR worked with the entities involved to apply corrective measures instead of imposing penalties. However, to date, OCR has settled or imposed a civil money penalty in 55 of these cases, resulting in a total dollar amount of $78,829,182. More information regarding HIPAA enforcement is available through OCR’s website.

      Most of OCR’s investigations are triggered by individuals’ complaints regarding HIPAA violations or by a covered entity’s breach notification reports. OCR has investigated many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices.

      OCR’s most investigated compliance issues (in order of frequency):

      • Impermissible uses and disclosures of PHI;

      • Lack of safeguards on PHI;

      • Lack of patient access to PHI;

      • Uses or disclosures of more than the minimum necessary PHI; and

      • Lack of administrative safeguards to protect ePHI.

      HIPAA Audits

      OCR has audited covered entities and business associates to ensure their compliance with the HIPAA Rules. According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a review to investigate.


  • In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by covered entities to comply with HIPAA’s requirements.

  • In March 2016, OCR launched the second phase of its HIPAA audit program. This second phase of HIPAA audits included covered entities and their business associates.

  • Next, OCR is expected to release its findings regarding the second phase of its audit program. It is not clear at this point whether OCR will continue its HIPAA audit program in the future. However, OCR has indicated that it will continue to investigate covered entities of all sizes and types when it becomes aware of possible compliance failures.

    Civil Penalties

    OCR has the authority to assess civil penalties for violations of the HIPAA Privacy or Security Rules. The amount of the penalty depends on the type of violation involved. These penalties may not apply if the violation is corrected within 30 days of the date the person knew, or should have known, of the violation. HHS is also required to assess penalties for violations involving willful neglect and to formally investigate complaints of such violations.

    These civil penalty amounts are subject to annual inflation-related increases. The penalty amounts that apply to civil penalties that are assessed on or after Feb. 3, 2017, and relate to violations occurring after Nov. 2, 2015, are as follows:

    Criminal Penalties

    Criminal penalties may be assessed for violations of the HIPAA Privacy and Security Rules. These penalties are $50,000 and one year in prison for knowing violations, $100,000 and five years in prison for violations committed under false pretenses, and $250,000 and 10 years in prison for offenses committed for commercial or personal gain.

    Amount of Penalties – Important Factors

    The Enforcement Rule provides some guidance on the actions that constitute a single violation, but gives HHS the authority to determine the number of violations based on the nature of the covered entity’s obligation to act or not act under the provision that is violated. Where a violation is continuing, a separate violation occurs each day that the covered entity is in violation of the requirements. Also, HHS must consider certain aggravating or mitigating factors when imposing civil penalties. These factors include the following:

    • The nature and extent of the violation, including (but not limited to) the number of individuals affected and the time period during which the violation occurred;

    • The nature and extent of the harm resulting from the violation, including whether the violation resulted in physical harm, financial harm, harm to an individual’s reputation or hindered an individual’s ability to obtain health care;

    • The history of prior compliance with HIPAA’s administrative simplification requirements, including whether the current violation is the same as or similar to previous instances of noncompliance, whether and to what extent the covered entity has attempted to correct prior instances of noncompliance, how the covered entity has responded to technical compliance assistance from OCR and how the covered entity has responded to prior complaints;

    • The financial condition and size of the covered entity; and

    • Any other matters as justice may require.

    Civil money penalties may not be imposed if HHS determines that the violation was not due to willful neglect and it is corrected within a time frame specified by HHS (that is, within 30 days). Willful neglect is defined as a conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provisions. HHS has discretion to expand the 30-day time period depending on the nature and extent of the covered entity’s compliance failure.

    For violations due to reasonable cause and not to willful neglect that are not corrected in a timely manner, HHS may waive civil money penalties, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation. In addition, HHS must initiate civil money penalty actions within six years from the date the alleged violation occurred.


Have questions regarding HIPAA compliance, this newsletter, or any other employee benefits matters? Contact a client service team representative from The Plexus Groupe in Deer Park, Illinois at 847-307-6100, Chicago at 312-606-4800, Dallas at 972-770-5010 or Oklahoma City at 405-840-3033. We’re here to help and we’re happy to help.

Content provided by Zywave.