HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

HHS OCR's 2024 year in review

Written by Lusanda Molefe | Jan 8, 2025 2:54:24 AM

The Department of Health and Human Services (HHS) enforces HIPAA regulations, with the Office for Civil Rights (OCR) leading these efforts. The OCR is responsible for investigating complaints, conducting audits, and enforcing penalties for any violations. 

In a recent YouTube video, OCR Director Melanie Fontes Rainer detailed OCR's busy and impactful year in 2024, pointing to how the office advanced a historic total of final rules.

 

Nondiscrimination in health programs and activities

The first rule focuses on ensuring non-discrimination in health programs and activities as outlined in Section 1557 of the Affordable Care Act. It requires equal access to healthcare services regardless of race, color, national origin, sex, age, or disability, reinforcing protections against discrimination in healthcare settings.

 

Safeguarding the rights of conscience as protected in federal statutes

This rule emphasizes the commitment to respecting individuals' and entities' rights to act according to their moral or religious beliefs, ensuring that these rights are upheld within the healthcare system.

 

Confidentiality of substance use disorder records regulations at 42 CFR Part 2

This rule is designed to protect the privacy of individuals seeking treatment for substance use disorders by setting strict guidelines on how their treatment records can be used and disclosed, thereby ensuring sensitive information remains confidential.

 

Discrimination on the basis of disability in health and human service programs or activities

The fourth rule pertains to preventing discrimination based on disability within health and human service programs or activities, as specified in Section 504 of the Rehabilitation Act. This rule ensures that individuals with disabilities have equal access to services and programs, prohibiting any form of discrimination and promoting inclusivity in healthcare and related services.

 

HIPAA Privacy Rule to support reproductive healthcare privacy

The fifth rule involves updates to the HIPAA Privacy Rule aimed at enhancing the privacy of reproductive healthcare information. This rule seeks to strengthen protections around the confidentiality of reproductive health services, ensuring that individuals' sensitive health information is safeguarded and that privacy is maintained in the context of reproductive healthcare.

 

HHS Grants Rule

The sixth and final rule involves the Health and Human Services grants regulation, known as the HHS Grants Rule, along with proposed modifications to the HIPAA Security Rule to improve cybersecurity in healthcare. The proposed Security Rule modifications focus on enhancing the security measures required to protect healthcare information from cyber threats, ensuring that healthcare organizations are better equipped to safeguard sensitive data in an increasingly digital landscape.

In 2024, OCR actively enforced civil rights and privacy laws through various initiatives. The year saw the resolution of numerous enforcement cases, including 693 HIPAA breach investigations and 21 completed HIPAA cybersecurity and privacy enforcement actions, marking the second-highest number of completed HIPAA enforcement actions in a single year. OCR representatives traveled to 13 states and one territory, participating in keynote speeches, roundtables, and panel discussions, and engaging with patients, providers, advocates, and government partners. Additionally, 2024 commemorated the 60th anniversary of the Civil Rights Act, during which OCR led the Language Access Steering Committee and released HHS division-specific language access plans to enhance service accessibility for individuals with limited English proficiency and/or disabilities.

 

FAQs

How does OCR investigate complaints and enforce penalties?

OCR investigates complaints by reviewing the alleged violations, conducting audits, and interviewing relevant parties. If violations are found, OCR can enforce penalties, including fines, corrective action plans, and other measures to ensure compliance with HIPAA regulations.

 

What future actions are expected from OCR to strengthen healthcare cybersecurity?

OCR plans to continue its efforts to strengthen cybersecurity in healthcare by advancing proposed rules, enforcing compliance, and providing education and technical assistance. These actions ensure that healthcare providers, patients, and communities are better prepared to face cyber threats.

 

How can healthcare organizations improve their compliance with the new rules introduced in 2024?

Healthcare organizations can improve compliance by staying informed about new regulations, conducting regular risk assessments, implementing security measures, training employees on HIPAA requirements, and maintaining up-to-date policies and procedures.
