Regulations Part 3, Everyone’s Favorite HIPAA topic: Compliance and Enforcement
For this lengthy section of the law, we’ll provide here a simplified primer on all subparts, boiling them down to points we believe will be most useful to you.
Principles for Achieving Compliance
This subpart says to cooperate with the Secretary of HHS in embarking on compliance and assist them. That’s about it.
Complaints to the Secretary
A patient has the right to complain to the HHS if they choose, but civil suits must be filed through state laws rather than HIPAA.
Compliance Reviews
HHS can conduct compliance audits on your business assuming you’re a covered entity.
Responsibilities of Covered Entities
If you’re a covered entity, you have to achieve compliance. To achieve compliance, you have to:
- Provide records and compliance reports.
- Cooperate with complaint investigations and compliance reviews.
- Permit access to information.
Basically, it’s in your best interest to keep good documentation to protect yourself from liability to the extent that you can. Also, it will help you to act in a helpful and cooperative manner if HHS arrives at your business to conduct an audit. These are the people we play nice with. No matter what.
Investigational Subpoenas and Inquiries
HHS can subpoena. If they want, they can make things very difficult for you. So, see above re: playing nice.
Refraining from Intimidation or Retaliation
If a patient files a complaint against you, go with it and do not strike back against them in any respect, or even do anything that could be construed as retaliation. Because, it’s not cool, plus, it’s illegal.
In a couple weeks watch for Part 4: Imposition of Civil Money Penalties. Because we all want to avoid hefty fines.
