Taking Proactive Steps Will Ensure Early HIPAA Compliance

Author: Tracy Morley, XpertHR Legal Editor

August 28, 2013

The September 23, 2013 deadline for complying with the omnibus final rule issued by the US Department of Health and Human Services (HHS) in January is quickly approaching. The final rule modified the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. It also requires covered entities (CEs), including health care providers and health plans, and their business associates (BAs) to take the following steps to ensure compliance by the deadline:

  1. Revise Notice of Privacy Practices to include information relating to breach notification requirements, uses and disclosures of protected health information (PHI) and marketing and sale of PHI.
  2. Amend BA agreements to reflect that BAs are required to comply with and enforce HIPAA's security and breach notification rules and to indicate that BAs will obtain written assurance of compliance from subcontractors.
  3. Update and implement policies and procedures to reflect changes regarding:
    • Revised rules related to the marketing and sale of PHI;
    • Expanded rights of individuals to restrict disclosure of PHI and to access PHI in electronic form;
    • Changes to the breach notification rules;
    • Disclosures to schools; and
    • Protection of decedents' PHI.
  4. Train the workforce on the requirements of the updated policies and procedures.

HIPAA violations can prove costly. Under the HITECH Act the following four levels of culpability apply, each with increasing penalties:

HIPAA Violation Category | Penalty Range for Each Violation | Maximum Penalty for Violations of an Identical Provision in a Calendar Year
--- | --- | ---
The CE or BA did not know, and despite reasonable diligence still would not have known, of a HIPAA violation. | $100 - $50,000 | $1,500,000
The violation is due to reasonable cause and the CE or BA knew, or should have known, of a violation but did not act with willful neglect. | $1,000 - $50,000 | $1,500,000
The violation is due to willful neglect and is corrected during the 30-day period beginning on the day of discovery. | $10,000 - $50,000 | $1,500,000
The violation is due to willful neglect and is not corrected within the 30-day period beginning on the day of discovery. | $50,000 minimum | $1,500,000

With the potential for such significant fines, CEs and BAs should work to develop a plan to ensure they are in compliance with the modified HIPAA rules.