Changes are taking place in Washington at the Department of Health and Human Services (HHS) regarding enforcement of the HIPAA rules already on the books, and regarding the compliance risks that business associates now carry.
Practices should also expect increased activity from the Federal Trade Commission (FTC), which pursues healthcare data breaches under its consumer protection authority, and from the Food and Drug Administration (FDA), which is concerned with the integrity of medical devices. Neither agency has the comprehensive standards and clear regulations that the HHS Office for Civil Rights (OCR) has for enforcing HIPAA, but both can still act.
The activities of business associates will be under the microscope. The permanent HIPAA audit program, slated to begin in 2015, is expected to audit business associates as well as covered entities. The use of subcontractors by business associates will also be examined more carefully, especially where business associates rely on offshore subcontractors.
All HIPAA-covered entities and business associates of covered entities must comply with the Security Rule. The Security Rule applies only to electronic protected health information (ePHI); the Privacy Rule covers PHI in any form. If a covered entity or business associate does not comply, the penalties under HITECH are higher than before and follow a tiered structure based on the level of culpability. Civil penalties range from $100 per violation (where the entity did not know and could not reasonably have known of the violation) up to $50,000 per violation (for willful neglect), with an annual cap of $1.5 million for all violations of an identical provision. Additionally, HITECH gives State Attorneys General the authority to bring civil actions for HIPAA violations, seeking injunctions and damages.
HITECH amends and strengthens HIPAA. HIPAA applies to "Covered Entities" and to "Business Associates" of covered entities. If you experience a security breach and have not implemented the HIPAA Privacy and Security Rules, the breach investigation will expose that gap, and you may be fined by the Department of Health and Human Services for the underlying non-compliance, not only for the breach itself.
Questions? Contact us today and let us manage your HIPAA compliance requirements.