Breach of Notification and Enhanced Enforcement HIPAA/HITECH AMENDMENTS effective March 26, 2013 ARE YOU PREPARED?

On January 17, 2013, the US Department of Health & Human Services (HHS) issued the long-anticipated final rule describing the privacy and security requirements for covered entities under the Health Insurance Portability and Accountability Act (HIPAA), as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new final HIPAA Privacy and Security Rule has been described as containing the most sweeping changes to HIPAA since the law was implemented. The Amendments became effective on March 26, 2013, and compliance is generally required by September 23, 2013.

The final rule lowers the “threshold of harm” so that occurrences that were not previously considered serious risks are now required to be reported to the affected patients and to the Office for Civil Rights. The burden of proof regarding breaches now lies with covered entities. Further, it is now presumed that any unauthorized use or disclosure of Protected Health Information (PHI) is a breach unless the covered entity can demonstrate there is a low probability that the PHI can be compromised.

The rule requires HHS to investigate any complaint or violation if it is determined that the possible violation is due to willful neglect. Further, the amendments make covered entities and Business Associates liable for acts of their Business Associates. The maximum penalty for noncompliance due to negligence has been increased to $1.5 million per violation.

-Lisa Coleman
