HIPAA updates: HITECH, Omnibus, Violations & Fines

Privacy Rule update 2003:

Sets limits on disclosure of ePHI and grants patients certain rights over their health information.

Security Rule 2004/2005:

Creates national standards to protect ePHI that is created, received, used, or maintained by healthcare organizations.

Breach Notification Rule 2009 (HITECH):

Within 60 days of large breaches, organizations must document response and notify the impacted individuals through letters and a press release.

Health Information Technology for Economic and Clinical Health (HITECH) Act 2009 (Signed by Barack Obama).

The Omnibus Rule (2013):

In part, expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA)

The Omnibus Rule compels business associates to “report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required…” 

Violations:

TIER ONE

Unaware of the HIPAA violation and by exercising reasonable due diligence would have not have known HIPAA Rules have been violated

TIER TWO

Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence

TIER THREE

Willful neglect of HIPAA Rules with the violation corrected within 30 days of discovery

TIER FOUR

Willful neglect of HIPAA Rules with no effort made to correct the violation within 30 days of discovery

For the 8th year in a row, healthcare had the highest costs associated with breaches —
$408 per lost or stolen record. This is three times higher than the cross-industry average.

PTG Blog

Get email alerts when we publish new blog articles!

more blog posts:

Compliance

HIPAA Security Rule summary

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI)

Read More