HIPAA Final Omnibus Rule – published Jan. 25, 2013
Wednesday, February 13, 2013

Six Points Health Care Professionals and Organizations (and those who do business with them) Need To Know NOW

  • Possible fines have increased dramatically. Under prior law, fines were capped at $100 per violation, with a total annual cap of $25,000. The annual cap has now been increased to $1.5 million, and the minimum for a single violation is $50,000 if the HIPAA violation was due to willful neglect and not corrected in a timely fashion.
  • Obligations for reporting breaches have changed significantly. Notifications of data breaches previously were required only if the breach posed a “significant risk of financial, reputational, or other harm to the individual.” The new rule presumes a breach must be reported unless the covered entity or business associate has conducted a risk analysis that demonstrates a low probability protected health information has been compromised.
  • Having an incident-reporting plan is critical. Given the possible penalties and changes relating to reporting breaches, it is critical that management and key players know how to handle potential breach issues.
  • Notices of Privacy Policy and Policies and Procedures need to be amended. Notices need to be revised to reflect (i) changes in rights to notification of breaches, (ii) additional requirements relating to using protected health information for marketing purposes and any sale of the information, and (iii) a new prohibition on use of genetic information for underwriting purposes.
  • Business Associates – and their sub-contractors – are now directly liable. Professionals and organizations that are “covered entities” under HIPAA are now liable for penalties for violations committed by their “Business Associates,” and their sub-contractors and agents. Business Associates are directly responsible for compliance with HIPAA requirements and directly liable for penalties not only for their own violations, but also for those of their sub-contractors and agents. This liability is present even if there is no agreement identifying an entity as a “Business Associate.” These changes are especially important because some of the most significant breaches have involved violations by vendors and subcontractors. As a result, Business Associate Agreements should be updated.
  • Small organizations and small breaches are being targeted. Just prior to release of the new rule, the government announced that a hospice agency had been fined $50,000 for a breach tied to theft of a laptop, which involved protected health information of fewer than 500 patients. In 2012, a small cardiology practice was fined $100,000 for issues related to disclosures on an Internet-based appointments calendar.