HIPAA Final Omnibus Rule – published Jan. 25, 2013 Six Points Hea

Diane E. Felix

Email

314-342-8001

Bio and Articles

Find Your Next Job !

Trusts & Estates Attorney / Estate Planning Lawyer
On Balance Search Consultants

Chief Operating Officer / Business Manager
On Balance Search Consultants

Commercial Real Estate Transactional Attorney / Real Estate Lawyer
On Balance Search Consultants

Trusts & Estates Partner / Senior Attorney
On Balance Search Consultants

Legal Support Specialist
Greenberg Traurig, LLP

Litigation Paralegal
Greenberg Traurig, LLP

Litigation Legal Support Specialist
Greenberg Traurig, LLP

Explore More Job Openings

HIPAA Final Omnibus Rule – published Jan. 25, 2013 Six Points Health Care Professionals and Organizations (and those who do business with them) Need To Know NOW

by: Diane E. Felix of Armstrong Teasdale - Client Alerts

Wednesday, February 13, 2013

Print Mail Download info_icon_img

/>i

Six Points Health Care Professionals and Organizations (and those who do business with them) Need To Know NOW

Possible fines have increased dramatically. Under prior law, fines were capped at $100 per violation, with a total annual cap of $25,000. The annual cap has now been increased to $1.5 million, and the minimum for a single violation is $50,000 if the HIPAA violation was due to willful neglect and not corrected in a timely fashion.
Obligations for reporting breaches have changed significantly. Notifications of data breaches previously were required only if the breach posed a “significant risk of financial, reputational, or other harm to the individual.” The new rule presumes a breach must be reported unless the covered entity or business associate has conducted a risk analysis that demonstrates a low probability protected health information has been compromised.
Having an incident-reporting plan is critical. Given the possible penalties and changes relating to reporting breaches, it is critical that management and key players know how to handle potential breach issues.
Notices of Privacy Policy and Policies and Procedures need to be amended. Notices need to be revised to reflect (i) changes in rights to notification of breaches, (ii) additional requirements relating to using protected health information for marketing purposes and any sale of the information, and (iii) a new prohibition on use of genetic information for underwriting purposes.
Business Associates – and their sub-contractors – are now directly liable. Professionals and organizations that are “covered entities” under HIPAA are now liable for penalties for violations committed by their “Business Associates,” and their sub-contractors and agents. Business Associates are directly responsible for compliance with HIPAA requirements and directly liable for penalties not only for their own violations, but also for those of their sub-contractors and agents. This liability is present even if there is no agreement identifying an entity as a “Business Associate.” These changes are especially important because some of the most significant breaches have involved violations by vendors and subcontractors. As a result, Business Associate Agreements should be updated.
Small organizations and small breaches are being targeted. Just prior to release of the new rule, the government announced that a hospice agency had been fined $50,000 for a breach tied to theft of a laptop, which involved protected health information of fewer than 500 patients. In 2012, a small cardiology practice was fined $100,000 for issues related to disclosures on an Internet-based appointments calendar.