The enforcement of these new guidelines requires HHS to conduct periodic audits of HIPAA compliance by covered entities and business associates. Consequences will be determined by the “nature and extent of the violation and the nature and extent of the harm resulting from such violation,” according to the final rule in the Federal Register. Penalties range from $100 to $50,000 for each violation, with a cap of $1.5 million for violations of an identical provision in a calendar year.
Additionally, covered entities are now required to notify individuals when any of their unsecured PHI has been breached and, as a result, has been accessed, acquired, or disclosed. In the event of a breach, a covered entity is required to take steps to mitigate the harm resulting from that breach. Furthermore, business associates must notify covered entities of any breach of unsecured PHI no later than 60 days after the date on which the breach was discovered.
Covered entities should contact their business associates to ensure that they are in compliance with the Privacy Rule and Security Rule; they should also contact any transmission service organizations to discuss their obligations under HIPAA. Failure to make the changes required by the new guidelines could cost your practice.
For additional information on HIPAA or practice management guidelines, contact Antanya Chung at [email protected] or (404) 633-3777, ext. 818.