Focus Rheums| Dr. Jekyll or Mr. Hyde? (video)

An official publication of the ACR and the ARP serving rheumatologists and rheumatology professionals

Up to Date with the HIPAA Privacy Rule

  |  Issue: November 2018  |  

  • Individuals could be put at risk for personal penalties and sanctions; and
  • The organization is at risk for financial and reputational harm.

In 2003, the Department of Health and Human Services Office of Civil Rights (OCR) began enforcing the Privacy Rule, and there are penalties for non-compliance. Civil penalties are up to $1.5 million per year for identified types of violations, which may include willful neglect violations. Criminal penalties vary:

  • $50,000 fine and one year in prison for knowingly obtaining and wrongfully sharing information;
  • $100,000 fine and five years in prison for obtaining and disclosing information through false pretenses; or
  • $250,000 fine and 10 years in prison for obtaining and disclosing information for commercial advantage, personal gain or malicious harm.

Practices and organizations must implement policies and procedures designed to comply with the Department of Health and Human Services Breach and Privacy Rules. Changes to policies and procedures must be made as necessary and appropriate to comply with changes in the law and maintain consistency between policies, procedures and the Notice of Privacy Practices.

ADVERTISEMENT
SCROLL TO CONTINUE

If you are aware or suspicious of an accidental or intentional HIPAA violation, it is your responsibility to report it. Actions, with resolution and corrective actions, must be documented in written or electronic form. Document all changes made to policies and procedures and maintain all policies for six years. It is important for practices and organizations to train employees on changes made to policies and procedures related to HIPAA compliance.

Practices are required to provide training for all current and new employees, along with periodic refresher training. Although no clear definition for periodic is given, it is considered the best practice for all organizations to conduct HIPAA training annually. In the world of HIPAA privacy and security, training and awareness are among the most important aspects of prevention—especially given the possibility of an OCR audit.

ADVERTISEMENT
SCROLL TO CONTINUE

For questions, training or additional information on HIPAA security and privacy training, contact the ACR Practice Management Department at [email protected].

References

  1. The HIPAA Privacy Rule. HHS.gov.
  2. HIPAA security series. 3 security standards: Physical safeguards. Centers for Medicare & Medicaid Services. 45 C.F.R. §§164.310(d)(2)(i)-(ii). 2005 Feb (revised 2007 Mar).

Related Articles