The American Recovery and Reinvestment Act of 2009 require certain entities to notify affected individuals, regulatory bodies and the media of “unsecured protected health information.” The new breach provisions affect all entities that deal with protected health information, whether previously covered by HIPAA or not.
As part of the ARRA, the provisions of HIPAA have been significantly expanded. A key component of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH) that includes the following:
- The reach of HIPAA has now been expanded to encompass business partners of entities already covered by HIPAA like pharmacies, healthcare providers and others. The new HIPAA laws will now include attorneys, accounting firms, external billing companies and others that do business with covered entities.
- While these business associates were accountable to the covered entities with which they did business under the old HIPAA laws, these associates are now liable for governmental penalties under the new law.
- One provision of HITECH is that the process from HIPAA civil penalties will now be given directly to the Office of Civil Rights Enforcement within the US Department of Health and Human Services (HHS). What that means it that those who enforce HIPAA now have a direct financial incentive to levy fines and make them as large as possible, since these fines go directly to their budget. Further, individuals and lawyers can now collect fines for violations of the HIPAA Security Rule, dramatically increasing the incentive to sue privately when data is breached.
- Related to the point above is that penalties for HIPAA violations have been expanded dramatically. For example, if a covered entity or one of their business associates loses 500 or more patient records, they must notify HHS and a “prominent media outlet” to let them know what has occurred. Fines for violations can now reach as high as $1.5 million per calendar year.
Smarsh, Inc. assumes no liability for the accuracy or completeness of this information. Please consult with an attorney for specific information on specific rules and regulations and how they apply to your business.