Download - Allegheny County Medical Society
Download - Allegheny County Medical Society
Download - Allegheny County Medical Society
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
LEGAL REPORT<br />
administrative, accreditation or financial services to or<br />
for a covered entity where performing those services<br />
involves disclosure of individually identifiable health<br />
information by the covered entity or another business<br />
associate of the covered entity to that person or entity.<br />
Business associates typically enter into a business<br />
associate agreement that spells out its obligations under<br />
the HIPAA Privacy and Security Rules and the<br />
HITECH Act. Moreover, the HIPAA Privacy Rule<br />
requires that a covered entity obtain satisfactory assurances<br />
from its business associate that the business associate<br />
will appropriately safeguard the protected health<br />
information it receives or creates on behalf of the covered<br />
entity, such as in the form of a business associate<br />
agreement.<br />
Prior to the HITECH Act, the HHS secretary could<br />
not impose a penalty of more than $100 for each violation<br />
or $25,000 for all identical violations. A covered<br />
health care provider, health plan or clearinghouse, at the<br />
time, could avoid such penalty by demonstrating that it<br />
did not know that it violated the HIPAA Rules. Now,<br />
there is no such avoidance of penalty under the<br />
HITECH Act.<br />
The HITECH Act imposes both civil and criminal<br />
penalties. Civil penalties range from $100 to $50,000<br />
per violation, with caps of $25,000 to $1,500,000 for all<br />
violations of a single requirement in a calendar year. The<br />
amount of the civil penalty imposed varies depending on<br />
whether: (1) the offender did not know and with the<br />
exercise of reasonable diligence would not have known<br />
of the violation; (2) the violation was due to reasonable<br />
cause and not reasonable neglect; (3) the violation was<br />
due to willful neglect but was corrected; and (4) the<br />
violation was due to willful neglect and was not corrected.<br />
Criminal penalties are up to $50,000 in fines and<br />
one year of imprisonment.<br />
How does the federal government find out about<br />
who is violating HIPAA? (1) Anyone may file a complaint<br />
that there has been a violation of the HIPAA<br />
Privacy or Security Rule with the Office of Civil Rights<br />
(OCR), the enforcement arm of HHS. (2) The<br />
HITECH Act requires certain breach notification<br />
standards. In cases where a breach affects more than 500<br />
individuals, health care providers and other covered<br />
entities are to promptly notify affected individuals of a<br />
breach, as well as the HHS secretary and the media.<br />
Breaches affecting fewer than 500 individuals must be<br />
reported to the HHS secretary on an annual basis.<br />
April 2012 : Bulletin<br />
Further, business associates of covered entities must<br />
notify the covered entity of breaches by the business<br />
associate. (3) The HITECH Act makes HIPAA audit<br />
and enforcement mandatory. The act requires HHS to<br />
provide for periodic audits to ensure that covered entities<br />
and business associates are complying with the<br />
HIPAA Privacy and Security Rules and breach notification<br />
standards. To implement the mandate, OCR is<br />
piloting a program to perform up to 150 audits of covered<br />
entities to assess privacy and security compliance.<br />
In that vein, OCR announced a pilot program to<br />
perform audits of covered entities to assess their HIPAA<br />
Privacy and Security compliance. The covered entities to<br />
be audited include a wide variety of facilities of varying<br />
sizes, including very large health care systems and small<br />
physician practices. These entities will have an extensive<br />
review of their HIPAA Privacy and Security Rule policies<br />
and procedures, operations and documentation. OCR<br />
intends to audit health care providers, health plans,<br />
continued on page 161<br />
159