Recent HIPAA Changes and Deadlines
The HIPAA Omnibus Final Rule was enacted in 2013 by the United States Department of Health and Human Services (HHS) based on statutory changes under the HITECH Act. Most of it went into effect in 2013, but it also gave covered entities until September 22, 2014, to update the existing “Business Associate Agreements” they already had in place. HHS claims that some of the largest breaches of data have involved business associates. The ruling increased penalties for non-compliance to a maximum penalty of $1.5 million per violation.
On February 24, 2014, HHS announced it would survey 1,200 organizations in preparation for upcoming audits. Auditors will examine business associates in addition to covered entities. HHS is revamping its audit protocols to reflect the changes brought by the 2013 Omnibus Final Rule.
HHS has taken a number of enforcement actions for HIPAA non-compliance. However, the largest fine assessed against health care organizations to date came in May 2014, at $4.8 million, for a technology-related data breach.
New York Presbyterian Hospital and Columbia University, two separate covered entities, operated a joint arrangement in which they shared a data network and a shared network firewall. Weaknesses in their network security practices resulted in electronic protected health information (ePHI) becoming accessible through internet search engines.
If you haven’t already, now is the time to get your house in order. Business associate agreements look likely to be a hot item in audits, so seeking legal counsel on them would be a wise option. To avoid becoming the next record fine, consult your data security experts at i3 Business Solutions.