The feds recently published new regs that add some teeth to HIPAA’s health information privacy rules.
The Health Information Technology for Clinical and Economic Health (HITECH) Act significantly increases the penalties the Department of Health and Human Services (HHS) can levy against employers and health care providers.
Before the HITECH Act, businesses faced a maximum fine of $100 for a single violation and $25,000 for all identical violations of the same provision. Now, the rules spell out a series of tiered minimum fines for individual claims, and a $1.5 million maximum when a group of employees are affected.
Increased notification duty
In addition to the uptick in fines, employers were also handed more responsibility in reporting breaches of health info. After discovering a security breach, companies will have to notify affected individuals, the HHS and, in some cases, “prominent media outlets.” Notice must be provided as soon as possible, no more than 60 days after the discovery.
What constitutes a breach? To trigger the notification requirements, the information leak must involve “personal health information” that’s lost or stolen and readable by whoever ends up with it (i.e., the data’s not encrypted).
The reporting rules go into effect on Feb. 22. To read the text of the rule, click here.
HIPAA violations get more expensive