The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) is finally exercising its power to levy fines on organizations for HIPAA compliance violations. In a landmark case, Cignet Health was assessed a $4.3M civil monetary penalty for its failure to comply with HIPAA privacy rules. Massachusetts General Hospital settled for $1M in a case involving the loss of 192 patient files. These penalties are the first of their kind and show that HHS is getting serious about enforcement.
OCR has started by cracking down on “easy” violations of obvious failures, but enforcement of more sophisticated violations is imminent as IT systems become part of the inspection of systemic violations and significant breaches. To meet the specific guidelines of HIPAA and HITECH, IT systems will require adherence to hardening configurations and security practices be addressed. Audit and integrity of systems are fundamental to detection and loss prevention.
As a result of the HITECH Act, there are a few salient changes in the definition of ‘business associates’ and their obligations. Previously, business associates could be held directly liable under the breach notification rule. The difference is that now, they can also be held directly liable for privacy and security rules. In addition, subcontractors will be held to the same liability standards as business associates.
For more information on the impact of the HITECH Act and new updates to HIPAA as well as best practices for securing patient information:
HIPAA and HITECH Act: Best Practices for Securing Patient Information
The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
Additional Articles of Interest:
HIPAA Enforcement Steps Up
Data Breach: How Well is Health Information Being Protected?
Interesting times ahead!