What is the New HIPAA?
In February 2009, the American Recovery and Reinvestment Act (ARRA) amended HIPAA. Known as HITECH, this amendment is fully effective in February 2010 and significantly increases data protection liabilities for all health-related organizations.
What’s New?
DATA BREACH NOTIFICATION
Any breach of confidentiality, such as improperly discarded documents or computers, must now be reported to the authorities, to patients and, when the breach involves more than 500 records, to the local media outlets as well. And, while failure to report violations of confidentiality is now a crime, reporting violations provides no relief from further criminal and civil prosecution.
INCREASED ENFORCEMENT
· State Attorneys General are now responsible for enforcing HIPAA’s data security provisions. As an enforcement incentive, this provision allows each enforcement office to retain the revenue from the fines it levies.
· Fine limits have increased 6,000 percent, from $25,000 to $1,500,000 per incident, as a result of the amendment.
There are many examples of medical facilities being fined for not appropriately discarding Protected Health Information.
VENDOR CONTRACT REQUIREMENTS
The new amendment mandates that the legally required Business Associate agreements with data-related service providers be modified to include the new requirement related to Data Breach Notification. The amendment also makes vendors as responsible as their customers for having the agreement in place.