HIPAA Compliance: Privacy and Security, Breach Notification and Enforcement

It’s time to revisit your health care data privacy and security policies and procedures.

The Omnibus Final Rule under HIPAA/HITECH is here to stay — the compliance date was in September 2013 — and it requires that health care providers and payors and their business associates update their health data privacy and security policies and procedures.

Some of the key changes to the rules center on Business Associates. The rules have broadened the definition of Business Associate and have added compliance responsibilities as well.

Enforcement efforts at the federal and state levels are ramping up, and significant fines may be imposed on covered entities, business associates and subcontractors that are out of compliance. Complaint investigations and random audits, performed by federal and state investigators, as well as outside contractors, will identify businesses at risk — and self-reporting rules will identify others when they must disclose their data breaches on The Wall of Shame.

Businesses that deal with health care providers and payors and their patient information, even shredding contractors and copy machine leasing and maintenance companies, are now subject to HIPAA/HITECH rules.

Covered Entities will need a review of their policies and procedures as well, to ensure that they are properly managing internal processes and those of their Business Associates.

State data privacy laws continue to interact with HIPAA/HITECH rules in ways that Covered Entities and Business Associates need to understand.

Contact us now to learn more about how David Harlow, Principal of The Harlow Group LLC, can help you prepare for health care data privacy and security compliance in this brave new world.

Related Resources:

HIPAA Compliance Tools and Services

A collection of posts on the HIPAA Omnibus Final Rule

HHS HIPAA Security Risk Assessment Tool

Leon Rodriguez, OCR Director and HIPAA/HITECH enforcement chief, speaks at a privacy and security conference shortly before the Final Rule is issued

HIPAA Privacy and Security Audit Protocol

All HealthBlawg posts on HIPAA

US HHS/OCR HIPAA Home Page