Health Providers Facing Stiff HIPAA Regulations
Introduction
By Sylvia Hsieh
In the coming months, health care providers and contractors to the
health industry can expect broader HIPAA coverage, beefed-up enforcement
and stiffer civil penalties for violations. Some of the changes have
already taken effect; others will soon. The changes to the Health
Insurance Portability and Accountability Act were passed under the
HITECH (Health Information Technology for Economic and Clinical Health)
Act as part of the economic stimulus legislation earlier in 2009. Steep
new fines, which can reach $1.5 million, were clarified in an interim
final rule from the Office of Civil Rights that took effect Nov. 30,
2009.
However, the rule did not elaborate on or alter the statutory
penalties that technically went into effect upon enactment in February
2009, according to health care attorneys. They are warning health care
providers to expect a heavier hand on HIPAA enforcement. “I think
the Office for Civil Rights is staffing up to take a more proactive
approach to enforcement,” says Kelly Hagan, a health care attorney
and shareholder at Shwabe, Williamson & Wyatt in Portland, Ore., who
noted that the statute also calls for the fines collected to be put back
into more enforcement.
One major change is that employees of health care providers can be
held personally (and criminally) liable for violations. State attorneys
general are also authorized to bring civil suits on behalf of a patient
or other individual whose data is breached by a HIPAA violation to
recover statutory penalties and attorney fees. In addition, the statute
requires that rules be promulgated within three years to allow
individuals harmed by a HIPAA violation to receive a percentage of any
civil monetary penalty, said Amy Fehn, an associate at Wachler &
Associates in Royal Oak, Mich., who represents health care
providers.
Next: Hefty
Fines and Fuzzy Definitions
|
|
|
|
