Georgia's Trusted Healthcare
& Medical Provider Attorneys

Archives for April 2014

Are YOU Compliant With New HIPAA Rules?

It has been half a year since the new HIPAA Rules were fully implemented. Are you compliant?

If you are a healthcare provider or work with healthcare providers, you should already know that last year the Department of Health and Human Services published the HIPAA Omnibus Rule, expanding the reach of HIPAA enforcement and bolstering notification requirements. Under the rule, business associates must comply with most of the requirements that previously applied only to covered entities.

Furthermore, HHS can now impose penalties directly on business associates, which range from $100 to $50,000 per violation.

Covered entities also have new requirements that they must follow. For example, such entities must notify the affected individuals and HHS when a breach has occurred. If a large group of individuals is affected, the entities must also notify the media. Furthermore, the definition of a breach is more expansive: an impermissible use or disclosure of protected health information (PHI) is presumed to be a “breach” unless the HIPAA-covered entity demonstrates that there is a low probability that the PHI has been compromised.

Entities that handle protected health information in the form of electronic health records should also be aware that they have become an attractive target for hackers. The information in a medical record is extremely valuable on the black market, which makes patients' protected health information susceptible to theft.

Given the new obligations and penalties under the Omnibus Rule and the increasing vulnerability of protected health information, it is more important than ever to ensure that proper measures are in place to prevent breaches. HIPAA-covered entities and business associates need to consider whether they are in a position to protect against, and appropriately respond to, breaches through periodic risk assessments and the implementation of HIPAA-compliant policies and procedures.

Some threshold questions that your entity will want to ask include:

• Do you have a current written HIPAA policy that reflects the practices of the organization?

• Does your HIPAA policy address what is to be done in the event of a breach?

• Does your policy provide a proper means of assessing whether a breach has occurred?

You can view the Omnibus Rule, including the changes to the Privacy Rule, Security Rule and Breach Notification Rule, here: HIPAA Omnibus Rule