In January 2013, the U.S. Department of Health and Human Services (HHS) announced the final Omnibus Rule. Omnibus substantially amends the HIPAA Privacy Rule and portions of the HIPAA Security Rule; it is intended to strengthen patients' privacy protections, give individuals new rights over their health information, and strengthen the government's ability to enforce the law. HIPAA was enacted 15 years ago, and Omnibus is designed to address the digital environment that has expanded since then. It affects all Covered Entities, their Business Associates, and subcontractors that have access to Protected Health Information (PHI).
The Omnibus Rule requires Covered Entities and Business Associates to notify individuals of breaches of unsecured PHI, and it creates direct liability for Business Associates for HIPAA compliance and enforcement under their Business Associate Agreements. This includes obtaining written assurances of compliance from all downstream vendors and contractors, and having policies and procedures for compliance in place. Business Associate Agreements are not optional: by law, any vendor or service provider with access to PHI, whether a Business Associate or a subcontractor to a Business Associate, must sign one. The deadline for compliance with Omnibus is September 23, 2013.
What happens if a Covered Entity or Business Associate fails to meet its compliance obligations? If a violation is exposed, the Covered Entity and/or Business Associate can be subject to substantial fines. It can also damage the organization's reputation: settlements and penalties are publicly announced, and the resulting publicity is bad for business. No one wants to be the next headline exposing ignorance, inability, or neglect in safeguarding patients' health information. Beyond that, everyone handling PHI has a moral and ethical responsibility to protect it in compliance with the law.
The cost of non-compliance with HIPAA is real. Violation complaints have risen steadily. Those who violate the privacy and security rules face civil and, in some cases, criminal penalties. The HITECH Act, and now Omnibus, have strengthened HIPAA enforcement: civil penalties now reach $1.5M per year for violations of a single provision, and criminal penalties include up to 10 years' imprisonment for those who knowingly misuse individually identifiable health information.
If you think these fines can't happen to you, or that regulators only go after "the large providers," think again. Here is just a sample of recent fines and the related headlines:
- Alaska Department of Health and Social Services fined $1.7M
- Wellpoint, a managed care company fined $1.7M
- Massachusetts Eye and Ear Infirmary hit with a $1.5M fine
- $1.2M for Affinity Health Plan
- $400,000 for Idaho State University
- Shasta Regional Medical Center fined $275,000
- The Hospice of Northern Idaho fined $50,000 for violations affecting fewer than 500 individuals
To ensure adequate enforcement coverage, the Office for Civil Rights (OCR) continues to hire auditors and assessors, which is certain to increase the number of audits and fines.
As a Covered Entity, Business Associate, or subcontractor to a Business Associate with access to PHI, are you prepared for the September 23, 2013 Omnibus deadline? If not, your business could be the next headline.
For more specific information regarding HIPAA violations and related fines, please visit:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html