12 Reasons Why You Must be Fully Compliant with HIPAA and HITECH

By William D. Dyer

Here is a short list of reasons why compliance is not optional for covered entities (CEs) and business associates (BAs):
1. HIPAA and HITECH requirements are laws currently in effect, and CEs and BAs must be compliant with them right now.

2. HHS has hired more auditors to actively review CEs and BAs for HIPAA and HITECH compliance.

3. HHS has increased enforcement activity.

4. HITECH significantly increased the sanctions and penalties that can be imposed.

5. State Attorneys General are actively enforcing HIPAA and HITECH compliance.

6. Civil actions have already been filed.

7. Lawsuits have already been brought over HIPAA violations stemming from poor safeguards and inadequate information security and privacy programs.

8. Lawsuits can result in damages and settlement payments large enough to put you out of business.

9. ARRA (American Recovery and Reinvestment Act) funds require not only a risk assessment but also action to address the risks it identifies, e.g., implementing policies, procedures, and an effective and appropriate program.

10. The pain of a breach can include:
• fines, penalties and sanctions
• a likely follow-on audit
• loss of brand value
• bad press
• loss of clients, customers and patients
• lawsuits
• loss of insurance coverage and/or increased insurance premiums
• loss of ARRA funds
• loss of health plan contracts

11. Your own employees can report you under whistleblower laws.

12. If you sign a business associate agreement without having made a good-faith effort to be compliant beforehand, you may be found guilty of willful neglect and be exposed to fines and criminal prosecution, as well as breach-of-contract liability.

The list above was compiled from correspondence with Rebecca Harold, a leading privacy, HIPAA, and HITECH expert.
HCP National provides risk management and training as it relates to insurance exposures. We are not in the practice of law or accounting; we are insurance brokers and risk consultants.

What are HIPAA and HITECH?

By William D. Dyer

HIPAA, the Health Insurance Portability and Accountability Act of 1996, according to HHS (the U.S. Department of Health and Human Services), “provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.” In practice this means that covered entities, and since HITECH their business associates as well, are legally liable for a breach or improper disclosure of that information.

HITECH, the Health Information Technology for Economic and Clinical Health Act of 2009, extends HIPAA. It was enacted as health care moved to technologies such as electronic health records (EHRs), to add a further layer of privacy and security protection for personal health information. Among other things, HITECH strengthens that protection by imposing substantially higher financial penalties on violators.

HIPAA and HITECH are enforced to prevent health care providers, and any other organization with access to personal health information, from using or disclosing that information without authorization, and to hold them accountable for security breaches and for loss of the information through misplacement or theft. The laws exist to protect patients from identity theft and other harms that follow from exposure of their health information.

HIPAA and HITECH compliance rests on three required categories of safeguards, administrative, physical, and technical, which together protect the confidentiality, integrity, and availability of personal health information. Non-compliance can result in civil penalties of up to $50,000 per violation, capped at $1.5 million per year for violations of an identical provision.

Below is a chart by @radartweets on the cost of not being compliant with the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.

[Chart: the cost of HIPAA and HITECH non-compliance]

HCP National provides HIPAA compliance training as well as HIPAA and HITECH liability insurance. HCP National is the liability insurance expert for health care: Medical Malpractice, Tech E&O, D&O, and Employment Practices Liability. This article is not legal advice. HCP National is an insurance and risk management training company, not a law firm.