The passage of HIPAA Omnibus Rule heralds a new era of accountability for organizations that fall under the category of ‘business associates’ to a healthcare provider. The new rule has made some sweeping changes to the penalty system applied to each HIPAA violation category. Before you jump the gun and start worrying about the hefty fines, read this post to know whether you actually fit the role of a ‘business associate’ under the new rule.
The New Penalty System
Under the new rule, civil monetary penalties for noncompliance have been increased based on the level of violation. So, any breach of PHI (Protected Health Information) – whether intentional or accidental – can potentially set you back by up to USD 1.5 million. In fact, there is no theoretical maximum fine per year. The maximum will ultimately be at the discretion of HHS (US Department of Health and Human Services) and depends on how many different kinds of violations are found.
The final Omnibus rule establishes four categories of violations and four corresponding levels of penalties based on the gravity of the violation. The new penalty structure is summarized in the table below:
|VIOLATION TYPE||EACH VIOLATION||REPEAT VIOLATIONS/YR|
|Did Not Know||$100 – $50,000||$1,500,000|
|Reasonable Cause||$1,000 – $50,000||$1,500,000|
|Willful Neglect – Corrected||$10,000 – $50,000||$1,500,000|
|Willful Neglect – Not Corrected||$50,000||$1,500,000|
The biggest burden now falls on the business associates. If you support the healthcare industry or deal with patient data in any way, then you must ensure that all patient data are fully secured according to the standards established by the new rule.
Getting HIPAA compliant can neither be quick nor cost effective for those who just discovered their new status as business associates. And the task has been made even more daunting, with the deadline for compliance set at September 23rd, 2013.
So, you need to be swift in your actions. Talk to your legal team, study the breach notification guidelines and prepare a plan. Teach the employees about the best practices in handling PHI and HIPAA guidelines. Spruce up your IT security and get ready to demonstrate HIPAA compliance before September.
ManageEngine has a set of Windows Active Directory Management and Auditing tools to help you handle the IT part of HIPAA regulations effectively. The integrated Identity and Access Management (IAM) solutions from ManageEngine will help you deal with IT Security, and make you compliant with any regulatory law. The products that can help you in your HIPAA compliance objective:
AD360: An integrated Identity and Access Management Solution
ADManager Plus: Active Directory Management and Reporting Software
ADAudit Plus: Auditing solution for Active Directory, File Servers and NetApp Filers
Exchange Reporter Plus: Exchange Auditing and Reporting Solution
To learn more about how our tools can help you with HIPAA compliance, click here.