HITECH Adds Increased Fines to HIPAA: Important Information for Medical Providers

Dec 20, 2012

HIPAA, The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets standards to safeguard protected health information (PHI).  The HITECH (Health Information Technology for Economic and Clinical Health) Act, the most overlooked in Healthcare legislation, has recently expanded HIPAA enforcement, giving state attorneys general power to bring civil actions and obtain damages on behalf of state residents.  This is an important development for those providing health care services.

Why does HIPAA merit renewed attention now?

Companies should refocus on and assess their HIPAA-related exposure for several reasons.  The costs and consequences of non-compliance have increased.  We are seeing more enforcement actions, audits, and even criminal indictments.  More specifically, companies should be aware of:

  • Increased fines: The HITECH Act has raised the ceiling on HIPAA penalties, upping maximum fines for the same violation from $100 per day with a $25,000 annual cap, to $50,000 per day with a $1.5 million annual cap.
  • Random auditing:  Regulators have begun auditing covered entities and business associates to assess compliance with HIPAA.
  • Breach notification investigations:  The HITECH Act requires covered entities to notify individuals of certain unauthorized breaches of PHI.  Moreover, certain breaches affecting 500 or more individual must be reported to regulators or disclosed to the news media.  Notification can trigger regulatory investigations and media scrutiny.
  • Criminal indictments: Last year, the federal government indicted several individuals for alleged criminal violations of HIPAA, further evidence of greater enforcement and monitoring underway.

Why should healthcare businesses be aware of the HIPAA and HITECH Act?

This is an important development for clients providing healthcare services.  The HIPAA privacy and security regulations also extend to “business associates”, such as claims processing/billing/transcription companies or persons performing legal, accounting and administrative work).  Most Health Care providers are seriously under insured or completely uninsured and don’t know it.  Traditional policies routinely don’t cover fines and penalties.  Some policies may offer a small sub-limit of $25,000 but with HITECH that won’t begin to cover the exposure.

There are solutions in Enhanced Cyber Liability policies offered by McPhee & Associates that can be tailored to meet your specific needs, including legal defense, regulatory compliance, fines/penalties payment, notification and public relations costs.