Hogan Lovells privacy blog summaries:
- "In the most significant change to HIPAA since the law was enacted, the Department of Health and Human Services issued an omnibus HIPAA regulation, which will require substantial operational changes for HIPAA covered entities and their business associates."
- [These include]: "Changes to the data breach rule will make more incidents reportable. Business associates are directly liable for HIPAA violations and business associate agreements must be modified."
- "...the HITECH Act changed the game for Business Associates (BAs), including the many law firms acting in that capacity. BAs now have a legal obligation to comply with provisions of HIPAA and are subject to direct regulatory oversight... Lawyers acting as BAs face the added challenge of having to reconcile their obligations under the applicable Rules of Professional Conduct with potentially conflicting obligations under HIPAA/HITECH."
- "As a result of the HITECH Act, the maximum civil monetary penalty for a single HIPAA violation rose from $100 to a much more serious $50,000. Monetary penalties and settlements for HIPAA violations now go directly to fund future enforcement efforts, which gives regulators an incentive for vigorous enforcement."
- "Some firms have already done as [Office of Civil Rights] Director Rodriguez advises. We encourage other firms to take this opportunity to evaluate their compliance posture and develop plans to address any gaps. The alternative--remaining unaware--could be quite costly. (As you may recall from our last post, the HITECH Act established a tiered penalty scheme with greater penalties for higher levels of culpability. Violations made with willful neglect are subject to the highest penalty tier .) When asked why an organization wouldn't be better off remaining ignorant about its security problems, Rodiguez offered the following:
- 'I think that's why I'm here…We're looking for that high level of sensitivity [to security issues]... Another one of the big audit findings was activity monitoring, and failure to conduct activity monitoring was a consistent issue. . . So we are looking at that issue, and that is an issue that could easily turn into an enforcement issue.'"