The Rheumatologist

HHS Enforces Stricter Rules on HIPAA

April 1, 2010 • By From the College


As of February 17, 2010, entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), such as group health plans and their business associates, will have to take certain actions to ensure continued compliance with the privacy and security provisions of the act.


HIPAA was put in place to guard the privacy of protected health information and regulate the manner in which covered entities—defined as a health plan or a healthcare provider that uses a healthcare clearinghouse or an electronic device to transmit health information—and business associates create, store, access, and disclose protected health information.


In the final rule from the Department of Health and Human Services (HHS), stricter penalties were applied for violations of the HIPAA privacy and security rules. The rule also amended HIPAA’s enforcement regulations to incorporate the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act: its categories of violations, tiered ranges of civil money penalties, and revised limitations on the HHS secretary’s authority to impose civil money penalties.

Some of the changes to HIPAA include:

  • Business associates (people who provide services to a covered entity) of a covered entity must fully comply with HIPAA’s privacy and security requirements;
  • Covered entities must amend their business associate agreements to reflect the new obligations imposed on business associates;
  • Covered entities must notify individuals of any unauthorized disclosure of their unsecured protected health information (PHI);
  • Business associates must notify covered entities of any unauthorized disclosure of unsecured PHI;
  • Covered entities must honor individuals’ requests to restrict disclosure of PHI; and
  • The new HIPAA provisions will be enforced through heightened penalties and mandatory audits by the HHS secretary.

Also, under the new HIPAA security rules, covered entities will have to amend business associate agreements to reflect changes to the privacy regulation that addresses the storage and transmission of electronic PHI. This applies to a limited extent to business associates by requiring that they comply with the security safeguards set forth in business associate agreements.

Business associates will also need to adopt a security policy, appoint a security officer, and train their workforces on how to safeguard electronic PHI. Similarly, it appears that the rule requires business associates to comply with the privacy provisions of HIPAA to the same extent that covered entities must comply. Currently, business associates are required only to comply with the provisions of the Privacy Rule that are set forth in the business associate agreement.

The enforcement of these new guidelines requires HHS to conduct periodic audits of HIPAA compliance by covered entities and business associates. Consequences will be determined according to the “nature and extent of the violation and the nature and extent of the harm resulting from such violation,” according to the final rule in the Federal Register. Penalties range from $100 to $50,000 for each violation. A cap of $1.5 million exists for violations of an identical provision in a calendar year.


Additionally, covered entities are now required to notify individuals if any of their unsecured PHI has been breached and, as a result, information has been accessed, acquired, or disclosed. In the event of a breach, a covered entity is required to take steps to alleviate the damage from the breach. Furthermore, business associates must notify covered entities of any breach of unsecured PHI no later than 60 days following the date on which a breach has been discovered.

Covered entities should contact their business associates to ensure that they are in compliance with the Privacy Rule and Security Rule; they should also contact any transmission service organizations to discuss their obligations under HIPAA. Failure to make the necessary changes for the new guidelines could cost your practice.

For additional information on HIPAA or practice management guidelines, contact Antanya Chung at [email protected] or (404) 633-3777, ext. 818


Filed Under: From the College, Legislation & Advocacy, Practice Management, Quality Assurance/Improvement, Safety
Tagged With: health information, Health Insurance Portability and Accountability Act, HHS, HIPAA, Patients, privacy, Security, Technology
Issue: April 2010
