A change in the federal HIPAA regulation increases security mandates for health care software companies that could make them more liable for privacy breaches involving health information.
The Department of Health and Human Services (HHS) last week said that the changes will extend to so-called business associates of health providers that receive protected health information, such as contractors and subcontractors. Under the change, companies that provide billing and transcription services or produce electronic health records will now be responsible for data leaks. Some of the largest breaches reported to the agency have involved provider business associates.
Under the rule, penalties for noncompliance are tiered by the level of negligence and are increased, with a maximum penalty of $1.5 million per violation; formerly penalties were about $250,000. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
“Much has changed in health care since HIPAA was enacted over 15 years ago,” HHS Secretary Kathleen Sebelius said in a statement. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”
The final rule takes effect on March 26, 2013, and companies must comply by Sept. 23. The threshold at which a company determines that a breach might harm patients, and so may need to be reported to HHS, also changed.
From the NAHC Report Article