• Home
  • Blog
  • Contact
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceHIPAA Compliance
  • Home
  • Blog
  • Contact

Business Associate To-Do List

March 17, 2009 American Recovery and Reinvestment Act No Comments

What are Business Associates Required to Do to Meet HIPAA Requirements?

With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security compliance increased significantly with business associates immediately required to comply directly with many of HIPAA’s rules. It also dramatically expanded other remedial actions (such as increasing federal government audits; granting attorneys fees in some HIPAA lawsuits; and allowing a method for individuals to recover penalties under HIPAA). Business associates also are subject to civil and criminal penalties , including a provision that allows individuals to receive financial compensation for the violation.

If you are a business associate, your “To-Do” list looks similar to the list the covered entities complied with in 2004. These tasks include: appointing a Security Official; developing written policies and procedures, including physical safeguards, (such as locking computers that contain EPHI), and technical safeguards (such as encrypting emails); and training workforce on how to protect electronic protected health information (“EPHI”). Also, effective immediately:

» You are required to notify each individual affected by a security breach by mail, or if specified as preference, by email.
» If you don’t have contact information for that individual, you may be required to post notice of the breach on your website, in newspapers, or other broadcast media.
» For breaches involving more than 500 residents in one area, you must notify a “prominent media outlet.”
» You also must contact the Department of Health and Human Services. DHHS is establishing a website listing these breaches. There is an exception for certain unintentional breaches. Consult a health law attorney if you have any questions or concerns about building your policies and procedures, or tasks assigned to the Security Official.

Penalties for ePHI Violations

Violation Penalty per Violation Maximum per Year
Reasonable cause, not willful neglect $1,000
Reasonable cause, corrected $25,000 $250,000
Reasonable cause, uncorrected $50,000 $1,500,000

Tags: HIPAA Business AssociatepenaltiesTraining
No Comments
Share
0

You also might be interested in

Reported Breaches of 500 or More Individuals up to 93 and Affecting Over 2.5 Million Individuals; Enforcement and Penalties

Jun 7, 2010

As of Friday, June 4, 2010, 93 breaches affecting 500[...]

HITECH Act Privacy and Security Final Rules Needed Now

Oct 25, 2011

Since September 23, 2009, the enforcement arm of the Department[...]

OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals

May 16, 2012

May 16, 2012.  The Department of Health and Human Services’[...]

Leave a Reply Cancel Reply

Categories

  • 5010
  • American Recovery and Reinvestment Act
  • Enforcement
  • GINA
  • Health Care Reform
  • Health IT and HITECH
  • HIPAA Law
  • Identifiers
  • Meaningful Use
  • Privacy
  • Red Flags Rules
  • Security
  • Transactions & Code Sets
  • Uncategorized

Recent Posts

  • Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices
  • HIPAA Breach: Who You Gonna Call?
  • Can I Be Sued for a HIPAA Violation?
  • Business Associate Agreements – a First Look at Indemnification
  • Gmail, Google Apps for Business HIPAA Business Associate Agreements

Archives

Contact Us

We're currently offline. Send us an email and we'll get back to you, asap.

Send Message
HIPAA- Health Insurance Portability Accountability Act

© 2023 · hipaa.com

Prev Next