HIPAA Compliance

Business Associate To-Do List

March 17, 2009 · American Recovery and Reinvestment Act

What are Business Associates Required to Do to Meet HIPAA Requirements?

With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security obligations increased significantly: business associates are now required to comply directly with many of HIPAA's privacy and security rules, not merely through the terms of their business associate agreements. ARRA also expands the remedies available for violations, for example by increasing federal government audits, granting attorneys' fees in some HIPAA lawsuits, and directing HHS to establish a method by which individuals harmed by a violation can receive a share of the penalties collected. Business associates are subject to the same civil and criminal penalties as covered entities.

If you are a business associate, your "to-do" list looks much like the one covered entities worked through when the Security Rule compliance date arrived in April 2005. The tasks include: appointing a Security Official; developing written policies and procedures, including physical safeguards (such as locking up computers that hold ePHI) and technical safeguards (such as encrypting email); and training your workforce on how to protect electronic protected health information ("ePHI"). Breach notification duties also apply, effective immediately. A business associate that discovers a breach of unsecured protected health information must notify the covered entity, and the following notices must then go out (from the covered entity, or from you where your business associate agreement assigns them to you):

» Notify each affected individual in writing by first-class mail, or by email if the individual has indicated a preference for email.
» If you do not have current contact information for an individual, substitute notice may be required: a conspicuous posting on your website, or notice in major print or broadcast media.
» For a breach involving more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that area.
» Notify the Department of Health and Human Services. HHS is establishing a public website listing breaches that affect 500 or more individuals.

All notices must be made without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. The duty attaches only to "unsecured" PHI: protected health information rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (properly implemented encryption, for example) does not trigger notification, which is a strong practical reason to encrypt ePHI at rest and in transit. There is also an exception for certain unintentional, good-faith acquisitions of PHI by workforce members acting within the scope of their duties. Consult a health law attorney if you have any questions or concerns about building your policies and procedures, or about the tasks assigned to the Security Official.

Civil Penalties for HIPAA Violations under ARRA

ARRA replaced HIPAA's single civil penalty with four tiers based on the violator's state of mind. The per-violation figures below are the statutory minimums for each tier; the annual cap applies to all violations of an identical requirement or prohibition within a calendar year.

Violation category                                   Minimum penalty per violation   Maximum per calendar year
Did not know (and could not reasonably have known)   $100                            $25,000
Reasonable cause, not willful neglect                $1,000                          $100,000
Willful neglect, corrected within 30 days            $10,000                         $250,000
Willful neglect, not corrected                       $50,000                         $1,500,000

Tags: HIPAA Business Associate, penalties, Training

© 2023 · hipaa.com