Privacy Rule update 2003:
Sets limits on disclosure of ePHI and grants patients certain rights over their health information.
Security Rule 2004/2005:
Creates national standards to protect ePHI that is created, received, used, or maintained by healthcare organizations.
Breach Notification Rule 2009 (HITECH):
Within 60 days of large breaches, organizations must document response and notify the impacted individuals through letters and a press release.
Health Information Technology for Economic and Clinical Health (HITECH) Act 2009 (Signed by Barack Obama).
The Omnibus Rule (2013):
In part, expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA).
The Omnibus Rule compels business associates to “report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required…”
Violations:
TIER ONE
Unaware of the HIPAA violation and, by exercising reasonable due diligence, would not have known that HIPAA Rules had been violated
TIER TWO
Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence
TIER THREE
Willful neglect of HIPAA Rules with the violation corrected within 30 days of discovery
TIER FOUR
Willful neglect of HIPAA Rules with no effort made to correct the violation within 30 days of discovery
For the 8th year in a row, healthcare had the highest costs associated with breaches — $408 per lost or stolen record. This is three times higher than the cross-industry average.