ABSTRACT

Failure to Comply with HIPAA
☐ Civil monetary penalties (CMPs): $100 to $10,000 per violation
☐ Criminal penalties
☐ Mandatory Health and Human Services (HHS) investigation and assessment
☐ Civil actions by state attorneys general (AGs)

Security Breach Notification

☐ Must notify CEs of unsecured PHI breaches
☐ CEs must notify individuals
☐ CE may need to notify HHS and local media
☐ BAs bear the burden of proving that any delay in notification was reasonable
☐ Security breaches of unsecured PHI include unauthorized acquisition, access, use, or disclosure of PHI
☐ Unsecured PHI is PHI that is not encrypted or destroyed
☐ CEs must notify patients within sixty days after discovery of a breach
☐ Date of discovery, or date the breach should have been discovered
☐ Information BAs provide to CEs following a breach
☐ Contractual obligations of BAs to notify on behalf of CEs
☐ Compliance with state laws
☐ BAs' internal policy for notification
☐ Contractual binding of subcontractors

HIPAA Security Rule
☐ Administrative, physical, and technical safeguards
☐ Specific standards of implementation
☐ Gap analysis for shortfalls
☐ HHS recommends technical safeguards
☐ Subcontractor agreements
☐ Information security due diligence questionnaire

Statutory Liability
☐ Amending noncompliant BAAs
☐ Renegotiate with CEs
☐ BAAs increase in complexity
☐ Indemnifying CEs
☐ Required notification of breach on behalf of CEs
☐ Responsibility for costs of breach
☐ Draft form amendments to BAAs
☐ Minimize negotiation terms not required by law
☐ Reflect new obligations of BAs, but protect from liability for subcontractor breaches

Additional HIPAA Requirements
☐ Comply with new minimum necessary standards
☐ Use of a limited data set?
☐ Ongoing assessment of what is minimum necessary
☐ CEs must account to individuals for disclosures from electronic health records (EHRs)
☐ Monitor developing HHS advice
☐ No direct or indirect remuneration to BAs for EHR or PHI
☐ Making recommendations for products or services

Steps for Breach Notification Compliance
☐ Analyze existing policies and procedures
☐ State breach notification requirements?