www.solutionary.com
(866) 333-2133
White Paper: Health Care Organizations and the HIPAA Omnibus Rule
responsible for complying with HIPAA and HITECH. Under the Omnibus Rule, a Business Associate (BA) and any subcontractor or vendor who creates, receives, maintains or transmits PHI are now all primarily responsible for complying with HIPAA and HITECH. While a BA agreement is required for all BAs, the agreement is not necessary to create this responsibility for the BA. BAs and subcontractors that have been delegated a function, activity or service by the BA are not only primarily responsible for compliance, but can also be audited for this compliance (or lack thereof), and may face fines or additional sanctions if found noncompliant.
3. Covered Entities must get proof of compliance from BAs: Under the Omnibus Rule, a CE is responsible for ensuring that its BAs are taking appropriate compliance actions. CEs are required to obtain satisfactory assurance that all PHI managed by the BA receives security and privacy protections that meet the requirements of HIPAA, HITECH and other portions of the Omnibus Rule.
1. Compliance date
2. CEs and BAs are responsible
3. CEs must get proof of compliance from BAs
4. Unauthorized use or disclosure of PHI is assumed to be a breach
5. If an HHS review reveals even the possibility of willful neglect, they are required to initiate a formal investigation
6. No penalty cap
7. Enhanced privacy rules may require updated privacy notices
The most important element is not only that organizations must be HIPAA/HITECH compliant, but that their compliance programs must be able to produce enough documentation and other information to prove that the organization is compliant. Proving compliance has historically been one of the most difficult parts of a security program, but under the Omnibus Rule it must be an integral part.
6. No penalty cap: The Omnibus Rule is essentially silent on penalty caps for violations. HITECH had language that seemed to limit the total fines that could be assessed, but the language has changed for the Omnibus Rule. The Omnibus Rule states that the business may be assessed civil penalties up to $1.5 million for all violations of an identical HIPAA requirement in a calendar year. A CE or BA can be assessed additional penalties in the event of willful neglect. The CE or BA can also be assessed additional civil penalties for violations that are not identical.
If a Department of Health and Human Services (HHS) auditor finds a significant violation, the CE, BA or subcontractor can be assessed up to $1.5 million in civil penalties for that one specific type of violation. If the auditors find a second violation, the CE or BA can be assessed up to another $1.5 million for that one. In addition, HITECH expanded penalties to enable attorneys general from any state affected by a breach to seek additional compensation from the CE, BA or subcontractor. Technically, the ultimate penalty is at the discretion of the HHS, meaning that there is effectively no penalty cap!

The following examples demonstrate the types of fines that the U.S. Department of Health and Human Services is willing to assess:
The $1.7M fine against the State of Alaska Department of Health and Social Services for a 2012 breach. While the breach was originally traced to an unsecured storage device that had been stolen from an employee's vehicle, investigations revealed a sequence of non-compliant activities and the lack of an active compliance program.
Solutionary Services to Support HIPAA/HITECH Compliance
Solutionary is a trusted security advisor in the health care industry with demonstrable understanding of the entire health care value chain. Solutionary is an expert in protecting data while also enabling health care organizations to fulfill their mission to save lives.
Services:
- Assessment
- Log Monitoring
- Security Device Management
- Vulnerability Management

About Solutionary

Solutionary, an NTT Group security company, is the next generation managed security
(SERT) researches the global threat landscape, providing actionable threat intelligence,
Solutionary.com
Solutionary, Inc.
9420 Underwood Avenue
Omaha, NE 68114
5010WP
5/2014