Avoid Penalties for not Protecting Health Records


Updated 2/28/2010

The amendment to the HITECH Act became effective February 17, 2010. If you are a healthcare provider or business associate and you don’t understand the act or haven’t taken the steps every organization must take to comply, you may be at risk of litigation and financial penalties. The HITECH Act expands the activities covered by HIPAA and extends its privacy and security requirements for protecting medical records.

If records have been compromised, the affected individuals must be notified. If the breach involves more than 500 individuals, the covered entity is also required to notify the media. Some common scenarios that could require notification are a missing (unencrypted) backup tape, a lost or stolen laptop containing unencrypted medical records, and an email sent to an unauthorized party.

As of January 2010, there had already been 35 reports of breaches affecting 500 or more individuals, resulting in 712,000 notices. Most of the reports involved electronic PHI on lost or stolen unencrypted media or portable devices.

To learn more about how to comply, read the full story or contact me at jrey@kaufmanrossin.com to pre-register for my upcoming seminar.


February 1, 2010

If you’re in the health care business, you needn’t wait for the House and Senate to reconcile their bills to find your world has changed. There’s a regulatory change you need to comply with, right around the corner. And you’d best take notice, because there are expensive penalties for non-compliance.

The federal government has recognized the immediate need for a transition in the way health records are managed. Effective February 17, 2010, covered entities (health plans, healthcare providers and healthcare clearinghouses) must comply with new rules regarding electronic health records. Business associates and subcontractors are affected too.

The Health Information Technology for Economic and Clinical Health Act (HITECH or “The Act”), passed as part of the American Recovery and Reinvestment Act of 2009, created a number of incentives to encourage the adoption of health information technology such as electronic health records systems. Because the Act anticipates considerable exchange of electronic protected health information among healthcare providers, it has also increased the reach of the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), the penalties for non-compliance, and the enforcement provisions.

To give it some teeth and ensure that patients are protected, the Act increases civil monetary penalties for HIPAA violations, and state attorneys general now have authority to enforce the rules. Penalties for HIPAA violations range from $100 to $50,000 per violation. The maximum civil penalties, on an annual basis for multiple violations of the same provision, range from $25,000 to $1.5 million.

To learn more about how you should prepare, read the full story or contact me at jrey@kaufmanrossin.com.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
