Organizations Urged to Take Notice of HIPAA Omnibus Rule


The addition of the HIPAA Omnibus rule means organizations need to reassess their privacy and security practices to avoid a wider range of penalties for data security violations. The HHS Office for Civil Rights will start conducting random compliance audits next year and any organization found to be in breach of any HIPAA regulations will face stiff penalties.

Recent audits have revealed numerous HIPAA violations, which is a cause for serious concern. Many organizations have failed to implement strategies to protect data and become HIPAA compliant. If subjected to an audit, organizations must be able to produce documentation demonstrating that appropriate cybersecurity efforts have been made and that a compliance program has been put in place.

Ignorance of current data security regulations is no defense, and stiff penalties are being issued for HIPAA failures, including many of the new additional penalties introduced under the Omnibus Rule. Fines for violations have also been increased.

Under the new rule there are four areas under which a company can be fined for neglect, with penalties ranging from $100 to $50,000 for each offense. In cases of multiple violations, fines of up to $1.5 million can be issued per offense, per year.

The majority of data breaches affecting healthcare organizations occur as a result of stolen or lost mHealth devices. The OCR is urging healthcare organizations to prevent lost and stolen mobile devices from exposing patient data by using strong data encryption. A lack of encryption protecting patient information on any mobile device should be identified in a risk analysis as a security vulnerability. Should no action be taken to encrypt mHealth data, the decision must be documented and supported with a valid reason as to why data encryption cannot be, or is not being, used.

Under the new Security Rule, violations can be enforced by the Department of Justice, with custodial sentences applicable for falsely obtaining medical information for personal gain or to cause harm, for deception, and for snooping. It is important that organizations fully brief staff on the importance of data security, the new HIPAA regulations, and the penalties which can be applied to both companies and individuals for data breaches and theft of patient records.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
