HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Organizations Urged to Take Notice of HIPAA Omnibus Rule

The addition of the HIPAA Omnibus rule means organizations need to reassess their privacy and security practices to avoid a wider range of penalties for data security violations. The HHS Office for Civil Rights will start conducting random compliance audits next year and any organization found to be in breach of any HIPAA regulations will face stiff penalties.

Recent audits have revealed numerous HIPAA violations which is a cause of serious concern. Many organizations have failed to implement strategies to protect data and become HIPAA compliant. If subjected to an audit, organizations must be able to produce documentation to demonstrate that appropriate efforts have been made to with regard to cybersecurity and that a compliance program has been put in place.

Ignorance of current data security regulations is no defense and stiff penalties are being issued for HIPAA failures, including many the new additional penalties under the new Omnibus Rule. Fines for violations have also been increased.

Under the new rule there are four areas under which a company can be fined for neglect with penalties ranging from $100 to $50,000 for each offense. In cases of multiple violations, fines of up to $1.5 million can be issued per offense; per year.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The majority of data breaches affecting healthcare organizations occur as a result of stolen or lost mHealth devices. The OHC is urging healthcare organizations to prevent lost and stolen mobile devices from exposing patient data by using strong data encryption. A lack of data encryption protecting patient information on any mobile device should be identified in a risk analysis as a security vulnerability. Should no action be taken to encrypt mHealth data, the decision must be documented and supported with a valid reason as to why data encryption cannot or is not being used.

Under the new Security Rule violations can be enforced by the Department of Justice with custodial sentences applicable for falsely obtaining medical information for personal gain or causing harm, deception and for snooping. It is important that organizations fully brief the staff on the importance of data security, the new HIPAA regulations and the penalties which can be applied to both companies and individuals for data breaches and theft of patient records.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.