Health Information Management

HIPAA happenings: HIPAA, HITECH fines are the tip of the iceberg

HIM-HIPAA Insider, August 4, 2014

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

When you think about a data breach, you probably think about things like maximum fines and penalties of $1.5 million, willful neglect, corrective action plans, and so forth, right? Well, think again. When a breach occurs, HIPAA and HITECH are not the only laws covered entities (CE) and business associates (BA) are up against. Further, the fines and penalties associated with breaches under HIPAA and HITECH are only the tip of the iceberg.

A CE and BA may face many more liabilities than those that might be imposed by OCR for breaches under HIPAA and HITECH. These additional liabilities, or exposures, are of two types. The first is internal exposure, which disrupts the organization's operations. The second is external exposure, which comes from additional regulatory agencies and from laws outside HIPAA and HITECH. Although CEs and BAs may be aware that additional liabilities exist, the impact they may have on an organization's operations and its ability to conduct business may be less understood.

Once a breach occurs, various actions must follow. The most obvious is the need to assess the suspected breach, and if necessary report the breach to the relevant parties, including OCR. The timing of this reporting is contingent on the size of the breach. Organizations must report large breaches (those affecting 500 or more individuals) within 60 days of discovery. Small breaches (those affecting less than 500 individuals) must be reported within 60 days of the end of the calendar year. In addition to a breach assessment, additional actions must be taken to address the security of ePHI. These steps may have an enormous impact on an organization.

In its study The True Cost of Compliance: A Benchmark Study of Multinational Organizations, the Ponemon Institute analyzed the costs associated with a breach and assigned them to four categories:

  • Business disruptions
  • Business productivity losses
  • Lost revenues
  • Fines, penalties, and other settlement costs
Continue reading "HIPAA happenings: HIPAA, HITECH fines are the tip of the iceberg" on the HCPro website. Subscribers to Briefings on HIPAA have free access to this article in the August issue.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

    Briefings on APCs
  • Briefings on APCs

    Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...

  • HIM Briefings

    Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...

  • Briefings on Coding Compliance Strategies

    Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...

  • Briefings on HIPAA

    How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...

  • APCs Insider

    This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...

Most Popular