Any breach affecting more than 500 records, whether caused by improperly discarded documents or by unsecured computers, must be reported to the authorities and to the affected patients. Such breaches often reach the media, making confidentiality violations both a legal and a reputational risk.
State Attorneys General now have direct enforcement authority over HIPAA’s data security provisions, with the added incentive of retaining revenue from imposed fines.
Fines for HIPAA violations have surged, with maximum penalties jumping from $25,000 to $1,500,000 per incident. Recently, two healthcare organizations paid a record $4.8 million settlement for failing to secure thousands of patients’ protected health information.
Under HIPAA’s amendment, healthcare providers must have a Business Associate Agreement with any data-related service providers. Existing agreements must be updated to meet the new standards, and vendors are now held equally accountable for having these agreements in place.