
The Red Flag Rule Toolkit - What's New!

The new, much more stringent HIPAA and HITECH security and breach notification laws included within the Economic Stimulus bill (called the American Recovery and Reinvestment Act of 2009) contain severe, mandatory financial and public relations penalties in the case of a breach or non-compliance, well beyond those contained in the Red Flag Rule.

There's Good News...and Bad News

The bad news... If you have a breach that could have affected 500 or more records (as any electronic breach might), you must inform major media outlets in your area AND have your name listed on the HHS website. HHS will keep a list on its website of all Providers who had a breach affecting 500 or more patients.

HITECH also mandates increased penalties for non-compliance:

1. Violation where the practitioner did not know, and by exercise of reasonable diligence would not have known, that a violation had occurred:

   $100.00 for each violation; not to exceed $25,000.00 in a calendar year

2. Violation due to "reasonable cause":

   $1,000.00 for each violation; not to exceed $100,000.00 in a calendar year

3. Violation due to "willful neglect", corrected within 30 days of discovery:

   $10,000 for each violation; not to exceed $250,000 in a calendar year

4. Violations not corrected within 30 days:

   $50,000.00 for each violation; not to exceed $1,500,000.00 in a calendar year

The Good News

We want to help protect our customers from such a consequence.

The new HITECH/HIPAA laws do not specifically update the Red Flag Rule, BUT because any breach may include a combination of financial information covered under the Red Flag Rule and personal health information covered by HIPAA, we decided to expand the Toolkit!

We have included updated electronic security policies in the Red Flag Rule Toolkit that will, if followed completely, comply with the new HITECH law and provide SAFE HARBOR from the HITECH public notification requirements.

This means that in the case of a breach, because you executed the encryption and electronic security policies in the Red Flag Rule Toolkit, you would NOT have to report your name to major media or have it listed on the HHS website.

Your privacy will be protected, and you can be spared the financial and public relations consequences of having to publicly declare a breach.

Not all of the 2009 HITECH provisions have been finalized by the government yet, so there are some points that may require further action in the future. If and when that occurs, we will update the Toolkit to comply with those requirements.

It is our goal to do everything we can to ensure that those practitioners who are putting forth their best effort to protect their patients' identities get whatever help we can provide.

More Exciting News to Come

We are working on an exciting project that we hope all of you will benefit from, and we expect to be able to release it by August 1st. We'll keep you informed!

Thanks for checking in!