Compliance HIPAA Applicability

Applicability

Who must be compliant?

Organizations that must comply with HIPAA include healthcare providers, healthcare clearinghouses (such as billing services and community health information systems), and any provider that transmits healthcare data in a way regulated by HIPAA. The HITECH Act expands the scope of HIPAA so that entities which did not exist when the Federal Privacy Rules were written, as well as entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers.

The cost of achieving and validating compliance with HIPAA and HITECH depends on several factors, including the nature of the covered entity, the volume of transactions handled each year, data handling and storage practices, and the organization's IT infrastructure. Many organizations have faced sanctions, regulatory oversight, and heavy fines because they did not properly protect sensitive healthcare information. The cost of doing nothing significantly outweighs the cost of being compliant.

Non-compliance

Non-compliance may result in:

  • Incidental violations, with fines from $100 per incident up to $25,000 for the same violation per calendar year.
  • Wrongful disclosure, prosecuted by the Department of Justice, with penalties for responsible parties ranging from $50,000 and 1 year in prison up to $250,000 and 10 years in prison.
  • Lawsuits, including class action lawsuits, brought by parties claiming to have been damaged or to have suffered loss, which can be extremely costly.
  • Ongoing Federal oversight.
  • Loss of customers.
  • Loss of patient confidence.
  • Termination of contracts.
