Dear OPRA Members,

 

Some of you have received alerts relating to HIPAA compliance that may imply a false sense of urgent need to react to changes in privacy and security regulations.  Not so.

 

Just a few months ago, Roger Severino, who heads the U.S. Office for Civil Rights (OCR), discussed recent and upcoming HIPAA updates at a conference in Washington, D.C.

 

Here are highlights from his presentation, along with recent memos from his office:

 

·         Going forward, organizations will be protected from exorbidant fines if they experience a breach while making a good-faith effort to comply with HIPAA.  If a breach happens within a compliant organization, fines will be capped at $25,000 a year, vs. the newly announced maximum of $1.7 million.  Here is a link to the federal notice.

 

·         Going forward, Business Associates who must comply with HIPAA can expect direct liability under HIPAA.  You may read the post on that at http://hipaa.opra.org/.

 

·         One of OCR’s top policy initiatives remains the enforcement of HIPAA privacy rights, and in addition to security, OCR will enforce requirements for individuals to have timely access to their health records at a reasonable cost. You may read more in the HIPAA Journal.

 

·         Currently, the Feds are working on standards for making HIPAA compliance “traceable”.

 

One other reminder -- relating to HIPAA compliance that is particular to I/DD:  The Feds and the Ohio Department of Medicaid have made clear that HIPAA compliance meets security standards under EVV.  

 

If any of you have questions, feel free to email me at devans@myhipaaguide.com. 

 

Best regards,

 

Diane Evans

 

--