The maximum fine per violation for health-care providers has increased to $1.5 million. And for the first time in HIPAA’s history, their business associates can also be held liable for noncompliance, and fined up to $50,000 per violation. Business associates can even face criminal liabilities for electronic security breaches.
Tech providers are also now required to have a written “Business Associate Agreement” (BAA) with their clients. This document establishes permitted uses of electronic protected health information (EPHI); requires the business associate to report breaches to the covered entity; and requires the business associate to make its records available to the U.S. Department of Health and Human Services for an audit. Other requirements can be found on the HHS website.
Cloud technology leads to new risks
Here’s an example of the sort of business associate that could unexpectedly find itself on the hook for noncompliance. In the past, email providers were largely protected by the “conduit” exemption, because people used to download email and delete it immediately from the email server. The cloud has changed all that, and now users often leave their email stored on servers so they can access it later from any device. So an email provider that used to only “transmit” EPHI might today be considered to “maintain” EPHI, possibly making the provider vulnerable to new sanctions.
The stakes are higher than ever, so it’s vital for companies to get in compliance immediately. In an upcoming blog post, Matterform will show how it can help your company specifically address vulnerabilities in order to protect your business and your clients’ patients.