Johnson points to the fact that HITECH will soon mandate specific HIPAA fines between $10,000 and $50,000 per record when the Department of Health and Human Services (HHS) determines that unsecure disposal of paper or computers is the result of inadequate policies or training.
“This is more than idle conjecture,” insists the NAID CEO. “HHS put it in writing. If materials are found to be improperly discarded and there are no written policies and procedures, or no training program, HITECH leaves HHS regulators no choice. They have to assess fines according to a set schedule.” He adds, “This is a complete and absolute endorsement of our strategy to get members talking to customers about training and policies. Furthermore, it is going to provide strong ammunition to our Doctors Marketing Program.”
The new fine requirements were just one of many such subtleties discussed during last week’s free member webinar on how HHS is modifying HIPAA to accommodate the requirements of HITECH. Among the other revelations discussed in the webinar is the requirement for destruction companies (or any business associate) to have business associate agreements in place with any subcontractor to which they grant access to protected health information (PHI), and the new enforcement dates for the provision requiring revised BA Agreements.
Johnson also announced that NAID will be providing official comment to HHS in support of the modifications, as well as creating a BA agreement to respond to the new requirement to use one with subcontractors.