I’ve been blogging about health data breaches lately, but I’m not sure if there are more of them or if the reporting requirements are more strict. I suspect the latter.
One of the things I’ve noticed is that many of the breaches seem to be of multiple exposures by the same organization, which has led to recent legislative changes to the HITECH Act. You can see from the quote below that not only has the limit to the penalty been increased, but the penalties for repeat violators are higher.
Given the sensitive nature of health data, I’m still thinking that we need to move more towards criminal penalties for willful neglect and repeat violations.
In addition to redefining the scope and liabilities of business associates in the healthcare industry, the final HIPAA omnibus rule includes revisions to the penalties applied to each HIPAA violation category. While the American Recovery and Reinvestment Act of 2009 (ARRA) initially established a tiered penalty structure, it hasn’t been revised until now.
Section 160.404 refers to the amount of civil monetary penalty as administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act. The original penalty structure used to be:
Do you think companies are bearing enough of the responsibility for protecting our data? Do you as a data professional get enough support from management to ensure that data is protected? –
No responses yet