HIPAA Breach Notification Rule Enforcement

HHS is Not the Only Federal Agency Enforcing HIPAA Breach Notification Rule

This week I am breaking down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, directly from Health and Human Services (HHS).

The HIPAA Breach Notification Rule requires hospitals, insurance companies, healthcare providers, and their third-party vendors to provide notification following a breach of unsecured protected health information (PHI).

Who Else is Watching Where Patients' Information Goes

The Federal Trade Commission (FTC) also enforces the Health Breach Notification Rule, which requires certain organizations (both businesses and nonprofits) not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there is a breach of unsecured, individually identifiable health information.

The FTC has not forgotten about makers of health apps, connected devices, and similar products. In a statement released on September 15, 2021, the FTC made it clear that developers and/or manufacturers of health apps, connected devices, and similar products must comply with the Rule. To help, the FTC has provided developers with the following guidance: Mobile Health App Developers: FTC Best Practices

Department of Justice

And let's not overlook that State Attorneys General have also implemented and enforced similar breach notification provisions against vendors (i.e., BAs) of personal health records and their third-party service providers.

Covered entities (CEs) and business associates (BAs) that fail to comply with the HIPAA Rules can receive, and have received, civil and criminal penalties.

You should know that the Office for Civil Rights (OCR) opens a compliance review of all reported breaches that affect 500 or more individuals, and of many breaches affecting fewer than 500.

HIPAA Breach Notification Rule Enforcement

Significant breaches ARE investigated by OCR, and penalties may be imposed for failure to comply with the HIPAA Rules. Breaches that affect 500 or more patients are publicly reported on the OCR website, affectionately referred to as the “Wall of Shame.”

Once your name has been written on the wall, there it shall remain. Trust me when I tell you, this is not a list you want to see your organization’s name on.

HIPAA Security Incident vs Breach