HIPAA Compliance
You are required to protect the privacy of your employees' personal health information under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Its purpose is three-fold: to ensure that employees have access to healthcare coverage when they change or lose their jobs; to regulate the delivery and payment of healthcare services; and to safeguard the use of employee health information.
Avoid fines and costly legal actions by keeping up with the latest guidelines. ComplyRight offers solutions for employers needing clear direction on the specific requirements.
What is the effective date of the new HIPAA Breach Notification Rules?
The effective date was September 23, 2009. However, HHS will not impose penalties until February 22, 2010.
Who is affected by the new HIPAA breach notification rules?
The new rules generally apply to HIPAA-covered entities and business associates. Covered entities include most healthcare providers, health plans and healthcare clearinghouses.
What is considered a breach?
The term “breach” is defined in the rules as the acquisition, access, use or disclosure of protected health information, in a manner not permitted under the privacy regulations, that compromises the security or privacy of protected health information. The rules state that determining whether there is a significant risk of harm to an individual will require assessing several factors, such as who impermissibly used the information, and the type and amount of the information.
Steps covered entities should take:
- Establish breach notification procedures and update policies — Covered entities need to establish procedures to determine when a breach has occurred, who will prepare individual notifications, and when a breach will trigger a requirement for notice to the media or immediate notice to HHS. Covered entities also need to amend their HIPAA privacy and security policies to incorporate information on the security breach notification rules.
- Maintain breach incident log (for breaches affecting fewer than 500 employees) — Covered entities must set up a system to log security breaches, which the covered entity must file with HHS within 60 days after the end of the year.
- Revise business associate agreements — Covered entities should negotiate with their business associates regarding the timing for them to notify the covered entity of a breach by the business associate, what information should be reported, and which party will issue the required notifications.
- Train — HHS stated the need for additional training because the 60-day breach notification date will be triggered from the date a breach is discovered by anyone in the covered entity’s workforce. Employees should understand when they have encountered a breach and how to report it.