Christopher L. Nuland, Esq.
General Counsel

When the HIPAA Privacy Rule went into effect in 2003, physicians created a new industry in the form of Compliance Programs designed to protect the privacy of Protected Health Information (PHI). Compliance rates were high, and the Office for Civil Rights (the federal agency entrusted with the enforcement of HIPAA) had only a handful of agents dedicated to HIPAA enforcement. Moreover, penalties for non-deliberate noncompliance were low, limited to $1,000 for deficiencies that could be corrected within thirty days.

The lenient era of HIPAA enforcement ended in 2009 with the new Obama Administration and the enactment of the HITECH Act. Fines were increased to as much as $10,000 per violation, and the number of enforcement personnel was increased substantially. Requirements for Business Associate Agreements were heightened, and enforcement of the Security Rule, which added 18 standards to HIPAA compliance requirements, began in earnest. Perhaps more importantly, the Office for Civil Rights was charged with performing random audits of covered entities; it had previously only responded to consumer complaints.

The results of these random audits have been troubling for physicians. While compliance rates for the Privacy Rule remain fairly high, few covered entities have performed the Risk Assessment required by the Security Rule. Moreover, few Business Associate Agreements have been modified to require Business Associates (those outside the practice who may have access to Protected Health Information) to protect such information to the extent required by HIPAA, report unauthorized disclosures, and mitigate the damage of any such disclosures.

In addition, by September 22, 2013, all covered entities (including all physicians) must amend not only their Business Associate Agreements but also their Privacy Notice. The revised Privacy Notice must inform patients that they may obtain their records in electronic form, that they will be notified of any breach of their PHI, that marketing communications will be sent to them only with their authorization, and that they may decline to have PHI disclosed to their health insurer when they pay for services in full without submitting a claim.

Fines for violating these standards have been increased to as much as $1.5 million per year for violations of an identical provision.

For these reasons, physicians are urged to review their HIPAA Corporate Compliance Plans to ensure that they include the latest information and can survive a government audit. FSDDS members having questions may always contact the FSDDS Legal Affairs Division at