Here are some of the relevant timelines for HITECH/HIPAA compliance. Refer to the Subtitle-D table of contents below for a quick reference to the respective sections.
- HITECH enactment (February 17, 2009): Tiered civil penalties based on the nature of HIPAA violations, up to $50,000 per violation and an annual maximum of $1.5 million (Section 13410).
- 180 days post-enactment (August 17, 2009): HHS and the FTC will promulgate interim regulations on notification of breaches. The FTC rules will apply to breach notification by PHRs that are not covered by HIPAA (i.e., generally because the organization that produces the PHR is not a "covered entity") or business associate agreements (Sections 13402, 13407).
- 24 months post-enactment (February 17, 2011): HHS clarification regarding ability to pursue civil penalties when criminal penalties are not pursued (Section 13405).
- 36 months post-enactment (February 17, 2012): HHS is obligated to establish regulations that will allow individuals harmed by privacy and security violations to receive a percentage of any HHS monies collected related to civil fines regarding such violations.
DIVISION A: TITLE XIII—HEALTH INFORMATION TECHNOLOGY
SUBTITLE D-PRIVACY.
Sec. 13400. Definitions.
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
Sec. 13401. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.
Sec. 13402. Notification in the case of breach.
Sec. 13403. Education on health information privacy.
Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
Sec. 13406. Conditions on certain contacts as part of health care operations.
Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
Sec. 13408. Business associate contracts required for certain entities.
Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
Sec. 13410. Improved enforcement.
Sec. 13411. Audits.
PART 2—RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES; EFFECTIVE DATE; REPORTS
Sec. 13421. Relationship to other laws.