According to Health Data Management magazine, the HHS Office for Civil Rights plans big changes to privacy and security regulations. Below are some sections from their article.
Adam Greene, senior health IT and privacy advisor in the OCR, outlined a slew of changes to existing regulations. The final HITECH privacy, security and breach notification rules will arrive in 2011 and be issued together, Greene said, to minimize staggered compliance dates and changes to notices of privacy practices. The rules need to be revised to reflect the more widespread use of electronic data and electronic health records, Greene said.
He told a packed room at HIMSS11 that financial penalties for single privacy and security violations will be increased to $50,000 per violation, with a maximum penalty per year of $1.5 million per provision of the rules. He noted that these penalties could be enormous considering that many breach incidents are found to contain multiple violations.
The penalties could be enormous. For example, if a laptop containing patient information on 100 patients is lost, the fines could hit the $1.5 million maximum. This could have a devastating impact on many organizations. Unless the organization has purchased specific HIPAA or cyber insurance, most liability insurance policies do not protect against HIPAA or HITECH fines.