Health plan sponsors have long been aware of the HIPAA privacy and security rules that apply to their employee’s protected health information (PHI). More recently, the HITECH Act added several new obligations, including breach notification requirements. These changes have made HIPAA compliance a much higher-stakes proposition. The HITECH Act empowers state attorneys general to enforce HIPAA violations, directs HHS to conduct HIPAA compliance audits, and increases penalties for HIPAA noncompliance from an annual per-provision maximum of $25,000 to $1.5 million. HHS and state attorneys general are taking their new enforcement role seriously, the former having announced it will conduct an audit of every entity reporting a breach that affects more than 500 people, and the latter having already pursued at least one enforcement action. With the compliance stakes raised so substantially, let’s consider some of the more pressing requirements and what you can do about them.

Develop a written breach response procedure.

The new breach notification rule requires both a written response procedure and employee training. The procedure should take into account how you will provide required notifications to affected individuals, HHS and, in some cases, the media. Ideally, it will also account for existing state breach notification laws that may also apply.