Philadelphia (PRWEB) December 30, 2012

Employers who ignore or are partially compliant with health care privacy issues could face greater government scrutiny and fines, says top Philadelphia attorney Christopher Ezold http://www.ezoldlaw.com.

This new focus on compliance applies to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA requires that a covered entity maintain the privacy of personal health information (PHI).

Covered entities can include health care providers, health plans and health clearing houses and their business associates. HIPAA does not apply to all employer-provided health insurance, but it does apply to employer-sponsored health plans and, therefore, to employers who sponsor those types of plans. A partner at Philadelphia-based The Ezold Law Firm, P.C., Christopher Ezold warns that while enforcement of PHI rules have been lax in the past, the U.S. Department of Health and Human Services (HHS) has recently imposed penalties of more than $ 1 million against companies found in violation of HIPAA.

For example, on June 26, 2012, HHS announced that the Alaska Department of Health and Social Services agreed to pay a $ 1.7 million fine to settle possible violations. (http://www.hhs.gov/news/press/2012pres/06/20120626a.html) On March 13, 2012, HHS said that Blue Cross Blue Shield of Tennessee agreed to pay $ 1.5 million to settle potential HIPAA violations. (http://www.hhs.gov/news/press/2012pres/03/20120313a.html) Smaller employers have also found themselves on the receiving end of a HIPAA audit. This is a strong reminder for businesses to revisit their compliance programs.

The HHSs Federal Office for Civil Rights (OCR) has stepped up HIPAA audits of covered entities that are subject to HIPAA. OCR has now begun levying significant monetary penalties for violations of HIPAAs privacy rule. In practice, OCR is not interested in small fines; it has levied penalties in the hundreds of thousands and even millions of dollars for what appeared at first glance to be small issues, according to Ezold. The lesson here is that you should assume you are not a covered entity you must ensure that you are not covered or, if you are covered, that you have met your obligations.

If OCR comes knocking, you may be able to avoid significant liability by showing that you have engaged in a good faith attempt to meet your obligations, says Ezold.

To protect yourself, hold an annual internal review to ensure that the privacy requirements are being met. OCR will not consider a once-and-done review to be sufficient; annual reviews provide better protection than merely doing an initial assessment. Ezold recommends: