The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/7599
www.iltanet.org 12 Peer to Peer BEST PRACTICES

liability under the Business Associate Agreement. As of February 17, 2010, however, a Business Associate that violates applicable HIPAA regulations will be subject to the same civil and criminal penalties that apply to covered entities (see 42 USC 1320d-5 and 42 USC 1320d-6).

The HI-TECH Act revised the HIPAA civil penalties to provide increasing penalties based on four tiers of culpability:

(1) when the entity did not know of the violation and would not have known by exercising reasonable diligence;
(2) when the violation was due to reasonable cause but was not due to willful neglect;
(3) when the violation was due to willful neglect but the covered entity corrected the violation within 30 days of discovery of the violation; and
(4) when the violation was due to willful neglect and the covered entity failed to correct the violation within 30 days of discovery.

When there is a penalty range, the penalty amount will be determined by the government upon assessment of the nature and extent of the violation and the nature and extent of the resulting harm, as well as other factors such as the entity's history of noncompliance or financial condition.

IT STAFF BEWARE

Business Associates should be familiar with the HI-TECH Act and should be taking the actions necessary to comply with the newly applicable HIPAA rules as of February 17, 2010. Most of the rules apply to electronic PHI and will heavily involve information technology personnel and systems. Law firms that receive medical records from clients that are covered entities will be facing new HIPAA compliance challenges and, unfortunately, serious financial risks associated with HIPAA non-compliance. Information about HIPAA and the HI-TECH Act can be found on Bricker & Eckler's resource page at http://www.bricker.com/hipaa/.
ILTA

Allen Killworth is a partner in the Bricker & Eckler healthcare group, with a practice focusing on the day-to-day operations of a variety of healthcare facilities as well as those facilities' dealings with administrative agencies and court proceedings. His full bio can be found at http://www.bricker.com/legalservices/attorney/bios/aKill.asp.

SOX and HIPAA are only two of dozens of statutes under which privacy violations can be prosecuted.

HEALTH PRIVACY LAWS
1974 — The National Research Act
1996 — Health Insurance Portability and Accountability Act (HIPAA)

FINANCIAL PRIVACY LAWS
1970 — Bank Secrecy Act
1998 — Federal Trade Commission
1999 — Gramm-Leach-Bliley Act (GLB)
2002 — Sarbanes-Oxley Act (SOX)
2003 — Fair and Accurate Credit Transactions Act

ONLINE PRIVACY LAWS
1986 — Electronic Communications Privacy Act (ECPA), pen registers
1986 — Stored Communications Act (SCA)

COMMUNICATION PRIVACY LAWS
1978 — Foreign Intelligence Surveillance Act (FISA)
1984 — Cable Communications Policy Act
1986 — Electronic Communications Privacy Act (ECPA)
1994 — Digital Telephony Act - Communications Assistance for Law Enforcement Act (CALEA), 18 USC 2510-2522

EDUCATION PRIVACY LAWS
1974 — Family Educational Rights and Privacy Act (FERPA)

INFORMATION PRIVACY LAWS
2001 — USA Patriot Act, expanded pen registers

OTHER
1974 — Privacy Act
2005 — Privacy Act, sale of online PII data for marketing

Source: The IT Compliance Advisor