Any company that handles medical or health insurance info about employees should pay attention to some new federal regs.

The Health Information Technology for Clinical and Economic Health (HITECH) Act significantly increases the penalties the Department of Health and Human Services (HHS) can level against employers and health care providers.

Before the HITECH Act, businesses faced a maximum fine of $100 for a single violation and $25,000 for all identical violations of the same provision. Now, the rules spell out a series of tiered minimum fines for individual claims, and a $1.5 million maximum when a group of employees are affected.

Increased notification duty

In addition to the uptick in fines, companies were also handed more responsibility in reporting breaches of health information. After discovering a security breach, companies will have to notify affected individuals, the HHS and, in some cases, “prominent media outlets.” Notice must be provided as soon as possible, no more than 60 days after the discovery.

What constitutes a breach? To trigger the notification requirements, the information leak must involve “personal health information” that’s lost or stolen and readable by whoever ends up with it (i.e. the data’s not encrypted).

The reporting rules go into effect on Feb. 22. The read the text of the rule, click here.

Tags: HIPPA, HITECH