Note that compliance deadlines are subject to change.
As of 2-17-09: Civil penalties for HIPAA violations increase for covered entities.
As of 2-17-09: State attorneys general may bring HIPAA enforcement action against covered entities.
As of 8-16-09: Each Department of Health and Human Services (HHS) region is to provide guidance and education to covered entities, patients, and business associates.
As of 9-23-09: Covered entities and their business associates must comply with HITECH's breach notification provisions (in addition to state law requirements).
HHS must have a broad program to educate individuals about their HIPAA rights.
Business associates must comply with HIPAA's Security Rule and are subject to HIPAA's (increased) civil and criminal penalties.
State attorneys general can bring HIPAA enforcement action against business associates (in addition to covered entities).
Employees and other individuals are subject to HIPAA's criminal fines and penalties.
HHS is required to conduct audits of covered entities and business associates.
There is a new type of business associate—data transmission entities (for example, health information exchange organizations, regional health information organizations, e-prescribing gateways, vendors of personal health records).
Covered entities have to comply with a patient's request to restrict disclosure to health plans for self-pay services.
Patient access to covered entity's electronic health record—patients have the right to obtain copies of a covered entity's electronic health record in electronic form.
Covered entities must limit PHI, to the extent practicable, to a limited data set, or, if necessary, to the minimum necessary (regulations/guidance coming).
Further restrictions on using patient information for marketing purposes.
If a covered entity's electronic health record was acquired after January 2009, covered entities and business associates must account for disclosures of the electronic health record even if disclosure is for treatment, payment, or health care operations (regulations coming).
HHS must investigate complaints of willful neglect and, if substantiated, must impose statutory penalty—at least $10,000-$50,000 per violation.
HHS and state attorneys general can pursue civil HIPAA violations in cases where criminal penalty could attach, but the Department of Justice declines to pursue.
Individuals can recover a percentage of penalties imposed or settlement proceeds from HIPAA investigations.
If a covered entity's electronic health record was acquired before January 2009, covered entities and business associates must account for disclosures of the electronic health record even if disclosure is for treatment, payment, or health care operations (regulations coming).