At health centers, the patient-provider relationship is based upon compassion, trust and respect. 

Protecting patient health information is one of the foundations upon which the patient-provider relationship is built. 

For health centers, protecting patient health information is also a legal requirement under the Health Insurance Portability and Accountability Act (HIPAA).

Recent modifications to the HIPAA Rules have increased both the compliance requirements and the penalties for non-compliance.  In 2013, the Department of Health and Human Services issued “the Final Rule” which included numerous changes to the HIPAA Rules, including:

  • Changes to procedures for determining whether a breach has occurred
  • New requirements for the Notice of Privacy Practices
  • New requirements related to business associates and Business Associate Agreements

The penalties for non-compliance can range from $100 to $50,000 per violation. The penalty amount is tied to a health center’s knowledge of the violation, its intent to violate the rules, and its effort to correct the violation by coming into compliance with the HIPAA Rules. Penalties are determined on a case-by-case basis, considering the nature and extent of the violation, the resulting harm and other factors.