The latest resources for regulatory compliance, cloud computing, and cybersecurity
Covered Entities (including health providers, health plans) and Business Associates (including healthcare vendors and digital health companies) are responsible for following complying with HIPAA and The Privacy Rule.
Both Covered Entities and Business Associates are responsible for implementing all required HIPAA safeguards when interacting with protected health information (PHI).
Violations can result in fines as well as jail time and criminal penalties in certain circumstances. Fines or civil money penalties (CMPs) for HIPAA violations are based on a tiered structure, and increase based on the number of effected patients and amount of neglect. The amount of the penalty is at the discretion of HHS OCR.
The penalty guidelines are outlined as followed:
Violation | Amount per violation | Maximum annual penalty |
---|---|---|
Did Not Know | $100 – $50,000 | $1,500,000 |
Reasonable Cause | $1,000 – $50,000 | $1,500,000 |
Willful Neglect — Corrected | $10,000 – $50,000 | $1,500,000 |
Willful Neglect — Not Corrected | $50,000 | $1,500,000 |
Source: HHS, Federal Register.gov
A Business Associates Agreement (BAA) dictates how a business associate (BA) operates and deals with protected health information (PHI). These agreements typically state how the business associate will maintain compliance and lays out responsibilities for both sides. Most cloud platforms, including Amazon Web Services (AWS) and Google Cloud Platform (GCP) operate on a “Shared Responsibility” model, where the cloud provider, as well as your organization are responsible for specific safeguards.
Although it is recommended you sign a BAA with service partners who will be storing PHI, BAAs do not automatically make your organization compliant. Your organization’s internal policies, procedures, and review of administrative, physical, and technical safeguards is an important responsibility that ultimately helps dictate if your organization is in compliance.
Best practices and steps for achieving HIPAA compliance in Amazon Web Services (AWS). Building an AWS HIPAA compliance program for compliant healthcare applications on AWS.
Read moreSee Infrastructure-as-Code best practices. Learn how teams use IaC tools such as Ansible, Terraform, and Azure Resource Manager, to streamline infrastructure management and provisioning.
Read moreDevOps best practices. Learn how DevOps teams implement CI/CD, Infrastructure-as-Code (IaC), microservices and other practices to meet DevOps objectives and speed up delivery.
Read moreBuild, monitor, and maintain your team’s compliance program