christian counseling today
Vol. 20 no. 2
67
breach unless a covered entity or busi-
ness associate can demonstrate that there
is a low probability that the PHI was
compromised. In order to determine if
a low probability exists, a covered entity
or business associate, as applicable, must
conduct a risk assessment based on at
least the following factors:
n
the nature and extent of the PHI
involved
n
the unauthorized person who used
the PHI or to whom the disclosure
was made
n
whether the PHI was acquired or
viewed
n
the extent to which the risk to the
PHI has been mitigated
Increased HHS Penalties
Penalties for violation of HIPAA Rules
now range from $100 to $50,000 per
infringement. There are four violation
categories and penalty tiers. Penalties are
capped at $1.5 million per calendar year
for multiple violations. The Department
of Health and Human Services makes
clear in the comments to the Omnibus
Rule that a covered entity, as well as a
business associate, can be liable for the
actions of a business associate who is
acting as an agent of the covered entity
in accordance with agency law.
Recommended Action Steps
for Christian Counselors
Licensed Christian counselors who
are HIPAA covered entities should
take action to assure compliance with
HIPAA as a result of the Omnibus Rule.
In particular, business associate agree-
ments, Notice of Privacy Practices, and
HIPAA policies and procedures must be
reviewed and modified as needed. Mem-
bers of the covered entity’s workforce
should be educated and trained to com-
ply with new HIPAA requirements.
✠
The information is current as of the date it is written. This
article is provided solely for general educational purposes and
does not constitute legal advice between an attorney and a
client. The law varies in different jurisdictions. Consultation
with an attorney is recommended if you desire legal advice.
John Sandy, J.D.,
M.A.B.C., M.S.J.,
is a
senior corporate attorney
for Brotherhood Mutual
Insurance Company, an
insurance provider for
churches and related ministries. He is a licensed
attorney in California and Illinois. John is also
an ordained minister, a board certified Christian
counselor, and board certified pastoral counselor.
Endnote
1
U.S. Department of Health and Human
Services (2013). “New Rule Protects Patient
Privacy, Secures Health Information.”
Retrieved May 18, 2013 at hhs.gov/news/
press/2013pres/01/20130117b.html.
