HHS EXPANDS HIPAA PENALTIES UNDER THE HITECH ACT

On October 30, the Department of Health and Human Services published an interim final rule to conform HIPAA’s enforcement regulations to the new statutory revisions required by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA, commonly known as the “Stimulus Package”).  This new rule revises HIPAA’s enforcement regulations with respect to the imposition of civil monetary penalties by incorporating HITECH’s categories of violations and tiered ranges of civil monetary penalty amounts, and by revising HIPAA’s limitations on the Secretary of HHS’s authority to impose civil monetary penalties for violations of the HIPAA rules. This interim final rule will be effective November 30, 2009.

HHS issued this interim final rule in order to give covered entities (those entities regulated by HIPAA’s privacy and security provisions) additional notice as to how the HITECH Act strengthens the Secretary’s authority to impose civil monetary penalties for violations occurring on or after February 18, 2009, and to avoid any public misunderstanding of Congress’ intent to strengthen enforcement of the HIPAA rules.

Prior to the HITECH Act, HIPAA allowed the Secretary of HHS to impose civil monetary penalties on persons violating the HIPAA rules of not more than $100 per violation up to a maximum of $25,000 for all violations occurring during a calendar year.  HIPAA also limited the Secretary’s authority to impose such penalties under various circumstances.

The HITECH Act strengthens the Secretary’s enforcement authority by establishing four categories of violations that reflect increasing levels of culpability on the part of the covered entity, by defining tiers of increasing civil monetary penalties that the Secretary can impose, and by requiring that the Secretary base penalties on the nature and extent of the violation as well as the nature and the extent of the harm resulting from the violation.  HITECH’s tiered penalty structure represents a significant increase in the liability of covered entities for civil monetary penalties.  Prior to the HITECH Act, HIPAA allowed the Secretary of HHS to impose civil monetary penalties on persons violating the HIPAA rules of not more than $100 per violation up to a maximum of $25,000 for all violations occurring during a calendar year.  Under this new rule, applicable to violations occurring on or after February 18, 2009, the Secretary can impose civil monetary penalties for each violation ranging from at least $100 to a maximum of $50,000 for the lowest category violation.  Under the highest category violation, the Secretary can impose a $50,000 penalty per violation.  Additionally, the HITECH Act increases the maximum penalty that the Secretary can impose for all such violations of the same HIPAA provision in a calendar year from $25,000 to $1,500,000.

The new rule also eliminates certain affirmative defenses that were previously available to covered entities.  For example, under the prior rule, a covered entity had an affirmative defense if the entity did not know and reasonably should not have known that a violation occurred.  Under the HITECH provisions of this new rule, this will only be an affirmative defense if the covered entity also corrects the violation during the 30-day period beginning on the first date of such knowledge or during the period determined by the Secretary to be appropriate based on the nature and extent of the covered entity’s failure to comply.  The new rule also does not alter affirmative defenses with respect to violations due to willful neglect.  HIPAA still operates to exclude violations due to willful neglect from those other violations that, if timely corrected, would be exempted from the imposition of a civil monetary penalty.  Accordingly, under this new rule, timely correction of a violation due to willful neglect will not constitute an affirmative defense.  However, timely correction will determine which tier of penalty amounts is applicable.

The interim final rule is available at: http://frwebgate5.access.gpo.gov/cgi-bin/PDFgate.cgi?WAISdocID=208919184958+0+2+0&WAISaction=retrieve
