The HHS released HITECH Act Enforcement Interim Final Rule today…
This is an interim rule, so if you have comments, be sure to take advantage of the 60 day comment period (starting from today) and let your views be known.
The revised penalty scheme differs significantly from its predecessor by its establishment of several categories of violations that reflect increasing levels of culpability as shown in the table they provided:
TABLE 1.-Categories of Violations and Respective Penalty Amounts Available
(A) Did Not Know it was a violation: $100 – $50,000 per violation to a maximum $1,500,000 for all violations of an identical provision.
(B) Reasonable Cause violation: $1,000 – $50,000 per violation to a maximum $1,500,000 for all violations of an identical provision.
(C) Willful Neglect violation: $10,000 – $50,000 per violation to a maximum $1,500,000 for all violations of an identical provision.
It is worth noting that the interim final rule indicates that HHS will not impose the maximum penalty amount in all cases, but will determine penalty amounts
based on the nature and extent of the violation, the nature and extent of the resulting harm, as well as the other factors.
These are significantly higher than the original penalties.
Consider that the Office of Civil Rights (OCR) is hiring more HIPAA enforcement officers; I believe we’ll start seeing many more penalties than we have so far (a mere two) in 2010.
Here’s the text of the HHS announcement:
“HITECH Act Enforcement Interim Final Rule
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
It also amended section 1176(b) of the Act by:
- Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.
This interim final rule conforms HIPAA’s enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.
This interim final rule will become effective on November 30, 2009. HHS has invited public comments on the interim final rule, which will be considered if received by December 29, 2009.”
Tags: awareness and training, HIPAA, HITECH, Information Security, IT compliance, IT training, patient privacy, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy law, privacy training, security training