11 November 2009

Health Law / Employee Benefits And Executive Compensation Alert: HHS Issues Interim Final Rule Implementing Civil Penalty Provisions Of HITECH Act

Mintz

Contributor

Mintz is a general practice, full-service Am Law 100 law firm with more than 600 attorneys. We are headquartered in Boston and have additional US offices in Los Angeles, Miami, New York City, San Diego, San Francisco, and Washington, DC, as well as an office in Toronto, Canada.

On October 30, 2009, the U.S. Department of Health and Human Services (HHS) published the interim final rule (the "Interim Final Rule") implementing statutory changes to HIPAA's civil enforcement rules resulting from the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act).1 The Interim Final Rule is effective November 30, 2009.

The HITECH Act and the Interim Final Rule significantly increase the penalties for HIPAA privacy and security violations and establish new categories of violations by covered entities.2 When considering potential civil exposure under HIPAA, the date of the violation is key because the changes to the civil enforcement provisions under the HITECH Act were effective February 18, 2009, and the Interim Final Rule distinguishes between violations that occurred before and after that date. Consequently, the type of violation and the amount of the civil monetary penalty (CMP) could vary significantly depending upon the date of the HIPAA violation and whether the violator is subject to pre-HITECH penalties or the new penalty scheme.

Under this new civil enforcement scheme, the HHS Secretary will consider the actions of health care providers and health plans when imposing a CMP following a HIPAA violation. As HHS wrote in the preamble to the Interim Final Rule, the categories of violations are intended to "reflect increasing levels of culpability" by a covered entity that has committed a HIPAA violation.

Under this new authority, the HHS Secretary can impose a range of CMP amounts for each of the following categories of violations:

  • The covered entity did not know of the violation.
  • The violation was due to reasonable cause and not willful neglect.
  • The violation was due to willful neglect but was corrected within 30 days of discovery.
  • The violation was due to willful neglect but was not corrected within 30 days of discovery.

Additionally, covered entities face significant increases in the corresponding minimum and maximum civil penalties that the HHS Secretary can impose. HHS summarized the penalty tiers in the preamble to the Interim Final Rule as follows:3

| Violation Category | Each Violation | Cap for All Identical Violations in a Calendar Year |
|---|---|---|
| Covered entity did not know | $100−$50,000 | $1,500,000 |
| Covered entity had reasonable cause | $1,000−$50,000 | $1,500,000 |
| Covered entity acted with willful neglect, corrected | $10,000−$50,000 | $1,500,000 |
| Covered entity acted with willful neglect, not corrected | $50,000 | $1,500,000 |

The Interim Final Rule makes clear that HHS will not impose the maximum penalty amount in all cases. Rather, the penalty amount will be based on the nature and extent of the violation, the nature and extent of resulting harm, and other factors, such as the covered entity's history of prior compliance or financial condition.

The Interim Final Rule also revises existing affirmative defenses to the Secretary's CMP authority in two significant ways. First, HHS may now impose a CMP even if a covered entity is able to establish that it did not know, and by exercising reasonable diligence, would not have known, of a violation. Second, HHS has extended the affirmative defense for violations that are timely corrected so that all violations not due to willful neglect are included (the previous limitation applied more narrowly to violations due to reasonable cause).

These new HIPAA penalties were effective under the HITECH Act as of February 18, 2009. The Interim Final Rule was published to alert covered entities to the new penalty scheme and to clarify its provisions. HHS is still interested in public input and will be accepting comments on the Interim Final Rule until December 29, 2009.

Footnotes

1 HIPAA Administrative Simplification: Enforcement, 74 Fed. Reg. 56,123 (Oct. 30, 2009) (to be codified at various sections of 42 C.F.R. pt. 160). The text of the Interim Final Rule is available at http://edocket.access.gpo.gov/2009/E9-26203.htm.

2 See generally section 1176 of the Social Security Act, 42 U.S.C. § 1320d-5.

3 74 Fed. Reg. at 56,127.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
