The U.S. Department of Health and Human Services (HHS) on Oct. 31 issued an interim final rule that increases penalties for violations of the privacy and security rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, significantly increase the penalty amounts HHS may impose for violations of the HIPAA rules.
Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered healthcare provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules. Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts.
Under the new rule, the maximum individual penalty for civil violations of HIPAA will increase from $100 to $25,000 and the penalty cap will rise from $25,000 to $1.5 million for total violations of the same provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.
The interim final rule with request for comments will become effective on Nov. 30, and HHS will consider all comments received by Dec. 29, 2009.
Read the HHS press release.
