
HIPAA Final Rule: Enforcement: Four Penalty Tiers

February 21, 2013.  Today, we examine the four penalty tiers for violations of HIPAA Rules in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

We start with two definitions. The first, Reasonable cause, was modified in the Final Rule; the second, Reasonable diligence, was not:

“Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”  45 CFR 160.401, at 78 Federal Register 5691

As modified, this definition “would now include violations due both to circumstances that would make it unreasonable for the covered entity or business associate, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated, as well as to other circumstances in which a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.”  78 Federal Register 5580

“Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.”  45 CFR 160.401

The Final Rule states:  “[S]ection 13410(d) of the HITECH Act revised section 1176 of the Social Security Act to establish four tiers of increasing penalty amounts to correspond to the levels of culpability associated with the violation.  The first category of violation (and lowest penalty tier) covers situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation.  The second category of violation (and next highest penalty tier) applies to violations due to reasonable cause and not to willful neglect.  The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period (second highest penalty tier) and willful neglect that is not corrected (highest penalty tier).”  78 Federal Register 5580.  Willful neglect was discussed in yesterday’s posting.

Here are the penalty limits for each tier from 45 CFR 160.404(b)(2), effective March 26, 2013 (for each tier, the regulation provides that the Secretary may not impose a civil money penalty in the amounts listed under (A) or (B)), with modified paragraphs underlined and the modification in italics:

(i) For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision,

(A) In the amount of less than $100 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(ii) For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect,

(A) In the amount of less than $1,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iii) For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, would have known that the violation occurred,

(A) In the amount of less than $10,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iv) For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

(A) In the amount of less than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

Tomorrow, we look at the relationship of FERPA and HIPAA vis-a-vis disclosure of immunization records to schools, with a return to enforcement Monday and Tuesday of next week.

Ed Jones, Author & Healthcare Authority
