On Friday, October 30, 2009, HHS published in the Federal Register its Interim Final Rule that strengthens HIPAA enforcement under HITECH Act civil penalty revisions enacted as part of the American Recovery and Reinvestment Act on February 17, 2009. “These HITECH Act revisions significantly increase the penalty amounts the Secretary [of HHS] may impose for violations of the HIPAA rules and encourage prompt corrective action,” according to the HHS press release. The Interim Final Rule is effective as federal policy on November 30, 2009, and HHS requests comments by December 29, 2009.
Because the HITECH Act’s definition of ‘breach’ brings privacy and security violations under a single requirement (remediation, plus notification to affected individuals when the protected health information involved is ‘unsecured’), HHS on July 27, 2009 moved enforcement of the HIPAA Security Rule from the Centers for Medicare & Medicaid Services (CMS) to HHS’ Office for Civil Rights (OCR). OCR has enforced the HIPAA Privacy Rule since compliance became mandatory in April 2003 and now also enforces the HITECH Act ‘breach notification’ requirements. Unified enforcement and higher penalties raise the cost to covered entities (and, after February 17, 2010, to business associates) of failing to comply with the privacy and security rules governing the safeguarding of protected health information.
Prior to the HITECH Act revisions, civil penalties for HIPAA violations were capped at “$100 for each violation or $25,000 for all identical violations of the same provision” in a calendar year. Penalties are now tiered in four levels according to the violator’s state of knowledge, with a maximum penalty of $1.5 million per calendar year for all violations of an identical provision, regardless of tier. By tier, the penalty for each violation ranges from $100 to $50,000 for “Did Not Know”; $1,000 to $50,000 for “Reasonable Cause”; $10,000 to $50,000 for “Willful Neglect–Corrected”; and is $50,000 for “Willful Neglect–Not Corrected”.
According to the OCR Director, Georgina Verdugo, “The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information…. This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules.”
More information is available in the HHS October 30, 2009 press release, available at http://www.hhs.gov/news/press/2009pres/10/20091030a.html, and in the October 30, 2009, Interim Final Rule, available here.