As of Friday, June 4, 2010, 93 breaches affecting 500 or more individuals have been reported on the Office for Civil Rights (OCR) Web site. The total number of individuals affected has now passed 2-1/2 million and stands at 2,565,352. Of the 87 breaches involving hard copy or electronic protected health information, 26% involve hard copy or paper records and 74% involve records on electronic media or devices. Overall, 71% of the 93 breaches involve theft or loss of records, many of which might have been avoided by appropriately securing hard copy records and electronic media and devices. Below we remind readers of the Department of Health and Human Services (HHS) enforcement efforts for violations of the HIPAA Privacy and Security Rules, and of the increased penalty structure for violations of those rules and the HITECH Act Breach Notification Rule.
On October 30, 2009, HHS published in the Federal Register the Interim Final Rule (IFR): HIPAA Administrative Simplification: Enforcement. This IFR strengthened HIPAA enforcement of February 17, 2009-enacted HITECH Act penalty revisions, which were effective for violations beginning on February 18, 2009. The enforcement IFR was effective on November 30, 2009. This IFR followed by several months HHS Secretary Kathleen Sebelius’ delegation of enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR), which had HIPAA Privacy Rule enforcement responsibilities since the April 14, 2003, compliance date for the Privacy Rule.
OCR’s unified enforcement of the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule, together with the higher penalties, increases both the likelihood and the severity of consequences of noncompliance with those rules, especially with the advent of compliance audits in addition to complaint investigations.
Before the February 17, 2009-enacted HITECH Act penalty revisions, civil penalties for HIPAA violations were $100 for each violation or $25,000 for all violations of the same provision in a calendar year. Under the HITECH Act, penalties are substantially increased and have been divided into four tiers, with a maximum of $1.5 million for all violations of an identical provision in a calendar year. The tiered penalties now range as follows, for each violation:
- $100-$50,000 if the covered entity did not know and, by exercising reasonable diligence, would not have known, that it violated such provision.
- $1,000-$50,000 if the violation was due to reasonable cause and not to willful neglect.
- $10,000-$50,000 if the violation was due to willful neglect and was corrected “during the 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred.”
- $50,000 or more if the violation was due to willful neglect and was not corrected as required.
In announcing strengthened enforcement, OCR Director Georgina Verdugo said:
“The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information…. This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules… Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”
Currently under review at OMB is a Notice of Proposed Rulemaking (NPRM): Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act. According to the Abstract: “The Department of Health and Human Services Office for Civil Rights will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D [Privacy] of the [HITECH Act].” After clearance at OMB, the NPRM will be published in the Federal Register. Be alert to NPRM modifications to privacy, security, and enforcement requirements, and to the likelihood of relatively quick (by HIPAA time standards) compliance dates for each through follow-on interim final rules.
Please visit the OCR Enforcement Web site for additional information now and updated information in the future.
Department of Health and Human Services, Office of the Secretary, “45 CFR Part 160, HIPAA Administrative Simplification: Enforcement; Interim Final Rule,” Federal Register, v.74, n.209, October 30, 2009, pages 56123-56131. Citations to this document are in the format: 74 FR page(s). This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.
OCR also is responsible for enforcement of the HITECH Act Breach Notification Rule. The delegation of enforcement of the HIPAA Security Rule was from the Centers for Medicare & Medicaid Services (CMS), which retains enforcement authority for the HIPAA Transaction and Code Set and Identifiers Rules. See Department of Health and Human Services, Office of the Secretary, “Office for Civil Rights; Delegation of Authority,” Federal Register, v.74, n.148, August 4, 2009, page 38630. This document is available online at: www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/srdelegation.pdf.
74 Federal Register 56131.
Department of Health and Human Services, “HHS Strengthens HIPAA Enforcement,” news release, October 30, 2009, which is available online at: http://www.hhs.gov/news/press/2009pres/10/20091030a.html.
This document, Regulation Identifier Number (RIN) 0991-AB57, was received at OMB on April 12, 2010, and attributes of this NPRM, but not its content, are available online at: http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201004&RIN=0991-AB57.