HIPAA Compliance

HIPAA Final Rule: Enforcement: Four Penalty Tiers

February 21, 2013 · American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Identifiers, Privacy, Security, Transactions & Code Sets

February 21, 2013.  Today, we examine the four penalty tiers for violations of HIPAA Rules in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

We start with two definitions. The first, Reasonable cause, was modified in the Final Rule; the second, Reasonable diligence, was not:

“Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”  45 CFR 160.401, at 78 Federal Register 5691

As modified, this definition “would now include violations due both to circumstances that would make it unreasonable for the covered entity or business associate, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated, as well as to other circumstances in which a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.”  78 Federal Register 5580

“Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.”

The Final Rule states:  “[S]ection 13410(d) of the HITECH Act revised section 1176 of the Social Security Act to establish four tiers of increasing penalty amounts to correspond to the levels of culpability associated with the violation.  The first category of violation (and lowest penalty tier) covers situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation.  The second category of violation (and next highest penalty tier) applies to violations due to reasonable cause and not to willful neglect.  The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period (second highest penalty tier) and willful neglect that is not corrected (highest penalty tier).”  78 Federal Register 5580.  Willful neglect was discussed in yesterday’s posting.

Here are the penalties for each tier from 45 CFR 160.404(b)(2), effective March 26, 2013, with modified paragraphs underlined and the modification in italics:

(i) For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision,

(A) In the amount of less than $100 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(ii) For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect,

(A) In the amount of less than $1,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iii) For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, would have known that the violation occurred,

(A) In the amount of less than $10,000 or more than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

(iv) For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

(A) In the amount of less than $50,000 for each violation; or

(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);

Tomorrow, we look at the relationship of FERPA and HIPAA vis-a-vis disclosure of immunization records to schools, with a return to enforcement Monday and Tuesday of next week.

© 2023 · hipaa.com