Health Information
The Department of Health and Human Services has finalized rules
that increase penalties for violations of the Health Insurance
Portability and Accountability Act, implementing changes mandated by
Congress in the Health Information Technology for Economic and
Clinical Health (HITECH) Act.
The interim final rule--published in the Oct. 30 Federal
Register--specifically amends the HIPAA enforcement regulations
for civil monetary penalties by significantly increasing potential
civil penalties for HIPAA violations and establishing a tiered penalty
structure based on categories of violations (74 Fed. Reg. 56123).
The rule becomes effective Nov. 30, and applies to violations
occurring on or after Feb. 18, 2009, when the HITECH Act became
effective. Although it is an interim final rule, HHS will accept comments on
the new regulations until Dec. 29.
Covered entities could be liable for a broad range of
penalties--$100 to $50,000--for HIPAA violations in four categories.
The lowest $100-per-violation penalty could be assessed in cases where
entities were not aware of or would not have known about a violation
even through “the exercise of reasonable diligence,”
according to the rule. The minimum penalty for each violation where
entities did not reasonably know of a violation is $1,000. In cases
where violations are due to willful neglect but are corrected, the
minimum penalty for each violation is $10,000.
Only the category for violations that are due to willful neglect
but not corrected by a covered entity has a single, per-violation
penalty of $50,000. For all categories of violations, the rule sets an
annual $1.5 million penalty limit for multiple violations of an
identical provision.
HHS said in the rule that it would not impose the maximum penalty
of $50,000 in all cases where a range of penalties was available.
Rather, the agency said, penalties would reflect the nature of a
violation, the resulting harm, and other factors such as the covered
entities' history of prior compliance and financial condition.
Attorney Kirk J. Nahra, with Wiley Rein LLP in Washington, told BNA
that while the rule clarifies some “formalities” of the
HIPAA enforcement rule, most enforcement actions would be resolved
between HHS and covered entities through less formal negotiations,
“using these formalities as the general framework.”
Nahra suggested that covered entities have a good basis for what
they are doing in the area of HIPAA compliance and should be willing
to address HHS concerns about HIPAA compliance where they can. He said
that entities that face “the most aggressive and formal
actions” will be those that take a “hard line” on
defending a HIPAA position to which HHS objects.
Nahra also said it was important for covered entities to understand
that they are subject to the higher penalty amounts now for violations
of current HIPAA rules, not just new requirements under the HITECH
Act.
The interim final rule is available at
http://edocket.access.gpo.gov/2009/E9-26203.htm.
Copyright 2009, The Bureau of National Affairs, Inc.