The U.S. Department of Health and Human Services (HHS) has issued an interim final rule with request for comments to strengthen its enforcement of the rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). Through the revision of the Health Information Technology for Economic and Clinical Health (HITECH) Act, there are significant increases in the penalty amounts the Secretary may impose for violations of the HIPAA rules.

According to the text of the interim final rule, it amends HIPAA's enforcement regulations as related to the imposition of civil money penalties and revised limitations on the Secretary's authority to impose civil money penalties for established violations of HIPAA's Administrative Simplification rules (HIPAA rules). The interim final rule explains that prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered entity could also avoid violations if the liable party did not know that it violated the provisions. In the most recent changes, the civil money penalty scheme has tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. In addition, a covered entity can no longer avoid the imposition of a civil money penalty due to not knowing of the violation, unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments may be viewed and commented on at: www.regulations.gov. The rule-making will become effective on Nov. 30, 2009. HHS will consider all comments received by Dec. 29, 2009.

"The Department's implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual's health information," said Georgina Verdugo in a press release on the HHS website. Verdugo is the director of the HHS Office for Civil Rights (OCR), which is responsible for administering and enforcing HIPAA's privacy, security and breach notification rules. "This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA, to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules."

Additional information about HIPAA and several related rulemakings may be found on OCR's Web site: http://www.hhs.gov/ocr/privacy/.

Adapted in part from a HHS press release.

Link: http://www.hhs.gov/news/press/2009pres/10/20091030a.html

More Industry Headlines