HHS issued its interim final rule increasing penalties for privacy and security violations under HIPAA. The new rule significantly increases the maximum penalty for civil violations of HIPAA, and decreases the defenses available to providers. The new penalty amounts apply to HIPAA violations occurring on or after February 18, 2009.
HHS issued its interim final rule increasing penalties for privacy and security violations under the Health Information Portability and Accountability Act (HIPAA). The Health Information and Technology Act (HITECH) was the impetus for these increased penalties for privacy and security violations under HIPAA. The rule amends HIPAA's enforcement regulations to include new categories of violations and tiered civil penalties on covered entities, and revises limitations on the HHS secretary’s authority to impose civil penalties. The HHS rule significantly increased the maximum individual penalty for civil violations of HIPAA from $100 to $25,000 and increased the penalty cap from $25,000 to $1.5 million for total violations of the same provision.
The following penalties for HIPAA violations will apply on or after November 30, 2009:
- Minimum civil penalty of $100 per violation if the covered entity was unaware of the violation and, by exercising reasonable diligence, would not have known about the violation;
- Minimum civil penalty of $1,000 per violation resulting from “reasonable cause” involving circumstances that would make it unreasonable for the covered entity to comply;
- Minimum penalty of $10,000 for violations resulting from willful neglect that are subsequently corrected;
- Minimum penalty of $50,000 for violations resulting from willful neglect that are not corrected; and
- Maximum penalty for multiple violations is $1.5 million per calendar year.
Additionally, providers may no longer claim "I didn't know about the violation" as a defense. Under the new rule, "[a] covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery."
The new penalty amounts apply to HIPAA violations occurring on or after February 18, 2009. To avoid increased penalties, providers need to be aware of the changes under HITECH and the interim final rule. HHS will be accepting comments on this interim final rule until December 29, 2009.
This Jackson Kelly PLLC E-News Alert is for informational purposes only and not for the purposes of offering legal advice or a legal opinion on any matter. No reader should act or refrain from acting on the basis of any statement in the Jackson Kelly PLLC E-News Alert without seeking advice from qualified legal counsel on the particular facts and circumstances involved.