HIPAA violators could face fines of up to $1.5M

By Bernie Monegain
09:38 AM

The U.S. Department of Health and Human Services has issued an interim final rule to strengthen enforcement and increase penalties for violations of the Health Insurance Portability and Accountability Act, known as HIPAA.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, modified the penalties that HHS could impose for violations of the HIPAA rules.

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

"The department's implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual's health information," said Georgina Verdugo, director of the HHS Office for Civil Rights, which is responsible for administering and enforcing HIPAA's privacy, security and breach notification rules.

"This strengthened penalty scheme will encourage healthcare providers, health plans and other healthcare entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules," said Verdugo. "Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry's use of health information technology."

This interim final rule with request for comments is the first of several steps HHS is taking to implement the HITECH Act's enforcement provisions, Verdugo said. The remaining provisions, which have yet to become effective, will be addressed in the next few months in forthcoming rulemakings.