PUBLICATIONS

A Publication of Pepper Hamilton LLP

Health Care Law Update

Increased Penalties for HIPAA Violations Effective November 30

Monday, November 30, 2009

The Department of Health and Human Services (HHS) issued an interim final rule on October 30, 2009, to institute stronger enforcement of the rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The interim final rule applies to the penalty provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

Prior to the interim final rule, Section 1176(a) of the Social Security Act authorized the secretary of HHS to impose on covered entities a fine of $100 per violation of HIPAA, with a yearly aggregate limit of $25,000 for identical violations. Pursuant to Section 1176(b), covered entities that were not aware of the violation were not subject to the civil monetary penalties.

Section 13410(d) of the HITECH Act revises Section 1176 to significantly increase the amount of the penalty for HIPAA violations occurring after February 18, 2009. The revised scheme establishes several penalty tiers to reflect increasing levels of culpability:

  • Pursuant to Section 13410(d), covered entities are subject to fines of at least $100, but not exceeding $50,000 (with a maximum yearly aggregate fine of $1.5 million for identical violations), for violations of which they were unaware and would not have known through exercise of reasonable diligence. Covered entities maintain the Section 1176(b) affirmative defense of lack of knowledge as long as the violation is corrected within 30 days of the date of knowledge of such violation.
  • Violations due to reasonable cause (and not willful neglect) now incur penalties of at least $1,000, but not exceeding $50,000 (aggregate of $1.5 million). Covered entities have reasonable cause to act in cases in which circumstances exist that would "make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated."
  • Violations due to willful neglect that are not timely corrected incur penalties of $50,000 for each violation (aggregate of $1.5 million). Willful neglect is defined as the "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." The covered entity is instead subject to penalties of $10,000 to $50,000 (aggregate of $1.5 million) if it is able to correct the violation within 30 days of the first date on which it became aware (or should have become aware) of the violation.

The secretary is authorized to determine the nature and extent of the violation and resulting harm in assessing the appropriate penalty level.

The interim final rule is effective on November 30, 2009. HHS is accepting comments until December 29, 2009.

Written by

Andrew J. Siegel
Phone: 215.981.4043
Fax: 215.981.4750
siegela@pepperlaw.com


The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.


Copyright © 2010 Pepper Hamilton LLP