
Civil Penalties for Violations of HIPAA Increased

The Department of Health and Human Services ("HHS") issued a final interim rule on October 30, 2009, amending the civil penalty guidelines for HIPAA violations. These amendments were required by the Health Information Technology for Economic and Clinical Health Act, commonly known as the HITECH Act. The HITECH Act is a part of the federal "Bailout Bill" passed in early 2009. Although the new guidelines become effective November 30, 2009, they apply to violations occurring after February 17, 2009, the date HITECH and the rest of the Bailout Bill were signed into law. Prior to HITECH, the civil penalties for violations of HIPAA were set at a maximum of $100 per violation, not to exceed $25,000 in any calendar year. HITECH increases the minimum penalties and, at the same time, breaks the potential civil penalties down into several "tiers".

Under the new rule, the $100 limit per violation changes from a maximum to a minimum penalty per violation. The maximum penalty has been increased to $50,000 per violation or $1.5 million per year. Penalties are now outlined in a tiered format, with each increasing tier corresponding to an increasing level of neglect on the part of the HIPAA Covered Entity or Business Associate:

Tier One: If the Covered Entity or Business Associate did not know and reasonably could not have known of the violation, the civil penalty will be not less than $100 but not more than $50,000 per occurrence, up to a maximum of $1.5 million for all similar violations per calendar year.

Tier Two: If the violation was due to reasonable cause, but not willful neglect, the civil penalty will be not less than $1,000 but not more than $50,000 per occurrence, up to a maximum of $1.5 million for all similar violations per calendar year.

Tier Three: If the violation was due to willful neglect, but was corrected within 30 days after the Covered Entity or Business Associate discovered the violation, the civil penalty will be not less than $10,000 but not more than $50,000 per occurrence, up to a maximum of $1.5 million for all similar violations per calendar year. The Covered Entity or Business Associate will be treated as discovering a violation when the facts that would have been disclosed by an exercise of reasonable due diligence would have led to the discovery of the violation.

Tier Four: If the violation was due to willful neglect, and was not corrected within 30 days after the Covered Entity or Business Associate discovered the violation, the civil penalty will be not less than $50,000 per occurrence, up to a maximum of $1.5 million for all similar violations per calendar year. Again, the Covered Entity or Business Associate will be treated as discovering a violation when the facts that would have been disclosed by an exercise of reasonable due diligence would have led to the discovery of the violation.

In light of these increasing penalties, Health Care Providers and their Business Associates covered by HIPAA should increase their efforts to comply with HIPAA's Privacy and Security Rules.


© 2009 Parsonage Vandenack Williams LLC. All rights reserved.
