HHS Issues HITECH Act HIPAA Enforcement Rule
The Department of Health and Human Services has published an interim final rule to conform the enforcement regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to the HITECH Act, the Health Information Technology for Economic and Clinical Health Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act privacy and security provisions became effective on Feb. 18, 2009.
HITECH defines the requirements for compatibility with the security and privacy regulations of the Privacy Rule. It also facilitates the expansion of HIPAA standards.
The interim final rule amends HIPAA’s enforcement rules relating to civil monetary penalties, incorporating the HITECH Act’s categories of violations, ranges of civil money penalty amounts, and revised limitations on the Secretary’s authority to impose civil money penalties for established violations of HIPAA’s Administrative Simplification Rules. This interim final rule is effective 30 days after today.
Prior to the HITECH Act, the money penalty for HIPAA violations was not more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered entity could also avoid the civil money penalty by showing that it did not know that it violated HIPAA regulations.
HITECH Act Enforcement Interim Final Rule
Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
It also amended section 1176(b) of the Act by:
- Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.
This interim final rule will become effective on November 30, 2009.
The HITECH Act
The HIPAA Privacy Rule defines the regulations that must be followed to become HIPAA-compliant, but it is the HITECH Act that defines the criticality of following these norms and elaborates on enforcement, accountability, penalty and prosecution-related guidelines for those involved in sharing or accessing Protected Health Information.
You can find out more information at http://whatishipaa.org/hitech-act.php