Interim Final Rule Implements Increased Penalties for HIPAA Violations

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that occur on or after February 18, 2009, the date the HITECH Act was enacted.

The interim final rule amends HIPAA’s enforcement regulations.  Specifically, the rule incorporates the HITECH Act’s categories of violations, tiered ranges of civil penalty amounts, and revised limitations on the Secretary of HHS’s authority to impose civil penalties for violations of HIPAA's rules.  Pursuant to the interim final rule, covered entities may be subject to tiers of penalties as described below:

  • If a covered entity did not know and, by exercising reasonable diligence, would not have known that it was in violation, the minimum civil penalty is $100 per violation.
  • If a violation was the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity (despite the exercise of ordinary business care and prudence) to comply, the minimum penalty is $1,000 per violation.
  • The minimum penalty for a violation that is the result of willful neglect and is subsequently corrected is $10,000 per violation.
  • The minimum penalty for a violation that is the result of willful neglect and is not corrected is $50,000 per violation.
  • In every tier, the maximum penalty for multiple violations of an identical provision is capped at $1.5 million per calendar year.

HHS will be accepting comments on the interim final rule until December 29, 2009.  Read our earlier blog posting for further information regarding the HITECH Act.

Access a copy of the interim final rule.
