Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision, according to the release. A covered healthcare provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.
Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision, and a covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery, according to the release.
The interim final rule with request for comments published conforms the HIPAA enforcement regulations to these revisions made by the HITECH Act, according to the release. It may be viewed and commented on at www.regulations.gov. This rulemaking will become effective on Nov. 30, 2009, and HHS will consider all comments received by Dec. 29, 2009.
This interim final rule with request for comments is the first of several steps HHS is taking to implement the HITECH Act’s enforcement provisions. The remaining provisions, which are not yet effective, will be addressed in the next few months in forthcoming rulemakings, according to HHS. Additional information about HIPAA and several related rulemakings may be found on OCR’s Web site www.hhs.gov/ocr/privacy.
