Penalties for HIPAA Violations Increase Significantly

Posted on November 23, 2009 by Edward Zacharias

The Facts

On October 30, 2009, the U.S. Department of Health and Human Services issued an Interim Final Rule (the Rule) to amend the existing administrative simplification enforcement regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The Rule implements amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) enacted as part of the American Recovery and Reinvestment Act of 2009. Prior to enactment of the HITECH Act, covered entities under HIPAA (health care providers that conduct certain transactions in electronic form, health plans and health care clearinghouses) were subject to HIPAA civil money penalties of up to $100 per violation, with an annual cap of $25,000 for identical violations within a calendar year. The Rule preserves this structure for violations occurring prior to February 18, 2009. Violations occurring on or after February 18, 2009 are subject to a new penalties scheme, which ranges from a minimum per-offense penalty of $100 to $50,000, depending on the level of culpability. The Rule also increases the annual cap for identical violations from $25,000 to $1.5 million, and alters the available affirmative defenses to a HIPAA enforcement action. Business associates are directly subject to the new enforcement scheme beginning February 17, 2010. HIPAA’s criminal penalties remain unchanged.

What’s at Stake

The new HIPAA civil money penalties scheme that will be enforced under the Rule substantially increases the potential penalties for HIPAA violations by covered entities occurring on or after February 18, 2009. Business associates will be directly subject to HIPAA, including the new enforcement scheme, for the first time beginning February 17, 2010. Prior to February 17, 2010, business associates are only subject to HIPAA requirements through contracts with covered entities.

Steps to Consider

Covered entities and business associates should review their current HIPAA compliance policies and procedures to ensure they are meeting amended requirements.  Business associates that previously lacked HIPAA privacy and security policies and procedures should implement policies and train their work force. McDermott has prepared HIPAA privacy policies and forms for covered entities and business associates.  A preview of the manual's table of contents for covered entities can be viewed here, and the business associates table of contents can be viewed here.

Tags: , , ,
  • Email This
  • Print
  • Share Link

Security Breach Notifications

Posted on September 8, 2009 by Karen Sealander

The Facts

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) includes significant investment in health information technology to facilitate the adoption of a U.S.-wide health information network and requires HIPAA covered entities, business associates, vendors of personal health records and related entities to notify individuals when their personal health information is subject to a breach of security.  The U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) recently issued rules relating to these security breach notification requirements.  Compliance with these regulations will require the expenditure of significant time and expense, and, therefore, health care and related industries should begin immediately familiarizing themselves with the rulemakings and updating their processes and procedures to comply accordingly. 

What’s at Stake

HIPAA covered entities, business associates, vendors of personal health records and related entities could be subject to penalties for not properly notifying patients or customers, as applicable, of security breaches involving the patients’ or customers’ individually identifiable health information.  Note that while the HHS rule is effective September 23, 2009, HHS will delay enforcement for six months.  This means that HHS will not impose sanctions for failure to provide the required notification for breaches discovered before February 22, 2010.  Similarly, while the FTC rule is effective September 24, 2009, the FTC will delay enforcement for six months.  This means that the FTC will not impose sanctions for failure to provide the required notification for breaches discovered before February 22, 2010.

Steps to Consider

  • If your organization is a HIPAA covered entity, business associate, vendor of personal health records or related entity, review the HHS and FTC regulations, which can be viewed here and here, respectively. 
  • Affected entities should immediately begin to develop a compliance plan, because the effective date of the HHS rule is September 23, 2009, and the effective date of the FTC rule is September 24, 2009.
  • Consider filing comments on the HHS rule on or before the October 23, 2009, deadline. 
  • For a summary of these regulations, review McDermott’s White Paper entitled “Regulatory Update: HITECH’s HHS and FTC Security Breach Notification Requirements.”
Tags: , , , , ,
  • Email This
  • Print
  • Share Link