- As healthcare organizations read up on the HIPAA omnibus rule, a significant consideration should be the potential civil penalties tied to the HITECH act that are now associated with the rule. Calculating penalties is no longer just a maximum of $100 per violation and $25,000 per year and can put a far bigger dent in a healthcare organization’s budget.
Back on October 30, 2009, HHS issued an interim final rule (IFR) revising the HIPAA Enforcement Rule to incorporate the provisions of section 13410(d) of the HITECH Act that took effect immediately to apply to HIPAA violations occurring after the enactment date of February 18, 2009.
In the “Imposition of Civil Money Penalties” section, HHS explains the enforcement provisions of the IFR and the notice of proposed rulemaking (NPRM), responds to public comment received by the Department on both rules, and describes the final modifications to the Enforcement Rule adopted by this final rule. According to HHS, the IFR amended § 160.404 to revise the range of potential civil money penalty amounts a covered entity (or business associate) will be subject to for violations occurring on or after February 18, 2009, as a result of section 13410(d) of the HITECH Act.
Previous to the HITECH Act being enacted, section 1176(a) of the Social Security Act authorized the Secretary to impose a civil money penalty of not more than $100 for each violation, with the total amount imposed on a covered entity for all violations of an identical requirement or prohibition during a calendar year not to exceed $25,000. Accordingly, the IFR adopted at § 160.404(b) the new penalty scheme provided for at section 13410(d) of the HITECH Act for violations occurring on or after February 18, 2009. The IFR retained the pre-HITECH maximum penalty amounts of not more 69 than $100 per violation and $25,000 for identical violations during a calendar year, for violations occurring before February 18, 2009.
In implementing the HITECH Act’s penalty scheme, HHS recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers “for each violation,” each of which provided a penalty amount “for all such violations” of an identical requirement or prohibition in a calendar year). HHS fixed this discrepancy, with the exception of violations due to willful neglect that are not timely corrected, by having the IFR adopt a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year. Violations defined as “willful neglect” that are not timely corrected will draw a penalty amount of $50,000 as the minimum for each violation and $1.5 million for all such violations of an identical requirement or prohibition in one calendar year.
The IFR revised section §160.404 to provide, for violations occurring on or after February 18, 2009, the new HITECH penalty scheme, as follows:
(1) for violations in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation; (2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1000 or more than $50,000 for each violation; (3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each 70 violation; and (4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.
The Civil Penalties Final Rule made revisions to penalty structure in § 160.404(b) as implemented by the IFR and took into account the provisions and penalty tiers of the HITECH Act. It’s important that healthcare organizations understand their level of culpability when it comes to civil penalties under § 160.404(b) of HIPAA.