HHS Strengthens HIPAA Enforcement

WASHINGTON--(Business Wire)--
The U.S. Department of Health and Human Services (HHS) issued an interim final
rule with request for comments today to strengthen its enforcement of the rules
promulgated under the Health Insurance Portability and Accountability Act
(HIPAA). The Health Information Technology for Economic and Clinical Health
(HITECH) Act, which was enacted as part of the American Recovery and
Reinvestment Act of 2009, modified the HHS Secretary`s authority to impose civil
money penalties for violations occurring after Feb. 18, 2009. These HITECH Act
revisions significantly increase the penalty amounts the Secretary may impose
for violations of the HIPAA rules and encourage prompt corrective action. 

Prior to the HITECH Act, the Secretary could not impose a penalty of more than
$100 for each violation or $25,000 for all identical violations of the same
provision. A covered health care provider, health plan or clearinghouse could
also bar the Secretary`s imposition of a civil money penalty by demonstrating
that it did not know that it violated the HIPAA rules. Section 13410(d) of the
HITECH Act strengthened the civil money penalty scheme by establishing tiered
ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5
million for all violations of an identical provision. A covered entity can no
longer bar the imposition of a civil money penalty for an unknown violation
unless it corrects the violation within 30 days of discovery. 

The interim final rule with request for comments published today conforms the
HIPAA enforcement regulations to these revisions made by the HITECH Act. It may
be viewed and commented on at: www.regulations.gov. This rulemaking will become
effective on Nov. 30, 2009, and HHS will consider all comments received by Dec.
29, 2009. 

"The Department`s implementation of these HITECH Act enforcement provisions will
strengthen the HIPAA protections and rights related to an individual`s health
information," said Georgina Verdugo, the director of HHS Office for Civil Rights
(OCR). OCR is responsible for administering and enforcing HIPAA`s privacy,
security and breach notification rules. 

"This strengthened penalty scheme will encourage health care providers, health
plans and other health care entities required to comply with HIPAA to ensure
that their compliance programs are effectively designed to prevent, detect and
quickly correct violations of the HIPAA rules," said Verdugo. "Such heightened
vigilance will give consumers greater confidence in the privacy and security of
their health information and in the industry`s use of health information
technology." 

This interim final rule with request for comments is the first of several steps
HHS is taking to implement the HITECH Act`s enforcement provisions. The
remaining provisions, which have yet to become effective, will be addressed in
the next few months in forthcoming rulemakings. Additional information about
HIPAA and several related rulemakings may be found on OCR`s Web site:
http://www.hhs.gov/ocr/privacy/. 

Note: All HHS press releases, fact sheets and other press materials are
available at http://www.hhs.gov/news.

HHS Press Office
202-690-6343 

Copyright Business Wire 2009