HIPAA Enforcement: New and Improved!
A couple of new developments on the HIPAA enforcement front.
First, a Federal Court in Little Rock, Arkansas entered sentences earlier this week in a criminal case involving a doctor and two former hospital employees who had accessed information about a patient (a local news anchorwoman) out of curiosity. According to this news article and the U.S. Attorney’s press release, all three were sentenced to a year’s probation. Additionally, the doctor was fined $5,000 and ordered to serve 50 hours of community service, one employee was fined $2,500, and the other employee was fined $1,500.
For those of you who have been following HIPAA privacy and security, you’re likely aware of the new, improved enforcement provisions found in the HITECH Act (also known as the Health Information Technology for Economic and Clinical Health Act). The HITECH Act significantly increased the penalties for a HIPAA violation. Where the penalties were previously limited to no more than $100 per violation with an annual cap of $25,000, the HITECH Act introduced new penalty tiers with penalties ranging from a minimum of $100 up to a maximum of $1.5 million annually for violations within each category. Because of some confusing and even conflicting language in the HITECH Act, it has been unclear what the maximum penalties are within each category.
The Department of Health & Human Services has now come out with new interim regulations that clarify the penalties:
- For unknown violations (that is, where the covered entity did not know of the violation and would not have known of it even if exercising reasonable diligence):
  - The penalty for each violation will be between $100 and $50,000.
  - The maximum annual penalty for all such violations: $1.5 million.
- For violations involving reasonable cause (that is, where circumstances would make it unreasonable to comply with HIPAA, despite exercising ordinary business care and prudence):
  - The penalty for each violation will be between $1,000 and $50,000.
  - The maximum annual penalty for all such violations: $1.5 million.
- For violations involving willful neglect (that is, conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA) when the violation is corrected within 30 days:
  - The penalty for each violation will be between $10,000 and $50,000.
  - The maximum annual penalty for all such violations: $1.5 million.
- For violations involving willful neglect that are not corrected on a timely basis:
  - The penalty for each violation will be $50,000.
  - The maximum annual penalty for all such violations: $1.5 million.
The new penalty structure is in effect for violations occurring on or after February 18, 2009. Keep in mind that the HITECH Act also requires HHS to conduct audits and allows it to keep monetary penalties to fund its enforcement activities.
HIPAA isn’t always easy, but these ramped-up penalties create additional incentives to make sure that you have an effective HIPAA compliance program. This means not only training your employees on the privacy and security requirements, but also making sure they appreciate how important it is to report potential violations so that you can react in a timely manner.
If you need help with HIPAA issues, Warner’s privacy team can help! Give us a call.