The HIPAA Omnibus rule has held the attention of healthcare entities for some time now, and with this final rule coming into effect, covered entities have to give significant consideration to the potential civil penalties related to the HITECH Act, which are now associated with the rule. Penalties are no longer limited to the maximum of $100 per violation and $25,000 per year; they can be large enough to dent a healthcare entity’s budget.
On October 30, 2009, the Department of Health and Human Services (HHS) issued an interim final rule that made changes to the HIPAA enforcement rule, incorporating the provisions of section 13410(d) of the HITECH Act as § 160.404 of the HIPAA regulations and revising the range of potential civil penalty amounts in case of violations by a covered entity or a business associate. This was made applicable to HIPAA violations that occurred after February 18, 2009, the enactment date.
Before the enactment of the HITECH Act, section 1176(a) of the Social Security Act authorized the imposition of a civil penalty of not more than $100 per violation, with a ceiling of $25,000 in a calendar year for violations of an identical requirement. The interim final rule retained these pre-HITECH maximum penalty amounts for violations occurring before the enactment date.
However, upon implementing the new penalty scheme and realizing that section 13410(d) contained inconsistent language relating to “each violation” and “for all such violations”, HHS corrected this discrepancy, except for violations that occurred as a result of willful neglect and were not corrected in a timely manner.
Violations due to “willful neglect” that are not corrected in a timely manner draw a minimum penalty of $50,000 for each violation and up to $1.5 million for all such violations of an identical requirement or prohibition in one calendar year.
Amendments Made
For violations occurring on or after February 18, 2009, the interim final rule revised section 160.404 to provide the new HITECH penalty scheme:
- for violations where the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or not more than $50,000 for each violation;
- for a violation that occurred due to reasonable cause and not due to willful neglect, an amount not less than $1,000 or not more than $50,000 for each violation;
- for a violation that occurred due to willful neglect and was timely corrected, an amount not less than $10,000 or not more than $50,000 for each violation;
- for a violation that was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.
Therefore, it is now time for healthcare entities to clearly understand the civil penalties under § 160.404(b) of HIPAA in case of violations. However, the primary aim of healthcare entities should be to devise means to prevent any such violation from taking place, for which the highly cost-effective Aegify Security Posture Management and Aegify SecureGRC can prove highly valuable.