HHS requests comments on beefed up HIPAA enforcement abilities
The U.S. Department of Health and Human Services (HHS) has issued an interim final rule with request for comments to strengthen its enforcement of the rules promulgated under the modified version of HIPAA.

The Health IT for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, modified the HHS Secretary’s authority to impose civil money penalties for violations occurring after Feb. 18. According to the agency, the HITECH Act revisions “significantly increase” the penalty amounts the HHS secretary may impose for violations of the HIPAA rules and encourage prompt corrective action.

Prior to the HITECH Act, the HHS Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered healthcare provider, health plan or clearinghouse could also bar the HHS Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Now, section 13410(d) of the HITECH Act has strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision, according to HHS. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule will help conform the HIPAA enforcement regulations to these revisions made by the HITECH Act. It will become effective on Nov. 30, and HHS will consider all comments received by Dec. 29.

“The department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information,” said Georgina Verdugo, the director of HHS Office for Civil Rights, which is responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules.