New HIPAA penalties have real teeth
Submitted by Steve Meltzer on October 31, 2009 – 9:29 amComments
The Health & Human Services Department today published an interim final rule that strengthens its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) by aligning it with tougher privacy terms of the stimulus law.
“The Department`s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual`s healthinformation,” said Georgina Verdugo, the director of HHS Office for Civil Rights(OCR).
Under the previous HIPAA rule, HHS could not fine healthcare organizations more than $100 for each violation and imposed a ceiling of $25,000 for all similar violations of the same provision.
The new rule significantly increases the maximum individual penalty for civil violations of HIPAA
Under the new rule:
The minimum civil penalty is $100 per violation if the covered entity was unaware of it and, by exercising reasonable diligence, would not have known about the violation.
The minimum civil penalty is $1,000 per violation for those that were the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity to comply.
The minimum penalty is $10,000 for violations that result from willful neglect and are subsequently corrected.
The minimum penalty is $50,000 for violations that result from willful neglect but are not corrected.
The maximum penalty for multiple violations is $1.5 million per calendar year.
The new penalty amounts apply to HIPAA violations occurring on or after Feb. 18.
The law also removes a defense under HIPAA that barred HHS from imposing civil penalties on a so-called “covered entity” that could demonstrate “it did not know that it violated the HIPAA rules,” according to an HHS statement. Now, under the new rule, “A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.”
The new rule goes into effect November 30, 2009, The Office for Civil Rights is accepting comments on the interim final rule until Dec. 29.
The Health & Human Services Department today published an interim final rule that strengthens its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) by aligning it with tougher privacy terms of the stimulus law.“The Department`s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual`s healthinformation,” said Georgina Verdugo, the director of HHS Office for Civil Rights(OCR).
Under the previous HIPAA rule, HHS could not fine healthcare organizations more than $100 for each violation and imposed a ceiling of $25,000 for all similar violations of the same provision.
The new rule significantly increases the maximum individual penalty for civil violations of HIPAA
Under the new rule:
- The minimum civil penalty is $100 per violation if the covered entity was unaware of it and, by exercising reasonable diligence, would not have known about the violation.
- The minimum civil penalty is $1,000 per violation for those that were the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity to comply.
- The minimum penalty is $10,000 for violations that result from willful neglect and are subsequently corrected.
- The minimum penalty is $50,000 for violations that result from willful neglect but are not corrected.
- The maximum penalty for multiple violations is $1.5 million per calendar year.
The new penalty amounts apply to HIPAA violations occurring on or after Feb. 18.
The law also removes a defense under HIPAA that barred HHS from imposing civil penalties on a so-called “covered entity” that could demonstrate “it did not know that it violated the HIPAA rules,” according to an HHS statement. Now, under the new rule, “A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.”
The new rule goes into effect November 30, 2009, The Office for Civil Rights is accepting comments on the interim final rule until Dec. 29.
Popularity: 24% [?]
Related posts:
- Filing a HIPAA Complaint If you believe that a covered entity violated your (or someone else’s)...
- NCPA and Consumer, Privacy Advocates Urge Feds to Investigate CVS Caremark for Alleged HIPAA Violations The National Community Pharmacists Association announced that it has joined several consumer...
- Do New HIPAA Disclosure Rules Overburden Physicians? On Wednesday, the Medical Group Management Association sent a letter to HHS’...
- HIPAA covered entities need to get their HITECH houses in order More than 90 percent of health care companies are not ready to...
- When is HIPAA cool? When is HIPAA cool? Well the amendments have a cool acronym like...
- SC: Gov. Sanford says no to Feds REAL ID ’s Gov. Mark Sanford renewed his fight against the unfunded, federally-mandated REAL ID...
Support the LCA Trust