The Department of Health and Human Services (HHS) issued an interim final rule on October 29 that amends enforcement regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to incorporate civil monetary penalties under the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH addressed privacy and security issues related to the electronic transmission of health information. Under the interim final rule, covered entities are subject to a tiered penalty structure based on four categories of HIPAA violations. The categories range from the lowest, which applies to a violation that a covered entity was not aware of and would not have known about even if it had exercised "reasonable diligence," to the highest, which applies to a violation that was due to willful neglect and not corrected within a 30-day time period. The penalty for the lowest category ranges from a minimum of $100 per violation up to a maximum of $50,000 per violation. The penalty for the highest category is set at a flat amount of $50,000 per violation. The penalties are capped at $1.5 million annually for multiple violations of the same provision. The HHS is asking for public comments on the interim final rule by December 29, 2009.
The full text of the HHS final rule is available here.