The Department of Health and Human Services (HHS) has published interim final rules that conform the enforcement regulations of the Health Insurance Portability and Accountability Act (HIPAA) to those made by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) regarding the electronic transmission of health information. Signed into law as part of the American Recovery and Reinvestment Act of 2009 (ARRA or ”Economic Stimulus”), the HITECH Act, among other things, modified the HHS Secretary’s authority to impose civil monetary penalties for violations of HIPAA rules occurring after Feb. 18, 2009. These HITECH Act revisions significantly increase the penalty amounts the Secretary may impose for such violations.

According to a HHS press release, prior to the HITECH Act, the Secretary was limited to imposing fines of $100 for each violation or $25,000 for all identical violations of the same HIPAA provision. The HITECH Act substantially increases these monetary fines by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. In addition, a covered health care provider, health plan or clearinghouse can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery. Before HITECH was enacted, covered entities could bar the Secretary’s imposition of a civil money penalty by demonstrating that it did not know that it had violated the HIPAA rules.

The HHS seeks comment on, among other topics, the calculation set forth in the interim final rules that determine when the 30-day cure period begins for the purpose of assessing the appropriate penalty tier for violations. In addition, the HHS invites comment on the definitions set forth for reasonable cause, reasonable diligence, and willful neglect.

These interim final rules are effective as of November 30, 2009. Comments must be made by December 29,2009, and can be sent to: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA Enforcement Rule IFR (RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201, or via hand-delivery to: Office for Civil Rights, Attention: HIPAA Enforcement Rule IFR (RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Comments may also be made electronically through the federal eRulemaking Portal: http://www.regulations.gov.

Photo credit: VisualField