The new HIPAA civil money penalties scheme substantially increases the potential penalties for HIPAA violations occurring on or after February 18, 2009.

On October 30, 2009, the U.S. Department of Health and Human Services (HHS) issued an Interim Final Rule (the Rule) to amend the existing administrative simplification enforcement regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Rule implements the amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act, which significantly modified the categories of HIPAA violations, the range of civil money penalty amounts and the defenses available in a HIPAA enforcement action, became effective for covered entities on February 18, 2009. The HITECH Act also makes business associates directly subject to HIPAA's enforcement scheme for the first time, beginning February 17, 2010.

HHS waived the notice and comment requirements of the Administrative Procedure Act and issued the Interim Final Rule without first issuing a proposed rule on the subject. HHS explained that it had "good cause" to issue an interim final rule in this instance because the HITECH Act became effective the day after its enactment and many covered entities are unaware that they are already subject to significantly greater penalties for violations of the HIPAA regulations. Further, the HITECH Act's amendments caused a number of provisions of the enforcement regulations to conflict with HIPAA as amended. Although the Rule is effective November 30, 2009, HHS is accepting public comments on it through December 29, 2009. For additional information regarding the HITECH Act, see McDermott's White Papers "Economic Stimulus Package: Policy Implications of the Financial Incentives to Promote Health IT and New Privacy," "Regulatory Update: HITECH's Security Breach Notification Requirements," and "Regulatory Update: HITECH's HHS and FTC Security Breach Notification Requirements."

New HIPAA Civil Money Penalties Scheme

Prior to the enactment of the HITECH Act, covered entities were subject to HIPAA civil money penalties of up to $100 per violation, with an annual cap of $25,000 for identical violations within a calendar year. The Rule preserves this scheme for violations occurring prior to February 18, 2009. For violations occurring on or after February 18, 2009, the Rule amends the HIPAA enforcement regulations to impose tiered ranges of civil money penalty amounts that rise with the level of culpability associated with the violation. The amended penalties scheme is as follows:

| Violation Category | Penalty Range for Each Violation | Maximum Penalty for All Violations of an Identical Provision in a Calendar Year |
|---|---|---|
| Tier 1: Entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision. | $100 to $50,000 | $1,500,000 |
| Tier 2: Violation is due to reasonable cause and not to willful neglect. | $1,000 to $50,000 | $1,500,000 |
| Tier 3: Violation is due to willful neglect and was corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known, that the violation occurred. | $10,000 to $50,000 | $1,500,000 |
| Tier 4: Violation is due to willful neglect and was not corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known, that the violation occurred. | At least $50,000 | $1,500,000 |

This is a substantial increase from the previous enforcement range, which carried a maximum penalty of $100 per violation. Under the new scheme, the minimum penalty for each violation rises from $100 for first-tier violations to $50,000 for fourth-tier violations, and the maximum per-violation penalty is $50,000 (or more, in the fourth tier) rather than $100. Similarly, the maximum penalty available in a calendar year for identical violations increases from $25,000 to $1,500,000.

The Rule retains the definitions of the terms reasonable cause, reasonable diligence and willful neglect, but moves them from 45 C.F.R. § 160.410 (i.e., the affirmative defenses section) to a new section, 45 C.F.R. § 160.401. The purpose of the reorganization is to make these terms applicable to the entire Subpart D, which includes the tiered penalties scheme, as opposed to only the affirmative defenses section.

In the Rule's preamble, HHS states that it will not impose the maximum penalty amounts in all cases, and that its determinations will be based on the nature and extent of the violation, the nature and extent of the resulting harm, the violator's history of prior compliance and financial condition, and the other factors set forth in 45 C.F.R. § 160.408 of the existing enforcement regulations. HHS also states that it may continue to use its discretion to provide technical assistance, obtain corrective action and resolve possible noncompliance by informal means where the noncompliance is due to reasonable cause or where the person did not reasonably know that the violation occurred.

Affirmative Defenses

Prior to the HITECH Act, covered entities had three affirmative defenses available in an HHS action to impose a civil money penalty. HHS was prohibited from imposing civil money penalties (1) for acts constituting an offense punishable under the criminal penalty provisions of the Social Security Act; (2) for violations where the entity did not know, and by exercising reasonable diligence would not have known, that it violated the law; and (3) for violations where the failure to comply was due to reasonable cause and not willful neglect, and was corrected within 30 days or within an extension determined to be appropriate by the Secretary of HHS. Following the HITECH Act, and for violations occurring on or after February 18, 2009, the first affirmative defense remains intact, while the other two have been amended by the Rule.

Prior to the HITECH Act, HHS was prohibited from imposing civil money penalties if a covered entity established that it did not know, and by exercising reasonable diligence would not have known, that it violated the applicable provision. The HITECH Act abolished this "lack of knowledge" defense. The Rule conforms the enforcement regulations to this statutory change, eliminating the "lack of knowledge" defense for violations occurring on or after February 18, 2009. Such violations are now subject to the first tier of civil money penalties discussed above.

HHS was also previously prohibited from imposing civil money penalties for a violation if a covered entity demonstrated that the failure to comply was due to reasonable cause and not willful neglect, and corrected the violation within a 30-day period or within an extension granted by HHS based on the facts and circumstances. The HITECH Act eased the threshold for this defense by requiring only a showing that the violation was not due to willful neglect (rather than also requiring the violator to demonstrate that the violation was due to reasonable cause). The Rule conforms the enforcement regulations to this approach. Accordingly, HHS is prohibited from imposing penalties for a violation that was not due to willful neglect and that was corrected within the 30-day period (or an extension granted by HHS). The Rule does not change how the 30-day cure period is determined; it continues to run from "the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred."

Implications of the Rule

While the Rule is effective November 30, 2009, the new HIPAA civil money penalties scheme that will be enforced under the Rule substantially increases the potential penalties for HIPAA violations by covered entities occurring on or after February 18, 2009. Business associates will also be directly subject to HIPAA's enforcement scheme for the first time beginning February 17, 2010. Covered entities and business associates should review their current HIPAA compliance policies and procedures to ensure they meet the amended requirements. Business associates that previously lacked HIPAA privacy and security policies and procedures should implement them and train their workforce.

The McDermott Difference

McDermott has developed HIPAA privacy and security policies and forms, updated for the HITECH Act, to assist covered entities and business associates in implementing and updating their HIPAA compliance programs. For more information, please contact one of the authors or McDermott's HIPAA practice in your region.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.