As you may recall, the HITech Act made a number of changes to HIPAA, including beefing up the enforcement sections. Late last week, HHS published its interim final Enforcement Rule that incorporates the increased civil penalties from the HITech Act.
One of the less clear areas of the HITech Act was the penalties. The way the statute was worded made it sound like the high end of the penalties was basically the same for all violations, which makes little sense. HHS acknowledged this problem in the comments to the rule and has proposed the following solution. The violations will be subject to the following ranges per violation:
Did not know: $100 - $50,000
Reasonable cause: $1,000 - $50,000
Willful neglect, corrected: $10,000 - $50,000
Willful neglect, not corrected: $50,000
All categories will be subject to an overall cap of $1.5 million for all such violations of an identical provision in a year. This provides for some very broad penalty ranges on the bottom end, which still does not make a lot of sense, but at least you can understand the scheme. I do think that the notion that you can be penalized up to $50,000 for a violation at the lowest end and at the highest end is fundamentally flawed. I think HHS should have structured it so that each tier ends at a level below the next tier, although I understand that they felt the statute tied their hands. It will be interesting to see how penalties under these ranges play out.
The rule also amends the affirmative defenses in two ways: it removes the defense that the entity did not know, and by exercising reasonable diligence would not have known, of the violation, and it expands the "we fixed it in time" defense to all violations not due to willful neglect.
Finally, the interim rule defines a few terms. The terms "reasonable cause," "reasonable diligence," and "willful neglect" are all defined in the rule. These terms are part of the new penalty provisions and come into play in determining into which tier a violation falls.