On October 30, 2009, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), issued an interim final rule (Rule) to conform current regulations addressing Civil Money Penalties (CMPs) for violations of the HIPAA regulations to the statutory amendments made pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
HHS invited public comments to the interim final rules until December 29, 2009. The interim final rule becomes effective on November 30, 2009, and HHS will consider all public comments to the interim final rule that it receives through December 29, 2009. Please note, however, that ARRA established the effective date of February 18, 2009 for these new CMPs to be enforced, and the Rule now provides for varying penalties and affirmative defenses for violations of the HIPAA regulations depending on the date of occurrence, with the more rigorous HITECH penalties applicable to all violations occurring on or after February 18, 2009.
The interim final rule reflects the “tiered” approach established by ARRA for assessing degrees of culpability for the violation, setting minimum and maximum monetary penalties, and offering affirmative defenses to violations that do occur. Below is a table prepared by OCR reflecting those tiers and penalties:
Violation category - Section 1176(a)(1) |
Each violation |
All such violations of
an
identical provision
in
a calendar year |
(A) Did Not Know |
$100 -
$50,000 |
$1,500,000 |
(B) Reasonable Cause |
$1,000 - $50,000 |
$1,500,000 |
(C)(i) Willful Neglect – Corrected |
$10,000 - $50,000 |
$1,500,000 |
(D)(ii) Willful Neglect – Not Corrected |
$50,000 |
$1,500,000 |
The interim final rule also changes the affirmative defenses that are available to a covered entity. Prior to February 18, 2009, a covered entity may assert an affirmative defense to avoid monetary penalties if it did not have knowledge of the violation through the exercise of reasonable diligence or if the violation was due to reasonable cause, not willful neglect and was corrected within 30 days of learning of the violation. On or after February 18, 2009, however, covered entities can no longer assert lack of knowledge as an affirmative defense, but may still avoid penalties if the violation is not due to willful neglect and is corrected within 30 days after the covered entity knew or reasonable should have known of the violation.
While HITECH signals a change in the enforcement practices related to violations of HIPAA regulations making it more likely that penalties will be assessed for violations, the Secretary noted in the regulations that “…the Secretary [of HHS] may still use discretion in providing technical assistance, obtaining corrective action and resolving possible noncompliance by informal means where the possible noncompliance is due to reasonable cause or in the event a person did not reasonably know that the violation occurred.” 74 FR 56128. It remains to be seen whether enforcement will remain a collegial process with OCR or whether more onerous penalties will now apply to even unknown violations.
For more information:
To review the interim final rule and comments by OCR to the rule, go to www.regulations.gov. If you would like to discuss how this impacts your organization, please contact one of the following attorneys:
|
About Polsinelli Shughart PC
With more than 480 attorneys , Polsinelli Shughart PC is a national law firm that is a recognized leader in the areas of business litigation, financial services, bankruptcy, real estate, business law, labor and employment, construction, life sciences and health care. Serving corporate, institutional and individual clients regionally, nationally and worldwide, Polsinelli Shughart is known for successfully applying forward-thinking strategies for both straightforward and complex legal matters. The firm can be found online at www.polsinelli.com. |
