HIPAA Administrative Simplification: Enforcement

May 24, 2010 by Guest Blogger · 1 Comment
Filed under: Compliance, Health Law 

By Laura Sunyak

In February of 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act contains regulations that significantly increase the penalty amounts the Secretary of the Department of Health and Human Services (HHS) may impose for violations of rules promulgated under the Health Information Portability and Accountability Act (HIPAA), and encourages corrective action.  In order to incorporate the increased penalty structure into HIPAA, HHS has recently issued an interim final rule designed to strengthen its enforcement power and incorporate the new penalty structure of the HITECH Act into HIPAA.

Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation, or $25,000 for all identical violations of the same provision.  A covered entity could also bar the imposition of a civil monetary penalty by simply showing that it did not know that it violated a HIPAA rule.  As a result, enforcement of HIPAA rules has been weak, bordering on nonexistent.  The number of covered entities that were in full compliance with the law was always very low, simply because HHS did not have a sufficient enforcement mechanism in place to deter violations.  If covered entities did change their behavior to become compliant, it was out of a desire to follow the law, not due to fear of prosecution or administrative action.

Before ARRA was signed into law, although there were HIPAA audits that took place, they were few and far between.  Covered entities complained that the requirements were not clear, and so hesitated to attempt to comply. With the enactment of ARRA and the HITECH Act, and the adoption of the interim rule, HIPAA covered entities will have no choice but to take notice and comply, or face much harsher penalties.  The implementation of these acts also transfers authority for enforcement of HIPAA’s security rules from the Centers for Medicare and Medicaid to the Office of Civil Rights which, with 275 investigators and an annual budget of $40 million, is in a better position to bring enforcement actions and recover penalties.  The penalties collected for violations will in turn be used to fund greater enforcement efforts. The interim rule amends 45 CFR part 160, subpart D, which establishes rules relating to the imposition of civil money penalties, to conform several provisions to section 13410(d) of the HITECH Act’s amendments to section 1176 of the Social Security Act, which became effective February 18, 2009. This interim final rule’s amendments distinguish between violations occurring before February 18, 2009, and violations occurring on or after that date, with respect to the potential amount of the civil money penalty and the affirmative defenses available to covered entities.

The interim final rule, effective as of November 30, 2009, modifies the penalties for HIPAA violations occurring after February 18, 2009.  According to this rule, the penalty for unknown violations, where the covered entity did not know of the violation, and would not have known by exercising reasonable diligence, is now between $100 and $50,000.  For violations involving reasonable cause, such as circumstances that would make it unreasonable to comply with HIPAA despite extraordinary care, the penalty is now between $1,000 and $50,000. For violations involving willful neglect, or a conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, the penalties are further broken down into whether or not the covered entity corrects the violation.  If the violation is corrected within 30 days, the penalty is now between $10,000 and $50,000.  If the violation is not timely corrected, each violation will be fined $50,000.  The rule also puts into place an annual cap of $1.5 million on all violations of an identical provision.

According to Georgina Verdugo, the director of OCR, the implementation of these tougher enforcement provisions strengthens HIPAA protections and rights related to protected health information, and should encourage covered entities, including health care providers and health plans, to “ensure that their compliance programs are designed to prevent, detect, and quickly correct violations of the HIPAA rules.… such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”

The enactment of these tougher enforcement penalties creates additional incentives to make sure that covered entities have HIPAA compliance programs in place, which should include training employees to be compliant and ensuring that they are aware of how important it is to report potential violations so that they can be corrected in a timely manner.

When taking into account the lack of enforcement that had occurred prior to the recent HIPAA amendments, the new provisions seem to be a necessary step in enforcing the law and preventing the misuse of protected health information.  With more resources available to track down HIPAA violations, and steeper penalties exacted against entities that violate HIPAA, the new rule is a step in the right direction toward greater protection of protected information.  With the rampant rise of identity theft in this electronic age, consumers can never be too careful in ensuring that information stays in the right hands.

As HHS acknowledges, this Interim Final Rule is only the first of several steps being taken to implement the HITECH Act’s tougher enforcement provisions.  The remaining provisions, which are not yet effective, will be addressed in the near future.


Comments

One Response to “HIPAA Administrative Simplification: Enforcement”
  1. Terrific work! This is the type of information that should be shared around the web. Shame on the search engines for not positioning this post higher!
