DHHS Shows Intention Through HIPAA Interim Enforcement RuleRule

Addressing those covered entities who may have thought HIPAA enforcement was an oxymoron, the U.S Department of Health and Human Services, issued its HIPAA Enforcement Interim Rule on October 30, 2009.  DHHS made sure there was no ambiguity about its intent, stating that the HITECH ACt, meant to “promote the adoption of meaningful use of heath information technology, “does so, in part, through several provisions that strengthen civil and criminal enforcement of HIPAA” (74 Fed. Reg. 209 at 56124).

Among other provisions, maximum civil monetary penalties for violations have  been doubled, from $25,000 per violation to $50,000.  Perhaps more significantly, the maximum penalty for violations of a single provision in a single year is now $1,500,000.  Simple math reveals that violations of multiple provisions can, in turn, result in fines which could reach multiples of $1,500,000. In addition, DHHS has removed the affirmative defense to civil monetary penalty proceedings that the covered entity did not know of the violation or, by reasonable diligence would not have known.

In the Background section of the Interim Rule, DHHS stated what all covered entities should not take to heart in seeking to tighten its HIPAA protocols:  “HHS also pursues this expedited rule making to avoid any public misunderstanding or undue delay with respect to Congress’s intent to strengthen enforcement of the HIPAA rules.”

• Tweet