HHS Increases Civil Monetary Penalties for HIPAA Violations
On October 30, 2009, the Department of Health and Human Services (HHS) published an interim final rule that significantly amends the civil monetary penalty guidelines for violations of the Health Insurance Portability and Accountability Act (HIPAA) (the "Interim Final Rule"). These amendments, mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), become effective on November 30, 2009, but apply to violations occurring on or after February 18, 2009.
Most significantly, the Interim Final Rule increases the civil monetary penalties for a covered entity's or business associate’s violation of the HIPAA Privacy and Security rules. Currently, civil monetary penalties for violating HIPAA are “not more than $100” per violation and a maximum of $25,000 “for all violations of an identical requirement or prohibition during a calendar year.” Under the Interim Final Rule, penalties range from $100 - $50,000 per violation and up to $1,500,000 for identical violations in a calendar year.
The Interim Final Rule also restricts possible defenses to alleged violations. Currently, a covered entity’s lack of knowledge of a violation is an affirmative defense to a claim. Under the Interim Final Rule, covered entities and business associates may be subject to civil monetary penalties ranging from $100 - $50,000 even if they did not know of the violation.
The Interim Final Rule establishes four categories of violations, and associated civil monetary penalties, as follows:
Violation Category | Civil Monetary Penalty per Violation | Cap for All Identical Violations per Calendar Year
The covered entity did not know of the violation. | $100-$50,000 | $1,500,000
The violation was due to reasonable cause and not willful neglect. | $1,000-$50,000 | $1,500,000
The violation was due to willful neglect, but was corrected within 30 days of discovery. | $10,000-$50,000 | $1,500,000
The violation was due to willful neglect, but was not corrected within 30 days of discovery. | $50,000 | $1,500,000
Within these ranges, HHS will determine penalties based on (i) the nature and extent of the violation, (ii) the nature and extent of the resulting harm, and (iii) other factors, including prior compliance with the rules or the financial condition of the covered entity or business associate at the time of the violation.
This Interim Final Rule is another signal from HHS that it will aggressively enforce the HIPAA Privacy and Security Rules, beginning immediately. If covered entities and business associates do not already have strong HIPAA compliance programs in place to prevent and detect potential violations of the Privacy and Security Rules, they should establish such programs now. Those that do have programs in place should review them to make sure that they comply with the HIPAA Privacy and Security Rules, including the new provisions of the HITECH Act.
For more information regarding HIPAA privacy and security compliance, the HITECH Act, and the new civil monetary penalties for violations of the HIPAA Privacy and Security rules, contact Steven D. Gravely, Health Care Practice Group Leader, Troutman Sanders LLP at (804) 697-1308 or steve.gravely@troutmansanders.com or Erin Whaley at (804) 697-1389 or erin.whaley@troutmansanders.com.