On October 30, 2009, the U.S. Department of Health and Human Services (HHS) published the interim final rule (the “Interim Final Rule”) implementing statutory changes to HIPAA’s civil enforcement rules resulting from the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH Act).1 The Interim Final Rule is effective November 30, 2009.
The HITECH Act and the Interim Final Rule significantly increase the penalties for HIPAA privacy and security violations and establish new categories of violations by covered entities.2 When considering potential civil exposure under HIPAA, the date of the violation is key because the changes to the civil enforcement provisions under the HITECH Act were effective February 18, 2009, and the Interim Final Rule distinguishes between violations that occurred prior to or after that date. Consequently, the type of violation and the amount of the civil monetary penalty (CMP) could vary significantly depending upon the date of the HIPAA violation and whether or not the violator is subject to pre-HITECH penalties or the new penalty scheme.
Under this new civil enforcement scheme, the HHS Secretary will consider the actions of health care providers and health plans when imposing a CMP following a HIPAA violation. As HHS wrote in the preamble to the Interim Final Rule, the categories of violations are intended to “reflect increasing levels of culpability” by a covered entity that has committed a HIPAA violation.
Under this new authority, the HHS Secretary can impose a range of CMP amounts for each of the following categories of violations:
Additionally, covered entities face significant increases in the corresponding minimum and maximum civil penalties that the HHS Secretary can impose. HHS summarized the penalty tiers in the preamble to the Interim Final Rule as follows:3
| Violation | Each | Cap for All |
|---|---|---|
| Covered entity | $100−$50,000 | $1,500,000 |
| Covered entity had | $1,000−$50,000 | $1,500,000 |
| Covered entity | $10,000−$50,000 | $1,500,000 |
| Covered entity | $50,000 | $1,500,000 |
The Interim Final Rule makes clear that HHS will not impose the maximum penalty amount in all cases. Rather, the penalty amount will be based on the nature and extent of the violation, the nature and extent of resulting harm, and other factors, such as the covered entity’s history of prior compliance or financial condition.
The Interim Final Rule also revises existing affirmative defenses to the Secretary’s CMP authority in two significant ways. First, HHS may now impose a CMP even if a covered entity is able to establish that it did not know, and by exercising reasonable diligence would not have known, of a violation. Second, HHS has extended the affirmative defense for violations that are timely corrected so that all violations not due to willful neglect are included (the previous limitation applied more narrowly to violations due to reasonable cause).
These new HIPAA penalties were effective under the HITECH Act as of February 18, 2009. The Interim Final Rule was published to alert covered entities to the new penalty scheme and to clarify its provisions. HHS is still interested in public input and will be accepting comments on the Interim Final Rule until December 29, 2009.
Endnotes
1 HIPAA Administrative Simplification: Enforcement, 74 Fed. Reg. 56,123 (Oct. 30, 2009) (to be codified at various sections of 42 C.F.R. pt. 160). The text of the Interim Final Rule is available at http://edocket.access.gpo.gov/2009/E9-26203.htm.
2 See generally section 1176 of the Social Security Act, 42 U.S.C. § 1320d-5.