HIPAA & HITECH

Recently the Department of Health and Human Services announced an interim final rule that effectively increases the monetary penalties that are levied against providers violating the Health Insurance Portability and Accountability Act (HIPAA).


The new penalties bring HIPAA enforcement penalties in line with those called for by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act, for security breaches.

Since HIPAA was enacted in 1996, the HHS has always had the authority to fine violators. The penalties were minor, however: a violator faced a fine of $100 for each offense, up to a grand total of $25,000 for all identical violations of one provision. Moreover, violators were previously allowed to argue that they were not aware they had violated HIPAA and therefore were not required to pay the penalties; in most instances, the penalties were dropped. This added to the general feeling that HIPAA enforcement was a bit lax, which would not do under the new HITECH Act.

Therefore, the HHS created new, tiered penalties: fees start at $100 per violation but quickly escalate to $50,000 per violation, with fees capped at $1.5 million for all violations of the same provision. In addition, providers can no longer argue that they were unaware they were breaking the law unless they fix the problem within 30 days of identifying it. It therefore becomes even more important that a healthcare provider understands what is necessary to be HIPAA compliant and how the HIPAA regulations are being applied under the HITECH Act.

This is where it gets tricky for providers. There is still a lot of confusion about what exactly HITECH requires with regard to HIPAA. A specific portion of HITECH addresses the privacy and security of the electronic transmission of health information. For example, HITECH now applies certain HIPAA provisions directly to business associates. This will affect the relationship between the healthcare provider and any vendor, but especially between the provider and an electronic health record vendor.

It will be even more important for “business associates” to have a contract in place that spells out all the necessary privacy and security issues; without one, a provider could face a violation under the Act. However, there is time to establish the contract language, because how the HHS will enforce the new provisions is unclear. It is believed that audits will be conducted, but details as to whom, when and where are still up in the air.
