
A Summary of the Proposed HIPAA Regulations Implementing HITECH
HITECH Expansion & Revised Civil Penalties



 

HITECH expanded the enforcement responsibilities and tools of OCR and imposed enhanced penalties for covered entities and business associates who violate HIPAA.  One significant change is requiring investigation and enforcement of complaints.  The Proposed Rule implementing HITECH would require the Secretary to investigate any HIPAA complaint when a preliminary review of the facts indicates a possible violation due to willful neglect.1  It would also revise the Secretary’s discretion to conduct compliance reviews of covered entities and business associates, and require a review when there is a possible willful neglect violation.1  These revisions will apply to violations of all the HIPAA Administrative Simplification Rules,2 including the Breach Notification Rule issued on August 24, 2009 (discussed below).

 

As required by HITECH, HHS established four tiers of increasing penalty amounts to correspond to the levels of culpability associated with a HIPAA violation.3  The Secretary must consider both “the nature and extent of the violation” and “the nature and extent of the harm resulting from the violation.”4  In the Proposed Rule, HHS identifies a more specific, optional list of circumstances that the Secretary may also examine before calculating a penalty.5  This list includes “the time period during which the violation occurred,” “the number of individuals affected,” and the “reputational harm” resulting from the violation.6  Additionally, HHS would amend the phrase “prior violations” in the current rule to “indications of noncompliance” to reflect HHS policy of considering an entity’s history of noncompliance with HIPAA rather than just its prior formal findings of violations.7

Footnotes

  • 1. Id. (to be codified at 45 C.F.R. § 160.308).
  • 2. Id. at 40,875.
  • 3. ARRA, Pub. L. No. 111-5, Div. A, Title XIII, § 13410, 123 Stat. 271-76 (2009).
  • 4. 45 U.S.C. 1320d–5
  • 5. 75 Fed. Reg. at 40,880 (to be codified at 45 C.F.R. § 160.408).
  • 6. Id.
  • 7. Id. at 40,881.