The federal government — in an effort to add muscle to its enforcement of already-existing privacy laws covering health information — published a rule that aligns its rules with new, more stringent regulations in the stimulus package.
HHS, as scheduled, published its new rule known by the oxymoronic label “interim final rule” two weeks ago. The new set of regulations aligns longstanding Health Insurance Portability and Accountability Act language with new privacy provisions in the HITECH portion of the American Recovery and Reinvestment Act.
The rule takes effect Nov. 30, but the public has until the end of the year (Dec. 29) to comment on it.
The Health Information Technology for Economic and Clinical Health Act, or HITECH, strengthened HHS enforcement authority to impose civil money penalties on HIPAA-covered entities by establishing categories of HIPAA rule violations that reflect increasing levels of culpability and penalty amounts for violations.
Increased Civil Money Penalties
In conformance with HITECH, the interim final rule sets out four categories of violations and corresponding tiers of penalty amounts. The four categories include violations:
- Where the covered entity did not know and by exercising reasonable diligence would not have known of the violations;
- Due to reasonable cause and not to willful neglect;
- Due to willful neglect but corrected during a 30-day time period; and
- Due to willful neglect and not corrected during a 30-day time period.
The interim final rule significantly increases the minimum penalty for each violation up to a maximum of $1.5 million for all violations of an identical provision in any calendar year. The regulations retain the original range of penalty amounts for violations that occurred before Feb. 18, 2009.
HHS will not impose the maximum penalty in all cases and will continue to base determinations on the nature and extent of the violation and resulting harm and other factors, such as the covered entity’s history of compliance or financial condition.
HHS also will include the proposed penalty amount and the violation category upon which it is based in the notice of proposed determination it sends to a covered entity. Although not required by HITECH, HHS notes this additional information will help covered entities better understand the nature of their violations.
Modified Affirmative Defenses
HITECH also modified some of the affirmative defenses to civil money penalties for HIPAA violations. HHS may now impose civil money penalties for a HIPAA violation even if the covered entity did not know and with the exercise of reasonable due diligence would not have known of the violation.
The interim final rule also extends the affirmative defense for violations that are “timely corrected” to encourage prompt corrective action. Thus, any violation — other than one due to willful neglect — that is corrected within a 30-day time period will not be subject to civil monetary penalties.
A covered entity does not have an affirmative defense if it corrects a violation due to willful neglect within a 30-day time period, but HHS notes that timely correction will determine which tier of penalty amounts will apply. HHS may also continue to waive penalties for violations due to reasonable cause but not willful neglect that are not timely corrected.
The 30-day time period for correction begins on the first date that the covered entity knew or by exercising reasonable diligence would have known that a failure to comply occurred. HHS intends to calculate the 30-day cure period in the same manner for all violation categories, including those due to willful neglect. But HHS will determine when a covered entity first had actual or constructive knowledge of a violation due to willful neglect for purposes of setting the appropriate civil penalties on a case-by-case basis.
HHS is seeking public comment on alternative approaches to calculating the 30-day cure period for these purposes.
Other HITECH Revisions Not Addressed
The interim final rule does not amend the affirmative defenses pertaining to criminal violations because the HITECH revision is not effective until Feb. 18, 2011. It also does not amend the regulations regarding state attorneys’ general enforcement authority to bring civil actions because the authority operates pursuant to HITECH and does not require HHS rulemaking.
Requests for Comment
In addition to the requests for comments on calculating the 30-day cure period discussed above, HHS is also seeking comments on the interim final rule in general, its interpretation of congressional intent to address what it believes are clerical errors and any unintended consequences from rearranging the definitions of “reasonable cause,” “reasonable diligence” and “willful neglect” that previously only applied to the “Affirmative Defenses” provisions to now apply to the entirety of subpart D.