If the old HIPAA penalty rules confused you, don’t expect too much from the new ones; they’re just a little better than the old ones.
HHS issued an interim final rule with request for comments under the HITECH Act revisions on October 30, 2009. The HITECH statute requires HHS to develop new penalties for violations of health care security that occur after Feb 18, 2009. According to HHS, the rule takes effect on Nov 30, 2009, and the agency will consider comments until December 29 this year.
As per the proposed new rule, violations would be subject to penalty ranges that correspond to what the violator knew or didn’t know: if he did not know about the violation, he would be subject to a penalty of $100 to $50,000 per violation; if a violation occurred due to reasonable cause, the penalty would be $1,000 to $50,000 per violation. The penalty would be between $10,000 and $50,000 per violation if there was willful neglect. And in case it was not corrected, the minimum penalty is $50,000 per violation.
According to Robert Markette, a partner with Gilliland & Markette LLP, one of the less clear areas of the HITECH Act was the penalties. He adds, “The way the statute was worded made it sound like the high end of the penalties was basically the same for all violations, which did not make much sense.”
This can certainly be the case, but you should note that one can be penalized at the low and high ends for the exact amount of $50,000 per violation; HHS has tried to come up with a more rational plan for civil penalties.
Markette says, “HHS should have structured it so that each tier ends at a level below the next tier, although I understand that they felt the statute tied their hands. It’ll be interesting to see how penalties under these ranges play out.”
Penalties are subject to an overall cap of $1.5 million for all violations of an identical provision in a year. That’s about a 6,000% increase in the maximum penalty an organization or provider can pay for a HIPAA violation.