The U.S. Department of Health and Human Services is implementing tougher penalties for violations of the Health Insurance Portability and Accountability Act.

Before the passage of the Health Information Technology for Economic and Clinical Health Act, civil monetary penalties could total $100 per violation and a maximum aggregate penalty of $25,000 per year for each violation. Typically, civil penalties were only applied in egregious cases; however, as part of the HITECH Act, the final rule increases fines for civil penalties and now includes a tiered penalty structure in line with the nature and circumstances of the violation.

As part of the final rule, the maximum penalty for a HIPAA violation comes to $1.5 million while the assessed penalty relates to the level of culpability characterizing the violation. This includes:

  • When the covered entity or business associate is unaware of the violation and would not have known of the violation by exercising reasonable due diligence, a civil penalty of $100 to $50,000 per violation could be distributed.
  • If reasonable cause leads to a violation, the civil penalty could come to $1,000 to $50,000 for each violation.
  • Following a violation of willful neglect that has been corrected within 30 days of discovery, a civil penalty could total $10,000 to $50,000 per violation.
  • For a violation of willful neglect that was not correctly addressed within the required time frame, the civil penalty could be $50,000 to $1.5 million per violation.

If multiple HIPAA violations occur, penalties could surpass $1.5 million.

The final rule also gives affirmative defense for all tier-one violations, defined as unknowable violations, as well as tier-two violations, which are of reasonable cause, when corrected within 30 days of the date after the violation becomes known. Depending upon the nature and extent of the covered entity or business associate's failure to comply, some discretion is allowed to span past the 30-day time frame.

Under the final rule, HHS also does not have to try to informally settle complaints. HHS now can determine whether it will attempt to do so or begin the formal penalty assessment process immediately. HHS can share information found during all investigations and compliance reviews with other law enforcement agencies.

For HIPAA violations by self-funded group health plans, the final rule allows civil penalties to be applied against a covered entity by a business associate acting as its agent. When evaluating the existence of an agency relationship, HHS can practice federal common law principles over a covered entity's right or authority to control a business associate when deciding whether the business associate is acting as an agent.

This article was originally published at BenefitsPro.com, a sister site of Credit Union Times.