Future violators of the Health Insurance Portability and Accountability Act (HIPAA) will have to dig deeper into their pockets to pay heftier fines. Beginning late last year, the Department of Health and Human Services made effective a previously passed rule that increases penalties.
On Oct. 29, 2009, the Department of Health and Human Services issued a final rule, effective Nov. 30, 2009, that increases penalties for violations of the Health Insurance Portability and Accountability Act. The increased penalties are applicable to any violation occurring on or after Feb. 18, 2009, which is the date that the HITECH Act became effective. The rule contains harsher civil monetary penalties and criminal liabilities for covered entities and business associates than previously existed under HIPAA.
Under the rule, civil monetary penalties are assessed based upon a covered entity’s or business associate’s level of culpability. In other words, civil penalties will increase in tiers depending on whether the violation was committed unknowingly, due to reasonable cause, or due to willful neglect. Civil penalties could be assessed anywhere from $100 to $50,000 for a HIPAA violation. For example, an unknowing violation can have a civil penalty of $100 per violation with a maximum penalty not to exceed $25,000 in a calendar year. If a violation is due to willful neglect and the violation is not corrected within 30 days of the first date the person liable for the penalty knew or should have known the violation occurred, then a civil penalty of $50,000 per violation may be appropriate.
The rule has also increased the maximum civil penalty for all violations of an identical requirement or prohibition during a calendar year from $25,000 to $1,500,000.
The rule has also expanded criminal liability for wrongful disclosure of protected health information (PHI) so that it reaches any individual who, without authorization, obtains or discloses such information maintained by a covered entity. This means that individuals in a covered entity’s workforce may be criminally liable for a HIPAA breach.
Finally, the rule authorized State Attorneys General to bring civil actions in federal district court against individuals who violate HIPAA.