Under a new HIPAA interim rule, HIPAA rule violations can result in up to $1.5 million in total annual penalties, including for unintentional, multiple lesser violations. The interim final rule implements the civil penalties provided under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act sets forth four civil penalty categories: the lowest where the covered entity would not have known about a violation even through the exercise of reasonable diligence; the next level where the entity did not reasonably know of a violation; the third level where violations are due to willful neglect but are corrected; and the highest level where violations are due to willful neglect and are not corrected. The interim final rule does not limit the annual total penalties to the willfully negligent violations, but rather allows for multiple violations of all penalty categories. Industry groups have filed public comments contending that covered entities should not be subject to annual penalties up to $1.5 million for violations they either were not or could not reasonably have been aware of.

TIP: Be sure to implement an appropriate HIPAA compliance program to discover all potential violations and minimize the possibility of being subject to civil penalties.