HHS: tougher HIPAA rules apply Nov. 30
By Mary Mosquera
Friday, October 30, 2009
The Health & Human Services Department today published a rule that strengthens its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) by aligning it with tougher privacy terms of the stimulus law.
The Health Information Technology for Economic and Clinical Health (HITECH) Act significantly increased financial penalties against healthcare providers and health plans for HIPAA infractions and called for a prompt response against violators.
The rule will take effect Nov. 30, but the public may comment on it until Dec. 29.
“This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Georgina Verdugo, director of HHS’s Office for Civil Rights, which oversees HIPAA's privacy, security and breach notification rules.
Under the previous HIPAA rule, HHS could not fine healthcare organizations more than $100 for each violation and imposed a ceiling of $25,000 for all similar violations of the same provision.
The stimulus law made it more expensive for healthcare organizations to breach sensitive health information or to put such data at risk of unauthorized use. It also set tiered ranges of escalating minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision.
A provider or health plan also can no longer avoid a financial penalty for a violation it claims it did not know about unless it corrects the problem within 30 days of discovering it.
The HHS interim final rule is online, as well as more information about HIPAA privacy.