HHS has issued an interim final rule that stiffens penalties for privacy and security violations under the Health Insurance Portability Act of 1996.
The rule covers modifications of the civil penalty provisions of HIPAA that flesh out part of the health information technology privacy and security sections of the American Recovery and Reinvestment Act of 2009, also known as the stimulus law.
HHS also asked for public comment on the rule.
The stimulus law, and now the rule, significantly increased the maximum penalty cap for civil violations of HIPAA from $25,000 to $1.5 million for total violations of the same provision.
The law also removes a defense under HIPAA that barred HHS from imposing civil penalties on a so-called “covered entity” that could demonstrate “it did not know that it violated the HIPAA rules,” according to an HHS statement. Now, under the new rule, “A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery,” according to the statement.
Copies of the proposed rule will be posted online.
The stimulus law gave HHS authority to impose civil money penalties for violations occurring after Feb. 18, but the new rule doesn't go into effect until Nov. 30. The public-comment period is open until Dec. 29.