HHS has issued an interim final rule that stiffens penalties for privacy and security violations under the Health Insurance Portability and Accountability Act of 1996. The rule modifies HIPAA's civil penalty provisions to implement part of the health information technology privacy and security sections of the American Recovery and Reinvestment Act of 2009, the stimulus law.
The stimulus law, and now the rule, significantly increased the maximum penalty cap for civil violations of HIPAA from $25,000 to $1.5 million for total violations of the same provision.
The law also removes a defense under HIPAA that barred HHS from imposing civil penalties on a so-called “covered entity” that could demonstrate “it did not know that it violated the HIPAA rules,” according to an HHS statement. Under the new rule, “A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery,” according to the statement.
The stimulus law gave HHS authority to impose civil monetary penalties for violations occurring after Feb. 18, but the new rule doesn't go into effect until Nov. 30. A public-comment period is open until Dec. 29.