Benefits

Department of Health and Human Services Publishes Interim Final HIPAA Rule

By Staff Report

Nov. 2, 2009


The U.S. Department of Health and Human Services published an interim final rule Friday, October 30, that incorporates changes to the Health Insurance Portability and Accountability Act included in federal stimulus legislation enacted this year.

The interim final rule amends HIPAA’s enforcement regulations to include new categories of violations and tiered civil penalties on covered entities, and revises limitations on the authority of the HHS secretary to impose civil penalties for violations.


Under the interim final rule published Friday, the following penalties for HIPAA violations will apply on or after November 30:


• The minimum civil penalty is $100 per violation if the covered entity was unaware of it and, by exercising reasonable diligence, would not have known about the violation.


• The minimum civil penalty is $1,000 per violation for those that were the result of “reasonable cause” involving circumstances that would make it unreasonable for the covered entity to comply.


• The minimum penalty is $10,000 for violations that result from willful neglect and are subsequently corrected.


• The minimum penalty is $50,000 for violations that result from willful neglect but are not corrected.


• The maximum penalty for multiple violations is $1.5 million per calendar year.


• The new penalty amounts apply to HIPAA violations occurring on or after February 18.


Several other changes also were made to HIPAA as part of the American Recovery and Reinvestment Act of 2009. They include:


• Notification within 60 days of a privacy breach involving an individual’s HIPAA-covered personal health information.


• Business associates, such as consultants and third-party administrators, must meet most security requirements that previously applied only to covered entities.


• Notification of the Department of HHS and the media in privacy breaches involving 500 or more individuals.


• Authorization of state attorneys general to bring suit for HIPAA violations.


HHS’ regulations implementing these other changes were published earlier this year.


The Office for Civil Rights is accepting comments on the interim final rule until December 29.


To access a copy of the interim final rule, go to http://edocket.access.gpo.gov/2009/E9-26203.htm.

Filed by Joanne Wojcik of Business Insurance, a sister publication of Workforce Management. To comment, e-mail editors@workforce.com.

Stay informed and connected. Get human resources news and HR features via Workforce Management’s Twitter feed or RSS feeds for mobile devices and news readers.


About Workforce.com

blog workforce

We build robust scheduling & attendance software for businesses with 500+ frontline workers. With custom BI reporting and demand-driven scheduling, we help our customers reduce labor spend and increase profitability across their business. It's as simple as that.

Book a call
See the software

Related Articles

workforce blog

Benefits

EEOC says that employers legally can offer incentives to employees to get vaccinated in almost all instances

If you’re an employer looking to get as many of your employees vaccinated as possible, you can rest eas...

ADA, CDC, COVID-19, EEOC, GINA, pandemic, vaccinated

workforce blog

Benefits

Fixing some common misconceptions about HIPAA

Ever since the CDC amended its COVID-19 guidance to say that the fully vaccinated no longer need to wea...

COVID-19, health care, HIPAA, human resources, wellness

workforce blog

Benefits

We are in the midst of a public mental health crisis; how employers can help

Do not ignore these issues or your employees who are living with them. Mental health illnesses are no d...

ADA, benefits, Coronavirus, FMLA, mental health, paid time off