Last week, HHS released an interim final rule updating the HIPAA privacy and security rules to correspond with the stricter penalties imposed under the federal economic stimulus package, Healthcare IT News reports.
The health IT provisions of the stimulus package increased fines for health care organizations that experience a breach of protected health data.
The interim final rule will take effect Nov. 30. HHS said it will consider public comments on the rule until Dec. 29 (Monegain, Healthcare IT News, 11/2).
Rule Details
In its interim rule, HHS described four categories of health data security violations:
- Did not know;
- Reasonable cause;
- Willful neglect that was corrected; and
- Willful neglect that was not corrected.
The rule establishes financial penalties ranging from $100 to $50,000 for each violation. It also sets a maximum yearly penalty of $1.5 million for all violations of an identical provision (Goedert, Health Data Management, 10/30).
Under the new rule, a health care organization can no longer avoid penalties for not knowing about a violation unless it fixes the problem within 30 days of identifying it (Mosquera, Government Health IT, 10/30).
Enforcement Still Unclear
The interim rule does not amend any of the HIPAA enforcement provisions included in the federal stimulus package.
Although the stimulus package calls for "periodic audits" to ensure HIPAA compliance, HHS has yet to release specific details about its audit and enforcement plans (Nicastro, HealthLeaders Media, 10/30).
The interim rule suggests that HHS will release further details about HIPAA enforcement during subsequent rulemaking (Health Data Management, 10/30).