An interim final rule by the U.S. Department of Health and Human Service has both strengthened enforcement and increase penalties for violations of HIPAA (Health Insurance Portability and Accountability Act).

The Health Information Technology for Economic and Clinical Health (HITECH) Act was created as part of the American Recovery and Reinvestment Act of 2009.  Before the HITECH Act, the maximum penalty was $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also avoid any penalty by showing that they were unaware they had violated the HIPAA rules.

Section 13410(d) of the HITECH Act has strengthened the enforcement by introducing a wide range of penalty amounts with a maximum penalty of $1.5 million for all violations of an identical provision.  A healthcare provider, health plan or clearinghouse can no longer avoid penalties by pleading ignorance unless it corrects the violation within 30 days of discovery.  The interim rule will become effective on Nov. 30.

Georgina Verdugo is responsible for administering and enforcing HIPAA's privacy, security and breach notification rules.

This strengthened penalty scheme will encourage healthcare providers, health plans and other healthcare entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules.
Georgina Verdugo, Director of the HHS Office for Civil Rights