The maximum civil money penalty for violating the HIPAA privacy and security rules will jump from the current $25,000 to $1.5 million per calendar year for all violations of an identical provision, under an interim final rule published by HHS this week. A healthcare provider, health plan or clearinghouse will also no longer be able to avoid a civil penalty simply by showing that it did not know it had violated the HIPAA rules; a penalty can be avoided only if the violation was not due to willful neglect and is corrected within 30 days of discovery. The stiffer penalties bring HIPAA enforcement in line with the HITECH Act provisions of the American Recovery and Reinvestment Act.
"This strengthened penalty scheme will encourage healthcare providers, health plans and other healthcare entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules," Georgina Verdugo, director of the HHS Office for Civil Rights, said upon the rule's publication. That office is responsible for enforcing HIPAA privacy and security rules. "Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry's use of health information technology."
HHS does not say, however, how it plans to enforce the new standards, including how it will audit covered entities for unauthorized uses and disclosures of electronic health data.
The interim rule takes effect Nov. 30, but HHS is soliciting comments through Dec. 29.