Implementing changes to HIPAA (Health Insurance Portability and Accountability Act) contained in the stimulus package (American Recovery and Reinvestment Act, or ARRA), the Department of Health and Human Services (HHS) on Oct. 30, 2009, published its Interim Final Rule in the Federal Register.

The Final Rule expands the power of the Health and Human Services Secretary to impose civil penalties and fines. The expanded penalties will take effect on Nov. 30 for all HIPAA violations occurring on or after Feb. 18, 2009.

The minimum civil penalty per violation is now $100 for violations that would not normally be detected using due diligence, but it rises to $1,000 if the violation is "due to reasonable cause and not to willful neglect." Violations that are due to willful neglect and are subsequently corrected will be fined a minimum of $10,000, but that rises to $50,000 if no corrective action is taken.

No covered entity (or business associate; business associates are now treated the same as covered entities) can be fined more than $1.5 million for all violations of a single provision.

In the past, covered entities could block imposition of any fine if they showed they had no knowledge of the violation. That loophole has been closed, but fines can be avoided if an unknown violation is corrected within 30 days of discovery.

“This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Georgina Verdugo, director of HHS’s Office for Civil Rights, which oversees HIPAA’s privacy, security and breach notification rules.  

The increased penalties in the Final Rule are in addition to breach notification requirements announced earlier this year.

HHS’s Office for Civil Rights (OCR) will be accepting public commentary on the Interim Final Rule until Dec. 29, 2009.