HIPAA Changes in the HITECH Act of 2009: Improved Enforcement

House bill Sec. 4410
Senate bill Sec. 13410

Conference agreement Sec. 13410

This text is from the Conference Committee Report

Current Law

HIPAA authorized the Secretary to impose civil monetary
penalties on any person failing to comply with the privacy
and security standards. The maximum civil fine is $100 per
violation and up to $25,000 for all violations of an
identical requirement or prohibition during a calendar year.
Civil monetary penalties may not be imposed if (1) the
violation is a criminal offense under HIPAA's criminal
penalty provisions (see below); (2) the person did not have
actual or constructive knowledge of the violation; or (3) the
failure to comply was due to reasonable cause and not to
willful neglect, and the failure to comply was corrected
during a 30-day period beginning on the first date the person
liable for the penalty knew, or by exercising reasonable
diligence would have known, that the failure to comply
occurred. For certain wrongful disclosures of PHI, OCR may
refer the case to the Department of Justice for criminal
prosecution. HIPAA's criminal penalties include fines of up
to $250,000 and up to 10 years in prison for disclosing or
obtaining health information with the intent to sell,
transfer or use it for commercial advantage, personal gain,
or malicious harm.

House Bill

The House bill would amend HIPAA to permit OCR to pursue an
investigation and the imposition of civil monetary penalties
against any individual for an alleged criminal violation of
the Privacy and Security Rule of HIPAA if the Justice
Department had not prosecuted the individual. In addition,
the bill would amend HIPAA to require a formal investigation
of complaints and the imposition of civil monetary penalties
for violations due to willful neglect. The Secretary would be
required to issue regulations within 18 months to implement
those amendments. The bill also would require that any civil
monetary penalties collected be transferred to OCR to be used
for enforcing the HIPAA privacy and security standards.
Within 18 months of enactment, GAO would be required to
submit recommendations for giving a percentage of any civil
monetary penalties collected to the individuals harmed. Based
on those recommendations, the Secretary, within three years
of enactment, would be required to establish by regulation a
methodology to distribute a percentage of any collected
penalties to harmed individuals.

The House bill would increase and tier the penalties for
violations of HIPAA. It would preserve the current
requirement that a civil fine not be imposed if the violation
was due to reasonable cause and was corrected within 30 days.

Finally, the House bill would authorize State Attorneys
General to bring a civil action in Federal district court
against individuals who violate the HIPAA privacy and
security standards, in order to enjoin further such violation
and seek damages of up to $100 per violation, capped at
$25,000 for all violations of an identical requirement or
prohibition in any calendar year. State action against a
person would not be permitted if a federal civil action
against that same individual was pending. Nothing in this
section would prevent OCR from continuing to use corrective
action without a penalty in cases where the person did not
know, and by exercising reasonable diligence would not have
known, about the violation.

Senate Bill

Same provision.

Conference Agreement

Same provision.
