Learn about recent updates to enforcement policies under the new HIPAA rules.
Willful Neglect
Applicability Date: March 26, 2013
The final rule requires that the Secretary of the Department of Health and Human Services must formally investigate complaints indicating possible violations due to willful neglect. Further, the Secretary will impose civil money penalties after finding violations due to willful neglect.
The HHS retains the discretion to decide whether to conduct a compliance review where a preliminary review of the facts indicates action/inaction not amounting to willful neglect. The Secretary can also decide whether to attempt to resolve violations of the HIPAA rules by informal means or to move directly to a civil money penalty without exhausting informal resolution efforts.
REQUIRED ACTION:
ENSURE THAT THE PLAN IS NOT BEING ADMINISTERED WITH WILLFUL NEGLECT.
Civil Monies Penalties
Applicability Date: March 26, 2013
The HITECH Act established four tiers of civil penalties for HIPAA violations based upon varying levels of culpability ranging from “did not know” all the way to “willful neglect.” The penalty structure was changed in an interim final rule, and the HIPAA Privacy and Security final rule adopted the revised penalty structure. Considering HIPAA’s expansion of the term business associate and the direct liability that business associates can now face, covered entities and business associates are now subject to significant penalties ranging from $100 per violation up to a maximum penalty of $1.5 million for multiple violations of the same HIPAA provision in a calendar year.
Violation Category |
Each Violation |
All Such Violations of Same Provision in a Calendar Year |
Did Not Know |
$100-$50,000 |
$1,500,000 |
Reasonable Cause |
$1,000-$50,000 |
$1,500,000 |
Willful Neglect-Corrected |
$10,000-$50,000 |
$1,500,000 |
Willful Neglect-Not Corrected |
$50,000 |
$1,500,000 |
The final rule also provides for a penalty waiver if the violation is corrected within 30 days of the date that the entity had knowledge of the violation, as long as the violation was not due to willful neglect.
REQUIRED ACTION:
ENSURE THAT THE PLAN IS BEING ADMINISTERED WITH REASONABLE DILIGENCE.
Powered by Willis