HIPAA Omnibus Rule: Higher Penalties, More Exposure

The HIPAA Omnibus Rule incorporates the tiered civil monetary penalty scheme provided by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.[1] The rule increases monetary penalties for violations and makes business associates subject to these penalties. The rules clarify that a covered entity may be penalized for a violation by an agent or a business associate, and that business associates may be penalized for violations by agents or business associates, including subcontractors.[2]

| Violation | Penalty |
| --- | --- |
| Covered entity or business associate did not know of the violation and would not have known of the violation even if reasonable diligence had been exercised | At least $100 and not more than $50,000 per violation |
| Violation was due to reasonable cause, and not to willful neglect | At least $1,000 and not more than $50,000 per violation |
| Violation was due to willful neglect and was corrected within 30 days from when they knew of the violation (or should have known by the exercise of reasonable diligence) | At least $10,000 and not more than $50,000 per violation |
| Violation was due to willful neglect and was not corrected within 30 days from when they knew of the violation (or should have known by the exercise of reasonable diligence) | At least $50,000 and not more than $1.5 million |

Penalties in excess of $1.5 million may not be assessed for identical violations within a calendar year.[3] It bears emphasizing that this $1.5 million cap applies only to identical violations, not to all violations in a given year. Therefore, the maximum amount an entity may be fined will depend upon the number of different types of violations found by the Department of Health and Human Services.

To schedule a time to speak with one of our Health Law attorneys about compliance with the new HIPAA rules, contact Feldman Kieffer today via email or at (716) 852-5875.



[1] 45 CFR § 160.400 et seq. (2013).

[2] Id. § 160.402.

[3] Id. § 160.406.
