PAUL R. HALES, ATTORNEY AT LAW, LLC
Tel: 314-534-3534
Fax: 314-534-0444
HIPAA Enforcement Rule 
What is the HIPAA ENFORCEMENT RULE?
 
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the specifications for a Civil Monetary Penalty ("CMP") that may be imposed for HIPAA violations and procedures for hearings.
 
The HIPAA Omnibus Rule confirmed the increased amount of a civil monetary penalty (“CMP”) previously established on an interim basis that may be assessed for violations of HIPAA. A Business Associate (“BA”) is now directly subject to the Enforcement Rule and subject to assessment of CMPs. A Covered Entity (“CE”) is also liable for violations by a BA that is legally defined as an “agent” of the CE.
 
The U. S. Department of Health and Human Services ("HHS") publishes breaches of unsecured protected health information affecting 500 or more persons on its web site, a location often called the "Wall of Shame".

HHS is required to investigate violations if circumstances indicate a possible violation due to willful neglect. However, HHS has discretion regarding whether to review possible violations when circumstances do not indicate willful neglect, and HHS has additional discretion to choose between informal and formal resolution of investigations.

HHS will not impose the maximum CMP in all cases but will determine the amount of a CMP on a case-by-case basis based on the circumstances of a violation and the CE or BA.  Factors in determining the amount of a CMP include:
  1. the nature of the violation;
  2. the nature and extent of the resulting harm;
  3. the number of individuals affected;
  4. the CE’s or BA’s history of prior compliance with HIPAA Privacy and Security standards; and
  5. the financial condition of the CE or BA.
 
Categories of Violations and Penalties

For each category, the penalty range applies to each violation, and the maximum penalty applies to violations of an identical provision in a calendar year.

  1. Unknowing Violation: a CE or BA did not know and by reasonable diligence would not have known of the violation.
     Penalty range for each violation: $100 to $50,000
     Maximum penalty for violations of an identical provision in a calendar year: $1,500,000

  2. Reasonable Cause: a CE or BA committed a violation due to reasonable cause, not willful neglect.
     Penalty range for each violation: $1,000 to $50,000
     Maximum penalty for violations of an identical provision in a calendar year: $1,500,000

  3. Willful Neglect, Corrected: a CE or BA committed a violation due to willful neglect but corrected it in a timely manner.
     Penalty range for each violation: $10,000 to $50,000
     Maximum penalty for violations of an identical provision in a calendar year: $1,500,000

  4. Willful Neglect, Uncorrected: a CE or BA committed a violation due to willful neglect and did not correct it in a timely manner.
     Penalty range for each violation: at least $50,000
     Maximum penalty for violations of an identical provision in a calendar year: $1,500,000

Affirmative Defenses 
 
Violation Not Due to Willful Neglect and Corrected within 30 Days
HHS may not impose a CMP on a CE or BA for violations occurring on or after February 18, 2009 for a violation that is not due to willful neglect and is corrected within 30 days of actual or constructive knowledge of the violation, or a longer period if HHS deems such a longer period is reasonable and appropriate.
 

Recommended Action Steps when Violation Not Due to Willful Neglect

A CE or BA that discovers a violation not due to willful neglect should:
  1. Document the date on which it discovered the violation;
  2. Document the circumstances establishing lack of willful neglect;
  3. Correct the violation within 30 days of discovery; and
  4. Document all investigative and corrective actions.

 

Violations Subject to Previous Criminal Penalty
Another affirmative defense, although not a happy one, is that HHS may not impose a CMP for a violation that previously had been subject to a criminal penalty.

© 2007-2016, Paul R. Hales, Attorney at Law, LLC