
HIPAA Changes in H.R. 1
The American Recovery and Reinvestment Act of 2009

Improved Enforcement
House bill Sec. 4410
Senate bill Sec. 13410
Conference agreement Sec. 13410

This text is from the Conference Committee Report

Current Law

HIPAA authorized the Secretary to impose civil monetary penalties on any person failing to comply with the privacy and security standards. The maximum civil fine is $100 per violation and up to $25,000 for all violations of an identical requirement or prohibition during a calendar year. Civil monetary penalties may not be imposed if (1) the violation is a criminal offense under HIPAA's criminal penalty provisions (see below); (2) the person did not have actual or constructive knowledge of the violation; or (3) the failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected during a 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred. For certain wrongful disclosures of PHI, OCR may refer the case to the Department of Justice for criminal prosecution. HIPAA's criminal penalties include fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm.

House Bill

The House bill would amend HIPAA to permit OCR to pursue an investigation and the imposition of civil monetary penalties against any individual for an alleged criminal violation of the Privacy and Security Rule of HIPAA if the Justice Department had not prosecuted the individual. In addition, the bill would amend HIPAA to require a formal investigation of complaints and the imposition of civil monetary penalties for violations due to willful neglect. The Secretary would be required to issue regulations within 18 months to implement those amendments. The bill also would require that any civil monetary penalties collected be transferred to OCR to be used for enforcing the HIPAA privacy and security standards. Within 18 months of enactment, GAO would be required to submit recommendations for giving a percentage of any civil monetary penalties collected to the individuals harmed. Based on those recommendations, the Secretary, within three years of enactment, would be required to establish by regulation a methodology to distribute a percentage of any collected penalties to harmed individuals.

The House bill would increase and tier the penalties for violations of HIPAA. It would preserve the current requirement that a civil fine not be imposed if the violation was due to reasonable cause and was corrected within 30 days.

Finally, the House bill would authorize State Attorneys General to bring a civil action in Federal district court against individuals who violate the HIPAA privacy and security standards, in order to enjoin further such violation and seek damages of up to $100 per violation, capped at $25,000 for all violations of an identical requirement or prohibition in any calendar year. State action against a person would not be permitted if a federal civil action against that same individual was pending. Nothing in this section would prevent OCR from continuing to use corrective action without a penalty in cases where the person did not know, and by exercising reasonable diligence would not have known, about the violation.

Senate Bill

Same provision.

Conference Agreement

Same provision.

 

 

 

Copyright 2005-2010, Bricker & Eckler LLP, all rights reserved.