HITECH Act
On February 17, 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. The law was enacted as part of the American Recovery and Reinvestment Act of 2009. The purpose of the HITECH Act is to promote the adoption and meaningful use of health information technology. Privacy and security concerns associated with the electronic transmission of health information are addressed in Subtitle D of the HITECH Act. Through several provisions, the law strengthens the civil and criminal enforcement of the Health Insurance Portability and Accountability Act (HIPAA), which sets out the requirements for patient privacy and security.
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards that covered entities must use to ensure the confidentiality, integrity, and availability of electronic protected health information.
Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
It also amended section 1176(b) of the Act by:
- Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.
The introduction of the HITECH Act makes it all the more important that those subject to HIPAA compliance are aware of, and adhere to, the new guidelines. As outlined above, HITECH Act penalties can run anywhere from $100 for a single violation to a maximum of $1,500,000 for a calendar year's worth of violations. The fines are structured in tiers. Each tier is meant to punish violations based on an increasing level of culpability by the offender; the penalty is decided based on the nature and extent of the violation and the nature and extent of the harm resulting from it. If you are one of the entities required to be HIPAA compliant (i.e. companies with a health care plan, health care clearinghouses, and health care providers, to name a few), you could be subject to civil (monetary) penalties, enforced by the Department of Health and Human Services, and/or criminal penalties, enforced by the U.S. Department of Justice.