Written by attorney Jay Raftery Jr

HITECH changes to HIPAA - Enforcement and Sanctions

Enforcement and Sanctions

There have always been sanctions applicable to covered entities as a result of HIPAA violations. Moreover, those violations have always carried a mix of both civil and criminal penalties, enforceable by the Department of Health and Human Services and the Department of Justice respectively.

However, HITECH has strengthened the Secretary’s civil monetary penalty authority, increased the penalty amounts for violations made on or after February 18, 2009 and made even lack of knowledge a punishable offense. Additionally, HITECH incentivizes the Office of Civil Rights (OCR) to enforce the privacy law by allowing the OCR to participate in the revenue generated from the enforcement actions.

i. Civil Monetary Penalties

HITECH revises the Social Security Act in a number of different ways. First and foremost, the law implements a tiered level of civil penalties based on both the culpability of a covered entity and the harm to the affected individual. Prior to the enactment of HITECH, the amount of the civil penalty imposed by the Secretary was capped at $100 per violation, with an aggregate annual cap of $25,000 for all violations of an identical requirement or prohibition. Now, based on the nature and extent of the violation and the nature and extent of the harm, the civil penalties can range from $100 to $50,000 for each violation, with an annual cap of $1,500,000 for identical violations.

The following table [1] summarizes the categories of violations and the respective penalty amounts:

Violation category (Section 1176(a)(1))      Each violation      All such violations of an identical provision in a calendar year
(A) Did Not Know
(B) Reasonable Cause
(C)(i) Willful Neglect - Corrected
(C)(ii) Willful Neglect - Not Corrected

(The penalty amounts in the two right-hand columns were not reproduced in this copy of the table.)
It is important to recognize that prior to the passage of HITECH, a penalty could not be imposed on a covered entity if it was established that the person liable for the penalty did not know and, by exercising reasonable diligence, would not have known that the person violated HIPAA. HITECH did away with this knowledge requirement altogether. [2] Under the revised standard, the covered entity is subject to civil penalties, even if the covered entity was unaware that a violation had been committed. And, if the extent of the harm to the individual is severe, the covered entity could be subject to $50,000 in civil penalties.

ii. Whistleblowers

Under HIPAA and prior to the implementation of HITECH, the Secretary was charged with imposing civil penalties on those individuals who violated the HIPAA privacy provisions. Section 1176 of the Social Security Act provided no specific direction as to the Secretary’s use of the collected penalties. However, with the step up in penalties and the success of similar laws that incentivize government agencies for enforcement efforts, Congress enacted several provisions to incentivize government enforcement of HIPAA privacy laws.

To incentivize enforcement of the new penalties, HITECH amended Section 1176 of the Social Security Act to direct that all civil monetary penalties and monetary settlements collected in connection with an offense punishable under HITECH or HIPAA be transferred to the OCR in the Department of Health and Human Services, for use in further enforcement of the HIPAA and HITECH provisions.

Additionally, under the new law, harmed individuals will also benefit from civil monetary penalties and monetary settlements collected by the OCR. However, it may be some time before those individuals realize any benefit. The Secretary has until February 18, 2012 to establish regulations articulating the methodology by which those harmed individuals may receive a percentage of those collected monies. Furthermore, the methodology will only be applied to those monetary penalties and settlements collected after the effective date of the regulation. [3]

iii. State Attorneys General Actions

To further the rights of individuals and to further enhance enforcement efforts of the HIPAA Privacy Rule, HITECH amended HIPAA to allow the attorney general of a State, as parens patriae, to bring a civil action on behalf of the State’s residents in an appropriate district court of the United States for HIPAA and HITECH violations.

Where the attorney general of the State has reason to believe that an interest of one of its residents has been or is threatened or adversely affected by any person who violates the Privacy Rule, the attorney general may bring an action to enjoin the defendant from further violations as well as to obtain damages on behalf of the harmed individuals.

State statutory damages are not dictated by the same tiered penalty system that applies under Section 1176 of the Social Security Act, but rather are calculated by multiplying the number of violations by up to $100. The maximum state penalty that may be imposed on a defendant for all violations of an identical requirement or prohibition during a calendar year cannot exceed $25,000. Additionally, a court may consider all of the statutory reductions on civil penalties applicable under Section 1176 of the Social Security Act when calculating damages in a civil matter brought by the attorney general.

[1] 74 Fed. Reg. No. 209, 56127.

[2] Health Information Technology for Economic and Clinical Health Act § 13410(d)(3)(A).

[3] Health Information Technology for Economic and Clinical Health Act § 13410(c)(4).
