Inside Privacy: Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

HITECH Update #12: HHS Modifies HIPAA Enforcement Provisions

Posted in Health Privacy

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule adopts a number of modifications to Subparts C and D of Part 160 (HIPAA Enforcement Rule) to implement Section 13410 of the HITECH Act. Most significantly, the rule includes modifications to implement Section 13410(a) of the HITECH Act, which requires HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil money penalty for a violation due to willful neglect.

In addition, the rule:

  • Modifies the definition of “reasonable cause” in 45 C.F.R. § 160.401 to clarify the mens rea associated with this category of violations;
  • Amends 45 C.F.R. § 160.402(c) to make covered entities and business associates liable for the acts of their business associate agents;
  • Retains the revised penalty structure in 45 C.F.R. § 160.404(b) as implemented by the interim final rule; and
  • Adopts other proposed modifications and provisions in the interim final rule regarding factors considered in determining the amount of a civil penalty, affirmative defenses, HHS’s waiver authority, and calculation of the 30-day cure period for willful neglect violations.