The Final Rule establishes four categories of violations, and associated civil monetary penalties, as follows:
Violation Category
Civil Monetary Penalty per Violation
Cap for All Identical Violations per Calendar Year
The covered entity did not know of the violation.
The violation was due to reasonable cause and not willful neglect.
The violation was due to willful neglect, but was corrected within 30 days of discovery.
The violation was due to willful neglect, but was not corrected within 30 days of discovery.
Within these ranges, HHS will determine penalties based on (i) the nature and extent of the violation, (ii) the nature and extent of the resulting harm, and (iii) other factors, including prior compliance with the rules or the financial condition of the covered entity or business associate at the time of the violation.
This Final Rule is another signal from HHS that it will aggressively enforce the HIPAA Privacy and Security Rules, beginning immediately. If covered entities and business associates do not already have strong HIPAA compliance programs in place to prevent and detect potential violations of the Privacy and Security Rules, they should establish such programs now. Those that do have programs in place should review them to make sure that they comply with the HIPAA Privacy and Security Rules, including the new provisions of the HITECH Act.




ARRA’s HITECH Privacy and Security

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the Omnibus Final Rule (Final Rule) interpreting and implementing various provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and the Genetic Information Nondiscrimination Act of 2008 (GINA). In the Final Rule, HHS modified the standard that HIPAA-covered entities, including healthcare providers and health plans, and their business associates must use to determine if a breach of protected health information (PHI) has occurred. Specifically, HHS replaced the previous standard, which required analysis of the risk of financial, reputational or other harm to an individual, with a standard that presumes that a breach has occurred.
Accordingly, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form.

When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.