The Scary World of Penalties and Enforcement Under the New HIPAA-HITECH Law

This is the second guest post by health care attorney Jennifer A. Stiller.  My gratitude to Jenny for providing this additional information.  She will be posting a detailed follow-up article on this topic on her own web site.  I encourage you to read it.


On January 22, I wrote about the new HITECH Act, which as of February 17th will make HIPAA business associates – such as law firms that represent healthcare clients – directly subject to federal penalties if they fail to meet their obligations to implement safeguards that keep their clients’ patient information secure when it is stored or transmitted electronically.


And we should care because…?


In addition to expanding HIPAA obligations, the HITECH Act (known to the cognoscenti as “HIPAA on Steroids”) substantially increases enforcement penalties and activities. Previously, there was no affirmative government enforcement of the HIPAA patient-privacy requirements – only the ability of the Department of Health & Human Services’ Office for Civil Rights (OCR) to investigate complaints. If a complaint revealed a violation, fines were limited to $100 per incident, with a maximum annual total of $25,000 for violations of the same requirement. Under HITECH –


· Civil money penalties increase to as much as $50,000 per violation, up to $1.5 million per year.

· Starting February 17, 2011, OCR is required to impose civil penalties if a violation is due to “willful neglect.”

· OCR will keep the penalties, to be plowed back into enforcement activities.

· OCR is directed to conduct periodic audits of covered entities and business associates to evaluate HIPAA compliance.

· State attorneys general are granted authority to bring civil actions to enforce HIPAA.

· The Government Accountability Office is directed to prepare a report by August 17, 2012 recommending a methodology by which affected individuals can share in penalties collected for HIPAA violations. Once implemented, this will increase individuals’ incentives to file privacy and security complaints, similar to the effect of the False Claims Act’s “whistle-blower” provisions.


Next week, I’ll publish a full article on my website explaining the duties the HITECH law imposes on business associates, effective February 17, 2010. My appreciation to Ellen Freedman for giving me the opportunity to use this forum to get the word out.