HIPAA Has Some New Teeth: Update on Interim Final Rule On “Improved Enforcement” Under HITECH

Business Law Update. By Sarah E. Coyne, Kerry L. Moskol, Susan B. Trujillo

Even though "interim final" may seem like an oxymoron to some (as does "improved enforcement"), the Department of Health and Human Services nevertheless adopted an interim final rule on October 30, 2009, implementing the "improved enforcement" provisions of the Health Information Technology for Economic and Clinical Health Act ("HITECH"). The new rule significantly increases the penalty amounts that may be imposed for HIPAA violations and sets up a tiered system. There is more to come, so don't put your teething gel back in the cabinet too fast.

The revised penalty scheme establishes a tiered system for civil monetary penalties reflecting increasing levels of culpability and a range of penalty amounts:

Violation Category | Penalty for Each Violation | Possible Total Penalty for Multiple Violations of Identical Provision in a Calendar Year
Did Not Know (covered entity was unaware and could not have known even if it exercised reasonable diligence) | $100 - $50,000 |
Reasonable Cause (violations were the result of circumstances that would have made it unreasonable for the covered entity to comply) | $1,000 - $50,000 |
Willful Neglect - Corrected (violation due to willful neglect but timely corrected) | $10,000 - $50,000 |
Willful Neglect - Not Corrected (violation due to willful neglect and not corrected after discovery) | |

Prior to HITECH, a covered entity's exposure for violating any single HIPAA provision was capped at $25,000 annually (for multiple violations of the same provision).

The interim rule also limits a covered entity's ability to claim ignorance as a defense to a HIPAA violation. Specifically, a covered entity will not be able to rely on lack of knowledge or reasonable cause as a defense if the entity fails to correct the violation within: (1) 30 days of learning of the violation; (2) 30 days of when an entity by exercising reasonable diligence would have known of the violation; or (3) a time period determined appropriate by the Secretary of the Department of Health and Human Services. Essentially, you may be able to get out of any penalty by correcting the breach within 30 days, but if you don't, claiming ignorance will not help you with violations that occurred after February 18, 2009. If there is an ongoing criminal proceeding, providers may raise that issue as an affirmative defense to civil enforcement.

Ignorance will not bar a penalty for "willful neglect," which is defined as "conscious," "intentional," or "reckless indifference" to HIPAA obligations. It remains to be seen how the government will view "willful neglect," but in any event covered entities and business associates would be well served to avoid the "binder on the shelf" mode of HIPAA compliance. Surveyors will want to see active, meaningful compliance with all aspects of HIPAA and HITECH.

The rule became effective November 30, 2009, and applies to HIPAA violations occurring on or after February 18, 2009. The comment period closed December 29, 2009. Comments to the Interim Final Rule raised issues regarding the definition of "corrected" (for example, is a breach corrected when the lost laptop is recovered or when the patients are notified of the breach), requested regulations regarding the factors applied when determining the appropriate penalty tier, and noted that even a minor infraction where the covered entity had no knowledge (for example, a rogue employee that stole information) could result in a $50,000 penalty. Stay tuned to see if these comments are incorporated into any later rulemaking.

If you have any questions about the new HITECH or HIPAA obligations, please contact Sarah Coyne at (608) 283-2435, Kerry Moskol at (608) 283-2609, Susan Trujillo at (602) 229-5318, or your Quarles & Brady attorney.