On October 30, 2009, the Secretary of the HHS adopted an Interim Final Rule amending HIPAA’s enforcement regulations relating to the imposition of civil monetary penalties (“CMP”). Most significantly, the Interim Final Rule distinguishes between violations occurring before February 18, 2009 and violations occurring on or after that date with regard to the penalty amount and available affirmative defenses. For violations occurring prior to February 18, 2009, the range of CMP amounts will not change (i.e., maximum penalty amount for each violation is not more than $100 and maximum penalty amount for all violations of an identical requirement or prohibition during a calendar year is not to exceed $25,000). The amendments focus on a Covered Entity’s culpability, and provide the following categories of violations and penalties per violation:

  • Category 1 – Covered Entity did not know of the violation and would not have known through the exercise of reasonable diligence (each violation: $100-$50,000);
  • Category 2 – Violation was due to reasonable cause and not willful neglect (each violation: $1,000 to $50,000);
  • Category 3 – Violation was due to willful neglect but was corrected (each violation: $10,000 to $50,000); and
  • Category 4 – Violation was due to willful neglect and was not corrected (each violation: $50,000).

HHS will not impose the maximum penalty in all cases, but rather, will base the penalty on the nature and extent of the violation and resulting harm, as well as other factors including the Covered Entity’s compliance history and financial condition. Regarding affirmative defenses, on or after February 18, 2009, a Covered Entity may not assert an affirmative defense that it did not know and reasonably should not have known of a violation unless it also corrects the violation during the 30-day period beginning on the first date it learned of the violation or during another period of time determined by HHS (except in the case of violations due to willful neglect—uncorrected category, which are ineligible for an extension of the 30-day period and for which a timely correction cannot serve as an affirmative defense).

The Interim Final Rule specifies that HHS may continue to provide waivers for violations due to reasonable cause and not willful neglect if the violations are timely corrected. Finally, the amendments relocate the terms “reasonable cause”, “reasonable diligence”, and “willful neglect” to signal the terms’ applicability to the entire subpart D, and require HHS to identify the applicable violation category upon which a proposed penalty is based.

HHS invited public comments on: (1) the calculation of the start of the 30-day cure period for purposes of determining the penalty tier for a violation due to willful neglect; (2) whether the reorganization of the definitions of “reasonable cause”, “reasonable diligence”, and “willful neglect” will lead to any unintended consequences; and (3) HHS’ interpretation of certain ambiguous language. Comments are due by December 29, 2009.

For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous.  But what about breaches the CE doesn’t know about?  What if the CE’s business associate (BA) fails to report a breach of unsecured health information?  What if the BA doesn’t even know about the breach? 
The Interim Final Rule published by the Office for Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility: yes, a CE must meet the breach notification requirements and timeline even when the CE is not responsible for, and does not even know about, a breach. The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself."
The date a breach is discovered is extremely important, because it triggers the 60-day notice requirement. The fact that a CE has no actual knowledge of a BA’s breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach. Where the BA is the CE’s agent, the clock starts running when the BA knew, or by exercising reasonable diligence would have known, about the breach. According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under the federal common law of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so."


The U.S. Department of Health and Human Services (HHS) announced today in a News Release that it has issued new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA), now including Business Associates, to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI). Yesterday, the FTC also issued a Press Release announcing that it had finalized its rule on security breach notification, which will apply to vendors of personal health records. Both HHS’ and FTC’s "breach notification" regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will include a 60-day public comment period. However, the HITECH Act specifies that compliance with its breach notification requirements (Sections 13401-13402) is required for breaches discovered on or after the date that is 30 days after publication of the interim final rules. Therefore, those required to comply with these provisions should be prepared to meet the HITECH Act’s security breach notification requirements by some time towards the end of September.

Click here to link to a copy of the HHS’ Interim Final Breach Notification Rule.

     Do you need help understanding what to do in light of HITECH’s privacy and security changes to HIPAA?  Are you concerned about HITECH’s increased penalties for HIPAA violations? Are you struggling to understand what needs to be done under the New Jersey Security Breach Notification Act, and how these state requirements reconcile with the HITECH breach notification requirements? 

     Join me on Wednesday, August 19, 2009 at 12:00 p.m. for a Webinar offered through the Medical Society of New Jersey called the "Privacy and Security Law Update" where I will cover the HITECH Act and how it changes HIPAA, required and recommended amendments to Business Associate Agreements, security breach notification obligations under HITECH and the New Jersey Identity Theft Prevention Act, the Red Flags Rule, and more.

     To register, visit MSNJ’s web site and click on the Events Registration link. Please note that non-MSNJ members who wish to register for the webinar must first create a "new user" account with MSNJ and establish a password to be able to register for the webinar. To create a new user account, visit MSNJ’s Events Detail page by clicking here.

[Installment 5 – Governance Considerations from HIT for the Board and Other Hospital Stakeholders] 

This is the fifth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT. 

The other week, two separate and apparently unrelated events occurred on consecutive days with respect to electronic health records ("EHRs") that dramatically underscore the focus of this series: Governing Boards of hospitals and other stakeholders must place a very high priority on their struggle to cope with the new and somewhat uneven landscape of health information technology ("HIT").

On July 16, 2009, Health Data Management reported that "[t]he federal HIT Policy Committee has approved revised recommendations of a workgroup for an initial definition of ‘meaningful use’ of electronic health records systems." The report goes on to emphasize that "[t]he definition is important because providers must demonstrate meaningful use of EHRs to qualify for Medicare and Medicaid incentive payments starting in 2011 under the economic stimulus law."

Therefore, health providers will have to meet minimum prescribed standards for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act to recoup a portion of the heavy costs that they will incur to implement their EHRs programs. 

On the following day, July 17, 2009, the federal Department of Veterans Affairs ("VA") published a press release on its Web site announcing that it will temporarily halt 45 information technology projects which are either behind schedule or over budget. The VA will review these projects and determine whether they should be continued. The release goes on to say that each of the 45 affected projects will be temporarily halted with no further development until a new project plan that meets the requirements of the Program Management Accountability System is created.

Some of the titles of the VA projects that will be halted include significant EHRs-related projects such as “Health Data Repository II,” “Clinical Data Service,” “Home Telehealth Development,” “Occupational Health Record Keeping System,” “Lab Data Sharing & Interoperability – Anatomic Pathology/Microbiology” and many others.

By simply securing additional funding from Congress, the VA, as an agency of the federal government that is generally a favorite of the legislators, can retool and retrench its EHRs initiatives after making a relatively embarrassing press release and perhaps enduring some criticism and lost time. 

The Boards of health care providers do not have the luxuries of the VA. They simply cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. As this blog has stated in earlier installments, the survival of many hospitals is threatened by the uncertainties of possible health care reform, declining patient population, reduced reimbursement, heavy regulation, intense competition, dwindling donor contributions and heavy endowment losses for non-profit hospitals, a history of unclear returns from past substantial investments in HIT and many other factors. The costs of mistakes for the private sector hospitals are not simply the embarrassment or lost time of the VA. They are the huge outlays for conversion to EHRs and the potential for losing access to the federal stimulus funds.

These questions and others must be properly considered at a high level in the hospital, with committed Board oversight, in order to avoid or mitigate liability and loss that will result from expensive choices made with inadequate or incomplete information. 

 [To be continued in Installment 6] 

When I first reviewed the Matrix and other documents released by the HIT Policy Committee’s "Meaningful Use" Workgroup, my initial reaction was: "When did defining ‘Meaningful Use’ of EHRs morph into attempting to use EHRs to ‘meaningfully’ reform the entire healthcare delivery system?" More simply put, the Workgroup’s initial recommendations seemed to me to be over-ambitious.

The term "Meaningful EHR User" in ARRA (at Title IV, subtitle A, section 4104) is described as "an eligible professional" who meets the following criteria: 

  1. demonstrates that he/she is using certified EHR technology in a "meaningful manner, which shall include the use of electronic prescribing";
  2. demonstrates that he/she uses the certified EHR technology to be "connected, in a manner that provides… for the electronic exchange of health information to improve the quality of health care, such as promoting care coordination"; and
  3. submits information on selected "clinical quality measures".   

In my view, the first round of "Meaningful Use" requirements should be specific and reasonably achievable by healthcare providers. For example, the criteria could require that the healthcare provider demonstrate that he/she uses electronic prescribing at least 75% of the time, or that he/she records patient notes and medical encounter information in a certified EHR for no less than 75% of his/her new patient encounters.


Interestingly, the National Coordinator for HIT decided to "send the workgroup back to work on another set [of recommendations]" for defining Meaningful Use soon after the Workgroup released its first set of recommendations. In the second go-around, I think that many in the healthcare industry hope to see Meaningful Use criteria that are attainable by healthcare providers on a practical level. Otherwise, the entire premise of the HITECH Act, providing incentives to increase EHR adoption, could be thwarted.


The Office of the National Coordinator for Health Information Technology (ONC) is seeking comments on the preliminary definition of "Meaningful Use," as presented to the HIT Policy Committee on June 16, 2009. Comments on the draft description of Meaningful Use are due by 5:00 pm EST June 26, 2009. Below are links to the HIT Policy Committee’s recommendations:

For directions on how to submit comments, visit the HIT Policy Committee’s website.

In accordance with the 90-day deadline established for an operating plan to be submitted to Congress on expenditures related to the $2 billion appropriated under the American Recovery and Reinvestment Act ("ARRA") for health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan’s proposed Funding Table (the amounts for some line items did not survive in this copy) is as follows:

Total Appropriated (Dollars in Millions)

  • Privacy and Security*: $24.285
  • National Institute of Standards and Technology (NIST): [amount not shown]
  • Regional HIT Exchange: [amount not shown]
  • Total towards HIT: $2,000.000

* Includes $9.5 million for audits by OCR and CMS.

Of particular interest to many should be the Privacy and Security Spend Plan section. It specifies that over $24 million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role." The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the third quarter of 2009, or around September 2009! If completed according to schedule, the federal government could have a bastion of new HIPAA/HITECH enforcement soldiers on the ground and ready when the interim final regulations implementing breach notification for covered entities and business associates are released on August 18, 2009.

For a copy of the entire Plan, visit HHS’ Recovery Website.

On April 17, 2009, the federal Department of Health and Human Services (HHS) issued guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).  The guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations: one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH), and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached. Note that the safe harbor turns on the PHI actually having been rendered unusable, unreadable, or indecipherable in the manner the guidance specifies; data that is merely access-controlled or stored on a device that was lost does not qualify.

In addition to this guidance, HHS has concurrently issued a request for information (RFI) soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance. Once published in the Federal Register, the guidance and RFI will also be available for public comment at www.regulations.gov. View the HITECH Breach Notification Guidance and Request for Public Comment.

The guidance must be updated annually, but HHS may update and reissue it this year, after public comment is considered and at the same time HHS’s breach notification regulation is published.

The Federal Trade Commission (FTC) posted its proposed rule today implementing the new breach notification requirements for health records that the Health Information Technology for Economic and Clinical Health ("HITECH") Act required it to promulgate. The FTC rule will apply to vendors of personal health records and related entities not covered directly by HIPAA.

The Department of Health and Human Services is required to issue, by August 17, 2009, rules implementing the similar breach notification provisions applicable to entities covered by HIPAA, namely Covered Entities (health care providers, health plans, and clearinghouses) and now, as a result of the HITECH Act, Business Associates.

To review the text of the FTC’s proposed rule, click here. Public comments are due on June 1, 2009.