The Department of Health and Human Services (HHS) published interim final regulations on October 30, 2009, to update the existing HIPAA enforcement regulations to reflect statutory revisions made by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations become effective November 30, 2009, and address only the provisions of the HITECH Act already in effect.
The interim final regulations, among other things, implement the increases in civil penalties and the four categories of violations and corresponding penalties established by the HITECH Act. Also, under the Act and the regulations, penalties will apply even where the covered entity did not know (and with the exercise of reasonable diligence would not have known) of the violation. However, HHS has the authority to reduce penalties in certain circumstances.
There have been a number of recent changes that enhance and strengthen HIPAA’s enforcement provisions – the HITECH Act, the interim final regulations discussed above and agency reorganization. These measures suggest an increasing likelihood of enforcement concerning the HIPAA privacy and security regulations. As a result, health care providers and health plans should be reviewing their compliance with HIPAA and preparing for additional guidance expected to be issued shortly.