ENFORCEMENT:
Why Reviewing The Final Enforcement Rule's Provisions Could Save You Time And Money
Published on Wed Feb 14, 2007
HIPAA widens scope, toughens penalties with final rule.
How much do you know about the provisions of the Final Enforcement Rule? If you aren't up to speed on the changes that have been in effect since early last year, you should take some time now to get updated.
The basics: Lawmakers designed the final rule, in effect since February 2006, to establish more uniform enforcement and compliance policies. Thus, it widens the scope of the rules governing noncompliance by making them apply to all of the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification rules (or, "any requirement or prohibition established by the HIPAA provisions or HIPAA rules"), rather than just the privacy standards.
The final rule also modified the rules governing the imposition of civil monetary penalties on non-compliant organizations and entities. It mandates the implementation of the civil monetary penalty authority of the Administrative Simplification part of HIPAA.
Violations bring payouts: According to the final rule, non-compliant organizations can expect to receive civil monetary penalties and perhaps other applicable punishments, whether or not the organization in question requests a hearing.
The rule now says that the Department of Health and Human Services may levy a monetary penalty on any covered entity that is found to have violated any administrative simplification provision, unless the covered entity establishes that an affirmative defense exists.
More generally, the rule clarified several aspects of the enforcement process, including investigation, complaint filing, the bases for liability, determination of the penalty amount, the grounds for waiver, the conduct of the hearing and the appeal process.
The final rule outlines the procedure and requirements for filing a complaint against a covered entity. It says that a complaint must name the person against whom the complaint has been made and describe the alleged violations. It also says that complaints must be filed within 180 days of when the complainant knows that the act or omission occurred (unless this time limit has been waived).
The bottom line: With compliance becoming easier (and the penalties for noncompliance becoming more severe), you should ensure that your organization is violation-free.