Changes to the HIPAA Enforcement Rule -

Background: On October 30, 2009, HHS issued an interim final rule revising the Enforcement Rule to incorporate provisions of the HITECH Act. The NPRM then proposed a number of additional modifications to the Enforcement Rule, and the Final Rule adopts several of these modifications to implement HITECH Act requirements that the interim final rule did not address or adopt.

Modifications: The Final Rule implements provisions regarding enforcement of noncompliance due to willful neglect. The Final Rule requires the Secretary to formally investigate complaints indicating violations due to willful neglect and requires that the Secretary conduct a compliance review to determine whether a Business Associate is in compliance when a preliminary review of facts indicates a possible violation. The Final Rule provides the Secretary with discretion (and removes the former mandate) to resolve investigations or compliance reviews indicating noncompliance by informal means. In addition, the Final Rule requires the imposition of civil money penalties upon finding violations due to willful neglect.