Last week the Department of Health and Human Services published an interim final rule that sets forth the procedures the agency plans to follow in imposing civil penalties under HIPAA for violations of the privacy rule, as well as electronic data standards. The rule, which is effective May 19, states that enforcement activities will be complaint-driven and focus on obtaining voluntary compliance. HHS may impose penalties of up to $100 per day per violation, up to $25,000 annually.
>However, the rules do not specify what activities will constitute violations of HIPAA or how specific penalty amounts will be calculated, leaving those issues for a future release.
>Compliance with the federal privacy rule became mandatory for most covered entities last week, extending new privacy standards to protect medical records and other confidential health information. That information, referred to by HHS as protected health information (PHI), includes data that identifies, or could reasonably be used to identify, an individual. Protection is also extended to any information that relates to a past, present, or future physical or mental condition of the individual or the payment of health care for that individual.
The privacy standards guard PHI in all forms created or received by a health plan or employer: electronic, written, or oral. However, the security standards safeguard only protected health information stored in electronic media and electronically transmitted.
>The procedures will apply to enforcement of the HIPAA administrative simplification title by both the HHS Office for Civil Rights, which is charged with privacy enforcement, and the Centers for Medicare and Medicaid Services, which is charged with enforcing all other aspects of the title.
>Further information on the rule can be obtained from Karen Shaw at (202) 690-7711. Comments should be mailed to Centers for Medicare and Medicaid Services, Department of Health and Human Services, Attention: CMS-0010-IFC, P.O. Box 8010, Baltimore, MD 21244-8010
>Comments on the interim final rule must be received by June 16, 2003.