The final rule issued by the US Department of Health and Human Services (HHS) extends the existing privacy compliance and enforcement regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to all of HIPAA’s administrative simplification provisions. The latest HHS release also modifies and expands an interim final rule that addressed procedural requirements for imposition of civil money penalties.
The new version of the regulation includes a provision relating to the amount of the penalty and the number of violations. The final rule retains the proposed rule’s provision imposing a penalty if a covered entity violates an “administrative simplification provision,” which is defined as “any requirement or prohibition established by” the statute or regulations.
The final rule has dropped the list of variables to be used by HHS in determining the number of violations. Instead, it provides that the number of violations will be determined based on the nature of the covered entity’s obligation to act or not act under the provision that is violated, and that each day of a continuing violation will constitute a separate violation. The rule also provides that an act that violates one provision in a subpart and another more general provision in the same subpart will not be counted as more than one violation.
However, if a single act violates different subparts it may result in multiple penalties. For example, if a covered entity sells its used computers without scrubbing all protected patient health information from the hard drives, that act may violate several different obligations of the security and privacy rules, and “it is appropriate that such violations be treated separately.”
Also in the new HHS release is a section on the liability for acts of agents. The final rule retains the proposed provision that makes a covered entity liable for violations committed by an agent if the agent acted within the scope of its authority. However, a covered entity that complies with the business associate provisions of the privacy and security rules would not be liable for the actions of the business associate. The final rule makes it clear that the federal law of agency will be used to determine whether a principal-agent relationship exists and whether the agent acted beyond the scope of its authority.
Finally, the rule addresses violations of addressable security implementation specifications. It explains that if implementing an addressable implementation specification is reasonable and appropriate, then that specification becomes a requirement. If implementing it is not reasonable and appropriate, the covered entity is required to document why, and to implement an equivalent alternative measure if doing so is reasonable and appropriate.
General information about the health privacy law is available here.