HIPAA Compliance Plan

Sec. 13410. Improved Enforcement.

(a) IN GENERAL.—

(1) NONCOMPLIANCE DUE TO WILLFUL NEGLECT.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended—

(A) in subsection (b)(1), by striking ‘‘the act constitutes an offense punishable under section 1177’’ and inserting ‘‘a penalty has been imposed under section 1177 with respect to such act’’; and

(B) by adding at the end the following new subsection:

‘‘(c) NONCOMPLIANCE DUE TO WILLFUL NEGLECT.—

‘‘(1) IN GENERAL.—A violation of a provision of this part due to willful neglect is a violation for which the Secretary is required to impose a penalty under subsection (a)(1).

‘‘(2) REQUIRED INVESTIGATION.—For purposes of paragraph (1), the Secretary shall formally investigate any complaint of a violation of a provision of this part if a preliminary investigation of the facts of the complaint indicate such a possible violation due to willful neglect.’’.

(2) ENFORCEMENT UNDER SOCIAL SECURITY ACT.—Any violation by a covered entity under this subtitle is subject to enforcement and penalties under section 1176 and 1177 of the Social Security Act.

(b) EFFECTIVE DATE; REGULATIONS.—

(1) The amendments made by subsection (a) shall apply to penalties imposed on or after the date that is 24 months after the date of the enactment of this title.

(2) Not later than 18 months after the date of the enactment of this title, the Secretary of Health and Human Services shall promulgate regulations to implement such amendments.

(c) DISTRIBUTION OF CERTAIN CIVIL MONETARY PENALTIES COLLECTED.—

(1) IN GENERAL.—Subject to the regulation promulgated pursuant to paragraph (3), any civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or section 1176 of the Social Security Act (42 U.S.C. 1320d–5) insofar as such section relates to privacy or security shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act.

(2) GAO REPORT.—Not later than 18 months after the date of the enactment of this title, the Comptroller General shall submit to the Secretary a report including recommendations for a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.

(3) ESTABLISHMENT OF METHODOLOGY TO DISTRIBUTE PERCENTAGE OF CMPS COLLECTED TO HARMED INDIVIDUALS.—Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.

(4) APPLICATION OF METHODOLOGY.—The methodology under paragraph (3) shall be applied with respect to civil monetary penalties or monetary settlements imposed on or after the effective date of the regulation.

(d) TIERED INCREASE IN AMOUNT OF CIVIL MONETARY PENALTIES.—

(1) IN GENERAL.—Section 1176(a)(1) of the Social Security Act (42 U.S.C. 1320d–5(a)(1)) is amended by striking ‘‘who violates a provision of this part a penalty of not more than’’ and all that follows and inserting the following: ‘‘who violates a provision of this part—

‘‘(A) in the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D);

‘‘(B) in the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D); and

‘‘(C) in the case of a violation of such provision in which it is established that the violation was due to willful neglect—

‘‘(i) if the violation is corrected as described in subsection (b)(3)(A), a penalty in an amount that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D); and

‘‘(ii) if the violation is not corrected as described in such subsection, a penalty in an amount that is at least the amount described in paragraph (3)(D).

In determining the amount of a penalty under this section for a violation, the Secretary shall base such determination on the nature and extent of the violation and the nature and extent of the harm resulting from such violation.’’.

(2) TIERS OF PENALTIES DESCRIBED.—Section 1176(a) of such Act (42 U.S.C. 1320d–5(a)) is further amended by adding at the end the following new paragraph:

‘‘(3) TIERS OF PENALTIES DESCRIBED.—For purposes of paragraph (1), with respect to a violation by a person of a provision of this part—

‘‘(A) the amount described in this subparagraph is $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000;

‘‘(B) the amount described in this subparagraph is $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000;

‘‘(C) the amount described in this subparagraph is $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and

‘‘(D) the amount described in this subparagraph is $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.’’.

(3) CONFORMING AMENDMENTS.—Section 1176(b) of such Act (42 U.S.C. 1320d–5(b)) is amended—

(A) by striking paragraph (2) and redesignating paragraphs (3) and (4) as paragraphs (2) and (3), respectively; and

(B) in paragraph (2), as so redesignated—

(i) in subparagraph (A), by striking ‘‘in subparagraph (B), a penalty may not be imposed under subsection (a) if’’ and all that follows through ‘‘the failure to comply is corrected’’ and inserting ‘‘in subparagraph (B) or subsection (a)(1)(C), a penalty may not be imposed under subsection (a) if the failure to comply is corrected’’; and

(ii) in subparagraph (B), by striking ‘‘(A)(ii)’’ and inserting ‘‘(A)’’ each place it appears.

(4) EFFECTIVE DATE.—The amendments made by this subsection shall apply to violations occurring after the date of the enactment of this title.

(e) ENFORCEMENT THROUGH STATE ATTORNEYS GENERAL.—

(1) IN GENERAL.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended by adding at the end the following new subsection:

‘‘(d) ENFORCEMENT BY STATE ATTORNEYS GENERAL.—

‘‘(1) CIVIL ACTION.—Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—

‘‘(A) to enjoin further such violation by the defendant; or

‘‘(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).

‘‘(2) STATUTORY DAMAGES.—

‘‘(A) IN GENERAL.—For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100. For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1180(b)(3)) for violations of subsection (a).

‘‘(B) LIMITATION.—The total amount of damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

‘‘(C) REDUCTION OF DAMAGES.—In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.

‘‘(3) ATTORNEY FEES.—In the case of any successful action under paragraph (1), the court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

‘‘(4) NOTICE TO SECRETARY.—The State shall serve prior written notice of any action under paragraph (1) upon the Secretary and provide the Secretary with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Secretary shall have the right—

‘‘(A) to intervene in the action;

‘‘(B) upon so intervening, to be heard on all matters arising therein; and

‘‘(C) to file petitions for appeal.

‘‘(5) CONSTRUCTION.—For purposes of bringing any civil action under paragraph (1), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State.

‘‘(6) VENUE; SERVICE OF PROCESS.—

‘‘(A) VENUE.—Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

‘‘(B) SERVICE OF PROCESS.—In an action brought under paragraph (1), process may be served in any district in which the defendant—

‘‘(i) is an inhabitant; or

‘‘(ii) maintains a physical place of business.

‘‘(7) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING.—If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.

‘‘(8) APPLICATION OF CMP STATUTE OF LIMITATION.—A civil action may not be instituted with respect to a violation of this part unless an action to impose a civil money penalty may be instituted under subsection (a) with respect to such violation consistent with the second sentence of section 1128A(c)(1).’’.

(2) CONFORMING AMENDMENTS.—Subsection (b) of such section, as amended by subsection (d)(3), is amended—

(A) in paragraph (1), by striking ‘‘A penalty may not be imposed under subsection (a)’’ and inserting ‘‘No penalty may be imposed under subsection (a) and no damages obtained under subsection (d)’’;

(B) in paragraph (2)(A)—

(i) after ‘‘subsection (a)(1)(C),’’, by striking ‘‘a penalty may not be imposed under subsection (a)’’ and inserting ‘‘no penalty may be imposed under subsection (a) and no damages obtained under subsection (d)’’; and

(ii) in clause (ii), by inserting ‘‘or damages’’ after ‘‘the penalty’’;

(C) in paragraph (2)(B)(i), by striking ‘‘The period’’ and inserting ‘‘With respect to the imposition of a penalty by the Secretary under subsection (a), the period’’; and

(D) in paragraph (3), by inserting ‘‘and any damages under subsection (d)’’ after ‘‘any penalty under subsection (a)’’.

(3) EFFECTIVE DATE.—The amendments made by this subsection shall apply to violations occurring after the date of the enactment of this Act.

(f) ALLOWING CONTINUED USE OF CORRECTIVE ACTION.—Such section is further amended by adding at the end the following new subsection:

‘‘(e) ALLOWING CONTINUED USE OF CORRECTIVE ACTION.—Nothing in this section shall be construed as preventing the Office for Civil Rights of the Department of Health and Human Services from continuing, in its discretion, to use corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) of the violation involved.’’.
