[Federal Register: April 18, 2005 (Volume 70, Number 73)]
[Proposed Rules]
[Page 20223-20258]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr18ap05-27]
-----------------------------------------------------------------------
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
HIPAA Administrative Simplification; Enforcement; Proposed Rule
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB29
HIPAA Administrative Simplification; Enforcement
AGENCY: Office of the Secretary, HHS.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Secretary of Health and Human Services is proposing rules
for the imposition of civil money penalties on entities that violate
rules adopted by the Secretary to implement the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996, Pub. L. 104-191 (HIPAA). The proposed rule
would amend the existing rules relating to the investigation of
noncompliance to make them apply to all of the HIPAA Administrative
Simplification rules, rather than exclusively to the privacy standards.
It would also amend the existing rules relating to the process for
imposition of civil money penalties. Among other matters, the proposed
rules would clarify and elaborate upon the investigation process, bases
for liability, determination of the penalty amount, grounds for waiver,
conduct of the hearing, and the appeal process.
DATES: Comments on the proposed rule will be considered if we receive
them at the appropriate address, as provided below, no later than June
17, 2005.
ADDRESSES: You may submit comments by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Include agency name and ``RIN: 0991-AB29.''
E-mail: CMS0010.Comments@hhs.gov. Include ``RIN: 0991-AB29'' in the
subject line of the message.
Mail: U.S. Department of Health and Human Services, Office
of General Counsel, Attention: HIPAA Enforcement Rule, 330 Independence
Ave., SW., Washington, DC 20201.
Hand Delivery/Courier: Attention: HIPAA Enforcement Rule,
Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington,
DC 20201.
Instructions: Because of staff and resource limitations, we cannot
accept comments by facsimile (FAX) transmission. For detailed
instructions on submitting comments and additional information on the
rulemaking process, see the ``Public Participation'' heading of the
SUPPLEMENTARY INFORMATION section of this document.
FOR FURTHER INFORMATION CONTACT: Carol Conrad, (202) 690-1840.
SUPPLEMENTARY INFORMATION:
I. Public Participation
We welcome comments from the public on all issues set forth in this
rule to assist us in fully considering issues and developing policies.
You can assist us by referencing the RIN number (RIN: 0991-AB29) and by
preceding your discussion of any particular provision with a citation
to the section of the proposed rule being discussed.
A. Inspection of Public Comments
Comments received timely will be available for public inspection as
they are received, generally beginning approximately 6 weeks after
publication of this document, at the mail address provided above,
Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule
an appointment to view public comments, call Karen Shaw, (202) 205-0154.
B. Electronic Comments
We will consider all electronic comments that include the full
name, postal address, and affiliation (if applicable) of the sender and
are submitted to either of the electronic addresses identified in the
ADDRESSES section of this preamble. All comments must be incorporated
in the e-mail message, because we may not be able to access
attachments. Copies of electronically submitted comments will be
available for public inspection as soon as practicable at the address
provided, and subject to the process described, in the preceding
paragraph.
C. Mailed Comments and Hand Delivered/Couriered Comments
Mailed comments may be subject to delivery delays due to security
procedures. Please allow sufficient time for mailed comments to be
timely received in the event of delivery delays. Comments mailed to the
address indicated for hand or courier delivery may be delayed and could
be considered late.
D. Copies
To order copies of the Federal Register containing this document,
send your request to: New Orders, Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue
requested and enclose a check or money order payable to the
Superintendent of Documents, or enclose your Visa or Master Card number
and expiration date. Credit card orders can also be placed by calling
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by
faxing to (202) 512-2250. The cost for each copy is $10. As an
alternative, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is available from the Federal
Register online database through GPO Access, a service of the U.S.
Government Printing Office. The web site address is: http://www.gpoaccess.gov/nara/index.html.
This document is available
electronically at the following web sites of the Department of Health
and Human Services (HHS): http://www.hhs.gov/ocr/hipaa/ and http://www.cms.gov/hipaa/hipaa2.
F. Response to Comments
Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
in accordance with the methods described above and by the date
specified in the DATES section of this preamble. When we proceed with a
final rule, we will respond to comments in the preamble to that rule.
II. Background
HHS proposes to amend or renumber existing rules that relate to
compliance with, and enforcement of, the Administrative Simplification
regulations (HIPAA rules) adopted by the Secretary of Health and Human
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA
provisions). These rules are codified at 45 CFR part 160, subparts C
and E. In addition, this proposed rule would add a new subpart D to
part 160. The new subpart D would contain additional rules relating to
the imposition by the Secretary of civil money penalties on covered
entities that violate the HIPAA rules. The full set of rules that will
ultimately be codified at subparts C, D, and E of 45 CFR part 160 is
collectively referred to in this proposed rule as the ``Enforcement
Rule.'' Finally, HHS proposes conforming changes to subpart A of part
160 and subpart E of part 164.
The statutory and regulatory background of the proposed rule is set
out below. A description of HHS's approach to enforcement of the HIPAA
provisions and the HIPAA rules in general, the approach of this
proposed rule in particular, and each section of the proposed rule follows. The
preamble concludes with HHS's analyses of impact and other issues under
applicable law.
A. Statutory Background
Subtitle F of Title II of HIPAA, entitled ``Administrative
Simplification,'' requires the Secretary to adopt national standards
for certain information-related activities of the health care industry.
The purpose of subtitle F is to improve the Medicare program under
title XVIII of the Social Security Act (Act), the Medicaid program
under title XIX of the Act, and the efficiency and effectiveness of the
health care system, by mandating the development of standards and
requirements to enable the electronic exchange of certain health
information. Section 262 of subtitle F added a new Part C to Title XI
of the Act. Part C (sections 1171-1179 of the Act, 42 U.S.C. 1320d-1320d-8)
requires the Secretary to adopt national standards for certain
financial and administrative transactions and various data elements to
be used in those transactions, such as code sets and certain unique
health identifiers. Recognizing that the industry trend toward
computerizing health information, which HIPAA encourages, may increase
the accessibility of that information, sections 262 and 264 of HIPAA
also require the Secretary to adopt national standards to protect the
security and privacy of the information.
Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA
provisions apply only to--
The following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information
in electronic form in connection with a transaction referred to in
section 1173(a)(1).
These entities are collectively known as ``covered entities.'' An
additional category of covered entities was added by the Medicare
Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L.
108-173) (MMA). As added by MMA, section 1860D-31(h)(6)(A) of the Act,
42 U.S.C. 1395w-141(h)(6)(A), provides that:
a prescription drug card sponsor is a covered entity for purposes of
applying part C of title XI and all regulatory provisions
promulgated thereunder, including regulations (relating to privacy)
adopted pursuant to the authority of the Secretary under section
264(c) of the Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. 1320d-2 note).
HIPAA requires certain consultations with industry as a predicate
to the issuance of the HIPAA standards and provides that most covered
entities have up to 2 years (small health plans have up to 3 years) to
come into compliance with the standards, once adopted. The statute
establishes civil money penalties and criminal penalties for
violations. Act, sections 1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42
U.S.C. 1320d-4(b)), 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 1320d-6).
HHS enforces the civil money penalties, while the U.S. Department of
Justice enforces the criminal penalties.
HIPAA's civil money penalty provision, section 1176(a) of the Act,
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money
penalty, as follows:
(1) IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part [42 U.S.C. Sec. 1320d et seq.] a penalty of not more than
$100 for each such violation, except that the total amount imposed
on the person for all violations of an identical requirement or
prohibition during a calendar year may not exceed $25,000.
(2) PROCEDURES. The provisions of section 1128A [42 U.S.C.
1320a-7a] (other than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the imposition of a civil
money penalty under this subsection in the same manner as such
provisions apply to the imposition of a penalty under such section
1128A.
For simplicity, we refer throughout this preamble to this provision,
the related provisions at section 1128A of the Act, and other related
provisions of the Act, by their Social Security Act citations, rather
than by their U.S. Code citations.
Subsection (b) of section 1176 sets out limitations on the
Secretary's authority to impose civil money penalties and also provides
authority for waiving such penalties. Under section 1176(b)(1), a civil
money penalty may not be imposed with respect to an act that
``constitutes an offense punishable'' under the criminal penalty
provision. Under section 1176(b)(2), a civil money penalty may not be
imposed ``if it is established to the satisfaction of the Secretary
that the person liable for the penalty did not know, and by exercising
reasonable diligence would not have known, that such person violated
the provision.'' Under section 1176(b)(3), a civil money penalty may
not be imposed if the failure to comply was due ``to reasonable cause
and not to willful neglect'' and is corrected within a certain time.
Finally, under section 1176(b)(4), a civil money penalty may be reduced
or entirely waived ``to the extent that the payment of such penalty
would be excessive relative to the compliance failure involved.''
As noted above, HIPAA incorporates by reference certain provisions
of section 1128A of the Act. Those provisions, as relevant here,
establish a number of requirements with respect to the imposition of
civil money penalties. Under section 1128A(c)(1), the Secretary may not
initiate a civil money penalty action ``later than six years after the
date'' of the occurrence that forms the basis for the civil money
penalty. Under section 1128A(c)(2), a person upon whom the Secretary
seeks to impose a civil money penalty must be given written notice and
an opportunity for a determination to be made ``on the record after a
hearing at which the person is entitled to be represented by counsel,
to present witnesses, and to cross-examine witnesses against the
person.'' Section 1128A also provides, at subsections (c), (e), and
(j), respectively, requirements for: service of the notice and
authority for sanctions which the hearing officer may impose for
misconduct in connection with the civil money penalty proceeding;
judicial review of the Secretary's determination in the United States
Court of Appeals for the circuit in which the person resides or
maintains his/its principal place of business; and the issuance of
subpoenas by the Secretary and the enforcement of those subpoenas. In
addition, section 1128A of the Act contains provisions relating to
liability for civil money penalties and how they are dealt with, once
imposed. For example, section 1128A(d) provides that the Secretary must
take into account certain factors ``in determining the amount * * * of
any penalty,'' section 1128A(h) requires certain notifications once a
civil money penalty is imposed, and section 1128A(l) makes a principal
liable for penalties ``for the actions of the principal's agent acting
within the scope of the agency.'' These provisions are discussed more
fully below.
B. Regulatory Background
As noted above, HIPAA requires the Secretary to adopt a number of
national standards to facilitate the exchange, and protect the privacy
and security, of certain health information. The Secretary has already
adopted many of these HIPAA standards by regulation.
Regulations implementing the statutory requirement for the
adoption of standards for transactions and code sets, Health Insurance
Reform: Standards for Electronic Transactions (Transactions Rule), were
published on August 17, 2000 (65 FR 50312), and were modified on
February 20, 2003 (68 FR 8381). The Transactions Rule
became effective on October 16, 2000, with an initial compliance date
of October 16, 2002 for covered entities other than small health plans.
The passage of the Administrative Simplification Compliance Act (ASCA),
Pub. L. 107-105, in 2001 enabled covered entities to obtain an
extension of the compliance date to October 16, 2003 by filing a
compliance plan by October 15, 2002. If a covered entity (other than a
small health plan) did not file such a plan, it was required to comply
with the Transactions Rule by October 16, 2002. All covered entities
were required to be in compliance with the Transactions Rule, as
modified, by October 16, 2003.
Regulations implementing the statutory requirement for the
adoption of privacy standards, Standards for Privacy of Individually
Identifiable Health Information (Privacy Rule), were published on
December 28, 2000 (65 FR 82462). The Privacy Rule became effective on
April 14, 2001. Modifications to simplify and increase the workability
of the Privacy Rule were published on August 14, 2002 (67 FR 53182).
Compliance with the Privacy Rule, as modified, was required by April
14, 2003 for covered entities other than small health plans; small
health plans were required to come into compliance by April 14, 2004.
The Privacy Rule adopted rules relating to compliance and
enforcement. These rules are codified at 45 CFR part 160, subpart C.
Subpart C presently applies only to compliance with, and enforcement
of, the Privacy Rule.
Regulations implementing the statutory requirement for the
adoption of an employer identifier standard, Health Insurance Reform:
Standard Unique Employer Identifier (EIN Rule), were published on May
31, 2002 (67 FR 38009) and became effective on July 30, 2002. The
initial compliance date was July 30, 2004 for most covered entities;
small health plans have until July 30, 2005 to come into compliance.
These regulations were modified on January 23, 2004 (69 FR 3434),
effective the same date.
Regulations implementing the statutory requirement for the
adoption of security standards, Health Insurance Reform: Security
Standards, were published on February 20, 2003 (68 FR 8334), effective
on April 21, 2003. The initial compliance date for covered entities
other than small health plans is April 20, 2005; small health plans
have until April 20, 2006 to come into compliance.
An interim final rule promulgating procedural requirements
for imposition of civil money penalties, Civil Money Penalties:
Procedures for Investigations, Imposition of Penalties, and Hearings
(April 17, 2003 interim final rule), was published on April 17, 2003
(68 FR 18895), was effective on May 19, 2003, with a sunset date of
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The
April 17, 2003 interim final rule adopted a new subpart E of part 160.
The sunset date of the April 17, 2003 interim final rule was extended
to September 16, 2005 on September 15, 2004 (69 FR 55515).
Regulations implementing the requirement to issue
standards for a unique identifier for health care providers, HIPAA
Administrative Simplification: Standard Unique Health Identifier for
Health Care Providers (NPI Rule), were issued on January 23, 2004 (69
FR 3434), effective on May 23, 2005. The compliance date is May 23,
2007 for most covered entities; small health plans have until May 23,
2008 to come into compliance.
In addition to the foregoing regulations implementing the HIPAA
provisions, HHS has adopted two other regulations that are relevant,
for some covered entities, to compliance with those provisions.
Section 3 of the ASCA amended section 1862 of the Act to
require Medicare providers, with certain exceptions, to submit claims
to Medicare electronically (and, thus, in conformity with the
Transactions Rule) by October 16, 2003. Regulations implementing
section 3, Medicare Program: Electronic Submission of Medicare Claims,
were published on August 15, 2003 (68 FR 48805), effective on October
16, 2003.
Regulations implementing the Medicare Prescription Drug
Discount Card program under MMA and the statutory provision that
Medicare prescription drug discount card sponsors are covered entities
under HIPAA, were issued on December 15, 2003 (68 FR 69840), effective
the same date. These rules require such sponsors to comply with the
HIPAA rules when they become sponsors, except and to the extent that
the Secretary temporarily waives the Privacy Rule requirements, and
provides some rules regarding how these entities are to comply with the
HIPAA rules. The Secretary has indicated that he does not anticipate
that it will be necessary to waive the Privacy Rule requirements and
has not done so. 68 FR 69871.
III. General Approach
As the discussion above makes clear, the duty to comply with
certain HIPAA rules is now a reality for all covered entities. The
immediacy of the compliance obligation brings with it the issue of how
these rules will be enforced. Accordingly, we discuss below our general
approach to enforcement, how the rules proposed below would fit in with
the existing components of the Enforcement Rule, and the basic approach
of the proposed rule.
A. HHS's General Approach to Enforcement
One of the Secretary's priorities is ``One HHS'': HHS's public
health and welfare mission and message must be consistent, and HHS
should speak with one voice. Because of the Secretary's One HHS policy
and because there is one statutory provision for imposing civil money
penalties on covered entities that violate the HIPAA rules, there is
one enforcement and compliance policy for the HIPAA rules. We are
committed to promoting and encouraging voluntary compliance with the
HIPAA rules through education, cooperation, and technical assistance.
Many educational and technical assistance materials on HIPAA,
including the HIPAA rules, are already available on HHS's Web sites.
See http://www.hhs.gov/ocr/hipaa for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2
for the other HIPAA rules. We continue to work
on educational and technical assistance materials, including additional
guidance on compliance and enforcement and targeted technical
assistance materials focused on particular segments of the health care
industry. We anticipate developing additional materials relevant to new
HIPAA rules as the need arises.
The authority for administering and enforcing compliance with the
Privacy Rule has been delegated to the HHS Office for Civil Rights
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering
and enforcing compliance with the non-privacy HIPAA rules has been
delegated to the Centers for Medicare & Medicaid Services (CMS). 68 FR
60694 (October 23, 2003).
At present, our compliance and enforcement activities are primarily
complaint-based. Although our enforcement efforts are focused on
investigating complaints, they may also include conducting compliance
reviews to determine if a covered entity is in compliance. When
potential violations come to our attention through a complaint or a
compliance review, OCR or CMS's Office of HIPAA Standards (OHS), as
appropriate, attempts to resolve the matter informally. Many such
matters are resolved at the initial stage of contact. However, even
where a matter is not resolved at this initial stage and the investigation
continues, the matter can still be resolved through voluntary
compliance (for example, by means of a corrective action plan); and OCR
or CMS may provide technical assistance to help the covered entity
achieve compliance. Resolving issues through such informal means is
often the quickest and most effective means of ensuring that the
benefits of the HIPAA rules are realized. However, if we are unable to
obtain compliance effectively on matters within our jurisdiction
through voluntary means, we may seek to impose civil money penalties.
Moreover, matters subject to criminal penalties are referred to the
Department of Justice.
B. HHS's Approach to the Enforcement Rule
The Enforcement Rule would bring together and adopt rules governing
the implementation of the civil money penalty authority of section 1176
of the Act for all of the HIPAA rules. As previously noted, parts of
the Enforcement Rule are already in place: subpart C of part 160
establishes certain investigative procedures for the Privacy Rule, and
subpart E establishes interim procedures for investigations and for the
imposition of, and challenges to the imposition of, civil money
penalties for all of the HIPAA rules. This proposed rule would complete
the Enforcement Rule by addressing, among other issues, our policies
for determining violations and calculating civil money penalties, how
we will address the statutory limitations on the imposition of civil
money penalties, and various procedural issues, such as provisions for
appellate review within HHS of a hearing decision, burden of proof, and
notification of other agencies of the imposition of a civil money
penalty.
In developing these regulations, several principles guided our
choice of policies from among the available options. The Enforcement
Rule should promote voluntary compliance with the HIPAA rules, be clear
and easy to understand, provide consistent results in the interest of
fairness, provide the Secretary with reasonable discretion,
particularly in areas where the exercise of judgment is called for by
the statute or rules, and avoid being overly prescriptive in areas
where it would be helpful to gain experience with the practical impact
of the HIPAA rules, to avoid unintended adverse effects.
With respect to many of the Enforcement Rule's provisions, we were
also mindful that section 1176(a) requires the Secretary to apply the
incorporated provisions of section 1128A to the imposition of a civil
money penalty under section 1176 ``in the same manner as'' they apply
to the imposition of civil money penalties under section 1128A itself.
As we explained in the preamble to the April 17, 2003 interim final
rule, the imposition of civil money penalties under section 1128A is
administered by the HHS Office of the Inspector General (OIG).
Accordingly, the rules proposed below, like those in the current
Subpart E, generally look to the regulations of the OIG that implement
section 1128A, which are codified at 42 CFR parts 1003, 1005, and 1006
(OIG regulations).
The Enforcement Rule does not adopt standards, as that term is
defined and interpreted under HIPAA. Thus, the requirement for industry
consultations in section 1172(c) of the Act does not apply. For the
same reason, HIPAA's time frames for compliance, set forth in section
1175 of the Act, will not apply to the Enforcement Rule, when adopted
in final form.
IV. Provisions of the Proposed Rule
The proposed rule would revise 45 CFR part 160 as follows: it would
revise the existing subpart C, adopt a new subpart D, and revise the
existing subpart E; a minor amendment of subpart A is also proposed.
Subpart A, which contains general provisions, would be amended to
include a definition of ``person.'' Subpart C includes all provisions
that relate to activities for determining compliance, including
investigations and cooperation by covered entities. The proposed
revisions of subpart C are largely technical, incorporating several
provisions currently found in subpart E. We also propose to make
subpart C applicable to the non-privacy HIPAA rules. The new subpart D
would establish rules relating to the imposition of civil money
penalties, including those which apply whether or not there is a
hearing. Subpart D would also incorporate several provisions currently
found in subpart E. Proposed subpart E would address the pre-hearing
and hearing phases of the enforcement process. Many of the provisions
of proposed subpart E were adopted by the April 17, 2003 interim final
rule and would not be substantively changed, although they would, in
general, be renumbered.
Finally, a conforming change to the privacy standards in subpart E
of part 164 is proposed. This conforming change is discussed in
connection with proposed Sec. 160.316 at section IV.B.5 below.
A. Subpart A
We propose to amend Sec. 160.103 to add a definition of the term
``person.'' This would replace the definition of that term adopted by
the April 17, 2003 interim final rule. We propose to place this
definition in Sec. 160.103 so that it applies to all of the HIPAA
rules. The term ``person'' appears throughout the HIPAA rules, and the
definition of the term we propose is a universal one that should work
in each of the contexts in which the term ``person'' occurs. If the
proposed placement would create problems, commenters should bring that
to our attention.
In Sec. 160.502 of the April 17, 2003 interim final rule, we
defined a ``person'' as ``a natural or legal person'' to clarify, in
the context of administrative subpoenas, the distinction between an
entity (defined as a ``legal person'') and natural persons who would
testify on the entity's behalf. The proposed rule would revise and
expand this definition.
The statutory definition of a ``person'' that would otherwise apply
to the HIPAA provisions is found in section 1101(3) of the Act. That
section, which has been in the Act since it was originally enacted in
1935, defines a person as ``an individual, a trust or estate, a
partnership, or a corporation.'' However, Part C of title XI specifies
that the class of ``persons'' to whom the HIPAA standards apply--health
plans, certain health care providers, and health care clearinghouses--
includes certain State and federal programs, which are not included in
the definition of ``person'' in section 1101(3). For example, section
1171(2) defines a health care clearinghouse as a ``public or private''
entity. Under section 1171(3), a ``health care provider'' is defined to
include a provider of services as defined in section 1861(u), for
purposes of the Medicare program. The definition includes hospitals,
which in turn include State or local government-owned hospitals.
Finally, the definition of ``health plan'' in section 1171(5) includes
State and federal health plans: section 1171(5)(A) includes a group
health plan ``as defined in section 2791(a) of the Public Health
Service Act,'' and this definition includes State and local
governmental group health plans; section 1171(5)(E) includes ``the
medicaid program under title XIX,'' which is a State program; and other
provisions of section 1171(5) explicitly include as health plans
various federal health plans, such as Medicare, the Federal Employee
Benefit Health Plan, CHAMPUS, and the program of benefits for veterans.
Section 1176, by its terms, applies to ``any person who violates a
provision of this part.''
Nothing in this language suggests that Congress intended to exempt any
class of covered entities from liability for a civil money penalty
under this section.
Thus, to effectuate Congress's purpose in enacting the HIPAA
provisions, it is necessary to define ``person'' sufficiently broadly
to encompass the entities to which the HIPAA rules apply. The Supreme
Court has recognized that this is a valid approach in appropriate
instances. See, e.g., Lawson v. Suwanee S.S. Co., 336 U.S. 198 (1949).
This proposed approach is also consistent with that taken by the OIG
regulations, the preamble to which explained that it was necessary to
expand the definition of ``person'' in the context of section 1128A of
the Act to include States because of clear Congressional intent to
include them in the class of entities subject to civil money penalties.
48 FR 38837, 38828 (August 26, 1983).
Accordingly, the proposed rule generally tracks the definition of
``person'' in the OIG regulations. In particular, by defining the term
as ``a natural person, trust or estate, partnership, corporation,
professional association or corporation, or other entity, public or
private,'' the proposed rule clarifies, consistent with the HIPAA
provisions, that the term includes States and other public entities.
However, we propose to adapt the language used in the OIG regulations
by substituting the term ``natural person'' for the term ``individual''
in the definition of ``person'' in the OIG regulations. The term
``individual'' is defined in Sec. 160.103 as ``the person who is the
subject of protected health information.'' Since the term
``individual'' has a defined, and narrower, meaning in the HIPAA rules
than it does in the OIG regulations, the proposed rule uses the term
``natural person'' to make the definition of ``person'' have the same
scope as in the OIG regulations.
B. Subpart C--Compliance and Investigations
We propose to amend subpart C to make the compliance and
investigation provisions of the subpart--which at present apply only to
the Privacy Rule--applicable to all of the HIPAA rules. In addition, we
propose to include in subpart C the definitions that apply to subparts
C, D, and E. In accordance with the organizational scheme described
above, we also propose to move to subpart C from subpart E the
provision relating to investigational subpoenas, which is currently
codified at Sec. 160.504. The title of this subpart has also been
changed (from ``Compliance and Enforcement'') to reflect the focus of
this subpart within the larger Enforcement Rule. Finally, we propose to
add to subpart C provisions prohibiting intimidation or retaliation
that are currently found in the Privacy Rule but not in the other HIPAA
rules. Aside from making conforming changes to Sec. 160.312, discussed
at section IV.B.3 below, we propose to leave the substance of the
existing provisions of subpart C unchanged. We solicit comment as to
whether these provisions should be revised and, if so, in what manner.
1. Application of Subpart C to the Non-Privacy HIPAA Rules
Subpart C is intended to provide a cooperative approach to
obtaining compliance, including use of technical assistance and
informal means to resolve disputes, and currently provides as follows.
Section 160.304 provides that the Secretary will, to the extent
practicable, seek the cooperation of covered entities in obtaining
compliance and may provide technical assistance to this end. Section
160.306 provides for the investigation of complaints by the Secretary
and provides requirements relating to the filing of such complaints.
Section 160.308 provides for the conduct of compliance reviews by the
Secretary. Section 160.310 requires covered entities to keep and submit
such records as the Secretary determines are necessary to determine
compliance and cooperate with the Secretary in an investigation or
compliance review. A covered entity must provide access during normal
business hours to its books and records pertinent to ascertaining
compliance; while we think such circumstances are very unlikely ever to
arise, a covered entity is also required, where exigent circumstances
exist, to permit such access at any time and without notice. This
section also provides that the Secretary may disclose protected health
information obtained in the course of an investigation or compliance
review only if necessary for ascertaining or enforcing compliance with
the applicable requirements of the Privacy Rule or if otherwise
required by law. Section 160.312 addresses Secretarial action regarding
complaints and compliance reviews. It provides that where noncompliance
is indicated, the Secretary will attempt to resolve the matter by
informal means wherever possible and provides for certain notifications
to the covered entity (and the complainant, if the matter arose from a
complaint).
At present, subpart C applies only to the Privacy Rule. However, to
simplify, clarify, and reduce the burden of the compliance process for
covered entities, the proposed rule would make this subpart applicable
to the other HIPAA rules as well. A uniform regulatory scheme would
simplify the compliance and enforcement process in the event that a
covered entity violates provisions of more than one HIPAA rule (for
example, where violations of both the Privacy Rule and the Security
Rule are at issue) and is also consistent with the Secretary's ``One
HHS'' policy.
Accordingly, we propose to amend the following sections of subpart
C to make them applicable to all of the HIPAA rules: Sec. 160.300--
Applicability; Sec. 160.304--Principles for achieving compliance;
Sec. 160.306--Complaints to the Secretary; Sec. 160.308--Compliance
reviews; and Sec. 160.310--Responsibilities of covered entities. This
would be accomplished by changing the present references in these
sections from ``subpart E of part 164'' to the more inclusive, defined
term, ``administrative simplification provision'' or ``administrative
simplification provisions,'' as appropriate.
2. Section 160.302--Definitions
Section 160.302 presently states that the terms used in subpart C
that are defined in Sec. 164.501 have the same meaning as defined in
that section. The terms that were initially defined in Sec. 164.501
that would continue to be used in this subpart (``individual,''
``disclose,'' ``protected health information,'' ``use'') have
subsequently been moved to Sec. 160.103. The term ``payment'' is used
in this subpart, but not as defined in Sec. 164.501. Thus, we propose
to delete this text, as it is no longer appropriate.
We propose to move to Sec. 160.302 three definitions that were
adopted in the April 17, 2003 interim final rule at Sec. 160.502:
``ALJ'', ``civil money penalty or penalty'', and ``respondent.'' These
terms are placed at the outset of the provisions that address
compliance and enforcement for clarity, since they are used in more
than one of the subparts that address compliance and enforcement. We do
not discuss these terms, as we do not propose to change them. We
discuss below two new terms which we propose to add to Sec. 160.302
and which are likewise used throughout subparts C, D, and E:
``administrative simplification provision'' and ``violation or
violate.''
[[Page 20229]]
a. ``Administrative Simplification Provision''
Section 1176(a)(1) provides that, except as provided in section
1176(b), the Secretary shall impose ``on any person who violates a
provision of this part a penalty of not more than $100 for each such
violation, except that the total amount imposed on the person for all
violations of an identical requirement or prohibition during a calendar
year may not exceed $25,000.'' (Emphasis added.) Based on this
statutory language, and also taking into account the structures of each
of the HIPAA rules, HHS considered a number of different options for
defining the term ``provision of this part'' in section 1176(a)(1) as
it applies to the HIPAA rules.
The HIPAA rules generally are comprised of standards,
implementation specifications, and requirements and prohibitions.
However, the structure and composition of the HIPAA rules with respect
to these elements vary. The Privacy Rule is generally comprised of
standards that contain implementation specifications and other
requirements or prohibitions. The identifier rules (the EIN Rule and
the NPI Rule) contain standards and implementation specifications, and
all requirements that apply to covered entities are in a standard or an
implementation specification. In the Security Rule, most requirements
are in standards or their related implementation specifications, but
some requirements are freestanding. The Transactions Rule contains
requirements and prohibitions, not all of which are contained in
standards and implementation specifications, and adopts standards that
are also implementation specifications. The provisions of subpart C of
part 160 that apply to covered entities are framed as requirements. The
HIPAA rules are silent as to which of these elements is a ``provision
of this part'' that may be violated and for which civil money penalties
may be assessed.
We propose to define a new term--``administrative simplification
provision''--to express the scope and application of the compliance and
investigation provisions, as well as the enforcement and penalty
provisions. This proposed provision interprets ``provision of this
part'' in section 1176 to refer to any requirement or prohibition
established by the statute or any of the HIPAA rules that are adopted
under the statute.
In determining how to define a ``provision of this part'' that
could be violated, we considered options in light of our goal of
implementing a unified approach with respect to all of the HIPAA rules.
Given the variation in structure of the HIPAA rules, we sought an
approach which would be flexible enough to apply to all the rules but
which would not be too complex. Accordingly, we decided against an
approach that would define the ``provision of this part'' that could be
violated as either any ``standard,'' or any ``implementation
specification,'' or both. These approaches would not have captured
stand-alone requirements or prohibitions--i.e., those requirements and
prohibitions in the HIPAA rules that fall outside of the structure of a
standard or implementation specification. For example, in the
Transactions Rule, the prohibition on a health plan delaying or
rejecting a transaction that is a standard transaction (Sec.
162.925(a)(2)), which implements the statutory prohibition at section
1175(a)(1)(B), is a stand-alone requirement. It would be anomalous to
create an enforcement scheme that, in effect, insulated this provision
from enforcement. These options would also have resulted in complexity
and inconsistency in the application of the Enforcement Rule to each of
the HIPAA rules, given their varied structures with respect to
standards and implementation specifications.
Instead, we propose to define a ``provision of this part'' that can
be violated as any ``requirement or prohibition'' found within the
rules, regardless of whether the requirement or prohibition falls
within a standard, implementation specification, or elsewhere in the
rules. This definition flows directly from the statutory language in
section 1176(a)(1) of the Act, which refers to ``violations of an
identical requirement or prohibition.'' It is also a definition that
can be applied consistently across the HIPAA rules, regardless of how
they are structured or titled. Accordingly, we propose to define the
term ``administrative simplification provision'' in Sec. 160.302 to
mean any requirement or prohibition established by the HIPAA provisions
or HIPAA rules: ``* * * any requirement or prohibition established by:
(1) 42 U.S.C. 1320d-1320d4, 1320d-7, and 1320d-8; (2) Section 264 of
Pub. L. 104-191; or (3) This subchapter.'' This definition would
include those provisions in subpart C which apply to covered entities.
b. ``Violation'' or ``Violate''
Building on this proposed definition of ``administrative
simplification provision,'' we propose to define a ``violation'' (or
``to violate'') to mean a ``failure to comply with an administrative
simplification provision.'' Like the proposed definition of
``administrative simplification provision,'' the proposed definition of
``violation'' flows directly from the statutory language: subsections
(b)(3) and (b)(4) of section 1176 equate a ``violation'' with a
``failure to comply.'' The proposed definition is likewise one that can
be applied consistently across the HIPAA rules. This proposed
definition would make no distinction between commissions and
omissions--that is, a violation occurs when a covered entity fails to
take an action required by a HIPAA rule, as well as when a covered
entity takes an action prohibited by a HIPAA rule.
3. Section 160.312--Secretarial Action Regarding Complaints and
Compliance Reviews
Section 160.312(a) currently provides that the Secretary will
inform the covered entity and the complainant, if applicable, if an
investigation or compliance review indicates a failure to comply and
attempt to resolve the matter by informal means whenever possible. If
the Secretary determines that the matter cannot be resolved by informal
means, the Secretary may issue findings to the covered entity and, if
applicable, the complainant.
Like the current Sec. 160.312(a), proposed Sec. 160.312(a)(1)
provides that, where noncompliance is indicated, the Secretary would
seek to reach a resolution of the matter satisfactory to the Secretary
by informal means. Informal means would include demonstrated
compliance, or a completed corrective action plan or other agreement.
Under this provision, entering into a corrective action plan or other
agreement would not, in and of itself, resolve the noncompliance;
rather, the full performance by the covered entity of its obligations
under the corrective action plan or other agreement would be necessary
to resolve the noncompliance.
Proposed Sec. Sec. 160.312(a)(2) and (3) address what
notifications will be provided by the Secretary where noncompliance is
indicated, based on an investigation or compliance review. Notification
under this paragraph would not be required where the only contacts made
were with the complainant, to determine whether the complaint warrants
investigation. Paragraph (a)(2) provides for written notice to the
covered entity and, if the matter arose from a complaint, the
complainant, where the matter is resolved by informal means. If the
matter is not resolved by informal means, paragraph (a)(3)(i) requires
the Secretary to so inform the covered entity and provide the covered
entity an opportunity to submit written evidence of any mitigating
factors or affirmative defenses for consideration under Sec. Sec.
160.408 and 160.410; the covered entity must submit any such evidence
to the Secretary within 30 days of receipt of such notification.
Paragraph (a)(3)(ii) would revise the current Sec. 160.312(a)(2) to
avoid confusion with the notice of proposed determination process
provided for at proposed Sec. 160.420. Where a matter is not resolved
by informal means and the Secretary finds that imposition of a civil
money penalty is warranted, the formal finding would be contained in
the notice of proposed determination issued under proposed Sec.
160.420. See also the discussion at section V.J below.
Paragraph (b) of the current Sec. 160.312 provides that if the
Secretary finds after an investigation or compliance review that no
further action is warranted, the Secretary will so inform the covered
entity and, if the matter arose from a complaint, the complainant. This
section does not apply where no investigation or compliance review has
been initiated, such as where a complaint has been dismissed due to
lack of jurisdiction. Paragraph (b) would remain largely unchanged.
4. Section 160.314--Investigational Subpoenas and Inquiries
The text of Sec. 160.314 was adopted by the April 17, 2003 interim
final rule as Sec. 160.504. We propose to move this section to subpart
C, consistent with our overall approach of organizing subparts C, D,
and E to reflect the stages of the enforcement process. Since the
investigational subpoenas and inquiries occur prior to the imposition
of a civil money penalty, we propose to move the rules relating to them
to subpart C, where other rules related to this stage of the process
are located. This organizational arrangement should facilitate use of
the Rule by covered entities and others.
One substantive change is proposed to paragraph (a). We would add
to the introductory language of this paragraph a sentence which states
that, for the purposes of paragraph (a), a person other than a natural
person is termed an ``entity.'' This permits us to avoid creating a
definition of the term ``entity'' that would have a broader application
and might be incorrect in other contexts, but preserves the utility of
the definition in this specific context. The term ``entity'' would no
longer be a defined term for the rest of the Rule, unlike the approach
taken in Sec. 160.502 of the April 17, 2003 interim final rule.
Proposed paragraphs (b)(1), (2) and (8) are unchanged from the
current paragraphs (b)(1)--(3) of Sec. 160.504. We propose to add new
paragraphs (3) through (7) and (9) to Sec. 160.314(b) and also to add
a new paragraph (c). Together, these additions would clarify the manner
in which investigational inquiries will be conducted, and how testimony
given, and evidence obtained, during such an investigation may be used.
The new paragraphs are based upon similar provisions in 42 CFR
1006.4. Proposed Sec. Sec. 160.314(b)(3)--(7) describe the rights of
the Secretary and the witness in the inquiry process: representatives
of the Secretary are entitled to attend and ask questions, a witness
may clarify his or her answers on the record following questioning by
the Secretary, the witness must place any claim of privilege on the
record, what requirements apply to the assertion of objections, and
under what circumstances and how the Secretary may seek enforcement of
the subpoena. Proposed Sec. 160.314(b)(8) (currently Sec.
160.504(b)(3) and which, as noted above, has not changed) recognizes
that investigational inquiries are non-public proceedings. Accordingly,
a witness's right to retain a copy of the transcript of his or her
testimony may be limited for good cause (5 U.S.C. 555(c)). Proposed
Sec. 160.314(b)(9) explains what would happen in such a case: The
witness would nonetheless be entitled to inspect the transcript and to
propose any corrections. If the witness is provided a copy of the
transcript, paragraph (b)(9)(i) would provide for the opportunity to
review the transcript and offer proposed corrections. This provision is
consistent with the practice under Rule 30(e) of the Federal Rules of
Civil Procedure (F.R.C.P.). Paragraph (b)(9)(ii) would allow the
Secretary to attach corrections to the transcript of a witness's
testimonial interview if the record transcribing the interview is
incorrect. Consistent with the practice under the OIG regulations, this
provision would not permit the Secretary to propose substantive changes
to the witness's testimony.
Proposed Sec. 160.314(c) provides that, consistent with Sec.
160.310, testimony and other evidence obtained in an investigational
inquiry may be used by HHS in any of its activities and may be used or
offered into evidence in any administrative or judicial proceeding.
This provision follows Sec. 1006.4(h) of the OIG regulations, but is
tailored to be consistent with the existing Sec. 160.310(c)(3). Under
this provision, evidence obtained in an investigational inquiry could
be used in any of HHS's activities and could be used or offered into
evidence in any administrative or judicial proceeding, except to the
extent it consists of protected health information. Evidence that is
protected health information may be disclosed only ``if necessary for
ascertaining or enforcing compliance with the applicable administrative
simplification provisions, or if otherwise required by law,'' as
provided at Sec. 160.310(c).
5. Section 160.316--Refraining From Intimidation or Retaliation
Proposed Sec. 160.316 would prohibit covered entities from
threatening, intimidating, coercing, discriminating against, or taking
any other retaliatory action against individuals or other persons
(including other covered entities) who complain to HHS or otherwise
assist or cooperate in the enforcement processes created by this rule.
This provision is taken from Sec. 164.530(g)(2) of the Privacy Rule,
with only minor changes designed to adapt the provision to the new
subparts which this rule would add. The intent of this addition to
subpart C is to make these non-retaliation provisions applicable to all
of the HIPAA rules, not just the Privacy Rule. The placement of these
provisions in subpart C accomplishes this.
Section 164.530(g) would retain existing provisions which provide
that a covered entity may not intimidate, threaten, coerce,
discriminate against, or take other retaliatory action against an
individual for exercising his or her rights or for participating in any
process established by the Privacy Rule, including filing a complaint
with a covered entity. A conforming change to Sec. 164.530(g) of the
Privacy Rule is proposed, to cross-reference proposed Sec. 160.316.
As with other provisions of subpart C that impose requirements or
prohibitions on covered entities, the provisions of Sec. 160.316 are
``administrative simplification provisions.'' Thus, a violation of a
requirement or prohibition of this section would be a basis for
imposition of a civil money penalty.
C. Subpart D--Imposition of Civil Money Penalties
Proposed subpart D addresses the issuance of a notice of proposed
determination to impose a civil money penalty and other events that
would be relevant thereafter, whether or not a hearing follows the
issuance of the notice of proposed determination. This subpart also
would contain provisions on identifying violations, determining the
number of violations, calculating civil money penalties for such
violations, and establishing affirmative
defenses to the imposition of civil money penalties. It would, thus,
implement the provisions of section 1176, as well as related provisions
of section 1128A. As noted above, many provisions of the Rule are based
in large part upon the OIG regulations, but, as with subpart E, we
propose to adapt the OIG language to reflect issues presented by, or
the authority underlying, the HIPAA rules.
1. Section 160.402--Basis for a Civil Money Penalty
Proposed Sec. 160.402(a) would require the Secretary to impose a
civil money penalty on any covered entity which the Secretary
determines has violated an administrative simplification provision,
unless the covered entity establishes that an affirmative defense, as
provided for by Sec. 160.410, exists. See the discussion at section
IV.C.3 below. This provision is based on the language in section
1176(a) that ``* * * the Secretary shall impose on any person who
violates a provision of this part a penalty * * *''. This proposed
provision interprets ``provision of this part'' in section 1176(a)(1)
to refer to any requirement or prohibition established by the statute
or any of the HIPAA rules that are adopted under the statute. See the
discussion of the definitions of ``administrative simplification
provision'' and ``violation'' in section IV.B.2 above.
The use of the term ``shall impose'' in section 1176(a) is more
than a mere conveyance of authority to the Secretary to impose a
penalty for a violation of an administrative simplification provision.
If the Secretary finds in a notice of proposed determination that a
covered entity has violated an administrative simplification provision,
he is required to impose a penalty unless a basis for not imposing the
penalty under section 1176 exists. Section 1176(a) does not limit the
Secretary's discretion to encourage a covered entity to come into
compliance voluntarily, to close a case without issuing a notice of
proposed determination if voluntary compliance is obtained, or to set
the amount of the penalty below the statutory caps. Nor does section
1176(a) limit the Secretary's discretion to settle any matter,
including cases in which a civil money penalty has been proposed or
which are in hearing. The first sentence of section 1128A(f) of the
Act, which is incorporated by reference in section 1176, states, in
part, ``Civil money penalties * * * imposed under this section may be
compromised by the Secretary * * *''. Therefore, the Secretary may
settle a case even after a civil money penalty has been proposed.
a. Section 160.402(b)--Violations by More than One Covered Entity
The proposed rule includes a provision, at Sec. 160.402(b), that
addresses what would happen if multiple covered entities were
responsible for violating a HIPAA provision. Proposed Sec.
160.402(b)(1) provides that, except with respect to covered entities
that are members of an affiliated covered entity, if the Secretary
determines that more than one covered entity was responsible for
violating an administrative simplification provision, the Secretary
will impose a civil money penalty against each such covered entity.
Proposed Sec. 160.402(b)(2) provides that each covered entity that is
a member of an affiliated covered entity would be jointly and severally
liable for a civil money penalty for a violation by the affiliated
covered entity.
Proposed Sec. 160.402(b)(1) is based on a similar provision in the
OIG regulations at 42 CFR 1003.102(d). It differs from the OIG
provision in that this proposed provision requires the imposition of a
penalty on each covered entity that the Secretary determines has
violated an administrative simplification provision, rather than giving
the Secretary discretion to determine whether to impose a civil money
penalty on one or all. This is based on the statutory language in
section 1176(a) which states that the Secretary ``* * * shall impose a
penalty * * *'' when there is a determination that an entity has
violated a HIPAA provision. As discussed above, the language in the
statute mandates the imposition of a penalty in appropriate situations
where there has been a finding of a violation. However, nothing in this
section would limit the Secretary's ability to exercise enforcement
discretion to investigate only one covered entity, to encourage one or
more covered entities to come into compliance, to close a case against
one or more covered entities without issuing a notice of proposed
determination if voluntary compliance is obtained, or to set the amount
of the penalty differently for each covered entity when multiple
covered entities are responsible for violating an administrative
simplification provision, to the extent section 1176 and this Rule
would allow.
With the exception of affiliated covered entity arrangements, this
provision may apply to any two covered entities, including, but not
limited to, those that are part of a joint arrangement, such as an
organized health care arrangement. The determination of whether or not
an entity is responsible for the violation would be based on the facts.
Simply being part of a joint arrangement would not, in and of itself,
make a covered entity responsible for a violation by another entity in
the joint arrangement, although it may be a factor considered in the
analysis.
Proposed Sec. 160.402(b)(2) provides that each covered entity that
is a member of an affiliated covered entity would be jointly and
severally liable for a civil money penalty for a violation by the
affiliated covered entity. An affiliated covered entity is a group of
covered entities under common ownership or control, which have elected
to be treated as if they were one covered entity for purposes of
compliance with the Security and Privacy Rules. See 45 CFR 164.105(b).
Electing to become an affiliated covered entity may reduce the
administrative burden and create certain efficiencies with respect to
compliance. There is no requirement to form an affiliated covered
entity; the entities that choose to form an affiliated covered entity
must designate themselves as such and must document the designation in
writing.
The December 2000 Privacy Rule stated as follows with respect to
the liability of the component covered entities of an affiliated
covered entity: ``The covered entities that together make up the
affiliated covered entity are separately subject to liability under
this rule.'' 65 FR 82503. We clarify this language in the proposed
rule. Under proposed Sec. 160.402(b)(2), each covered entity that is a
member of an affiliated covered entity would be jointly and severally
liable for a civil money penalty for a violation by the affiliated
covered entity. This means that we could enforce a violation of the
Security Rule or Privacy Rule by an affiliated covered entity against
any covered entity member of the affiliated covered entity separately
or against all of the covered entity members of the affiliated covered
entity jointly. The reason for joint and several liability is that the
affiliated covered entity is treated, under the Security and Privacy
Rules, as one entity. Thus, it may be impossible to know or prove which
covered entity within an affiliated covered entity is responsible for a
violation, particularly in the case of a failure to act. For example,
if an affiliated covered entity fails to appoint a privacy official as
required by Sec. 164.530(a)(1)(i), it may be impossible to identify
one entity as responsible for the omission.
Proposed Sec. 160.402(b)(2) differs from proposed Sec.
160.402(b)(1) in two ways. First, no covered entity in an affiliated
covered entity could avoid a civil money penalty by demonstrating that
it
was not responsible for the act or omission constituting the violation
or that another covered entity member of the affiliated covered entity
was the culpable entity. Second, the maximum penalty that could be
imposed on all members of the affiliated covered entity for identical
violations in a calendar year would be the maximum allowed for one
covered entity--$25,000. By contrast, under Sec. 160.402(b)(1), if
more than one covered entity were responsible for a violation of an
administrative simplification provision, each covered entity would be
treated as separately violating the provision, and each could be
assessed the maximum penalty of $25,000 in a calendar year for
sufficient identical violations.
b. Section 160.402(c)--Violations Attributed to a Covered Entity
Under section 1176(a)(2), ``the provisions of section 1128A * * *
shall apply to the imposition of a civil money penalty under [HIPAA] in
the same manner as such provisions apply to the imposition of a penalty
under such section 1128A.'' Section 1128A(l) of the Act addresses the
liability of a covered entity for violations committed by an agent. It
states that ``a principal is liable for penalties * * * under this
section for the actions of the principal's agents acting within the
scope of the agency.'' This is similar to the traditional rule of
agency in which principals are vicariously liable for the acts of their
agents acting within the scope of their authority. See Meyer v. Holley,
537 U.S. 280 (2003). The preamble to the December 2000 Privacy Rule
discussed the applicability of section 1128A(l) as follows:
we note that section 1128A(l) of the Social Security Act, which
applies to the imposition of civil monetary penalties under HIPAA,
provides that a principal is liable for penalties for the actions of
its agent acting within the scope of the agency. Therefore, a
covered entity will generally be responsible for the actions of its
employees such as where the employee discloses protected health
information in violation of the regulation.
65 FR 82603.
We clarify in proposed Sec. 160.402(c) that, in the context of the
HIPAA rules, this means that a covered entity generally can be held
liable for a civil money penalty based on the actions of any agent,
including an employee or other workforce member, acting within the
scope of the agency or employment. A business associate will often be
an agent of a covered entity, but, as discussed below, a covered entity
that complies with the HIPAA rules governing business associates will
not be held liable for a business associate's actions that violate the
rules.
i. Federal Common Law of Agency
A principal's liability for the actions of its agents is generally
governed by State law. However, the Supreme Court has provided that the
federal common law of agency may be applied where there is a strong
governmental interest in nationwide uniformity and a predictable
standard and when the federal rule in question is interpreting a
federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998).
Here, there is a strong interest in nationwide uniformity. The
fundamental goal of the HIPAA provisions is to achieve standardization
of certain health care transactions, to standardize certain security
practices, and to set a federal floor of privacy practices, in order to
increase the efficiency and effectiveness of the health care system.
Therefore, it is essential for HHS to apply one consistent body of law
regardless of where an action is brought. The same considerations
support a strong federal interest in the predictable operation of the
standards, to ensure that the various covered entities operating
thereunder can do so consistently so as to facilitate the legitimate
exchange of information. Finally, the HIPAA rules interpret a federal
statute, the HIPAA provisions. Thus, the tests for application of the
federal common law of agency are met here. Accordingly, proposed Sec.
160.402(c) contains specific language to make clear that the federal
law of agency applies.
Where the federal common law of agency applies, the courts often
look to the Restatement (Second) of Agency (1958) (Restatement) as a
basis for explaining the common law's application. While the
determination of whether an agent is acting within the scope of its
authority must be decided on a case-by-case basis, the Restatement
provides guidelines for this determination. Section 229 of the
Restatement provides:
(1) To be within the scope of the employment, conduct must be of
the same general nature as that authorized, or incidental to the
conduct authorized.
(2) In determining whether or not the conduct, although not
authorized, is nevertheless so similar to or incidental to the
conduct authorized as to be within the scope of employment, the
following matters of fact are to be considered:
(a) Whether or not the act is one commonly done by such
servants;
(b) The time, place and purpose of the act;
(c) The previous relations between the master and the servant;
(d) The extent to which the business of the master is
apportioned between different servants;
(e) Whether or not the act is outside the enterprise of the
master or, if within the enterprise, has not been entrusted to any
servant;
(f) Whether or not the master has reason to expect that such an
act will be done;
(g) The similarity in quality of the act done to the act
authorized;
(h) Whether or not the instrumentality by which the harm is done
has been furnished by the master to the servant;
(i) The extent of departure from the normal method of
accomplishing an authorized result; and
(j) Whether or not the act is seriously criminal.
In some cases, under federal agency law, a principal may be liable
for an agent's acts even if the agent acts outside the scope of its
authority. Rest. 2nd Agency Sec. 219(2). However, proposed Sec.
160.402(c) would follow section 1128A(l), which limits liability for
the actions of an agent to those actions that are within the scope of
the agency.
ii. Agents
Various categories of persons may be agents of a covered entity.
These are workforce members, business associates, and others.
``Workforce'' is defined as ``employees, volunteers, trainees, and
other persons whose conduct, in the performance of work for a covered
entity, is under the direct control of such entity, whether or not they
are paid by the covered entity.'' 45 CFR 160.103. Because of the
``direct control'' language of the rule, we believe that all workforce
members, including those who are not employees, are agents of a covered
entity. This conclusion is consistent with the requirements at
Sec. Sec. 164.308(a)(5) and 164.530(b) for a covered entity to train
all workforce members and with the requirement at Sec. 164.514(d)(2)
for a covered entity to adopt minimum necessary policies and procedures
for use of protected health information by all workforce members. The
workforce may include an independent contractor; as explained in the
preamble to the Privacy Rule, independent contractors ``may or may not
be workforce members.'' 65 FR 82480. Under the proposed rule, a covered
entity could be liable for a civil money penalty for a violation by any
workforce member, whether an employee, contractor, volunteer, trainee,
etc., acting within the scope of his or her employment or agency. We
specifically request comment on whether there are categories of
workforce members whom it would be
[[Page 20233]]
inappropriate to treat as agents under Sec. 160.402(c).
The definition of the term ``business associate,'' set forth at
Sec. 160.103, includes any agents of a covered entity, other than
members of its workforce, that perform on its behalf any function or
activity regulated by the HIPAA rules or perform certain specified
services for the covered entity that involve the use or disclosure of
protected health information. Under the Security and Privacy Rules, the
covered entity may disclose protected health information to the
business associate, and allow the business associate to create or
receive protected health information on its behalf, if the covered
entity complies with relevant requirements to obtain satisfactory
assurances that the business associate will appropriately safeguard the
information. In particular, Sec. Sec. 164.308(b) and 164.502(e) of the
HIPAA rules require covered entities using the services of business
associates to obtain satisfactory assurances, by a written contract or
other arrangement, that the business associate will safeguard the
protected health information. If the covered entity complies with these
requirements, then it can protect itself from what could otherwise be
liability for actions of its agent business associates that violate the
HIPAA rules. As specified in Sec. Sec. 164.314(a)(1)(ii) and
164.504(e)(1)(ii), even if a covered entity knows of a pattern of
activity or practice by the business associate that constitutes a
material breach or violation of the business associate's obligations
under the contract, the covered entity will not be considered to be in
violation of the regulations if it takes certain actions. If the
covered entity fails to take these steps, however, it is outside the
safe harbor provided by the Security and Privacy Rules and may be
subject to penalty.
Some business associates are also covered entities. Health care
clearinghouses are one example of this situation, but a covered health
care provider or a health plan may also act as a business associate of
another covered entity. The business associate provisions of the
Security and Privacy Rules provide that where one covered entity acts
as the business associate of another covered entity and violates the
satisfactory assurances it provided as a business associate, it is
separately liable for violation of the business associate provisions of
the Security and Privacy Rules. See Sec. Sec. 164.308(b)(3) and
164.502(e)(1)(iii). If the act or omission that resulted in a breach of
the business associate contract by the covered entity business
associate would also constitute a violation of an underlying provision
of the Security or Privacy Rule by that covered entity business
associate, it would be in violation of the underlying provision as
well.
To make this proposed rule consistent with the business associate
provisions of the HIPAA rules, the proposed rule would carve out from
the provision for vicarious liability those actions by a business
associate that would be shielded by the business associate provisions
of the Security and Privacy Rules. Thus, a covered entity that is in
compliance with the business associate provisions of the Security and
Privacy Rules would not be liable for a violation of those rules by the
business associate, even though the business associate is the covered
entity's agent and was acting within the scope of its agency when it
violated the rule. We recognize that in many cases, a business
associate contract may establish an agency relationship. However, there
may also be situations in which the business associate may not be an
agent. For example, the Privacy Rule permits a covered entity to rely,
if such reliance is reasonable, on the request of a professional who is
a business associate as the minimum necessary. This suggests that a
business associate may not always be sufficiently under the direct
control of the covered entity to qualify as an agent.
HHS has issued guidance stating that a covered entity is not
required to monitor the activities of its business associate:
The HIPAA Privacy Rule requires covered entities to enter into
written contracts or other arrangements with business associates
which protect the privacy of protected health information; but
covered entities are not required to monitor or oversee the means by
which their business associates carry out privacy safeguards or the
extent to which the business associate abides by the privacy
requirements of the contract. Nor is the covered entity responsible
or liable for the actions of its business associates. However, if a
covered entity finds out about a material breach or violation of the
contract by the business associate, it must take reasonable steps to
cure the breach or end the violation, and, if unsuccessful,
terminate the contract with the business associate. If termination
is not feasible (e.g., where there are no other viable business
alternatives for the covered entity), the covered entity must report
the problem to the Department of Health and Human Services Office
for Civil Rights.
FAQ Answer ID 236 at http://www.hhs.gov/ocr/hipaa, entitled ``Is a
covered entity liable for, or required to monitor, the actions of its
business associates?'' (Click on the link for Answers to Your
Frequently Asked Questions, and then select and search on the
subcategory for Business Associates.) Proposed Sec. 160.402(c) is
consistent with this guidance. If the covered entity complies with the
applicable business associate provisions, the covered entity will not
be held liable for the actions of its business associate.
Concomitantly, if the covered entity fails to comply with those
provisions, such as by not entering into the requisite arrangements or
contracts, or by not taking reasonable steps to cure the breach or end
the violation, it could be held liable under proposed Sec. 160.402(c)
for the actions of its business associate agent.
2. Sections 160.404, 160.406, 160.408--Calculation of Penalties
a. Section 160.404--Amount of a Civil Money Penalty
Section 1176(a)(1) establishes maximum penalty amounts for
violations. The statute provides a maximum penalty of ``not more than
$100'' for each violation (see section IV.B.2 above for the discussion
of ``violation''), and the penalty imposed on a covered entity ``for
all violations of an identical requirement or prohibition during a
calendar year may not exceed $25,000.''
The statute establishes only maximum penalty amounts, so the
Secretary has the discretion to impose penalties that are less than the
statutory maximum. This proposed regulation would not establish minimum
penalties. Under proposed Sec. 160.404(a), the penalty amount would be
determined through the method provided for in proposed Sec. 160.406,
using the factors set forth in proposed Sec. 160.408, and subject to
the statutory caps reflected in proposed Sec. 160.404(b) and any
reduction under proposed Sec. 160.412.
Proposed Sec. 160.404 would follow the language of the statute and
establish the maximum penalties for a violation and for identical
violations during a calendar year, as set forth in the statute--up to
$100 per violation and up to $25,000 for identical violations in a
calendar year. Proposed Sec. 160.404(b) makes clear that the term
``calendar year'' means the period from January 1 through the following
December 31.
An identical violation is a violation of the same requirement or
prohibition in one of the HIPAA rules or in the statute. It is based on
the provision of the regulation or statute that has been violated and
not on whether the violations relate to the same individual's protected
health information, the same transaction, or are with the same trading
partner. For example, assume that a health plan includes in its trading
partner
[[Page 20234]]
agreements a provision that requires the submission of a data element
that is not included in the implementation guides for transactions
covered by the agreement and requires 7,500 different trading partners
to sign such agreements in a calendar year. Inclusion of the provision
violates Sec. 162.915(b), which prohibits covered entities from
entering into a trading partner agreement which adds any data element
or segments to the maximum defined data set. If the penalty is assessed
at $100/violation, the total penalty for all such violations would
amount to $750,000 ($100 x 7500). However, the maximum penalty that may
be assessed for the calendar year for those violations is $25,000,
because they all relate to the same prohibition. This is the case even
though the violations involve 7,500 different trading partners.
b. Section 160.404(b)(2)--Violations of Repeated or Overlapping
Provisions in a HIPAA Rule
Some requirements or prohibitions in the provisions of a HIPAA rule
may be repeated in, or may overlap, other provisions in the same rule.
We propose Sec. 160.404(b)(2) to make clear that a violation of a more
specific requirement or prohibition, such as one contained within an
implementation specification, is not also counted, for purposes of
determining civil money penalties, as an automatic violation of a
broader requirement or prohibition that entirely encompasses the more
specific one, in that such duplicative requirements generally reflect
considerations of drafting and not of substance. Under this proposal,
the Secretary could impose a civil money penalty for violation of
either the general or the specific requirement, but not both.
For example, if, after the applicable compliance date for the
Security Rule, a covered entity violates the requirement to implement
policies and procedures for facility access controls at Sec.
164.310(a)(1), the covered entity will also have violated the Security
Rule's provision at Sec. 164.316(a), which is the general standard
requiring the implementation of policies and procedures. Similarly, if
a covered entity fails to implement minimum necessary policies and
procedures for uses of protected health information as required by the
implementation specification at Sec. 164.514(d)(2) of the Privacy
Rule, the covered entity also has violated the minimum necessary
standard at Sec. 164.514(d)(1), which requires compliance with the
implementation specification. In these two examples, the proposed
provision would treat the act or omission as a violation of only one of
the identified administrative simplification provisions, not both, for
purposes of imposing civil money penalties.
Proposed Sec. 160.404(b)(2) would not apply where a covered
entity's action results in violations of multiple, differing
requirements or prohibitions within the same HIPAA rule, however. The
following is an example: due to inadequate safeguards, a covered entity
uses protected health information in a manner prohibited by the Privacy
Rule. Civil money penalties may be imposed on the covered entity for
its violation of the use provision in Sec. 164.502(a), as well as for
its violation of the safeguards requirement in Sec. 164.530(c).
Proposed Sec. 160.404(b)(2) would also not apply where a covered
entity's action may result in a violation of more than one HIPAA rule;
for example, failure to adopt administrative safeguards may violate
both the Privacy Rule (Sec. 164.530(c)) and the Security Rule (Sec.
164.308). In such a case, more than one regulatory standard has been
violated, and the Secretary may assess a penalty under both HIPAA
rules. The proposed provision is limited to duplicate provisions in the
same subpart, or HIPAA rule, and would not apply to limit civil money
penalties for violations of more than one HIPAA rule.
Proposed Sec. 160.404(b)(2) would also not preclude assessing
civil money penalties for multiple violations of an identical
requirement or prohibition.
c. Section 160.406--Number of Violations
As stated above, section 1176(a) provides a maximum penalty for
identical violations by a covered entity in a calendar year. However,
in many cases, it may not be clear exactly how to quantify the number
of violations. Furthermore, the types of requirements and prohibitions
vary among and within the HIPAA rules--for example, requirements to
adopt policies and procedures versus requirements to conduct
transactions in standard format.
There are various possible measures, or variables, that can be used
to count violations, and different laws use one or multiple approaches.
See, e.g., 42 CFR part 488, subpart F. In the context of the HIPAA
rules, there are three basic variables that seem reasonable to use in
calculating the number of violations that have occurred--(1) the number
of impermissible actions or failures to take required actions, (2) the
number of persons involved, and (3) the amount of time during which the
violation occurred.
i. Variables
Actions--The number of violations could be based on the number of
times a covered entity takes a prohibited action (commission) or the
number of times a covered entity fails to take a required action
(omission). The ``action'' variable seems likely to be a workable
variable for determining the number of violations where the acts in
question are discrete and/or repetitive, such as could be the case with
the Transactions Rule. However, the ``action'' variable may have a very
different result in other circumstances. For example, if a covered
entity fails to implement a required policy, there is only one failure
to act, and, therefore, using this variable, the number of violations
of the requirement would be one, even though such a failure to act
might have extended over a long period of time, be intentional, and
have serious consequences for other entities or individuals. Thus, the
``action'' variable might not be appropriate in many circumstances.
Persons--The number of violations could be measured in terms of the
number of persons involved or affected. Persons may be natural persons
or entities, and violations could be counted in terms of one of four
categories of persons.
(a) Individuals who are the subject of protected health
information--for example, the number of individuals who did not receive
access to their records.
(b) Employees for whom the covered entity has an obligation--
for example, the number of employees who improperly took one or more
impermissible actions, such as improperly using protected health
information.
(c) Persons who receive information in violation of the
rules--for example, the number of employees who have access to
protected health information but who should not have such access,
either in violation of the covered entity's minimum necessary policies
or in violation of its access control security procedures.
(d) Other persons affected by the violation--for example, the
number of providers affected by an impermissible health plan
requirement that providers use codes not permitted under subpart J of
the Transactions Rule.
Using the ``person'' variable to determine the number of violations
of a HIPAA rule may or may not be an appropriate approach, depending on
the purpose of the regulatory provision. For example, counting by the
``person'' variable may not be appropriate for
[[Page 20235]]
purposes of counting violations of most of the Transactions Rule
requirements.
Time--When violations are continuous, they could be calculated in
terms of a unit of time, such as calendar days. For example, inclusion
of a term in a trading partner agreement that is not permitted by Sec.
162.915 would be one action, if counted as an action, but, if counted
by time, the number of violations would depend on how long the
impermissible agreement was in effect and what unit of time was applied
to count the number of violations. However, using a time variable makes
less sense for violations that are distinct and repetitive, such as
many Transactions Rule violations would be. For example, if a covered
entity conducted 3000 transactions that were not in standard form over
a two-day period and another covered entity conducted two transactions
that were not in standard form over a two-day period, each set of facts
would result in two violations under a ``per day'' approach.
ii. Determining the Number of Violations
Proposed Sec. 160.406 would establish the general rule that the
Secretary will determine the number of violations of an identical
requirement or prohibition by a covered entity by applying any of the
variables of action, person, or time, as follows: (1) The number of
times the covered entity failed to engage in required conduct or
engaged in a prohibited act; (2) the number of persons involved in, or
affected by, the violation; or (3) the duration of the violation,
counted in days (because many of the HIPAA requirements are in terms of
days, this seems to be the most appropriate unit of time to use).
Paragraph (a) of this section would require the Secretary to determine
the appropriate variable or variables for counting the number of
violations based on the specific facts and circumstances related to the
violation, and take into consideration the underlying purpose of the
particular HIPAA rule that is violated. More than one variable could be
used to determine the number of violations (for example, the number of
people affected times the time (number of days) over which the
violation occurred). Because of the range of circumstances that can be
presented in determining the number of violations and the very
different nature of the HIPAA rules that may be implicated by those
violations, the Secretary would have discretion in determining which
variable or variables were appropriate for determining the number of
violations rather than being required to use a rigid formula, which
could produce arbitrary results. Under this proposal, the policy for
determining which variable(s) to use for which type of violation would
be developed in the context of specific cases rather than established
by regulation. Subsequent cases would be decided consistently with
prior similar cases. This option would defer more specific decisions
regarding the appropriate variable(s) for counting penalties to such
time as a case raising the HIPAA provision occurs.
Several approaches were considered in deciding how to determine the
number of violations:
(1) Use one variable for all of the HIPAA rules. While this
approach has greater consistency, the variation among the rules in
terms of their types of requirements and prohibitions makes it
difficult to identify one variable that would work equally well in each
rule.
(2) Use one variable or approach for each individual HIPAA
rule. This approach would also have greater consistency and certainty.
However, it would not address the variations within HIPAA rules and
could be confusing when a covered entity violated more than one rule.
(3) Categorize requirements and prohibitions and assign
variables to each. This approach would increase certainty and
consistency across all of the HIPAA rules but would likely result in a
complex scheme that might operate unfairly.
After weighing the advantages and disadvantages of each approach,
it was determined that it would be preferable to determine the
appropriate variable(s) for particular types of violations based on the
context of a specific case. We welcome comments on this approach, the
options that were considered, and other potential options for
determining the number of violations.
d. Section 160.408--Factors Considered in Determining the Amount of a
Civil Money Penalty
Section 1176(a)(2) states that, with some exceptions, the
provisions of section 1128A of the Act shall apply to the imposition of
a civil money penalty under section 1176 ``in the same manner as'' such
provisions apply to the imposition of a civil money penalty under
section 1128A. Section 1128A(d) requires that--
in determining the amount of * * * any penalty, * * * the Secretary
shall take into account--
(1) The nature of the claims and the circumstances under which
they were presented,
(2) The degree of culpability, history of prior offenses and
financial condition of the person presenting the claims, and
(3) Such other matters as justice may require.
This language establishes factors to be considered in determining
the ultimate amount of a civil money penalty. Because section 1176
requires that civil money penalties be imposed in the same manner as
civil money penalties are imposed under section 1128A, such factors
should be applied to determining the amount of a civil money penalty
for HIPAA violations. This approach is consistent with the approach
taken in other regulations that cross-reference section 1128A, which
rely on these factors for purposes of determining civil money penalty
amounts. See, e.g., 42 CFR 488.438.
The factors listed in section 1128A(d) were drafted to apply to
violations involving claims for payment under federally funded health
programs. Because HIPAA violations will usually not be about specific
claims, HHS proposes to tailor the section 1128A(d) factors to the
HIPAA rules and break them into their component elements for ease of
understanding and application, as follows: (1) The nature of the
violation; (2) the circumstances under which the violation occurred;
(3) degree of culpability; (4) history of prior offenses; (5) financial
condition of the covered entity; and (6) such other matters as justice
may require.
Many regulations that implement section 1128A, such as the OIG
regulations, further particularize the statutory factors by providing
discrete criteria. Consistent with these other regulations, and in
order to provide more guidance to covered entities as to the factors
that would be used in calculating civil money penalties for violations
of the HIPAA rules, we propose a more specific list of circumstances
that would be considered in calculating penalty amounts. Therefore,
proposed Sec. 160.408 provides detailed factors, within the categories
stated above, to consider in determining the amount of a civil money
penalty, as follows:
(1) The nature of the violation, when considered in light of the
purposes of the rule violated.
(2) The circumstances under which the violation occurred and the
consequences, including the time period during which the violation(s)
occurred, whether the violation caused physical harm, whether the
violation hindered or facilitated an individual's ability to obtain
health care, and whether the violation resulted in financial harm.
(3) The degree of culpability of the covered entity, including
whether the violation was intentional, and whether the violation was
beyond the direct control of the covered entity.
[[Page 20236]]
(4) Any history of prior offenses of the covered entity, including
whether the current violation is the same or similar to prior
violation(s), whether and to what extent the covered entity has
attempted to correct previous violations, how the covered entity has
responded to technical assistance from the Secretary provided in the
context of a compliance effort, and how the covered entity has
responded to prior complaints. This could include any violations that
have been brought to the covered entity's attention, including
complaints raised by individuals directly to the covered entity,
violations of which the covered entity became aware on its own, and
violations that have been raised in the context of a complaint to the
Secretary.
(5) The financial condition of the covered entity, including
whether the covered entity had financial difficulties that affected its
ability to comply, whether the imposition of a civil money penalty
would jeopardize the ability of the covered entity to continue to
provide, or to pay for, health care, and the size of the covered
entity.
(6) Such other matters as justice may require.
In many regulations that implement section 1128A, including the OIG
regulations, the statutory factors and/or the discrete criteria are
designated as either aggravating or mitigating. See, e.g., 42 CFR
1003.106(b)-(d). For example, in some of these regulations, history of
prior offenses is listed as an aggravating factor. See, e.g., 42 CFR
1003.106(b)(3). However, because the Enforcement Rule will apply to a
number of rules and an enormous number of entities and circumstances,
factors may be aggravating or mitigating, depending on the context. For
example, the factor ``time period during which the violation(s)
occurred'' could be an aggravating circumstance where the covered
entity decided not to comply at all with a HIPAA provision, but be a
mitigating circumstance where a covered entity quickly found and
corrected repetitive noncompliance. Thus, we do not propose to label
any of these factors as aggravating or mitigating. Rather, proposed
Sec. 160.408 lists factors that may be considered by the Secretary as
aggravating or mitigating in determining the amount of the civil money
penalty to impose. The proposed approach would allow the Secretary to
choose whether to consider a particular factor and how to consider each
factor as appropriate in each situation to avoid unfair or
inappropriate results. It would also keep the rule simple and make
possible a list of factors to consider in determining penalties that
can work in all cases.
We propose to leave to the Secretary's discretion the decision
regarding when aggravating and mitigating factors will be taken into
account in determining the amount of the civil money penalty. This
approach is consistent with other regulations implementing section
1128A, which do not explain how or at what point in the process these
factors apply. See, e.g., 42 CFR 488.438.
3. Section 160.410--Affirmative Defenses to the Imposition of a Civil
Money Penalty
Proposed Sec. 160.410 implements section 1176(b)(1)--(3) of the
Act, which specify certain limitations with respect to when civil money
penalties may be imposed. Paragraphs (1), (2), and (3) of section
1176(b) each state that, if the conditions described in those
paragraphs are met, ``a penalty may not be imposed under subsection
(a)'' of section 1176. Under section 1176(b)(1), a civil money penalty
may not be imposed with respect to an act that would be punishable by a
criminal penalty under section 1177 of the Act. Under section
1176(b)(2), a civil money penalty may not be imposed if it is
established to the satisfaction of the Secretary that the person who
would be liable for the civil money penalty ``did not know, and by
exercising reasonable diligence would not have known'' that the person
violated the provision. Under section 1176(b)(3), a civil money penalty
may not be imposed if the failure to comply ``was due to reasonable
cause and not to willful neglect'' and is corrected within a certain
period.
Where it is shown that one or more of these grounds exists with
respect to a violation for which a civil money penalty is sought, such
a showing bars the imposition of a civil money penalty for the
violation. The provisions at section 1176(b)(1), (2), and (3), thus,
constitute complete defenses to the imposition of a civil money
penalty. As such, they meet the definition of an affirmative defense:
``A defendant's assertion raising new facts and arguments that, if
true, will defeat the plaintiff's or prosecution's claim, even if all
allegations in the complaint are true.'' Black's Law Dictionary (West,
7th ed. 1999).
Accordingly, proposed Sec. 160.410 would characterize the
limitations under section 1176(b)(1), (2), and (3) as ``affirmative
defenses,'' to make clear that they must be raised in the first
instance by the respondent. See the discussion at section IV.D.10 below
regarding proposed Sec. 160.534, with respect to the burden of proof.
However, characterizing these grounds as affirmative defenses would not
prevent the Secretary from concluding, based on information already in
his possession, that one of these limitations applied. If the Secretary
were to conclude, based on his investigation or on information provided
by the covered entity under proposed Sec. 160.312(a)(3)(i), that one
or more of these limitations applied with respect to a violation, the
Secretary would not pursue the civil money penalty action with respect
to the violation. However, proposed Sec. 160.410 assumes the situation
where the Secretary, through OCR or CMS, has concluded that none of the
statutory limitations at section 1176(b)(1), (2), or (3) applies to a
particular case and has, accordingly, issued a notice of proposed
determination to impose a civil money penalty. The purpose of Sec.
160.410, therefore, is to describe what the respondent must show in
order to establish such a defense in the proceeding that could then
follow.
The grounds stated in sections 1176(b)(2) and (b)(3) are grounds
about which the covered entity would be knowledgeable and could produce
evidence. Treating them as affirmative defenses is consistent with how
similar language in other statutes has been implemented. For example,
similar language in section 102 of HIPAA has been treated as an
affirmative defense: Under the implementing regulations at 45 CFR
150.341(b), the burden of persuasion is on the entity to establish that
no responsible entity knew, or, exercising reasonable diligence, would
have known of the violation. Examples of a similar assignment of burden
in connection with similar statutory language are found elsewhere. See,
e.g., 26 CFR 301.6651-1(c), implementing 26 U.S.C. 6651 (a failure to
timely file a tax return ``is due to reasonable cause and not due to
willful neglect * * * ''), requires ``an affirmative showing of all
facts alleged as a reasonable cause * * * '' by the taxpayer; 8 CFR
280.5, 280.51, implementing 8 U.S.C. 1323 (remission of penalty for
bringing in illegal aliens if the person ``could not have ascertained,
by the exercise of reasonable diligence, that * * * ''), place the
burden on the party seeking remission; 11 U.S.C. 110 (penalties for
persons who fraudulently prepare bankruptcy petitions except where
failure is ``due to reasonable cause'') has been treated as an
affirmative defense, U.S. Trustee v. Womack, 201 B.R. 511, 518 (E.D.
Ark. 1996).
Under section 1176(b)(1), a civil money penalty may not be imposed
if the act in question ``constitutes an offense punishable under
section 1177.'' While it might appear unlikely that a
covered entity would raise this as an affirmative defense, section
1176(b)(1) parallels sections 1176(b)(2) and (b)(3) in both structure
and function. This construction suggests that Congress intended that it
be treated in a parallel manner. Proposed Sec. 160.410, accordingly,
would do so.
Finally, we recognize that other affirmative defenses might be
available in a particular case. In order not to preclude the raising of
affirmative defenses that could legitimately be raised, the
introductory text of proposed Sec. 160.410 is drafted to permit a
respondent to offer affirmative defenses other than those provided in
section 1176(b).
a. Section 160.410(b)(1)--Affirmative Defense Based on Violation Being
a Criminal Offense
Section 1176(b)(1) provides that the Secretary may not impose a
civil money penalty ``with respect to an act if the act constitutes an
offense punishable under section 1177.'' Section 1177(a) provides as
follows:
A person who knowingly and in violation of this part--
(1) Uses or causes to be used a unique health identifier;
(2) Obtains individually identifiable health information
relating to an individual; or
(3) Discloses individually identifiable health information
relating to another person, shall be punished as provided in
subsection (b).
Subsection (b) of section 1177, in turn, sets out three levels of
penalties. The level of penalty varies depending on the circumstances
under which the offense was committed.
The proposed rule simply refers to the statutory provision. As the
criminal penalty provision that provides the basis for this defense is
administered by the U.S. Department of Justice, we do not propose to
elaborate upon it in this regulation.
b. Section 160.410(b)(2)--Affirmative Defense Based on Lack of
Knowledge
Section 1176(b)(2) provides as follows:
A penalty may not be imposed under subsection (a) with respect
to a provision of this part if it is established to the satisfaction
of the Secretary that the person liable for the penalty did not
know, and by exercising reasonable diligence would not have known,
that such person violated the provision.
For a covered entity to establish an affirmative defense under section
1176(b)(2), it must show that it did not have actual or constructive
knowledge of the violation. What is required for such a showing raises
several issues: (1) What ``knowledge'' will make the ``lack of
knowledge'' defense no longer available; (2) when is the ``knowledge''
of an agent imputed to the covered entity; and (3) what constitutes
``reasonable diligence.''
i. ``Knowledge''
The first question is what must the covered entity ``know'' in
order for the defense of section 1176(b)(2) to be no longer available.
Specifically, if the covered entity knows of the facts that constitute
the violation, but does not know that they constitute a violation, is
the defense under section 1176(b)(2) no longer available?
A civil money penalty may not be imposed for a violation ``if it is
established to the satisfaction of the Secretary that the person liable
for the penalty did not know * * * that such person violated the
provision.'' This language on its face suggests that the knowledge
involved must be knowledge that a ``violation'' has occurred, not just
knowledge of the facts constituting the violation. Section 1176(b)(3)
supports this reading. Under section 1176(b)(3)(A)(ii), the cure
period--i.e., the period in which the violation must be corrected if
the covered entity is to avail itself of the defense under section
1176(b)(3)--begins to run ``on the first date the person liable for the
penalty knew, or by exercising reasonable diligence would have known,
that the failure to comply occurred.'' The duty to take corrective
action under section 1176(b)(3), thus, flows from knowledge that ``the
failure to comply occurred.'' We, thus, interpret this knowledge
requirement to mean that the covered entity must have knowledge that a
violation has occurred, not just knowledge of the facts underlying the
violation. We use the statutory language in framing this requirement.
This reading of the statute would not reward ignorance that is
careless or deliberate. The requirement of section 1176(b)(2) that the
covered entity exercise ``reasonable diligence,'' discussed below,
would make a lack of knowledge defense unavailable where a covered
entity's ignorance arises from its failure to inform itself about its
compliance obligations or to investigate complaints or other
information it receives indicating likely noncompliance.
ii. Imputed Knowledge
In order to avail itself of the lack of knowledge defense, a
corporate entity must show that (1) its responsible officers or
managers did not know about the violation, and (2) even if an employee
or other agent had actual knowledge of the violation, why that
knowledge should not be imputed to the managers and, thus, to the
corporate entity itself. Whether knowledge can be imputed to a covered
entity's responsible officers or managers will be determined by
principles of agency. We clarify this by providing in proposed Sec.
160.410(b)(2) that such knowledge will be ``determined by the federal
common law of agency.'' As noted in the discussion in section
IV.C.1.b.i above, we would expect, as a general matter, to follow the
principles set forth in the Restatement (Second) of Agency with respect
to this issue. Under the general rule at section 272 of the
Restatement, an agent's actual or constructive knowledge is imputed to
the principal, subject to certain exceptions. Rest. 2nd of Agency
(1958), comments a and b. Whether any of these exceptions are
applicable would depend on the circumstances of each case. We solicit
comment on this approach and, in particular, illustrations and
explanations of cases where more or less specificity might be helpful.
iii. Reasonable Diligence
The defense under section 1176(b)(2) is available only if the
covered entity ``by exercising reasonable diligence would not have
known ... that the [covered entity] violated the provision.'' The
question this language raises is what action is required in order for a
covered entity to be able to show that it has exercised reasonable
diligence and that its ignorance of the violation is, hence, excused.
The phrase ``reasonable diligence'' has applications in many areas
of the law. ``Reasonable diligence'' is typically defined as ``1. A
fair degree of diligence expected from someone of ordinary prudence
under circumstances like those at issue. 2. See due diligence (1).''
Black's Law Dictionary (West, 7th edition, 1999). ``Due diligence'' is,
in turn, defined as ``1. The diligence reasonably expected from, and
ordinarily exercised by, a person who seeks to satisfy a legal
requirement or to discharge an obligation.--Also termed reasonable
diligence.'' Id. In the context of section 1176(b)(2), these concepts
equate, we believe, to the concept of ``constructive knowledge.'' As
usually defined, ``constructive knowledge'' is the ``knowledge that one
using reasonable care or diligence should have, and therefore that is
attributed by law to a given person.'' Id.
The determination of whether a person acted with reasonable
diligence is generally a factual one, since what is reasonable depends
on the circumstances. Martin v. OSHRC (Milliken & Co.), 947 F.2d 1483
(11th Cir. 1991); Bell Telephone Laboratories,
Inc. v. Hughes Aircraft Co., 564 F.2d 654 (3rd Cir. 1977). The courts
use a variety of formulations to articulate when a person will be
deemed to have known--i.e., to have constructive knowledge--that a
particular incident occurred. However, the various formulations have
common elements. They identify a ``prudent'' or ``reasonable'' person
and consider whether that person would, under similar circumstances,
have become aware of the information in question. They consider how
``available'' the information is; for example, was the information in
the covered entity's possession (such as in its electronic information
system) or not. They consider whether there was ``some reason to awaken
inquiry and suggest investigation;'' for example, had prior experience
suggested that there could be problems, which a reasonable person would
have investigated.
We considered three options for implementing the provisions at
section 1176(b)(2). One approach would be simply to repeat the
statutory language; a second approach would be to provide a more
detailed statement of criteria for establishing reasonable diligence;
and the third approach would be to provide examples of situations that
would (or would not) constitute reasonable diligence. We selected the
second in order to provide some guidance, but not unduly circumscribe
future decisions. Adapting the Black's definition of due diligence to
the present context, proposed Sec. 160.410(a) would define
``reasonable diligence'' to mean ``the business care and prudence
expected from a person seeking to satisfy a legal requirement under
similar circumstances.'' Factors to be considered in evaluating the
applicability of this affirmative defense would include whether the
covered entity took reasonable steps to learn of such violations and
whether there were indications of possible violations, such as a
complaint or other information made known to the entity, that a person
seeking to satisfy a legal requirement would have investigated under
similar circumstances.
c. Section 160.410(b)(3)--Affirmative Defense Based on Reasonable Cause
Section 1176(b)(3) provides as follows:
(A) In general. Except as provided in subparagraph (B), a
penalty may not be imposed under subsection (a) if--
(i) The failure to comply was due to reasonable cause and not to
willful neglect; and
(ii) The failure to comply is corrected during the 30-day period
beginning on the first date the person liable for the penalty knew,
or by exercising reasonable diligence would have known, that the
failure to comply occurred.
(B) Extension of period.
(i) No penalty. The period referred to in subparagraph (A)(ii)
may be extended as determined appropriate by the Secretary based on
the nature and extent of the failure to comply.
These provisions raise several issues: (1) What is reasonable cause;
(2) what is willful neglect; and (3) how should the cure period be
determined.
i. Reasonable Cause
For the defense under section 1176(b)(3) to be available, the
failure to comply at issue must be ``due to reasonable cause and not to
willful neglect'' (as well as corrected within the cure period). This
language has a close analog in the Internal Revenue Code (IRC), which
provides for an exemption from penalties for late filing where the late
filing ``is due to reasonable cause and not due to willful neglect.''
26 U.S.C. 6651(a). This IRC language was construed by the United States
Supreme Court in United States v. Boyle, 469 U.S. 241, 245 (1985). The
Internal Revenue Service (IRS) had articulated specific factors that
would constitute reasonable cause for late filing; in discussing these
factors, the Court noted that the underlying principle was whether the
circumstances were beyond the taxpayer's control.
HHS has already adopted criteria interpreting paragraph (b)(3) that
are not unlike those adopted by the IRS in connection with its late
filing penalty statute. In the guidance published on July 24, 2003 (CMS
Guidance), the criteria developed to address the October 16, 2003
compliance deadline problems for the Transactions Rule are similar in
nature to those developed by the IRS. Like the IRS criteria, they
premise the existence of reasonable cause on the existence of
circumstances outside of the covered entity's control which make
compliance with the Transactions Rule unreasonable.
We considered three options for implementing the reasonable cause
language of section 1176(b)(3): repeating the statutory language;
providing a more detailed statement of the criteria for establishing
reasonable cause; or providing examples of situations that would (or
would not) constitute reasonable cause. As with our decision about
reasonable diligence, we took the second approach. Proposed Sec.
160.410(a) would define ``reasonable cause'' as ``circumstances that
make it unreasonable for the covered entity, despite the exercise of
ordinary business care and prudence, to comply with the administrative
simplification provision violated.'' This definition is generally based
on the view of the Supreme Court in Boyle, but it is tailored to the
HIPAA context in which the judgment in question would be made. It
describes with more specificity the test for determining whether
reasonable cause exists, but does not limit this test by specific
examples. Thus, establishing reasonable cause under section 1176(b)(3)
would require demonstrating circumstances that would make it
unreasonable to expect an entity exercising ordinary business care and
prudence to comply with the particular requirement that has been
violated. The determination of whether reasonable cause exists is
generally, and under this definition would be, a factual one, since
what is ``reasonable'' depends on the circumstances.
ii. Willful Neglect
For the defense under section 1176(b)(3) to be available, the
failure of compliance must not be due to ``willful neglect.'' In Boyle,
discussed above, the Supreme Court defined ``willful neglect'' as
``conscious, intentional failure or reckless indifference'' and
indicated that this concept includes carelessness or other types of
fault. 469 U.S. at 245. Since the definition of the term ``willful
neglect'' is well settled, we propose to adapt this definition of the
term in proposed Sec. 160.410(a): ``conscious, intentional failure or
reckless indifference to the obligation to comply with the
administrative simplification provision violated.'' This definition
reflects the concern that underlies the statutory language: where
willful neglect caused the ``failure to comply'' in question, the
penalty should not be excused.
The proposed definition is also consistent with the approach
already taken by HHS in the CMS Guidance. In the CMS Guidance, HHS
stated that, in determining whether noncompliance with the Transactions
Rule would be penalized, it would consider the ``good faith efforts''
of the covered entities deploying contingency measures after October
16, 2003 as they work to come into compliance with the Transactions
Rule. The presence of such ``good faith'' or diligent efforts to comply
evidences the absence of willful neglect, because it demonstrates the
absence of a ``reckless indifference to the obligation to comply with
the administrative simplification provision violated.''
The issue of whether there was willful neglect would be a factual
inquiry separate from the question of whether reasonable cause existed,
because section 1176(b)(3) requires both the presence of reasonable
cause and the
absence of willful neglect. In the IRC cases discussed above, for
example, proving the lack of willful neglect does not establish the
existence of reasonable cause. However, a finding concerning one
element may obviate the necessity of determining the other element, by
ruling out the existence of a condition precedent for the affirmative
defense. Thus, where it is found that reasonable cause does not exist,
the presence or absence of willful neglect need not be determined;
similarly, if it is found that willful neglect exists, the presence or
absence of reasonable cause need not be determined.
iii. Determination of the Cure Period
The presence of reasonable cause and absence of willful neglect are
not sufficient, in themselves, to establish an affirmative defense
under section 1176(b)(3). The covered entity must also correct the
violation during the 30-day period beginning when the person knew or
should have known that the violation existed. The statute gives the
Secretary the right to extend this period to the extent he determines
appropriate based on the nature and the extent of the failure to
comply. This language presents two issues with respect to the cure
period: (1) When does the cure period begin; and (2) what limitations,
if any, should be placed on the Secretary's ability to extend the cure
period.
Beginning of the Cure Period. Section 1176(b)(3)(A) provides that
the cure period begins ``on the first date the person liable for the
penalty knew, or by exercising reasonable diligence would have known,
that the failure to comply occurred.'' This language is the converse of
section 1176(b)(2). These two provisions, accordingly, dictate a
sequential analysis. The first question is whether the covered entity
knew, or with reasonable diligence would have known, about the
violation. If the covered entity was ignorant of the violation (i.e.,
it did not have actual or constructive knowledge of the violation),
then no civil money penalty may be imposed for the period in which such
ignorance existed. In such a situation, the covered entity's ignorance
of the violation is a complete defense to imposition of the civil money
penalty, so it is not necessary to reach the question of whether the
grounds for a defense under section 1176(b)(3) are also met. However,
as soon as the covered entity knows (or should have known) of the
violation, then the cure period under section 1176(b)(3)(A)(ii) begins;
simultaneously, the defense of ignorance stops being available to the
covered entity. At that point, the question is whether the grounds for
the ``reasonable cause'' defense (the presence of reasonable cause, the
absence of willful neglect, and cure) exist.
We do not propose to elaborate on the statutory language with
regard to when the cure period begins. The text of proposed Sec.
160.410(b)(3), like the statute, uses the defined term ``reasonable
diligence'' and, thus, builds on the analysis conducted under proposed
Sec. 160.410(b)(2).
Extension of the Cure Period. Section 1176(b)(3)(B)(i) provides
that the cure period may be extended ``as determined appropriate by the
Secretary based on the nature and extent of the failure to comply.''
This statutory language is a broad grant of discretion to the Secretary
to determine what is ``appropriate,'' requiring only that the Secretary
base his decision on the ``nature and extent of the failure to
comply.'' The statutory language requires an analysis based on the
specific circumstances of the particular failure to comply at issue.
Given the enormous number of covered entities, the almost infinite
possible combinations of violations and circumstances, the extensive
and varying experiences of covered entities in coming into compliance,
the newness of both their and our experience with respect to compliance
with the HIPAA rules, and the brevity of the 30-day period during which
changes are required, the Secretary should be afforded significant
discretion to decide when it is appropriate to extend the cure period.
Proposed Sec. 160.410(b)(3)(ii)(B) accordingly follows the statutory
language and would permit the Secretary to use the full discretion
provided by the statute.
4. Section 160.412--Waiver
Section 1176(b)(4) of the Act provides for waiver of a civil money
penalty in certain circumstances. Section 1176(b)(4) provides that, if
the failure to comply is ``due to reasonable cause and not to willful
neglect,'' a penalty that has not already been waived under section
1176(b)(3) ``may be waived to the extent that the payment of such
penalty would be excessive relative to the compliance failure
involved.'' If there is reasonable cause and no willful neglect and the
violation has been timely cured, the imposition of the civil money
penalty would be precluded under section 1176(b)(3). Therefore, waiver
under this section would be available only where there is reasonable
cause for the violation and no willful neglect, but the violation was
not timely cured.
Section 1176(b)(4) affords a covered entity a statutory right to
request a waiver. However, the Secretary is not required to grant such
a request: the words ``may be waived'' indicate that the decision to
grant the waiver is discretionary. Moreover, the language ``to the
extent that'' and ``excessive relative to'' indicate that the Secretary
must consider the facts of the case to determine whether, and by what
amount, a penalty may be reduced.
While section 1176(b)(4) might appear to be subsumed by certain of
the statutory factors that could be seen as mitigating factors, this
provision duplicates neither those factors nor the affirmative
defenses. In contrast to the statutory factors, which apply to
determining the amount of a civil money penalty, section 1176(b)(4)
comes formally into play once the penalty amount has been determined,
because only after there is a specific proposed penalty amount can it
be determined whether the penalty ``would be excessive relative to the
compliance failure involved.'' Section 1176(b)(4) differs from the
affirmative defenses in that it is not an absolute preclusion of civil
money penalties; rather, waiver or reduction under section 1176(b)(4)
is discretionary. Finally, in contrast to the mitigating factors and
affirmative defenses, section 1176(b)(4) provides a ground on which a
covered entity may request waiver or reduction of a penalty, once the
penalty amount has been determined.
Proposed Sec. 160.412 does not elaborate on the statute in any
material way. This provision would provide the Secretary with the
flexibility to utilize the discretion provided by the statutory
language as necessary. We deem the statutory criterion itself
reasonably capable of application, and, therefore, are not stating
further criteria at this time.
5. Section 160.414--Limitations
Proposed Sec. 160.414 was adopted by the April 17, 2003 interim
final rule as Sec. 160.522. We propose to move this section, which
sets forth the 6-year limitation period provided for in section
1128A(c)(1), from subpart E to subpart D. We propose to do so because
this provision applies generally to the imposition of civil money
penalties and is not dependent on whether a hearing is requested. We
also propose to change the language of this provision so that the date
of the occurrence of the violation is the date from which the
limitation is determined. We propose this change because the term
``violation'' is defined in this proposed rule, whereas it was not
defined in the April 17, 2003
interim final rule. Thus, the date of the violation can now be
accurately used to calculate when ``the occurrence took place,'' as
referenced in the statute. See also the discussion at section V.G
below.
6. Section 160.416--Authority To Settle
Proposed Sec. 160.416 was adopted by the April 17, 2003 interim
final rule as Sec. 160.510. We propose to move this section, which
addresses the authority of the Secretary to settle any issue or case or
to compromise any penalty imposed on a covered entity, from subpart E
to subpart D. We propose to do so because this provision applies
generally to the imposition of civil money penalties, and is not
dependent on whether a hearing is requested. No change is made to the
text of the provision.
7. Section 160.418--Penalty Not Exclusive
Proposed Sec. 160.418 is new. It is based upon Sec. 1003.109 of
the OIG regulations. We propose to add this section to make clear that
penalties imposed under this part are not intended to be exclusive
where a violation under this part may also be a violation of, and
subject the respondent to penalties under, another federal or a State
law. Proposed Sec. 160.418 would, however, recognize that, under
section 1176(b)(1) of the Act, a penalty may not be imposed under
section 1176(a) if the act constitutes an offense punishable under
section 1177.
8. Section 160.420--Notice of Proposed Determination
The text of proposed Sec. 160.420 was adopted by the April 17,
2003 interim final rule as Sec. 160.514. We propose to move this
section from subpart E, which sets out the procedures and rights of the
parties to a hearing, to subpart D. We propose to do so because the
notice provided for in this section must be given whenever a civil
money penalty is proposed, regardless of whether a hearing is
requested. No changes are proposed to paragraphs (a)(1) and (a)(3),
(4), or to paragraph (b), except conforming changes. Paragraph (a)(2)
would be revised by adding that, in the event the Secretary employs
statistical sampling techniques under Sec. 160.536, the sample relied
upon and the methodology employed must be generally described in the
notice of proposed determination. A new paragraph (a)(5) would require
the notice to describe any circumstances described in Sec. 160.408
that were considered in determining the amount of the proposed penalty;
this provision corresponds to Sec. 1003.109(a)(5) of the OIG
regulations. The present paragraph (a)(5) would be renumbered as
(a)(6). See also the discussion at sections V.H-V.J below.
9. Section 160.422--Failure To Request a Hearing
The text of proposed Sec. 160.422 was adopted by the April 17,
2003 interim final rule as Sec. 160.516. We would add language (``and
the matter is not settled pursuant to Sec. 160.416'') to recognize
that the Secretary and the respondent may agree to a settlement after
the Secretary has issued a notice of proposed determination. We also
provide that the penalty is final upon receipt of the penalty notice,
to make clear when subsequent actions, such as collection, may
commence.
10. Section 160.424--Collection of Penalty
The text of Sec. 160.424 was adopted by the April 17, 2003 interim
final rule as Sec. 160.518. We propose to move this section, which
addresses how a final penalty is collected, from subpart E to subpart
D. We propose to do so because this provision applies generally to the
imposition of civil money penalties and is not dependent upon whether a
hearing is requested.
11. Section 160.426--Notification of the Public and Other Agencies
Proposed Sec. 160.426 would implement section 1128A(h) of the Act.
When a penalty proposed by the Secretary becomes final, section
1128A(h) directs the Secretary to notify certain specified appropriate
State or local agencies, organizations, and associations and to provide
the reasons for the penalty. We propose to add the public generally, in
order to make the information available to anyone who must make
decisions with respect to covered entities. For instance, knowledge of
the imposition of a civil money penalty for violation of the Privacy
Rule could be important to health care consumers, as well as to covered
entities throughout the industry, while information about the
imposition of a civil money penalty for violation of the Transactions
Rule or other HIPAA rules could be of interest to a covered entity's
trading partners.
The regulatory language would provide for notification in such
manner as the Secretary deems appropriate. Posting to an HHS Web site
and/or the periodic publication of a notice in the Federal Register are
among the methods which the Secretary is considering using for the
efficient dissemination of such information. These methods would avoid
the need for the Secretary to determine which entities, among a
potentially large universe, should be notified and would also permit
the general public served by covered entities upon whom civil money
penalties have been imposed to be apprised of this fact, where that
information is of interest to them. While the Secretary could provide
notice to individual agencies where desired, the Secretary could, at
his option, use a single public method of notice, such as posting to an
HHS Web site, to satisfy the obligation to notify the specified
agencies and the public. See also the discussion at V.B below.
D. Subpart E--Procedures for Hearings
As previously explained, the provisions of section 1128A of the Act
apply to the imposition of a civil money penalty under section 1176
``in the same manner as'' they apply to the imposition of civil money
penalties under section 1128A itself. The provisions of subpart E are,
as a consequence, based in large part upon, and are in many respects
the same as, the OIG regulations. We propose to adapt, re-order, or
combine the language of the OIG regulations in a number of places for
clarity of presentation or to reflect concepts unique to the HIPAA
provisions or rules. To avoid confusion, we have also employed certain
language usages in order to make the usage in the rules consistent with
that in the other HIPAA rules (for example, for mandatory duties,
``must'' or ``will'' instead of ``shall'' is used; for discretionary
duties,