[Federal Register: February 16, 2006 (Volume 71, Number 32)]
[Rules and Regulations]
[Page 8389-8433]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr16fe06-11]
[[Page 8389]]
-----------------------------------------------------------------------
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
HIPAA Administrative Simplification: Enforcement; Final Rule
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB29
HIPAA Administrative Simplification: Enforcement
AGENCY: Office of the Secretary, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Secretary of Health and Human Services is adopting rules
for the imposition of civil money penalties on entities that violate
rules adopted by the Secretary to implement the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191 (HIPAA). The final rule
amends the existing rules relating to the investigation of
noncompliance to make them apply to all of the HIPAA Administrative
Simplification rules, rather than exclusively to the privacy standards.
It also amends the existing rules relating to the process for
imposition of civil money penalties. Among other matters, the final
rule clarifies and elaborates upon the investigation process, bases for
liability, determination of the penalty amount, grounds for waiver,
conduct of the hearing, and the appeal process.
DATES: This final rule is effective on March 16, 2006.
FOR FURTHER INFORMATION CONTACT: Carol C. Conrad, (202) 690-1840.
SUPPLEMENTARY INFORMATION: On April 18, 2005, the Department of Health
and Human Services (HHS) published a Notice of Proposed Rulemaking
(proposed rule) proposing to revise the existing rules relating to
compliance with, and enforcement of, the Administrative Simplification
regulations (HIPAA rules) adopted by the Secretary of Health and Human
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA
provisions). 70 FR 20224. The proposed rule also proposed the adoption
of new provisions relating to the imposition of civil money penalties
on covered entities that violate a HIPAA provision or HIPAA rule. The
comment period on the proposed rule closed on June 17, 2005. Forty-nine
comments, principally from health care organizations, were received
during the comment period.
In this final rule, HHS revises existing rules that relate to
compliance with, and enforcement of, the HIPAA rules. These rules are
codified at 45 CFR part 160, subparts C and E. In addition, this final
rule adds a new subpart D to part 160. The new subpart D contains
additional rules relating to the imposition by the Secretary of civil
money penalties on covered entities that violate the HIPAA rules. The
full set of rules to be codified at subparts C, D, and E of 45 CFR part
160 is collectively referred to in this final rule as the ``Enforcement
Rule.'' Finally, HHS makes minor and conforming changes to subpart A of
part 160 and subpart E of part 164.
The statutory and regulatory background of the final rule is set
out below. A description of the provisions of the proposed rule, the
public comments, and HHS's responses to the comments follows. The
preamble concludes with HHS's analyses of impact and other issues under
applicable law.
I. Background
A. Statutory Background
Subtitle F of Title II of HIPAA, entitled ``Administrative
Simplification,'' requires the Secretary to adopt national standards
for certain information-related activities of the health care industry.
Under section 1173 of the Social Security Act (Act), 42 U.S.C. 1320d-2,
the Secretary is required to adopt national standards for certain
financial and administrative transactions, code sets, the security of
health information, and certain unique health identifiers. In addition,
section 264 of HIPAA, 42 U.S.C. 1320d-2 note, requires the Secretary to
promulgate standards to protect the privacy of certain health
information. Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a),
the provisions of Subtitle F apply only to--
The following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information
in electronic form in connection with a transaction referred to in
section 1173(a)(1).
These entities are collectively known as ``covered entities.'' \1\
---------------------------------------------------------------------------
\1\ An additional category of covered entities was added by the
Medicare Prescription Drug, Improvement, and Modernization Act of
2003 (Pub. L. 108-173) (MMA). As added by MMA, section 1860D-
31(h)(6)(A) of the Act, 42 U.S.C. 1395w-141(h)(6)(A), provides that
a prescription drug card sponsor is a covered entity for purposes of
applying part C of title XI and all regulatory provisions
promulgated thereunder, including regulations (relating to privacy)
adopted pursuant to the authority of the Secretary under section
264(c) of the Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. 1320d-2 note).
---------------------------------------------------------------------------
HIPAA requires certain consultations with industry as a predicate
to the issuance of the HIPAA standards and provides that most covered
entities have up to 2 years (small health plans have up to 3 years) to
come into compliance with the standards, once adopted. Act, sections
1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42 U.S.C. 1320d-4(b)). The
statute establishes civil money penalties and criminal penalties for
violations. Act, sections 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C.
1320d-6). HHS enforces the civil money penalties, while the U.S.
Department of Justice enforces the criminal penalties.
HIPAA's civil money penalty provision, section 1176(a) of the Act,
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money
penalty, as follows:
(1) IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part [42 U.S.C. 1320d, et seq.] a penalty of not more than $100
for each such violation, except that the total amount imposed on the
person for all violations of an identical requirement or prohibition
during a calendar year may not exceed $25,000.
(2) PROCEDURES. The provisions of section 1128A [42 U.S.C.
1320a-7a] (other than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the imposition of a civil
money penalty under this subsection in the same manner as such
provisions apply to the imposition of a penalty under such section
1128A.
For simplicity, we refer throughout this preamble to this provision,
the related provisions at section 1128A of the Act, and other related
provisions of the Act, by their Social Security Act citations, rather
than by their U.S. Code citations.
Subsection (b) of section 1176 sets out limitations on the
Secretary's authority to impose civil money penalties and also provides
authority for waiving such penalties. Under section 1176(b)(1), a civil
money penalty may not be imposed with respect to an act that
``constitutes an offense punishable'' under the related criminal
penalty provision, section 1177 of the Act. Under section 1176(b)(2), a
civil money penalty may not be imposed ``if it is established to the
satisfaction of the Secretary that the person liable for the penalty
did not know, and by exercising reasonable diligence would not have
known, that such person violated the provision.'' Under section
1176(b)(3), a civil money penalty may not be imposed if the failure to
comply was due ``to reasonable cause and not to willful neglect'' and
is corrected within a certain time. Finally, under section 1176(b)(4),
a civil money penalty may be reduced or entirely waived ``to the extent
that the payment of such penalty would be excessive relative to the
compliance failure involved.''
As noted above, section 1176(a) incorporates by reference certain
provisions of section 1128A of the Act. Those provisions, as relevant
here, establish a number of requirements with respect to the imposition
of civil money penalties. Under section 1128A(c)(1), the Secretary may
not initiate a civil money penalty action ``later than six years after
the date'' of the occurrence that forms the basis for the civil money
penalty. Under section 1128A(c)(2), a person upon whom the Secretary
seeks to impose a civil money penalty must be given written notice and
an opportunity for a determination to be made ``on the record after a
hearing at which the person is entitled to be represented by counsel,
to present witnesses, and to cross-examine witnesses against the
person.'' Section 1128A also provides, at subsections (c), (e), and
(j), respectively, requirements for: Service of the notice and
authority for sanctions which the hearing officer may impose for
misconduct in connection with the civil money penalty proceeding;
judicial review of the Secretary's determination in the United States
Court of Appeals for the circuit in which the person resides or
maintains his/its principal place of business; and the issuance and
enforcement of subpoenas by the Secretary. In addition, section 1128A
of the Act contains provisions relating to liability for civil money
penalties and what measures must be taken once they are imposed. For
example, section 1128A(d) provides that the Secretary must take into
account certain factors ``in determining the amount * * * of any
penalty''; section 1128A(h) requires certain notifications once a civil
money penalty is imposed; and section 1128A(l) makes a principal liable
for penalties ``for the actions of the principal's agent acting within
the scope of the agency.'' These provisions are discussed more fully
below.
B. Regulatory Background
As noted above, section 1173 of the Act and section 264 of HIPAA
require the Secretary to adopt a number of national standards to
facilitate the exchange, and protect the privacy and security, of
certain health information. The Secretary has already adopted many of
these HIPAA standards by regulation. These regulations consist of the
following: Health Insurance Reform: Standards for Electronic
Transactions (Transactions Rule); Standards for Privacy of Individually
Identifiable Health Information (Privacy Rule); Health Insurance
Reform: Standard Unique Employer Identifier (EIN Rule); Health
Insurance Reform: Security Standards (Security Rule); and HIPAA
Administrative Simplification: Standard Unique Health Identifier for
Health Care Providers (NPI Rule). Proposed standards for certain claims
attachments were published on September 23, 2005 (70 FR 55990) and
proposed standards for health plan identifiers are under development.
The history of these and related rules is described in a proposed rule
published on April 18, 2005 at 70 FR 20225-20226.
An interim final rule promulgating procedural requirements for
imposition of civil money penalties, Civil Money Penalties: Procedures
for Investigations, Imposition of Penalties, and Hearings (April 17,
2003 interim final rule), was published on April 17, 2003 (68 FR
18895), and was effective on May 19, 2003, with a sunset date of
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The
April 17, 2003 interim final rule adopted a new subpart E of part 160.
The sunset date of the April 17, 2003 interim final rule was extended
to September 16, 2005 on September 15, 2004 (69 FR 55515) and was
further extended to March 16, 2006 on September 14, 2005 (70 FR 54293).
The authority for administering and enforcing compliance with the
Privacy Rule has been delegated to the HHS Office for Civil Rights
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering
and enforcing compliance with the non-privacy HIPAA rules has been
delegated to the HHS Centers for Medicare & Medicaid Services (CMS). 68
FR 60694 (October 23, 2003).
II. Overview of the Proposed and Final Rules
A. The Proposed Rule
In the proposed rule, we proposed to bring together and adopt rules
governing the implementation of the civil money penalty authority of
section 1176 of the Act for all of the HIPAA rules. As previously
noted, parts of the Enforcement Rule are already in place: subpart C of
part 160 establishes certain investigative procedures for the Privacy
Rule, and subpart E establishes interim procedures for investigations
and for the imposition, and challenges to the imposition, of civil
money penalties for all of the HIPAA rules. The proposed rule would
complete the Enforcement Rule by (1) making subpart C applicable to all
of the HIPAA rules; (2) adopting on a permanent basis most of the
provisions of subpart E; and (3) addressing, among other issues, our
policies for determining violations and calculating civil money
penalties, how we will address the statutory limitations on the
imposition of civil money penalties, and various procedural issues,
such as provisions for appellate review within HHS of a hearing
decision, burden of proof, and notification of other agencies of the
imposition of a civil money penalty.
Several fundamental considerations shaped the proposed rule. First,
there is one statutory provision for imposing civil money penalties on
covered entities that violate the HIPAA rules; thus, the proposed rule
sought to establish a uniform enforcement and compliance policy for all
of the HIPAA rules to minimize the potential for confusion and burden
and maximize the potential for fairness and consistency in enforcement.
Second, the proposed rule sought to facilitate the movement from
noncompliance to compliance by covered entities by extending to all of
the HIPAA rules the regulatory commitment to promoting and encouraging
voluntary compliance with the HIPAA rules that currently applies to the
Privacy Rule, subpart C of part 160. Third, the proposed rule sought to
minimize confusion with the procedures for investigations and hearings
by building upon pre-existing Departmental procedures for
investigations and hearings under section 1128A of the Act--the civil
money penalty regulations of the Office of the Inspector General, which
are codified at 42 CFR parts 1003, 1005, and 1006 (OIG regulations).
Fourth, the proposed rule was intended to be clear and easy to
understand. Finally, the proposed rule sought to provide the Secretary
with reasonable discretion, particularly in areas where the exercise of
judgment is called for by the statute or rules, and to avoid being
overly prescriptive in areas where it would be helpful to gain
experience with the practical impact of the HIPAA rules, to avoid
unintended adverse effects.
We proposed to amend subpart A of part 160, which contains general
provisions, to include a definition of ``person.'' With respect to
subpart C of part 160, we proposed to incorporate several provisions
currently found in subpart E and to make subpart C applicable to the
non-privacy HIPAA rules. We also proposed to add to part 160 a new
subpart D, which would establish rules relating to the imposition of
civil money penalties, including those which apply whether or not there
is a hearing. We also proposed to incorporate into subpart D several
provisions currently found in subpart E. Proposed subpart E addressed
the pre-hearing and hearing phases of the enforcement process. Many of
the provisions of proposed subpart E were adopted by the April 17, 2003
interim final rule; we did not propose to change them substantively,
although we
proposed to renumber them. Finally, a conforming change to the privacy
standards in subpart E of part 164 was proposed.
B. The Final Rule
While the final rule adopts most of the provisions of the proposed
rule without change, several significant changes to certain provisions
of the proposed rule have been made in response to comments. We do not
list variables in the final rule, as was proposed, to count the number
of violations of an identical requirement or prohibition; rather, the
final rule clarifies that the method for determining the number of such
violations is grounded in the substantive requirement or prohibition
violated. In addition, the ALJ will be able to review the number of
violations determined as part of his or her review of the proposed
civil money penalty. The provision for joint and several liability of
the members of an affiliated covered entity is retained, unless it is
established that another member of the affiliated covered entity was
responsible for the violation. While we continue to treat section
1176(b)(1) as an affirmative defense, we provide that it may be raised
at any time. We retain the provision for statistical sampling, but we
provide that, where statistical sampling is used, HHS must provide a
copy of the study on which its statistical findings are based with the
notice of proposed determination. As a corollary, we provide that a
respondent who intends to introduce evidence of its statistical expert
at the hearing must provide the study prepared by its expert to HHS at
least 30 days prior to the scheduled hearing. We also provide that a
respondent will have 90, rather than 60, days in which to file its
request for hearing. Other changes made by the final rule are described
below.
The Enforcement Rule does not adopt standards, as that term is
defined and interpreted under Subtitle F of Title II of HIPAA. Thus,
the requirement for industry consultations in section 1172(c) of the
Act does not apply. For the same reason, the statute's time frames for
compliance, set forth in section 1175 of the Act, do not apply to the
Enforcement Rule. Accordingly, the Enforcement Rule is effective on
March 16, 2006.
III. Section-by-Section Description of the Final Rule and Response to
Comments
We received 49 comments on the proposed rule. Many of these
comments were from associations or interest groups involved in the
health care industry. We also received comments from covered entities,
a state agency, a law school class, and a number of individuals.
While the comments addressed most of the provisions of the proposed
rule, the following 14 sections of the proposed rule received no
comment: proposed Sec. Sec. 160.400, 160.418, 160.500, 160.502,
160.506, 160.510, 160.514, 160.524, 160.526, 160.528, 160.530, 160.532,
160.544, and 160.550. We have, accordingly, not changed these sections
in the final rule from what was proposed, and we do not discuss them
below. The basis and purpose of sections that are unchanged from the
proposed rule and are not discussed below are set out in the proposed
rule published on April 18, 2005 at 70 FR 20240-20247 and, in certain
cases, in the interim final rule published on April 17, 2003 at 68 FR
18895-18901.
A number of comments also expressed support for particular
provisions. In most cases, we do not discuss these comments, with which
we generally agree, below. Finally, certain comments raised issues
concerning other HIPAA rules, such as allegations that a particular
entity had violated the Privacy Rule or that particular provisions of a
HIPAA rule create a hardship. Such issues are outside the scope of this
rulemaking and, accordingly, are not addressed here.
A. Subpart A
Subpart A of the final rule adopts a new definition of the term
``person.'' This definition is placed in Sec. 160.103, which contains
definitions that apply to all of the HIPAA rules. Thus, the new
definition of ``person'' applies to all of the HIPAA rules.
Proposed rule: We proposed to amend Sec. 160.103 to add a
definition of the term ``person'' to replace the definition of that
term adopted by the April 17, 2003 interim final rule. We proposed to
define the term ``person'' as ``a natural person, trust or estate,
partnership, corporation, professional association or corporation, or
other entity, public or private.'' As more fully explained at 70 FR
20227-20228, the proposed definition clarified, consistent with the
HIPAA provisions, that the term includes States and other public
entities.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: We received one comment on this section, endorsing its
application to all of the HIPAA rules.
Response: The definition of ``person'' in the final rule remains
the same as proposed.
B. Subpart C--Compliance and Investigations
We amend subpart C to make the compliance and investigation
provisions of the subpart--which at present apply only to the Privacy
Rule--apply to all of the HIPAA rules. In addition, we include in
subpart C the definitions that apply to subparts C, D, and E. We move
to subpart C from subpart E the provisions relating to investigational
subpoenas and inquiries. We also add to subpart C provisions
prohibiting intimidation or retaliation that are currently found in the
Privacy Rule but not in the other HIPAA rules. We change the title of
this subpart to reflect the focus of this subpart within the larger
Enforcement Rule. Aside from a change to Sec. 160.306 and certain
minor and conforming changes to Sec. Sec. 160.300, 160.312, 160.314,
and 160.316, we do not change the substance of the existing provisions
of subpart C.
1. Section 160.300--Applicability
Proposed rule: We proposed to amend Sec. 160.300 (along with Sec.
160.304--Principles for achieving compliance; Sec. 160.306--Complaints
to the Secretary; Sec. 160.308--Compliance reviews; and Sec.
160.310--Responsibilities of covered entities) to make the provisions
of subpart C applicable to all of the HIPAA rules, instead of
applicable only to the Privacy Rule. The proposed rule would accomplish
this by changing the present references in these sections from
``subpart E of part 164'' to the more inclusive, defined term,
``administrative simplification provision'' or ``administrative
simplification provisions,'' as appropriate. As explained at 70 FR
20228, the purpose of this proposed change was to simplify and make
uniform the compliance and enforcement process for the HIPAA rules.
Final rule: The final rule streamlines the provisions of the
proposed rule by substituting the term ``provisions'' for the
references to standards, requirements, and implementation
specifications in Sec. 160.300.
Comment: A number of comments endorsed the approach of having
uniform compliance and enforcement provisions for the HIPAA rules, and
no comments disagreed with this approach.
Response: The final rule retains the policy of the proposed rule,
consistent with the expression of support for this approach in the
public comment, but streamlines the language of the section.
Comment: A couple of comments asked whether ``affiliated entities''
were the same as ``hybrid entities,'' in terms of applying the rule.
Response: As described at Sec. 164.105(b)(2)(i)(A), an affiliated
covered entity consists of ``[l]egally separate covered entities [that]
designate themselves (including any health care component of such
covered entity) as a single affiliated covered entity * * * [where] all
of the covered entities designated are under common ownership or
control.'' Thus, an affiliated covered entity is comprised of more than
one covered entity. By contrast, a hybrid entity is defined at Sec.
164.103 as ``a single legal entity: (1) That is a covered entity; (2)
Whose business activities include both covered and non-covered
functions; and (3) That designates health care components in accordance
with [the regulation].'' The Privacy and Security Rules apply to any
covered entity in either arrangement. The issue of liability for a
particular violation with respect to covered entities in an affiliated
covered entity is discussed in connection with Sec. 160.402(b) below.
2. Section 160.302--Definitions
Proposed rule: We proposed to move to Sec. 160.302 three
definitions that were adopted in the April 17, 2003 interim final rule
at Sec. 160.502: ``ALJ'' (Administrative Law Judge), ``civil money
penalty or penalty'', and ``respondent.'' We also proposed to add to
Sec. 160.302 two terms which are used throughout subparts C, D, and E:
``administrative simplification provision'' and ``violation'' or ``to
violate.'' We proposed to define the term ``administrative
simplification provision'' in Sec. 160.302 to mean any requirement or
prohibition established by the HIPAA provisions or HIPAA rules: ``* * *
any requirement or prohibition established by: (1) 42 U.S.C. 1320d-
1320d-4, 1320d-7, and 1320d-8; (2) Section 264 of Public Law 104-191;
or (3) This subchapter.'' We proposed to define a ``violation'' (or
``to violate'') to mean a ``failure to comply with an administrative
simplification provision.'' As more fully explained at 70 FR 20228-
20229, both definitions derive directly from the statutory language,
and both definitions function consistently and fairly across the
various HIPAA rules.
Final rule: The final rule adopts the provisions of the proposed
rule.
a. ``Administrative Simplification Provision''
Comment: One comment expressed general support for the definitions.
Another comment stated that the definition of ``administrative
simplification provision'' should be revised to include only standards.
The comment argued that this approach would be more consistent with the
statute, which provides that covered entities must comply with
standards, not requirements, prohibitions, or other restrictions set
forth in the HIPAA rules.
Response: No change is made to the definition of ``administrative
simplification provision.'' With respect to the second comment above,
we do not agree that the definition of this term should be limited to
standards. As discussed at 70 FR 20229, limiting the elements of the
HIPAA rules that could be violated to those designated as standards
would have the effect of, among other things, insulating from
enforcement explicit statutory requirements and prohibitions (e.g., the
prohibitions at section 1175(a) of the Act, which the statute terms
``requirements'' and which the Transactions Rule treats as requirements
but not standards). We do not agree that Congress intended such an
effect. We note, moreover, that the statute explicitly provides for the
adoption of implementation specifications. See section 1172(d) of the
Act. Furthermore, we disagree with the contention that the statute does
not contemplate that violations may be tied to requirements and
prohibitions: section 1176(a)(1) speaks of ``violations of an identical
requirement or prohibition.''
Comment: Several comments argued that this definition could lead to
multiple violations from a single act and lead to more liability than
covered entities could reasonably expect. It also was argued that this
definition would render almost meaningless the statutory $25,000 cap on
liability for violations of an identical provision in a calendar year.
Response: No examples were supplied to illustrate the concern as to
how this definition would increase the anticipated liability of covered
entities, so we can only respond generally. The prohibition in Sec.
160.404(b)(2) on counting overlapping requirements twice should
minimize any such effect. As for violations that might be implicated in
a single act and not be insulated by Sec. 160.404(b)(2), we see no
reason why they should not be considered as separate violations, since
covered entities must comply with all applicable requirements and
prohibitions of the HIPAA provisions and rules. Also, the definition
does not render the statutory cap meaningless; rather, the
``requirement or prohibition'' language of the definition is taken
directly from the part of section 1176(a) that establishes the $25,000
statutory cap (``the total amount imposed on the person for all
violations of an identical requirement or prohibition for a calendar
year may not exceed $25,000''). Furthermore, for the reasons explained
in the preamble to the proposed rule, none of the other possible
formulations of what constitutes a ``provision of this part'' works
uniformly and fairly across the HIPAA rules. Thus, we retain the
definition of ``administrative simplification provision'' as proposed.
b. ``Violation'' or ``Violate''
Comment: One comment asked how the definition of ``violation''
would work with the addressable components of the Security Rule.
Response: With respect to the issue of how this term would apply to
the addressable implementation specifications of the Security Rule, we
provide the following guidance. Under Sec. 164.306(d)(3)(ii), a
covered entity must implement an addressable implementation
specification if doing so is ``reasonable and appropriate.'' Where that
condition is met, the addressable implementation specification is a
requirement, and failure to implement the addressable implementation
specification would, accordingly, constitute a violation. Where that
condition is not met, the covered entity must document why it would not
be reasonable and appropriate to implement the implementation
specification and implement ``an equivalent alternative measure if
reasonable and appropriate.'' In this latter situation, creating the
documentation referred to is a requirement, and implementing an
alternative measure is also a requirement, if doing so is reasonable
and appropriate in the covered entity's circumstances; failure to take
either required action would, accordingly, constitute a violation.
3. Section 160.304--Principles for Achieving Compliance
Proposed rule: We proposed to amend Sec. 160.304 to make it
applicable to all of the HIPAA rules; otherwise, we proposed to leave
the rule substantively unchanged. Section 160.304 provides that the
Secretary will, to the extent practicable, seek the cooperation of
covered entities in obtaining compliance. Section 160.304 also provides
that the Secretary may provide technical assistance to help covered
entities voluntarily comply with the HIPAA rules.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Many comments supported HHS's approach to voluntary
compliance and the use of a complaint-based process to identify and
correct
noncompliance, on the grounds that it is the most efficient and
effective way of obtaining compliance and realizing the benefits of the
HIPAA rules. In addition, some contended that, given the confusion of
many covered entities with many of the rules' requirements, it is an
appropriate approach. However, one comment criticized HHS's reliance on
voluntary compliance and informal resolution of complaints on the
ground that the statute contemplates that violations of the HIPAA rules
should be pursued in the same manner as fraud and abuse cases, that is,
through the formal, adversarial process provided for by section
1128A(c). Another comment stated that HHS's reliance on voluntary
compliance has led to lax enforcement and that reliance on a complaint-
based system is a fundamentally flawed approach, particularly with
respect to enforcement of the Privacy Rule, because HHS has provided
insufficient education to consumers, and it is impossible for consumers
to complain about a law about which they know very little. Several
comments urged that OCR and CMS continue to provide educational
materials and guidance to help covered entities comply with the HIPAA
rules and to educate consumers about their rights under the Privacy
Rule.
Response: We agree that encouraging voluntary compliance is the
most effective and quickest way of obtaining compliance in most cases.
We do not agree that encouraging voluntary compliance and seeking
informal resolution of complaints in individual cases constitutes lax
enforcement or that such an approach is inconsistent with our statutory
obligations. Our experience to date with privacy complaints illustrates
the effectiveness of our enforcement approach. As of October 31, 2005,
OCR had received and initiated reviews of over 16,000 privacy
complaints from health care consumers and others across the country.
These complaints are widespread and diverse, not only geographically,
but also with respect to the type of entity complained against, as well
as the Privacy Rule issues raised by the complaints. Complaints are
filed against all sizes and types of covered entities, from solo
practitioners to hospitals and pharmacy chains, and from health
insurance issuers to group health plans, for example. In addition, the
complaints implicate a full range of Privacy Rule issues, from uses and
disclosures of protected health information to individual rights to
administrative requirements. The variation and expansiveness of the
complaints provide HHS with a much broader approach to compliance than
would a compliance review system, which likely would need to be
targeted to larger institutions and/or a smaller set of concerns.
Further, our experience with these cases--68 percent have been resolved
or otherwise closed to date--indicates that generally we are receiving
good cooperation from covered entities in quickly addressing compliance
problems. Such resolutions bring the benefits of the HIPAA rules to
consumers far more quickly than would a formalized, adversarial
process, which would also be time-consuming and costly for both sides.
We also do not agree that the statute contemplates only a
formalized, adversarial process; rather, it only requires such a
process where a proposed civil money penalty is contested. It is
important to note, moreover, that section 1176 contemplates that we
would work with covered entities to help them achieve compliance, even
when there is an allegation that the covered entity is in violation of
the rules. Section 1176 provides that a civil money penalty may not be
imposed if the failure to comply was due to reasonable cause and not
willful neglect and is corrected within a certain period of time after
the covered entity knew or should have known of the compliance failure,
and that the Secretary may, in some circumstances, provide technical
assistance to the covered entity during that period. Further, an
approach that is primarily complaint-based does not limit our ability
to perform compliance reviews when appropriate, and this has, in fact,
occurred. We will continue to review the effectiveness of our
enforcement approach and revise it, if needed. Notwithstanding our
above approach, however, we will resort to civil money penalties, as
needed, for matters that cannot be resolved by informal means.
Further, we disagree that persons affected by the Privacy Rule and
the other HIPAA rules are unaware of their rights, as evidenced by the
large number of complaints that HHS has received from consumers and
covered and other entities. HHS has an ongoing program of providing
information to the public and guidance to covered entities through the
Internet, public speaking and educational events, and toll-free call-in
lines. The millions of hits to our Web sites--http://www.hhs.gov/ocr/hipaa for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2 for the
other HIPAA rules--suggest that covered entities and the public are
increasingly aware of the application of the HIPAA rules to their
business activities and lives, respectively, and are able to access the
information we have made available. In addition, the American Health
Information Management Association issued the results of their latest
compliance survey in a report entitled ``The State of HIPAA Privacy and
Security Compliance, April 2005,'' which indicated, with respect to the
Privacy Rule, that over two-thirds of all hospital and health system
patients had some or a complete understanding of their rights and the
facility's responsibilities. Nonetheless, while such evidence is
encouraging, we recognize that HHS must remain active in providing
outreach and public education. We are committed to doing so, and thus,
continue to develop educational material for consumers and industry
guidance for covered entities.
Comment: One comment suggested that the Secretary commit to
providing technical assistance to covered entities.
Response: We do not agree that the provision of technical
assistance should be mandated. The statute (at section
1176(b)(3)(B)(ii)) makes the provision of technical assistance
discretionary if the Secretary determines that the compliance failure
was due to the covered entity's inability to comply. While OCR and CMS
provide technical assistance in many cases, it is not necessary in all
instances to provide such assistance in order to obtain compliance.
Thus, it is inappropriate to mandate the provision of technical
assistance.
Comment: One comment suggested amending Sec. 160.304(b) to require
ongoing reporting of complaints and resolutions to the healthcare
industry. The goal in requiring reporting would be to educate covered
entities regarding complaints that are found to be actual violations
and encourage them to review their compliance. The comment stated that
the current reports made by OCR to the National Committee on Vital and
Health Statistics are not helpful since they only report the volume of
complaints, not the nature of the complaints or whether a violation
occurred.
Response: We do not believe mandatory reporting of complaints and
resolutions is necessary. Both CMS and OCR currently have the ability
to report to the public, including the healthcare industry, about
complaints and their resolutions, and do so in summary form. We
continue to present summaries of actions on complaints in various fora,
including in public presentations, testimony, and in written documents.
Our enforcement experience also informs our development of FAQs and
guidance documents to explain certain
[[Page 8395]]
provisions and how to comply with them. In any event, covered entities
should use their own internal complaint processes and experience to
assess and improve their compliance and ability to serve the needs of
their customers.
Comment: One comment suggested that the informal resolution process
should allow HHS to render opinions on a covered entity's
interpretation of the HIPAA rules. The comment expressed concern that a
covered entity would not be able to resolve a compliance issue during
the informal resolution process if it made a good faith, but incorrect,
interpretation of a HIPAA rule. The comment suggested allowing HHS to
render an opinion on the entity's interpretation to facilitate the
informal resolution of compliance problems.
Response: As a general matter, we do not issue advisory opinions,
but the informal resolution process will provide covered entities with
information about HHS's interpretation of the HIPAA rules. Covered
entities may also find guidance as to the proper interpretation of a
HIPAA rule in the FAQs posted on the HHS website and technical
assistance offered to the covered entities by HHS. Covered entities may
also submit questions to HHS for consideration with respect to future
FAQs and guidance.
4. Section 160.306--Complaints to the Secretary
Proposed rule: Section 160.306 provides for investigations of
covered entities by the Secretary. It also outlines the procedure and
requirements for filing a complaint against a covered entity. For
example, it provides that a complaint must name the person that is the
subject of the complaint and describe the acts or omissions believed to
be violations. It also requires that complaints be filed within 180
days of when the complainant knew or should have known that the act or
omission occurred, unless this time limit is waived for good cause. The
proposed rule would have amended this section to apply it to all of the
HIPAA rules, rather than exclusively to the Privacy Rule, but otherwise
proposed no substantive changes to the section.
Final rule: The final rule adopts the provisions of the proposed
rule, except that proposed Sec. 160.306(c) is revised to require the
Secretary to describe the basis of the complaint in the first written
communication with the covered entity about the complaint.
Comment: One comment asked for clarification on when a complaint
will be considered to have been timely filed in situations when a
complainant should have known of the violation, thus triggering the
180-day time period for filing a complaint.
Response: Whether a complaint was properly filed within the 180-day
period will need to be determined in each case. For
example, an individual who is informed through an accounting of
disclosures that his or her health information was impermissibly
disclosed would be considered to know of the violation at the time the
individual receives the accounting. In any event, however, the 180-day
period can be waived for good cause shown.
Comment: Two comments suggested that HHS be required to inform a
covered entity of the specific basis for an investigation or compliance
review. These comments suggested the best way to accomplish this goal
would be to send a copy of the complaint to the covered entity. The
comments stated that, without specific information as to the basis of
the complaint, a covered entity will not be able to properly respond to
the agency's request for information.
Response: Both CMS and OCR currently provide the basis for an
investigation in the first written communication with a covered entity
about a complaint. This policy will continue to be followed, and the
final rule is revised to require it. It should be noted that provision
of a description of the basis for the complaint does not circumscribe
the investigation, if the investigation subsequently uncovers other
compliance issues with respect to the covered entity.
We disagree that sending a copy of the complaint is necessary for a
covered entity to adequately respond to the Secretary's inquiries. As
noted above, covered entities receive a description of the basis for
the complaint. Other information contained in the complaint, such as
the complainant's identity, is not always relevant to the
investigation. In some cases, in fact, it may be necessary to withhold
such information to, for example, protect the complainant's privacy. In
instances where it is necessary to provide the complainant's identity
in order for the covered entity to properly respond to the
investigation, the complainant is so informed before this information
is released to the covered entity.
Comment: One comment suggested that the rule be revised to require
that a complaint include the name of the covered entity that is the
subject of the complaint.
Response: The rule, both as proposed and as adopted below, already
requires that a complaint ``name the person that is the subject of the
complaint.'' See Sec. 160.306(b)(2).
Comment: In one comment, a covered entity complained that it had
expended a great deal of time and money defending itself against what
turned out to be a false allegation and asked that HHS put more effort
into gathering detailed information from complainants and helping
covered entities respond to complaints. Another comment criticized the
rule for providing no way of sanctioning a person bringing a negligent
or malicious complaint.
Response: We understand that it may take time and effort to
establish that an allegation is unfounded. When complaints are
received, we make every effort to determine if the complaint is
legitimate, so as not to place undue burdens on covered entities.
Further, covered entities are encouraged promptly to contact the OCR or
CMS investigators handling their complaints to discuss the allegations
once notice of an investigation is received by the covered entity.
Doing so should help a covered entity avoid the expenditure of
unnecessary time and funds on defending itself against baseless
complaints. The statute provides no basis for our penalizing a person
for bringing a negligent or malicious complaint, although remedies may
exist at common law. However, as discussed below in connection with
Sec. 160.316, lack of good faith would typically be a matter that is
looked at in the course of investigating a complaint.
Comment: One comment suggested that only individuals or personal
representatives should have standing to file a complaint. The comment
takes the position that one covered entity should not be able to bring
a complaint against another.
Response: We disagree. The purpose of the complaint process is to
bring violations to the attention of HHS, so that any noncompliance
with the HIPAA rules may be corrected. Particularly with respect to the
Transactions Rule, the persons or entities that are likely to be
disadvantaged by the noncompliance of a covered entity are other
covered entities. It would, accordingly, be inconsistent with the
purpose of the complaint process to exclude such entities from it.
Comment: Two comments suggested that HHS be required to notify
covered entities of a complaint within a specified time-frame.
Response: OCR and CMS make every effort to notify covered entities
of complaints on a timely basis. However, we do not include a specific
deadline for notifying covered entities of
[[Page 8396]]
complaints in the rule. The time needed to determine whether a
complaint states issues that should be investigated can vary greatly,
while fluctuations in the volume of complaints and other workload
demands may also make meeting a specific deadline problematic.
Comment: One comment suggested that Sec. 160.306(a)(2) should be
amended to require that ``uses or disclosures'' be described in the
complaint rather than ``acts or omissions.''
Response: The suggested change would not be appropriate. The
provisions of this rule apply to all of the HIPAA rules, not just the
Privacy Rule; the other HIPAA rules regulate actions other than uses
and disclosures of protected health information. Moreover, even under
the Privacy Rule, a violation may occur where no impermissible use or
disclosure of protected health information has occurred. Failure to
comply with a notice requirement under Sec. 164.520 is an example of a
violation that does not involve a use or disclosure of protected health
information.
Comment: One comment suggested that the Secretary should be
required to investigate all complaints and that failure to do so is
inconsistent with section 1176(a) of the Act, which compels the
Secretary to impose penalties for violations unless a statutory
limitation applies. Imposing a deadline for beginning investigations
was also suggested.
Response: The decision to investigate a complaint is based on the
facts presented. Not all complaints need to be investigated. For
example, in our experience, a substantial percentage of privacy
complaints allege facts that fall outside of OCR's jurisdiction under
HIPAA--e.g., an action prior to the compliance date of the Privacy Rule
or an action by an entity not covered by the Rule. Revising the rule to
require the Secretary to investigate all complaints would be
counterproductive and lead to an inefficient allocation of enforcement
resources. Similarly, imposing a deadline for beginning an
investigation is unrealistic: Some investigations may turn out to be
more time-consuming than anticipated, delaying the start of other
investigations. It is necessary to provide OCR and CMS with the
flexibility to deal with variations in circumstances and resource
constraints.
5. Section 160.308--Compliance Reviews
Proposed rule: The proposed rule provided that the Secretary may
conduct compliance reviews to determine whether covered entities are
complying with the applicable administrative simplification provisions.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Several comments asked HHS to outline the circumstances
under which a compliance review would be undertaken or asked that the
compliance review provision be eliminated from the rule. One comment
suggested that compliance reviews be limited to evidence-based reviews.
These comments expressed concern that the rule does not specifically
define when a compliance review will be undertaken.
Response: Compliance reviews are conducted at the discretion of the
Secretary. Outlining specific instances in which a compliance review
will be conducted could have the counterproductive effect of skewing
compliance efforts toward those aspects of compliance that had been
identified as likely to result in a compliance review. It also does not
seem advisable to limit, by rule, the circumstances under which such
reviews may be conducted at this early stage of the enforcement
program, when our knowledge of the types of violations that may arise
is necessarily limited. We also do not agree that the provision for
compliance reviews should be eliminated. There are situations where
instances of potential noncompliance come to HHS's attention outside of
the complaint process (e.g., where media reports suggest that a
violation has occurred), and HHS must have clear authority to
investigate such situations.
Comment: A number of comments suggested that HHS detail the
compliance review process and rules for notification of covered
entities when they are being reviewed.
Response: The rule already contains procedures to be followed, and
requirements to be met, that apply to compliance reviews. See
Sec. Sec. 160.304, 160.310, 160.312, 160.314, and 160.316. It is
unnecessary to establish procedures comparable to the complaint filing
procedures of Sec. 160.306 for compliance reviews, since they are
initiated by HHS. The concerns expressed by most of the comments on
this topic--that HHS would undertake a compliance review without notice
to the covered entity and without specifying the basis for, or the
focus of, the review--are misplaced. Section 160.312 requires HHS to
attempt to resolve violations found in a compliance review by informal
means and to inform the covered entity in writing if a compliance
review is or is not resolved by informal means. Failing to notify the
covered entity of a compliance review or the basis for such a review is
not consistent with our practice generally and would be unlikely to
yield much information of use, resulting in an ineffective use of the
covered entity's and the agency's resources.
Comment: One comment suggested that compliance reviews should be
mandatory and should be initiated within a specified time period.
Response: The rule, as proposed and adopted, does not preclude
establishing a compliance review program or schedule, but it does not
require it either. One purpose of compliance reviews is to permit
investigation when allegations or situations warranting investigation
come to our attention outside of the complaint process. The necessity
for a compliance review in a particular case or a program of scheduled
compliance reviews is inherently unpredictable, and it is important to
retain the administrative flexibility to address such situations.
Mandating compliance reviews on a fixed basis or schedule would be an
inefficient allocation of limited enforcement resources and would
hamper the agency's ability to target resources at actual noncompliance
problems as they arise.
Comment: One comment suggested that the rule contain provisions
outlining the coordination and cooperation between CMS and OCR when a
compliance review under more than one rule occurs.
Response: As with complaint-based investigations, CMS and OCR will
coordinate and allocate responsibility for compliance reviews based
upon the HIPAA provisions involved and the facts of the case. We do not
consider it advisable to specify detailed rules in this regard, as the
allocation of function and responsibility will depend on the facts of
each case and the resources available at the time.
6. Section 160.310--Responsibilities of Covered Entities
Proposed rule: Section 160.310 addresses the responsibilities of a
covered entity, such as providing records and compliance reports to the
Secretary and cooperating during a compliance review or complaint
investigation. Section 160.310(c) provides that a covered entity must
permit HHS to have access during normal business hours to its
facilities, books, records, and other information necessary to
determine compliance, but provides that if the Secretary determines
that ``exigent circumstances exist, such as when documents may be
hidden or destroyed,'' the covered entity must permit access at any
time without
[[Page 8397]]
notice. Section 160.310 also provides that the Secretary may not
disclose protected health information obtained by the Secretary in the
course of an investigation or compliance review except when necessary
to ascertaining or enforcing compliance or as otherwise required by
law. The proposed rule would amend this section to apply it to all of
the HIPAA rules, rather than exclusively to the Privacy Rule, but
otherwise proposed no substantive changes to the section.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: A couple of comments asked HHS either to further define
``exigent circumstances,'' such as by limiting it to situations
involving national security or by inserting specific examples of
exigent circumstances in Sec. 160.310(c)(1). One comment suggested
that the rule be revised to require that the Secretary's determination
that ``exigent circumstances'' exist be a ``reasonable'' one.
Response: The determination of what constitutes ``exigent
circumstances'' will inevitably be fact-dependent. Specific language
defining ``exigent circumstances'' is unnecessary, as the rule already
provides a clarifying example and the principle underlying the
provision is reasonably universal. We note that limiting the provision
to situations where matters of national security are involved would
most likely not cover the types of situations the provision is intended
to cover--situations in which it is likely that the covered entity will
seek to conceal or destroy evidence of noncompliance that HHS needs to
carry out its statutory obligation to enforce the HIPAA rules.
Comment: Two comments asked for further guidance and notice of
record retention requirements and another comment expressed concerns
with the record retention requirements of the Privacy Rule.
Response: Record retention requirements applicable to the Privacy
and Security Rules are spelled out in those rules; see Sec.
164.530(j) and Sec. 164.316(b), respectively. We do not address these
record retention requirements here, as this topic lies outside the
scope of this rule.
The other HIPAA rules do not contain explicit record retention
requirements, as such. However, it is likely that the documentation
that would be relevant to showing compliance with those rules--such as
health plan instructions to providers, software documentation,
contracts, and systems processes--is kept as part of normal business
practices. Covered entities should consider any other applicable laws,
such as state law, in making such decisions.
7. Section 160.312--Secretarial Action Regarding Complaints and
Compliance Reviews
Proposed rule: We proposed to revise Sec. 160.312(a) to require
that, where noncompliance is indicated, the Secretary would seek to
reach by informal means a resolution of the matter that is satisfactory
to the Secretary. Informal means could include demonstrated compliance,
or a completed corrective action plan or other agreement. We proposed
to revise Sec. 160.312(a)(2) to require, where noncompliance is
indicated and the matter is resolved by informal means, that HHS notify
the covered entity in writing and, if the matter arose from a
complaint, the complainant. Where noncompliance is indicated and the
matter is not resolved by informal means, proposed Sec.
160.312(a)(3)(i) would require the Secretary to so inform the covered
entity and provide the covered entity an opportunity to submit, within
30 days of receipt of such notification, written evidence of any
mitigating factors or affirmative defenses. To avoid confusion with the
notice of proposed determination process provided for at proposed Sec.
160.420, proposed Sec. 160.312(a)(3)(ii) provided that, where the
matter is not resolved by informal means and the Secretary finds that
imposition of a civil money penalty is warranted, the formal finding
would be contained in the notice of proposed determination issued under
proposed Sec. 160.420. We proposed to leave Sec. 160.312(b)
substantively unchanged.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment suggested that covered entities should be able
to appeal the Secretary's findings during the informal resolution
process and that the Secretary's decision to resolve a matter
informally should not preclude the respondent from questioning the
Secretary's interpretation or application of the rule in question.
Response: The purpose of the informal resolution process described
in Sec. 160.312 is to bring closure at an early stage to a matter
where compliance is in issue and, thus, to obviate the need to issue a
notice of proposed determination. Section 160.312 recognizes, however,
that informal resolutions will not always be achieved. Where the agency
and the covered entity are not able to resolve the matter informally,
HHS (through OCR and/or CMS) will make a finding of noncompliance
pursuant to Sec. 160.420, which the covered entity may then challenge
through the applicable procedures of subparts D and E. Nothing in the
rule compels the covered entity to challenge the finding of
noncompliance under Sec. 160.420, but if the covered entity wishes to
challenge such a finding, including the agency's interpretation or
application of a rule, it must do so through the procedural avenue
provided by subparts D and E. These procedures implement the
requirement of section 1128A(c) of the Act that the Secretary may not
make an adverse determination against a person until the person has
been given written notice and an opportunity for a hearing on the
record on the adverse determination.
Comment: One comment asked how informal resolution is possible,
given HHS's position that, where a violation is found, a CMP must be
imposed. Another comment expressed concern that the informal resolution
process would allow covered entities to skirt penalties and the
consequences of noncompliance with the HIPAA rules and suggested that
the Secretary should not be compelled to reach a resolution through
informal processes.
Response: These comments misunderstand our position as to the
mandatory nature of the statute. The Secretary must impose a civil
money penalty where a formal determination of a violation is made.
However, many opportunities exist prior to this determination that
allow the Secretary to exercise his discretion to not impose a penalty.
This issue is discussed more fully in connection with Sec. 160.402
below.
The second comment above also misconstrues Sec. 160.312. Nothing
in that section compels OCR or CMS to resolve matters informally.
Indeed, Sec. 160.312(a)(3) describes the actions to be taken ``[i]f
the matter is not resolved by informal means * * *''.
Comment: One comment suggested that HHS and the covered entity
should be required to put the informal resolution in writing.
Response: Both Sec. 160.312(a)(2) and Sec. 160.312(b) require
that the resolutions contemplated in those sections be ``in writing.''
CMS and OCR currently document informal resolutions.
Comment: One comment suggested that the 30-day time period for a
covered entity to submit to the Secretary evidence of mitigating
factors or affirmative defenses should be extended.
Response: Thirty days should be sufficient for a covered entity to
submit such evidence. The opportunity to provide additional evidence
comes at
[[Page 8398]]
the end of investigation, and the covered entity should be gathering
any evidence of mitigating factors or affirmative defenses during the
investigation. In addition, the covered entity will have the
opportunity to present such evidence to the ALJ if it chooses to appeal
the Secretary's findings. Accordingly, we do not change this provision.
Comment: One comment suggested that a deadline should be imposed
for HHS to notify the covered entity of its findings after an
investigation.
Response: The time needed to finalize the agency's findings will
depend on the complexity of the case, its outcome, and workload
considerations. As these factors are inherently variable and
unpredictable, we do not believe it would be advisable to impose fixed
deadlines for taking the actions described in Sec. 160.312.
Comment: One comment requested clarification of proposed Sec.
160.312(a)(3)(ii), with respect to what action is referred to and the
associated time frame.
Response: The action referred to is HHS's notification of the
covered entity of its finding of noncompliance when it determines that
the matter cannot be resolved informally. Section 160.312(a)(3)(ii)
provides that, if HHS decides to impose a civil money penalty, it will
send a notice of proposed determination to the covered entity pursuant
to Sec. 160.420. Thus, the intent of this provision is to clarify
that, once OCR and/or CMS, as applicable, has determined that a
violation has occurred, the matter cannot be resolved informally in a
manner that is satisfactory to OCR and/or CMS, and a civil money
penalty should be imposed, the agency's next step is to provide the
formal notice required by section 1128A(c)(1), which in this rule is
the notice of proposed determination under Sec. 160.420. The rule
imposes no specific deadline on the agency for sending this notice.
However, it should be noted that if the notice is not sent within six
years of the violation, pursuit of the civil money penalty would be
precluded by section 1128A(c)(1), which is implemented in this rule by
Sec. 160.414.
Comment: One comment requested that Sec. 160.312(a)(3) be revised
to afford complainants the opportunity to express, in writing, the
impact of the violation.
Response: The suggested change is unnecessary, since nothing in the
rule precludes a complainant from providing such information to the
agency at any point in the process. Complainants frequently describe,
in their complaints or in the course of OCR's or CMS's initial contacts
with the complainants, the impact of the alleged violation. HHS also
may request such information from the complainant where, for example,
it bears on the amount of the penalty to be imposed.
8. Section 160.314--Investigational Subpoenas and Inquiries
Proposed rule: The text of proposed Sec. 160.314 was adopted by
the April 17, 2003 interim final rule as Sec. 160.504. We proposed to
move this section to subpart C, consistent with our overall approach of
organizing subparts C, D, and E to reflect the stages of the
enforcement process. We proposed to include in the introductory
language of proposed Sec. 160.314(a) a sentence which states that, for
the purposes of paragraph (a), a person other than a natural person is
termed an ``entity.'' We proposed not to modify Sec. 160.314(b)(1),
(2) and (8) from the provisions of the April 17, 2003 interim final
rule at paragraphs (b)(1)-(3) of Sec. 160.504. However, we proposed to
add new paragraphs (3) through (7) and (9) to Sec. 160.314(b) and also
to add a new paragraph (c). The proposed new paragraphs at Sec. Sec.
160.314(b)(3)-(b)(7) would permit representatives of HHS to attend and
ask questions at the inquiry, give a witness the opportunity to clarify
his answers on the record after being questioned by HHS, require any
objections or claims of privilege to be asserted on the record, and
permit HHS to seek enforcement of the subpoena through the federal
district court if a witness refuses to answer non-privileged questions
or produce requested documents or items. Further, proposed Sec.
160.314(c) provided that, consistent with Sec. 160.310, testimony and
other evidence obtained in an investigational inquiry may be used by
HHS in any of its activities and may be used or offered into evidence
in any administrative or judicial proceeding. Together, these additions
would clarify the manner in which investigational inquiries will be
conducted, and how testimony given, and evidence obtained, during such
an investigation may be used.
Final rule: The final rule adopts the provisions of the proposed
rule, except that paragraph (a) is revised to clarify that
investigational subpoenas may issue when a compliance review is
conducted.
Comment: A few comments requested that this section provide for the
protection of privileged documents when subpoenaed by the Secretary.
Comments also suggested that covered entities should have the ability
to challenge a subpoena issued by the Secretary.
Response: The rule, as proposed and adopted, provides a process for
a subpoenaed witness to challenge the subpoena and/or assert privilege.
Under section 205(e) of the Act, made applicable by section 1128A(j)(1)
of the Act, the federal district court in which a person charged with
contumacy or refusal to obey a subpoena resides or transacts business
has jurisdiction upon application of HHS. As provided in Sec.
160.314(a)(5), HHS may seek to enforce the subpoena in such cases
through action in the relevant federal district court, which would
presumably hear the basis for the witness's refusal to obey or claim of
privilege in connection with a motion to quash under Fed. R. Civ. P.
45(c)(3). (28 U.S.C. Appendix).
Comment: Several comments requested that the scope of the subpoenas
issued by the Secretary be limited to the investigation and that the
Secretary not be allowed to pursue open-ended inquiries.
Response: Section 205(d) of the Act, which is made applicable by
section 1128A(j)(1), provides that a subpoena may issue for ``the
production of any evidence that relates to any matter under
investigation or in question before [the Secretary].'' Moreover, the
federal courts subject the exercise of an agency's administrative
subpoena authority to a reasonableness analysis. In U.S. v. Powell, 397
U.S. 481 (1964), the holding of which was extended to all
administrative subpoena authorities in Securities and Exchange
Commission v. Jerry T. O'Brien, Inc., 467 U.S. 735, 741-42 (1984), the
U.S. Supreme Court articulated a standard for the judicial review of
administrative subpoenas that requires that the investigation be
conducted pursuant to a legitimate purpose and that the information
requested under the subpoena is relevant to that purpose. HHS is
required to comply with this standard in the exercise of the subpoena
authority under this section.
Comment: One comment asked that covered entities be given notice of
investigational inquiries directed at them.
Response: In general, we would expect that an investigational
subpoena would be used where a covered entity has failed to respond to
HHS's requests for information in the course of an investigation
conducted under Sec. 160.306. In such a case, the covered entity will
have been previously notified of the investigation pursuant to Sec.
160.306(c). Similarly, a subpoena would typically be issued in
connection with a compliance review under Sec. 160.308 where the
covered entity had
[[Page 8399]]
failed to respond to HHS's prior requests for information. Thus, we do
not expect the element of surprise to be present, which appears to be
the concern underlying these comments. We clarify in Sec. 160.314(a)
that this section also applies to compliance reviews.
Comment: One comment suggested that Sec. 160.314(a) be revised to
state that the admissibility of written statements obtained by HHS
during an investigational inquiry is subject to 45 CFR 160.518 and
160.538.
Response: We do not consider the suggested language necessary.
Sections 160.518 and 160.538 apply to the exchange and admission of
written statements. Should OCR or CMS seek to have written statements
obtained during an investigation admitted into evidence, those
statements would be subject to the requirements of Sec. Sec. 160.518
and 160.538.
Comment: One comment asked for clarification as to who may amend a
transcript and whether the Secretary has the discretion to limit a
witness's amendment of his or her testimony transcript.
Response: Under Sec. 160.314(b)(9), both sides may propose
corrections to the transcript, and any proposed corrections are
attached to the transcript; the transcript itself is not altered.
Section 160.314(b)(9)(i) provides that, if a witness is provided with a
copy of the transcript, the witness may submit written proposed
corrections to the transcript, or, if the witness is afforded only the
opportunity to inspect the transcript, the witness may propose
corrections to the transcript at the time of inspection. In either
case, the witness's proposed corrections are attached to the
transcript. Similarly, under Sec. 160.314(b)(9)(ii), the Secretary's
proposed corrections are attached to the transcript. The purpose of the
proposed corrections is to make the transcript ``true and accurate.''
See Sec. 160.314(b)(9)(i). Under this process, then, HHS would not be
changing the witness's proposed corrections; HHS would, at most, be
proposing different corrections.
Comment: One comment suggested that Sec. 160.314 be revised to
require HHS to provide for the same protection of protected health
information that is required of covered entities when HHS receives
protected health information during an investigation.
Response: Section 160.310(c)(3) explicitly protects the
confidentiality of protected health information received by HHS ``in
connection with an investigation or compliance review under this
subpart.'' Although these protections are not the same as those
required of covered entities with respect to protected health
information, in some respects they are more stringent, given the
limited circumstances for which the information may be disclosed under
this provision. Because Sec. 160.314 is now part of the subpart, the
restriction of Sec. 160.310(c)(3) applies to protected health
information received during an investigational inquiry. See Sec.
160.314(c), which provides that testimony and other evidence obtained
in an investigational inquiry may only be used ``[c]onsistent with
Sec. 160.310(c)(3) * * *''.
Comment: One comment asked for clarification of the ``good cause''
limitation on a witness's ability to inspect the official transcript of
their testimony.
Response: This provision derives from the Administrative Procedure
Act, which requires, at 5 U.S.C. 555(c), that ``[a] person compelled to
submit data or evidence is entitled to retain or, on payment of
lawfully prescribed costs, procure a copy or transcript thereof, except
that in a nonpublic investigatory proceeding the witness may for good
cause be limited to inspection of the official transcript of his
testimony.'' The ``good cause'' language of this provision has been
explained as follows:
The * * * grant[] to agencies of the right to inhibit access to
testimony in nonpublic investigatory proceedings were in recognition
that such investigations, ``like those of a grand jury, might be
thwarted in certain cases if not kept secret, and that if witnesses
were given a copy of their transcript, suspected violators would be
in a better position to tailor their own testimony to that of the
previous testimony, and to threaten witness about to testify with
economic or other reprisals.''
LaMorte v. Mansfield, 438 F.2d 448, 451 (2d Cir. 1971) (quoting
Commercial Capital Corp. v. S.E.C., 360 F.2d 856, 858 (7th Cir. 1966)).
Comment: Several comments suggested that evidence obtained during
an investigation by HHS should be used only within the scope of that
investigation, not for other matters, as provided for by Sec.
160.314(c).
Response: Section 160.314(c) mirrors the OIG rule. The concept that
HHS may use evidence obtained in an investigation for matters outside
the scope of the investigation is not novel. While we would expect to
be careful in using such information for other purposes, we are legally
obligated to take appropriate action if we obtain clear evidence of
wrongdoing.
9. Section 160.316--Refraining From Intimidation or Retaliation
Proposed rule: Proposed Sec. 160.316, which was taken from Sec.
164.530(g)(2) of the Privacy Rule, would prohibit covered entities from
threatening, intimidating, coercing, discriminating against, or taking
any other retaliatory action against individuals or other persons
(including other covered entities) who complain to HHS or otherwise
assist or cooperate in the enforcement processes created by this rule.
The intent of this addition to subpart C was to make these non-
retaliation provisions applicable to all of the HIPAA rules, not just
the Privacy Rule. A conforming change to Sec. 164.530(g) of the
Privacy Rule was proposed, to cross-reference proposed Sec. 160.316.
Final rule: The final rule adopts the provisions of the proposed
rule, except that the verb ``harass'' is inserted in the introductory
language of this section. The related revision to Sec. 164.530(g) is
adopted without change.
Comment: Two comments asked HHS to strengthen the prohibition on
retaliation and intimidation. The comments express concern that the
current provision is not a sufficient deterrence to covered entities,
particularly payers. One comment suggested that the language be revised
to read in pertinent part as follows: ``A covered entity may not
threaten * * * including not threaten to reduce or eliminate payment,
intimidate, coerce, harass, discriminate against, or take any other
retaliatory action against any individual or other person * * *
including suspending or terminating participation in a Medicaid program
and/or in any other program or network or reducing or eliminating
payment for * * *''. Another comment suggested that persons who engage
in prohibited retaliation or intimidation should be considered to have
``knowingly'' violated the statute and be subject to criminal penalties
under section 1177 of the Act.
Response: We agree with the comment that the actions covered in the
suggested language would constitute intimidation or retaliation under
the appropriate facts, but we think that such claims may be made under
the existing language. However, while harassment is encompassed by the
phrase ``other retaliatory action'' in this section, since harassment
is a form of pressure that is sufficiently different from, and as
objectionable as, the other intimidating or retaliatory acts that are
specifically mentioned, we clarify the section by including it in the
text of the regulation;
[[Page 8400]]
the text of the final rule is revised accordingly.
The statute does not make retaliation or intimidation the subject
of a criminal penalty under section 1177, and we cannot expand the
scope of the criminal provision by regulation. Accordingly, we do not
adopt this suggestion.
Comment: One comment suggested amending the section to require that
a complaint be filed in good faith under Sec. 160.306 and that the
same change be made to the remaining language in proposed Sec.
164.530(g). The comment stated that covered entities should not be
prohibited from firing employees who file false complaints and that
covered health care providers should not be prohibited from terminating
the provider-patient relationship where the patient files a false
complaint.
Response: The good faith of a complainant is currently evaluated by
OCR to the extent it bears upon determining whether a compliance
failure appears to have occurred and the extent to which the complaint
should be investigated. We do not read the rule as prohibiting the
firing of an employee or the termination of a provider-patient
relationship where other legitimate grounds for such action exist;
whether such grounds exist would be a matter to be ascertained in the
course of the investigation.
Comment: Two comments asked HHS to provide examples of retaliation
and/or outline procedures or criteria for how the occurrence of
retaliation will be investigated and determined. One comment asked that
the rule stipulate that an act be considered to be one of retaliation
or intimidation only if it occurred after the filing of a complaint.
Response: Complaints regarding retaliation or intimidation will be
handled in the same manner as investigations regarding other possible
violations of the HIPAA rule, as Sec. 160.316 is considered an
administrative simplification provision for the purposes of imposing a
civil money penalty. Because such situations are likely to be quite
varied and factually complex, we are reluctant to preclude
consideration of events prior to the filing of a complaint that may be
relevant to a claim of retaliation or intimidation. We, thus, retain
the language as proposed.
C. Subpart D--Imposition of Civil Money Penalties
Subpart D of the final rule addresses the issuance of a notice of
proposed determination to impose a civil money penalty and other
actions that are relevant thereafter, whether or not a hearing is
requested following the issuance of the notice of proposed
determination. It also contains provisions on identifying violations,
calculating civil money penalties for such violations, and establishing
affirmative defenses to the imposition of civil money penalties. It,
thus, implements the provisions of section 1176, as well as related
provisions of section 1128A. As noted above, many provisions of subpart
D are based in large part upon the OIG regulations, but we adapt the
language of the OIG regulations to reflect issues presented by, or the
authority underlying, the HIPAA rules.
1. Section 160.402--Basis for a Civil Money Penalty
Section 160.402 sets forth the rules concerning the basis for
liability for a civil money penalty. It includes the rules for
determining liability if more than one covered entity is responsible
for a violation and where an agent of a covered entity is responsible
for a violation.
a. Section 160.402(a)--General Rule
Proposed rule: Proposed Sec. 160.402(a) would require the
Secretary to impose a civil money penalty on any covered entity which
the Secretary determines has violated an administrative simplification
provision, unless the covered entity establishes that an affirmative
defense, as provided for by Sec. 160.410, exists. This provision is
based on the language in section 1176(a) that ``* * * the Secretary
shall impose on any person who violates a provision of this part a
penalty * * * ''. A ``provision of this part'' is considered to be a
requirement or prohibition of the HIPAA statute or rules. See the
discussion of ``administrative simplification provision'' under Sec.
160.302 above.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: A number of comments suggested that the words ``the
Secretary will impose a civil money penalty * * * '' are too strict.
Some comments expressed concern that this language could jeopardize
HHS's ability to resolve a matter informally; other comments questioned
how this language was consistent with the provisions for voluntary
compliance (Sec. 160.304), informal resolution (Sec. 160.312), and
settlement (Sec. 160.416). Most of these comments suggested that the
rule give the Secretary discretion to impose a civil money penalty
instead of making it mandatory.
Response: Section 160.402(a) states the general rule of section
1176(a): If the Secretary determines that a covered entity has violated
an administrative simplification provision, he will impose a civil
money penalty unless a basis for not imposing a penalty under section
1176(b) exists. The use of the words ``shall impose'' in section
1176(a) is more than the mere conveyance of authority to the Secretary
to exercise his discretion where he has made a formal determination
that a covered entity has violated an administrative simplification
provision. Under the procedures set forth in this final rule, the
formal determination is proposed in a notice of proposed determination
under Sec. 160.420. A covered entity may request administrative review
by an administrative law judge of this determination. If the covered
entity does not so request, the proposed determination becomes final.
Many opportunities will precede a determination of a violation,
however, that will permit the Secretary to exercise his discretion to
not impose a penalty. As set forth in Sec. 160.304, the principle for
achieving compliance is to seek voluntary compliance by covered
entities. To implement this principle in complaints and compliance
reviews, Sec. 160.312 provides that the Secretary will attempt to
reach resolution by informal means prior to proposing a determination
under Sec. 160.420 that a covered entity has violated an
administrative simplification provision. If resolution satisfactory to
the Secretary is reached by informal means, the Secretary may exercise
his discretion to close the matter without formally proposing a
determination under Sec. 160.420. The Secretary is also authorized by
section 1128A(f) of the Act, which is incorporated by reference in
section 1176, to exercise discretion to settle any matter. Thus, under
Sec. Sec. 160.416 and 160.514, settlements of civil money penalties
which have been proposed or are being challenged through the
administrative hearing process are possible. The Secretary also has
discretion to waive civil money penalties, in whole or in part, in
certain cases under Sec. 160.412.
The general rule stated in Sec. 160.402(a) that the Secretary will
impose a civil money penalty upon a covered entity if the Secretary
determines that the covered entity has violated an administrative
simplification provision is not at odds with the Secretary's authority
to exercise his discretion pursuant to Sec. Sec. 160.304, 160.312,
160.412, 160.416, and 160.514. However, these exercises of Secretarial
discretion require actions by covered entities. When a covered entity
acts, or fails to act, in ways that do not allow the exercise of
Secretarial discretion not to
[[Page 8401]]
impose a penalty, the Secretary will impose a civil money penalty upon
the covered entity if the Secretary determines that the covered entity
has violated an administrative simplification provision.
Comment: One comment complained that Sec. 160.402(a) does not
allow for early termination of frivolous complaints. The comment stated
that covered entities are locked into paying a civil money penalty or
initiating an expensive and elaborate defense to the complaint.
Response: It is our expectation that complaints that are frivolous
will be resolved at an early stage of the informal resolution process
under Sec. 160.312. A covered entity can facilitate this process by
cooperating with the OCR or CMS investigators on a timely basis.
Comment: One comment suggested that Sec. 160.402(a) be revised to
require HHS to issue a finding that informal resolution is not
sufficient and that a civil money penalty is necessary.
Response: The provision suggested would be redundant. The notice of
proposed determination under Sec. 160.420 essentially fulfills this
function, in that it must state the grounds upon which the Secretary
has decided to impose the penalty.
b. Section 160.402(b)--Violations by More Than One Covered Entity
Proposed rule: Proposed Sec. 160.402(b) provided that, except with
respect to covered entities that are members of an affiliated covered
entity, if the Secretary determines that more than one covered entity
was responsible for violating an administrative simplification
provision, the Secretary will impose a civil money penalty against each
such covered entity. Based on the statutory language in section
1176(a), which states that the Secretary ``* * * shall impose a penalty
* * *'' when there is a determination that an entity has violated a
HIPAA provision, this provision would apply to any two or more covered
entities (other than members of an affiliated covered entity, discussed
below), including, but not limited to, those that are part of a joint
arrangement, such as an organized health care arrangement. The preamble
to the proposed rule noted that the determination of whether or not an
entity is responsible for the violation would be based on the facts and
that, while simply being part of a joint arrangement would not, in and
of itself, make a covered entity responsible for a violation by another
entity in the joint arrangement, it could be a factor considered in the
analysis. See 70 FR 20231.
Proposed Sec. 160.402(b)(2) provided that each covered entity that
is a member of an affiliated covered entity would be jointly and
severally liable for a civil money penalty for a violation by the
affiliated covered entity. An affiliated covered entity is a group of
covered entities under common ownership or control, which have elected
to be treated as if they were one covered entity for purposes of
compliance with the Security and Privacy Rules. See Sec. 164.105(b).
Final rule: The final rule provides that a member of an affiliated
covered entity is jointly and severally liable for a violation by the
affiliated covered entity, unless it is established that another member
of the affiliated covered entity was responsible for the violation.
Comment: Proposed Sec. 160.402(b) was opposed by many on the
ground that it was unfair to make one covered entity liable for a
violation committed by another covered entity. A number of comments
stated that this provision was particularly unfair, when coupled with
the requirement of proposed Sec. 160.426 that the public be notified
of civil money penalties imposed, in that a covered entity that was not
responsible for the violation in question could bear the reputational
injury associated with such notification, due to the operation of
proposed Sec. 160.402(b). One comment pointed out that violations may
not be system-wide, but may be limited to one member of the affiliated
covered entity; in such a situation, it would not be fair to penalize
the other members of the affiliated covered entity.
Response: We agree with these comments to a certain extent and have
changed the final rule accordingly. We agree that, if responsibility
for a violation can be shown to lie with one member of an affiliated
covered entity, that member should be held liable for the violation.
Thus, we have provided that a covered entity member of an affiliated
covered entity may avoid liability if it is established that another
member was responsible for the violation. We suspect that in most
cases, which member was responsible for the violation will be clear--
for example, if four of five members of a covered entity distributed
privacy notices but the fifth member did not, the violations of the
notice distribution requirement of Sec. 164.520 would be attributed to
the fifth member. In such cases, the objections to publication
described above are beside the point, because liability follows
responsibility.
However, we do not agree that the inability to assign specific
responsibility for a violation to one or more members of an affiliated
covered entity should shield all of its members from liability. We
doubt that such situations will arise often, but they may arise where
the affiliated covered entity has failed to take a required act--for
example, where the affiliated covered entity has failed to appoint a
privacy officer. In such a case, all of the members of the affiliated
covered entity bear a share of the responsibility for the failure to
act, since any of them could have presumably taken action to bring the
group, as a whole, into compliance. It is, thus, not unreasonable that
all members of the affiliated covered entity should be jointly and
severally liable for the consequent penalty. Moreover, absent joint and
several liability, each member of the affiliated covered entity would
be separately liable for the penalty for the violation, e.g., the
failure to appoint a privacy officer. Thus, the removal of joint and
several liability may result in greater liability for the members of an
affiliated covered entity in some cases.
Comment: Several comments argued that there is no statutory
authority for holding the members of an affiliated covered entity
jointly and severally liable, in that the statute requires that the
penalty ``shall be imposed on any person who violates a provision * *
*'' and, thus, does not authorize imposition of a penalty on a person
who has not violated a provision of the statute or rules. One comment
argued that proposed Sec. 160.402(b) would violate the due process
clause by imposing liability on entities not responsible for a
violation.
Response: These objections are misplaced. Where, as will usually be
the case, responsibility for the violation is evident and the
responsible party is charged with the violation, they are obviously not
relevant. In the case of other violations, where the responsibility for
the violation is shared by the members of the affiliated covered
entity, as in where the affiliated covered entity fails to take
required actions, they are likewise not relevant. Since each covered
entity member of the affiliated covered entity is responsible for
complying with the rule in question, responsibility for the failure to
act may be properly imputed to each member. Moreover, since an
affiliated covered entity is a type of joint undertaking, it is
reasonable to impute responsibility to the members of the affiliated
covered entity, as is typically done with joint ventures.
Comment: Several comments argued that proposed Sec. 160.402(b)
uses a legal fiction of the Privacy and Security Rules to create
liability where liability would not otherwise exist and substitutes
this fiction for the corporate form and structure that establish the
basis for enterprise liability under U.S. law.
[[Page 8402]]
Another comment stated that this section is inconsistent with the
provision of the HIPAA rules (Sec. 160.105(b)) that defines an
affiliated covered entity as an entity comprised of ``legally
separate'' entities.
Response: We disagree. The affiliated covered entity concept is
more than a legal fiction. It is an operational approach to discharging
certain compliance responsibilities. When covered entities create an
affiliated covered entity, they mutually agree to conduct their
business in a certain manner and hold themselves out to the world as a
joint undertaking. While the Privacy and Security Rules do not
prescribe detailed requirements for how an affiliated covered entity
must be organized, the level of cooperation such an undertaking
necessitates, the requirement for designation, and the requirement of
common ownership or control mean that the participating members will
have entered into an agreement of some sort, whether formal or
informal. We, thus, think that it is properly viewed as a joint
venture.
The fact that an affiliated covered entity is composed of ``legally
separate'' entities is beside the point. Joint and several liability,
as a concept, is imposed on legally separate entities. See, e.g.,
Black's Law Dictionary (8th ed. 2004), liability.
Comment: A number of comments argued that the provision for joint
and several liability would discourage covered entities from setting up
affiliated covered entities. One comment stated that proposed Sec.
160.402(b) represents a change in position by HHS, in that the preamble
to the Privacy Rule, on which many covered entities relied, stated that
covered entities that formed an affiliated covered entity are
``separately subject to liability under this rule.''
Response: Section 160.402(b), as adopted, should allay the concerns
expressed by these comments with respect to the potential exposure to
liability for the members of affiliated covered entities. We think
that, in most cases, which member of an affiliated covered entity is
responsible for a violation will be obvious; where this is the case,
HHS would seek to impose the civil money penalties on that member. Even
if it is not obvious from the violation itself who the responsible
party is, a covered entity may adduce evidence to establish that
responsibility for the violation lies elsewhere, and, if this is shown,
avoid liability. In any event, the establishment of an affiliated
covered entity is not mandated by either the Privacy Rule or the
Security Rule. Rather, establishing an affiliated covered entity is a
business decision to be made by the covered entities involved. The
affiliated covered entity arrangement carries with it certain benefits
for the member entities; any increased exposure to potential liability
under this rule, assuming there is one, should be part of the business
calculus.
In addition, we do not agree that Sec. 160.402(b) is inconsistent
with the position taken in the preamble to the Privacy Rule. Our prior
statement was intended to provide notice that liability for violations
by an affiliated covered entity would devolve onto the member covered
entities of an affiliated covered entity, rather than being attributed
to the affiliated covered entity itself, so that member covered
entities could not avoid liability by arguing that the affiliated
covered entity had committed the violation in question. It was not
intended to indicate the bases upon which that liability would be
determined, which is the purpose of Sec. 160.402(b).
Comment: A couple of comments supported the policy of holding the
members of an affiliated covered entity jointly and severally liable.
One comment supported holding all covered entities in an affiliated
covered entity liable for the violations of one as an efficient
mechanism for highlighting the seriousness of violations of the HIPAA
rules.
Response: For the reasons set forth above, we have not adopted this
policy in the final rule, insofar as responsibility for a violation can
be determined.
Comment: Two comments requested clarification of the maximum amount
of the penalty that will be assessed against an affiliated covered
entity when one of its members has been found noncompliant.
Response: Where responsibility for a violation is allocated to
individual covered entities, each covered entity determined to be
responsible for the violation would be liable for violations of an
identical requirement or prohibition in a calendar year up to the
statutory maximum of $25,000. If responsibility for particular
violations cannot be determined, so that the members of the affiliated
covered entity are jointly and severally liable for the violation, the
maximum that would be imposed for violations of an identical
requirement or prohibition in a calendar year would be $25,000.
Comment: Several comments requested clarification of the statement
in the preamble to the proposed rule that membership in an organized
health care arrangement ``could be a factor considered in the
analysis'' in determining the liability of a member of such arrangement
for a violation. Of particular concern was the potential liability of a
hospital for the actions of physicians with privileges; one comment
noted that the hospital exercises little control over medical staff in
such situations. One comment requested that the final rule clarify that
membership in an organized health care arrangement would not increase a
covered entity's exposure to liability.
Response: As we noted in the preamble to the proposed rule, the
members of an organized health care arrangement would be individually--
not jointly and severally--liable for any violation of the HIPAA rules.
What our preamble statement intended to indicate was that HHS might
have to look carefully at how the organized health care arrangement
operated in determining which member(s) of the organized health care
arrangement was responsible for a particular violation, if that was not
clear at the outset.
c. Section 160.402(c)--Violations Attributed to a Covered Entity
Proposed rule: Proposed Sec. 160.402(c) provided that a covered
entity can be held liable for a civil money penalty based on the
actions of any agent, including a workforce member, acting within the
scope of the agency. This provision derives from section 1128A(l) of
the Act, which is made applicable to HIPAA by section 1176(a)(2) of the
Act. Section 1128A(l) states that ``a principal is liable for penalties
* * * under this section for the actions of the principal's agents
acting within the scope of the agency.'' Under the proposed rule, a
covered entity could be liable for a civil money penalty for a
violation by any agent acting within the scope of the agency, including
a workforce member. (``Workforce'' is defined at Sec. 160.103 as
``employees, volunteers, trainees, or other persons whose conduct in
the performance of work for a covered entity is under the direct
control of such entity, whether or not they are paid by the covered
entity.'') The proposed rule excepted covered entities from liability
for actions of a business associate agent that violate the HIPAA rules,
if the covered entity was in compliance with the HIPAA rules governing
business associates at Sec. Sec. 164.308(b) and 164.502(e). Proposed
Sec. 160.402(c) also provided that the Federal common law of agency
would apply to determine agency issues under this provision.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: A number of comments supported the provision of proposed
Sec. 160.402(c) relating to business
[[Page 8403]]
associates and requested that it be retained in the final rule.
Response: We agree and have done so.
Comment: One comment requested clarification of the liability of a
covered entity for a violation committed by a non-covered entity who is
not a business associate or workforce member, such as researchers,
medical device vendors, and non-covered providers who have treatment
privileges and access to protected health information at a covered
entity's facility. The comment argued that, depending on the
circumstances, such persons may or may not be considered agents.
Response: In general, a ``violation'' cannot occur if the act in
question is not done by a covered entity or its agent, because only
covered entities are subject to the HIPAA rules. For example, if a
permitted or required disclosure of protected health information is
made by a covered entity to a person or entity that is not a workforce
member or business associate, the covered entity would not generally be
responsible for that person's or entity's subsequent use or disclosure
of the information. Thus, if a hospital that is a covered entity
discloses protected health information to a non-covered health care
provider with privileges for treatment of a patient, the hospital would
not be liable for a subsequent use or disclosure by that provider, as
long as the hospital is not also involved in that use or disclosure. If
the provider is an agent of the hospital, however, the hospital's
liability will be determined in accordance with Sec. 160.402(c).
Comment: We requested comment in the proposed rule on whether there
are categories of workforce members whom it would be inappropriate to
treat as agents under Sec. 160.402(c). A number of comments suggested
that independent contractors, volunteers, and students under the
supervision of an academic institution be excluded from the definition
of an agent for whose acts the covered entity could be liable, provided
that the covered entity has given the requisite training to such
persons. The comments indicated that generally covered entities have
less control over such persons than they have over employees.
Response: Whether a person is sufficiently under the control of a
covered entity and acting within the scope of the agency has to be
determined on the facts of each situation, but Sec. 160.402(c) creates
a presumption that a workforce member is an agent of the covered entity
for the member's conduct under the HIPAA rules, such as using and
disclosing protected health information. With regard to whether an
independent contractor is a member of the covered entity's workforce,
the question would be whether the covered entity had direct control
over the independent contractor in the performance of its work for the
covered entity. See Sec. 160.103 (definition of ``workforce''). If the
covered entity does not have direct control over such persons, they do
not fall within the definition of ``workforce.'' Where persons, such as
independent contractors, who are not under the direct control of the
covered entity perform a function or activity that involves the use or
disclosure of individually identifiable health information or a
function or activity regulated by this subchapter on behalf of a
covered entity, such persons would fall within the definition of
``business associate,'' and the covered entity would be required to
comply with the business associate provisions of the Privacy and
Security Rules with regard to such persons. Because of the direct
control requirement in the definition of workforce, we think it is
appropriate for a covered entity to be liable for a violative act of an
independent contractor who is a member of the workforce, that is, who
is under the direct control of the covered entity.
With respect to volunteers and trainees, we note that, while
covered entities may have less control over these persons, they do
control their performance of activities that are governed by the HIPAA
rules, such as access to protected health information. In regard to
privacy, a covered entity is required to train these categories of
workforce members as necessary and appropriate for these volunteers and
trainees to carry out their functions within the covered entity. 45 CFR
164.530(b). This requirement allows a covered entity to adapt its
training to a volunteer's or trainee's scope of duties. For example, a
volunteer who files laboratory results in a medical record will require
training that is different and more extensive than the training given
to a volunteer in the lobby gift shop of a hospital. Section 160.402(c)
is consistent with these distinctions. The acts of volunteers and
trainees will be examined on a case-by-case basis to determine if they
are acting as agents within the scope of their agency. Thus, we think
that it is appropriate to treat volunteers and trainees as persons for
whose acts a covered entity may be liable, if they act as agents for
the covered entity and violate the HIPAA rules within the scope of
their agency.
Comment: One comment recommended that the rule be revised to make
covered entities liable for violations committed by business
associates. The comment suggested that, if a covered entity is not
liable for the actions of its business associates, covered entities
will outsource the handling of protected health information to avoid
liability.
Response: We included the business associate exception in proposed
Sec. 160.402(c)(1)-(3) to make this rule consistent with the business
associate provisions in the Privacy and Security Rules. Changing the
business associate provisions in the Privacy and Security Rules is
outside the scope of this rulemaking. (See the extensive discussion
about business associates in the Privacy Rule and Security Rule
preambles at 65 FR 82503-82507 and 82640-82645, 67 FR 53251-53253, and
68 FR 8358-8361). The satisfactory assurances that are required in
written contracts or arrangements between covered entities and their
business associates are intended to protect the confidentiality of
protected health information handled by business associates. If a
covered entity fails to comply with the business associate provisions
in the Privacy and Security Rules, such as by not entering into the
requisite contracts or arrangements, or by not taking reasonable steps
to cure a breach or end a violation that is known to the covered
entity, the covered entity may be liable for the actions of a business
associate agent. We, therefore, decline to follow the recommendation.
Comment: Two comments suggested that HHS limit its use of the
Federal common law of agency because its application may make a covered
entity liable for the actions of a person, such as an independent
contractor, for whom the covered entity is not liable under state law.
Response: As we stated above, covered entities must comply with the
business associate provisions of the Privacy and Security Rules for
independent contractors who are not under the direct control of the
covered entity and who perform a function or activity that involves the
use or disclosure of individually identifiable health information or a
function or activity regulated by ``this subchapter'' (i.e., the HIPAA
rules) on behalf of a covered entity. If a covered entity complies with
the business associate provisions, the exception from liability in
Sec. 160.402(c) will be applicable. The purpose of establishing the
Federal common law of agency to determine when a covered entity is
vicariously liable for the acts of its agents is to achieve nationwide
uniformity in the implementation of the HIPAA rules by covered entities
and nationwide
[[Page 8404]]
consistency in the enforcement of these rules by HHS. The comments
reinforced our conclusion that reliance on state law could introduce
inconsistency in the implementation of the HIPAA rules by covered
entities in different states. Thus, we retain the Federal common law of
agency as the standard by which agency questions in specific cases will
be determined.
Comment: Two comments requested clarification of how this section
will apply to insurance agents, brokers, and consultants.
Response: Insurance agents, brokers, and consultants who are not
members of the covered entity's workforce but with whom the covered
entity shares protected health information will generally fall within
the definition of ``business associate'' at Sec. 160.103. A covered
entity that complies with the business associate provisions of the
Privacy and Security Rules would not be liable for a violation of those
rules by the business associate pursuant to the liability exception in
Sec. 160.402(c). It is also possible that the insurance agent, broker,
or consultant may be the covered entity's agent in some, but not all,
of his or her activities. An agent or broker may be working on behalf
of an employer to arrange insurance coverage for its employees and not
on behalf of the health insurance issuer that is a covered entity. In
cases where the liability exception for business associates is not
available or not met, the determination of whether an insurance agent,
broker, or consultant is an agent of a covered entity and was acting
within the scope of the agency will be made based on the facts of each
situation.
Comment: One comment argued that covered entities should not be
liable for acts of employees outside the scope of their employment.
Another comment suggested that covered entities should not be liable
for the actions of agents who have been informed of the covered
entity's HIPAA compliance policies, yet act contrary to them. Another
suggested that a covered entity should not be liable for the acts of
agents who, although authorized to disclose protected health
information, disclose it for purposes of sale or with intent to do
harm.
Response: Section 160.402(c), as proposed and adopted, provides
that a covered entity is liable for the acts of an agent acting
``within the scope of the agency.'' This provision necessarily implies
that a covered entity is not liable for its agent's acts outside the
scope of the agency (as determined under the federal common law of
agency). With regard to the comments that suggest that unauthorized
conduct by an agent is outside the scope of the agency, the Federal
common law of agency will be applied to the facts of each case to
determine whether the covered entity is liable for the conduct, even
though it was unauthorized.
Comment: Two comments expressed concern with the role of a Privacy
Officer and his or her liability under this part and the covered
entity's liability for the actions of a Privacy Officer who is a
business associate. One comment suggested that the Privacy Officer
should not incur any additional liability merely by being designated
the Privacy Officer. The other comment requested clarification as to a
covered entity's liability when the covered entity directly controls a
Privacy Officer, if the Privacy Officer is a business associate.
Response: As stated above, the facts of each case will determine
the liability of covered entities for wrongful conduct of their agents
under the HIPAA rules. As a general matter, we think that a Privacy
Officer is an officer of a covered entity for the purposes of the
Privacy Rule and, thus, will likely be the covered entity's agent. As
stated in Sec. 160.402, a covered entity is liable for the acts of its
agent acting within the scope of its agency and, thus, is liable for
any penalties that result from those acts. However, if a Privacy
Officer is a business associate of the covered entity, the liability
exception in Sec. 160.402(c) may apply. A covered entity that is in
compliance with the business associate provisions of the Privacy and
Security Rules will not be liable for a violation of those rules by the
business associate.
2. Section 160.404--Amount of a Civil Money Penalty
Proposed rule: Under proposed Sec. 160.404(a), the penalty amount
would be determined through the method provided for in proposed Sec.
160.406, using the factors set forth in proposed Sec. 160.408, and
subject to the statutory caps reflected in proposed Sec. 160.404(b)
and any reduction under proposed Sec. 160.412. The proposed regulation
would not establish minimum penalties. Proposed Sec. 160.404 would
follow the language of the statute and establish the maximum penalties
for a violation and for violations of an identical requirement or
prohibition during a calendar year, as set forth in the statute--up to
$100 per violation and up to $25,000 for violations of an identical
requirement or prohibition in a calendar year. Proposed Sec.
160.404(b) provided that the term ``calendar year'' means the period
from January 1 through the following December 31.
Under proposed Sec. 160.404(b)(2), a violation of a more specific
requirement or prohibition, such as one contained within an
implementation specification, could not also be counted, for purposes
of determining civil money penalties, as an automatic violation of a
broader requirement or prohibition that entirely encompasses the more
specific one. That is, the Secretary could impose a civil money penalty
for violation of either the general or the specific requirement, but
not both. Proposed Sec. 160.404(b)(2) would not apply where a covered
entity's action results in violations of multiple, differing
requirements or prohibitions within the same HIPAA rule or in
violations of more than one HIPAA rule. Proposed Sec. 160.404(b)(2)
also would not preclude assessing civil money penalties for multiple
violations of an identical requirement or prohibition, up to the
statutory cap.
Final rule: The final rule adopts the provisions of the proposed
rule. Changes to the provisions referenced in this section are
discussed in connection with those provisions.
Comment: While most comments that addressed proposed Sec.
160.404(b)(2) supported it, several comments suggested that a single
set of facts or single activity should not result in the finding of
more than one violation, even of different subparts. According to the
comments, covered entities should not be assessed penalties for
violating more than one provision if all violations arise out of the
same facts or incident. One comment suggested that penalties should not
be doubly assessed for overlapping provisions in other subparts unless
gross misconduct or willful negligence was involved.
Response: We do not count an act that violates overlapping
provisions of a subpart as more than one violation because provisions
that are duplicative in a subpart were written that way as a drafting
convenience and were not intended to establish separate legal
obligations. This rationale, however, does not apply where the legal
obligations are found in different subparts. Further, the different
subparts implement different statutory standards and, thus, impose
separate legal obligations. For example, where a covered entity re-
sells its used computers without scrubbing the hard drives that contain
protected health information, this act may violate several separate
legal obligations under the Security and Privacy Rules: (1) The media
re-use requirement of Sec. 164.310(d)(2)(ii); (2) the safeguards
requirement of Sec. 164.530(c); and (3) to the extent that the
protected health
[[Page 8405]]
information on the drives is accessible by persons to whom it could not
permissibly be disclosed, Sec. Sec. 164.308(a)(4)(i) and 164.502(a).
In such a situation, the act has violated requirements or prohibitions
of different rules promulgated pursuant to different provisions of the
statute, and it is appropriate that such violations be treated
separately. Thus, we decline to extend Sec. 160.404(b)(2) as
suggested.
Further, the same facts may evidence noncompliance with more than
one non-overlapping provision of a subpart and, thus, may result in
multiple violations for which a penalty may be assessed. For example, a
covered entity that makes an impermissible use of protected health
information may also, by virtue of the impermissible use, have violated
the Privacy Rule's minimum necessary and/or reasonable safeguard
provisions.
We also note that, in some cases, a violation of one requirement or
prohibition may produce consequential violations, and such cases would
not come within Sec. 160.404(b)(2). For example, Sec. 164.308(a)
requires covered entities to conduct security risk analyses. The
security risk analysis is the foundation of the covered entity's
security risk management plan and is one of the bases which it must
take into account in deciding not to implement addressable
implementation specifications under the Security Rule. If a covered
entity does not do a security risk analysis, it has no basis for not
implementing the addressable implementation specifications under the
Security Rule, and any failure to implement such specifications could,
thus, be considered a violation. Thus, while the failure to conduct the
security risk analysis would be a violation, albeit a continuing one,
of just one provision, it would necessarily result in other violations,
to the extent the covered entity failed to implement the addressable
implementation specifications of the Security Rule.
Comment: One comment suggested that the costs incurred by the
covered entity as a result of the violation should be considered in
calculating the amount of the penalty.
Response: We do not adopt this suggestion for several reasons.
First, we are not certain what costs the comment is suggesting be
considered--the costs associated with committing the violation, the
costs associated with correcting the violation, or both. Second, the
factors to be considered in determining the amount of the penalty for a
violation are set out at section 1128A(d) and are implemented in this
rule by Sec. 160.408. ``Costs incurred by the covered entity as a
result of the violation'' is not a concept that fits squarely within
any of the statutory factors. Third, to the extent consideration of
such costs is reasonable, it would seem to be relevant only to the
criterion for waiver under Sec. 160.412 (``the extent that payment of
the penalty would be excessive relative to the violation''); insofar as
that criterion weighs the seriousness of the effect of the violation,
costs associated with correcting the violation might in certain
circumstances be a relevant factor to be considered.
3. Section 160.406--Number of Violations
Proposed rule: Proposed Sec. 160.406 would establish the general
rule that the Secretary will determine the number of violations of an
identical requirement or prohibition by a covered entity by applying
any of the variables of action, person, or time, as follows: (1) The
number of times the covered entity failed to engage in required conduct
or engaged in a prohibited act; (2) the number of persons involved in,
or affected by, the violation; or (3) the duration of the violation,
counted in days. Paragraph (a) of this section would require the
Secretary to determine the appropriate variable or variables for
counting the number of violations based on the specific facts and
circumstances related to the violation, and take into consideration the
underlying purpose of the particular HIPAA rule that is violated. More
than one variable could be used to determine the number of violations
(for example, the number of people affected multiplied by the time
(number of days) over which the violation occurred). The Secretary
would have discretion in determining which variable or variables were
appropriate for determining the number of violations. The preamble to
the proposed rule noted that, under this proposal, the policy for
determining which variable(s) to use for which type of violation would
be developed in the context of specific cases rather than established
by regulation and that subsequent cases would be decided consistently
with prior similar cases.
Final rule: The final rule eliminates the provision for variables
and provides that the number of violations of an identical requirement
or prohibition (termed ``identical violations'') will be determined
based on the nature of the covered entity's obligation to act or not
act under the provision violated, such as its obligation to act in a
certain manner, or within a certain time, or with respect to certain
persons. With respect to continuing violations, a separate violation
will be deemed to occur on each day such a violation continues.
Comment: While two comments supported the proposal, many comments
challenged the variable approach of proposed Sec. 160.406 to
determining the number of violations. In particular, several comments
expressed concern over the broad discretion provided to the Secretary
to determine the number of violations, particularly in light of the
fact that the proposed rule would have prohibited the ALJ from
reviewing the Secretary's choice of variable(s). Further, some comments
were concerned that the Secretary could use multiple variables to
determine the number of violations. It was argued that the proposed
approach was unfair in that it (1) did not allow covered entities to
predict the amount of a civil money penalty that would result from a
violation, and (2) could maximize the penalty to the statutory cap in
virtually any case, which could result in very harsh penalties for
relatively minor offenses. Other comments argued that the variable
approach was inconsistent with the policy of proposed Sec.
160.404(b)(2), prohibiting the double counting of overlapping
regulatory requirements, or was inconsistent with HHS's general
approach to voluntary compliance. It was suggested, for example, that
HHS instead could establish one particular calculation method for each
HIPAA rule or specify the types of violations for which HHS would use a
particular method.
Comments also criticized the variable approach as inconsistent with
the definition of ``violation,'' arguing that the person and time
variables have no logical relationship to a failure to comply, and
thus, would not be appropriate for counting violations. Specifically,
it was argued that since a ``violation'' is defined as a failure to
comply with a requirement or prohibition, by definition a violation is
a failure to take a required action or a failure to refrain from doing
a prohibited act, and, thus, is not defined by the period of time
during which such action or inaction occurs or by the number of people
who may be affected by it. Further, several comments argued that the
action/inaction variable was the only one that was consistent with the
statute, so that penalizing covered entities by using other variables
would be penalizing them for violations that, by definition, do not
exist, which would be inconsistent with Congressional intent, as
expressed in section 1176(a), and inappropriate as a matter of public
policy. It was also argued that the time and person variables look at
qualitative issues and attempt to measure the
[[Page 8406]]
importance of an act or omission; they do not measure whether an act is
quantitatively extensive--i.e., repeated or prolonged. It was argued
that qualitative considerations are treated, under the statute, as
aggravating or mitigating factors, not as questions of the quantity of
violations, as is done under the variable approach.
Response: It was not our intent to suggest that the variables we
proposed would be employed in a manner unrelated to the nature of the
underlying violation, as assumed by many of the comments. However,
since we agree that the manner in which the number of identical
violations should be determined will depend on the nature of the
provision violated, and the provision for variables was confusing and
susceptible to misinterpretation, we have eliminated the explicit
requirement to use the person, time, and action variables. The final
rule instead makes clear that the Secretary will determine the number
of identical violations based on the nature of the obligation of the
covered entity to act (or not act) under the provision violated. While
we agree, in principle, that the definition of ``violation'' looks to
an action or a failure to act as the essence of a violation, defining
what particular act or failure to act constitutes the specific
violation in question will necessarily require looking at the
substantive provision involved and determining what the covered entity
was legally obligated to do. We do not agree, in this regard, that the
elements of ``people'' and ``time'' are always irrelevant to a failure
to comply or that consideration of these elements would result in
double counting of violations. Rather, the precise nature of the
covered entity's obligation will, as discussed below, in many cases be
a function of to whom the obligation is owed or the manner in which it
must be performed or other elements. Thus, we include in the regulation
examples of elements that should be considered, as appropriate, in
construing a provision to determine a covered entity's obligation
thereunder. We believe that this approach, under which the number of
violations is grounded in the language of the provision violated, is
wholly consistent with the statutory scheme.
In many cases, applying this principle should not be difficult. For
example, the Privacy Rule requires that covered entities have contracts
or other arrangements in place with their business associates to assure
the privacy of protected health information, and specifies what must
(and may not) be included in the contract or other arrangement to do
so. See Sec. 164.504(e). Two such provisions are that the contract may
not authorize the business associate to use or further disclose the
information in a manner that would violate the Privacy Rule, if done by
the covered entity, and that the contract must provide that the
business associate will use appropriate safeguards to prevent use or
disclosure of the information other than as provided for by the
contract. See Sec. 164.504(e)(2)(i) and 164.504(e)(2)(ii)(B). If a
covered entity enters into five contracts with business associates that
authorize the business associates to use protected health information
in a manner not permitted by the Privacy Rule and that do not require
the business associates to use appropriate safeguards to protect the
information, the covered entity will have committed five violations of
each of the two separate requirements. Similarly, the Transactions Rule
prohibits covered entities from entering into trading partner
agreements that would change the use of a data element in a standard or
add data elements not contained in the standard. See Sec. 162.915(a),
(b). If a health plan were, by trading partner agreement, to require
200 providers to use a data element in a given transaction in a manner
that was inconsistent with the standard, and also required the use of
another data element that was not part of the standard, we would view
each inconsistent requirement in the trading partner agreement as a
separate violation. The regulation prohibits the adoption of certain
terms in trading partner agreements, so each noncompliant term in each
agreement would constitute a separate violation, resulting in 200
violations of each of these requirements.
With respect to the transactions standards themselves, however, we
anticipate defining the requirement violated to be the requirement to
conduct a standard transaction. While one could view each required data
element in a transaction as a separate requirement, because the
Implementation Guide for each transaction is incorporated by reference
into the regulation, one could also view the underlying Implementation
Guides as functioning simply to describe what constitutes compliance in
a particular case, rather than establishing separate compliance
requirements. While we believe that either interpretation of the
Transactions Rule is permissible, we expect to take the latter view of
the Rule, to facilitate the predictability of determining violations
under that Rule. Thus, we would count each noncompliant transaction as
a single violation, regardless of the number of missing data elements.
For example, if a health plan is found to have conducted 200
eligibility transactions which are missing several required data
elements, the health plan would have committed 200 violations of one
identical requirement (i.e., the requirement at Sec. 162.923(a) to
conduct a covered transaction as a standard (i.e., compliant)
transaction).
In some cases, determining how many times a provision has been
violated will be a function of the number of individuals or other
entities affected, because the covered entity's obligation is to act in
a certain manner with respect to certain persons. We include the term
``persons'' in the list of examples in Sec. 160.406 to make clear that
such consideration may be appropriate. It may include not only
individuals, but also other covered entities, their workforce members,
or trading partners, where the obligation in question relates to such
types of persons. For example, assume that a covered entity
impermissibly allows a workforce member to access the protected health
information of 20 patients whose information is stored on a computer
file. The question is whether this set of facts constitutes one
violation or 20 violations of Sec. 164.502(a), which prohibits
impermissible uses or disclosures of protected health information.
Since the covered entity has an obligation with respect to each patient
to protect his or her protected health information, the sharing of the
20 patients' protected health information with the employee constitutes
a separate impermissible use, or violation, of Sec. 164.502(a) with
respect to each patient.
Some provisions embody a requirement or prohibition that is of an
ongoing nature or for which timeliness is an element of compliance. We
characterize violations of such a requirement or prohibition as
continuing violations. In such cases, the covered entity's obligation
to act continues over time, and, if it fails to take the required
action, that failure to comply also cont