HIPAA Administrative Simplification; Enforcement, 20224-20258 [05-7512]
Federal Register / Vol. 70, No. 73 / Monday, April 18, 2005 / Proposed Rules
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991–AB29
HIPAA Administrative Simplification;
Enforcement
AGENCY: Office of the Secretary, HHS.
ACTION: Proposed rule.
SUMMARY: The Secretary of Health and
Human Services is proposing rules for
the imposition of civil money penalties
on entities that violate rules adopted by
the Secretary to implement the
Administrative Simplification
provisions of the Health Insurance
Portability and Accountability Act of
1996, Pub. L. 104–191 (HIPAA). The
proposed rule would amend the existing
rules relating to the investigation of
noncompliance to make them apply to
all of the HIPAA Administrative
Simplification rules, rather than
exclusively to the privacy standards. It
would also amend the existing rules
relating to the process for imposition of
civil money penalties. Among other
matters, the proposed rules would
clarify and elaborate upon the
investigation process, bases for liability,
determination of the penalty amount,
grounds for waiver, conduct of the
hearing, and the appeal process.
DATES: Comments on the proposed rule
will be considered if we receive them at
the appropriate address, as provided
below, no later than June 17, 2005.
ADDRESSES: You may submit comments
by any of the following methods:
• Federal eRulemaking Portal:
https://www.regulations.gov. Include agency
name and ‘‘RIN: 0991–AB29.’’
• E-mail:
CMS0010.Comments@hhs.gov. Include
‘‘RIN: 0991–AB29’’ in the subject line of
the message.
• Mail: U.S. Department of Health
and Human Services, Office of General
Counsel, Attention: HIPAA Enforcement
Rule, 330 Independence Ave., SW.,
Washington, DC 20201.
• Hand Delivery/Courier: Attention:
HIPAA Enforcement Rule, Hubert H.
Humphrey Building, 200 Independence
Avenue, SW., Washington, DC 20201.
Instructions: Because of staff and
resource limitations, we cannot accept
comments by facsimile (FAX)
transmission. For detailed instructions
on submitting comments and additional
information on the rulemaking process,
see the ‘‘Public Participation’’ heading
of the SUPPLEMENTARY INFORMATION
section of this document.
FOR FURTHER INFORMATION CONTACT:
Carol Conrad, (202) 690–1840.
SUPPLEMENTARY INFORMATION:
I. Public Participation
We welcome comments from the
public on all issues set forth in this rule
to assist us in fully considering issues
and developing policies. You can assist
us by referencing the RIN number (RIN:
0991–AB29) and by preceding your
discussion of any particular provision
with a citation to the section of the
proposed rule being discussed.
A. Inspection of Public Comments
Comments received timely will be
available for public inspection as they
are received, generally beginning
approximately 6 weeks after publication
of this document, at the mail address
provided above, Monday through Friday
of each week from 8:30 a.m. to 4 p.m.
To schedule an appointment to view
public comments, call Karen Shaw,
(202) 205–0154.
B. Electronic Comments
We will consider all electronic
comments that include the full name,
postal address, and affiliation (if
applicable) of the sender and are
submitted to either of the electronic
addresses identified in the ADDRESSES
section of this preamble. All comments
must be incorporated in the e-mail
message, because we may not be able to
access attachments. Copies of
electronically submitted comments will
be available for public inspection as
soon as practicable at the address
provided, and subject to the process
described, in the preceding paragraph.
C. Mailed Comments and Hand
Delivered/Couriered Comments
Mailed comments may be subject to
delivery delays due to security
procedures. Please allow sufficient time
for mailed comments to be timely
received in the event of delivery delays.
Comments mailed to the address
indicated for hand or courier delivery
may be delayed and could be
considered late.
D. Copies
To order copies of the Federal
Register containing this document, send
your request to: New Orders,
Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250–7954.
Specify the date of the issue requested
and enclose a check or money order
payable to the Superintendent of
Documents, or enclose your Visa or
Master Card number and expiration
date. Credit card orders can also be
placed by calling the order desk at (202)
512–1800 (or toll-free at 1–866–512–1800)
or by faxing to (202) 512–2250.
The cost for each copy is $10. As an
alternative, you may view and
photocopy the Federal Register
document at most libraries designated
as Federal Depository Libraries and at
many other public and academic
libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is
available from the Federal Register
online database through GPO Access, a
service of the U.S. Government Printing
Office. The web site address is:
https://www.gpoaccess.gov/nara/.
This document is available
electronically at the following web sites
of the Department of Health and Human
Services (HHS): https://www.hhs.gov/ocr/hipaa/
and https://www.cms.gov/hipaa/hipaa2.
F. Response to Comments
Because of the large number of public
comments we normally receive on
Federal Register documents, we are not
able to acknowledge or respond to them
individually. We will consider all
comments we receive in accordance
with the methods described above and
by the date specified in the DATES
section of this preamble. When we
proceed with a final rule, we will
respond to comments in the preamble to
that rule.
II. Background
HHS proposes to amend or renumber
existing rules that relate to compliance
with, and enforcement of, the
Administrative Simplification
regulations (HIPAA rules) adopted by
the Secretary of Health and Human
Services (Secretary) under subtitle F of
Title II of HIPAA (HIPAA provisions).
These rules are codified at 45 CFR part
160, subparts C and E. In addition, this
proposed rule would add a new subpart
D to part 160. The new subpart D would
contain additional rules relating to the
imposition by the Secretary of civil
money penalties on covered entities that
violate the HIPAA rules. The full set of
rules that will ultimately be codified at
subparts C, D, and E of 45 CFR part 160
is collectively referred to in this
proposed rule as the ‘‘Enforcement
Rule.’’ Finally, HHS proposes
conforming changes to subpart A of part
160 and subpart E of part 164.
The statutory and regulatory
background of the proposed rule is set
out below. A description of HHS’s
approach to enforcement of the HIPAA
provisions and the HIPAA rules in
general, the approach of this proposed
rule in particular, and each section of
the proposed rule follows. The preamble
concludes with HHS’s analyses of
impact and other issues under
applicable law.
A. Statutory Background
Subtitle F of Title II of HIPAA,
entitled ‘‘Administrative
Simplification,’’ requires the Secretary
to adopt national standards for certain
information-related activities of the
health care industry. The purpose of
subtitle F is to improve the Medicare
program under title XVIII of the Social
Security Act (Act), the Medicaid
program under title XIX of the Act, and
the efficiency and effectiveness of the
health care system, by mandating the
development of standards and
requirements to enable the electronic
exchange of certain health information.
Section 262 of subtitle F added a new
Part C to Title XI of the Act. Part C
(sections 1171–1179 of the Act, 42
U.S.C. 1320d–1320d–8) requires the
Secretary to adopt national standards for
certain financial and administrative
transactions and various data elements
to be used in those transactions, such as
code sets and certain unique health
identifiers. Recognizing that the
industry trend toward computerizing
health information, which HIPAA
encourages, may increase the
accessibility of that information,
sections 262 and 264 of HIPAA also
require the Secretary to adopt national
standards to protect the security and
privacy of the information.
Under section 1172(a) of the Act, 42
U.S.C. 1320d–1(a), the HIPAA
provisions apply only to—
The following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits
any health information in electronic form in
connection with a transaction referred to in
section 1173(a)(1).
These entities are collectively known as
‘‘covered entities.’’ An additional
category of covered entities was added
by the Medicare Prescription Drug,
Improvement, and Modernization Act of
2003 (Pub. L. 108–173) (MMA). As
added by MMA, section 1860D–31(h)(6)(A)
of the Act, 42 U.S.C. 1395w–141(h)(6)(A),
provides that:
a prescription drug card sponsor is a covered
entity for purposes of applying part C of title
XI and all regulatory provisions promulgated
thereunder, including regulations (relating to
privacy) adopted pursuant to the authority of
the Secretary under section 264(c) of the
Health Insurance Portability and
Accountability Act of 1996 (42 U.S.C. 1320d–2
note).
HIPAA requires certain consultations
with industry as a predicate to the
issuance of the HIPAA standards and
provides that most covered entities have
up to 2 years (small health plans have
up to 3 years) to come into compliance
with the standards, once adopted. The
statute establishes civil money penalties
and criminal penalties for violations.
Act, sections 1172(c) (42 U.S.C. 1320d–1(c)),
1175(b) (42 U.S.C. 1320d–4(b)),
1176 (42 U.S.C. 1320d–5), 1177 (42
U.S.C. 1320d–6). HHS enforces the civil
money penalties, while the U.S.
Department of Justice enforces the
criminal penalties.
HIPAA’s civil money penalty
provision, section 1176(a) of the Act, 42
U.S.C. 1320d–5(a), authorizes the
Secretary to impose a civil money
penalty, as follows:
(1) IN GENERAL. Except as provided in
subsection (b), the Secretary shall impose on
any person who violates a provision of this
part [42 U.S.C. § 1320d et seq.] a penalty of
not more than $100 for each such violation,
except that the total amount imposed on the
person for all violations of an identical
requirement or prohibition during a calendar
year may not exceed $25,000.
(2) PROCEDURES. The provisions of
section 1128A [42 U.S.C. 1320a–7a] (other
than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the
imposition of a civil money penalty under
this subsection in the same manner as such
provisions apply to the imposition of a
penalty under such section 1128A.
For simplicity, we refer throughout this
preamble to this provision, the related
provisions at section 1128A of the Act,
and other related provisions of the Act,
by their Social Security Act citations,
rather than by their U.S. Code citations.
Subsection (b) of section 1176 sets out
limitations on the Secretary’s authority
to impose civil money penalties and
also provides authority for waiving such
penalties. Under section 1176(b)(1), a
civil money penalty may not be
imposed with respect to an act that
‘‘constitutes an offense punishable’’
under the criminal penalty provision.
Under section 1176(b)(2), a civil money
penalty may not be imposed ‘‘if it is
established to the satisfaction of the
Secretary that the person liable for the
penalty did not know, and by exercising
reasonable diligence would not have
known, that such person violated the
provision.’’ Under section 1176(b)(3), a
civil money penalty may not be
imposed if the failure to comply was
due ‘‘to reasonable cause and not to
willful neglect’’ and is corrected within
a certain time. Finally, under section
1176(b)(4), a civil money penalty may
be reduced or entirely waived ‘‘to the
extent that the payment of such penalty
would be excessive relative to the
compliance failure involved.’’
As noted above, HIPAA incorporates
by reference certain provisions of
section 1128A of the Act. Those
provisions, as relevant here, establish a
number of requirements with respect to
the imposition of civil money penalties.
Under section 1128A(c)(1), the Secretary
may not initiate a civil money penalty
action ‘‘later than six years after the
date’’ of the occurrence that forms the
basis for the civil money penalty. Under
section 1128A(c)(2), a person upon
whom the Secretary seeks to impose a
civil money penalty must be given
written notice and an opportunity for a
determination to be made ‘‘on the
record after a hearing at which the
person is entitled to be represented by
counsel, to present witnesses, and to
cross-examine witnesses against the
person.’’ Section 1128A also provides,
at subsections (c), (e), and (j),
respectively, requirements for: service of
the notice and authority for sanctions
which the hearing officer may impose
for misconduct in connection with the
civil money penalty proceeding; judicial
review of the Secretary’s determination
in the United States Court of Appeals
for the circuit in which the person
resides or maintains his/its principal
place of business; and the issuance of
subpoenas by the Secretary and the
enforcement of those subpoenas. In
addition, section 1128A of the Act
contains provisions relating to liability
for civil money penalties and how they
are dealt with, once imposed. For
example, section 1128A(d) provides that
the Secretary must take into account
certain factors ‘‘in determining the
amount * * * of any penalty,’’ section
1128A(h) requires certain notifications
once a civil money penalty is imposed,
and section 1128A(l) makes a principal
liable for penalties ‘‘for the actions of
the principal’s agent acting within the
scope of the agency.’’ These provisions
are discussed more fully below.
B. Regulatory Background
As noted above, HIPAA requires the
Secretary to adopt a number of national
standards to facilitate the exchange, and
protect the privacy and security, of
certain health information. The
Secretary has already adopted many of
these HIPAA standards by regulation.
• Regulations implementing the
statutory requirement for the adoption
of standards for transactions and code
sets, Health Insurance Reform:
Standards for Electronic Transactions
(Transactions Rule), were published on
August 17, 2000 (65 FR 50312), and
were modified on February 20, 2003 (68
FR 8381). The Transactions Rule
became effective on October 16, 2000,
with an initial compliance date of
October 16, 2002 for covered entities
other than small health plans. The
passage of the Administrative
Simplification Compliance Act (ASCA),
Pub. L. 107–105, in 2001 enabled
covered entities to obtain an extension
of the compliance date to October 16,
2003 by filing a compliance plan by
October 15, 2002. If a covered entity
(other than a small health plan) did not
file such a plan, it was required to
comply with the Transactions Rule by
October 16, 2002. All covered entities
were required to be in compliance with
the Transactions Rule, as modified, by
October 16, 2003.
• Regulations implementing the
statutory requirement for the adoption
of privacy standards, Standards for
Privacy of Individually Identifiable
Health Information (Privacy Rule), were
published on December 28, 2000 (65 FR
82462). The Privacy Rule became
effective on April 14, 2001.
Modifications to simplify and increase
the workability of the Privacy Rule were
published on August 14, 2002 (67 FR
53182). Compliance with the Privacy
Rule, as modified, was required by April
14, 2003 for covered entities other than
small health plans; small health plans
were required to come into compliance
by April 14, 2004.
The Privacy Rule adopted rules
relating to compliance and enforcement.
These rules are codified at 45 CFR part
160, subpart C. Subpart C presently
applies only to compliance with, and
enforcement of, the Privacy Rule.
• Regulations implementing the
statutory requirement for the adoption
of an employer identifier standard,
Health Insurance Reform: Standard
Unique Employer Identifier (EIN Rule),
were published on May 31, 2002 (67 FR
38009) and became effective on July 30,
2002. The initial compliance date was
July 30, 2004 for most covered entities;
small health plans have until July 30,
2005 to come into compliance. These
regulations were modified on January
23, 2004 (69 FR 3434), effective the
same date.
• Regulations implementing the
statutory requirement for the adoption
of security standards, Health Insurance
Reform: Security Standards, were
published on February 20, 2003 (68 FR
8334), effective on April 21, 2003. The
initial compliance date for covered
entities other than small health plans is
April 20, 2005; small health plans have
until April 20, 2006 to come into
compliance.
• An interim final rule promulgating
procedural requirements for imposition
of civil money penalties, Civil Money
Penalties: Procedures for Investigations,
Imposition of Penalties, and Hearings
(April 17, 2003 interim final rule), was
published on April 17, 2003 (68 FR
18895), was effective on May 19, 2003,
with a sunset date of September 16,
2004 (as corrected at 68 FR 22453, April
28, 2003). The April 17, 2003 interim
final rule adopted a new subpart E of
part 160. The sunset date of the April
17, 2003 interim final rule was extended
to September 16, 2005 on September 15,
2004 (69 FR 55515).
• Regulations implementing the
requirement to issue standards for a
unique identifier for health care
providers, HIPAA Administrative
Simplification: Standard Unique Health
Identifier for Health Care Providers (NPI
Rule), were issued on January 23, 2004
(69 FR 3434), effective on May 23, 2005.
The compliance date is May 23, 2007 for
most covered entities; small health
plans have until May 23, 2008 to come
into compliance.
In addition to the foregoing
regulations implementing the HIPAA
provisions, HHS has adopted two other
regulations that are relevant, for some
covered entities, to compliance with
those provisions.
• Section 3 of the ASCA amended
section 1862 of the Act to require
Medicare providers, with certain
exceptions, to submit claims to
Medicare electronically (and, thus, in
conformity with the Transactions Rule)
by October 16, 2003. Regulations
implementing section 3, Medicare
Program: Electronic Submission of
Medicare Claims, were published on
August 15, 2003 (68 FR 48805), effective
on October 16, 2003.
• Regulations implementing the
Medicare Prescription Drug Discount
Card program under MMA and the
statutory provision that Medicare
prescription drug discount card
sponsors are covered entities under
HIPAA, were issued on December 15,
2003 (68 FR 69840), effective the same
date. These rules require such sponsors
to comply with the HIPAA rules when
they become sponsors, except and to the
extent that the Secretary temporarily
waives the Privacy Rule requirements,
and provide some rules regarding how
these entities are to comply with the
HIPAA rules. The Secretary has
indicated that he does not anticipate
that it will be necessary to waive the
Privacy Rule requirements and has not
done so. 68 FR 69871.
III. General Approach
As the discussion above makes clear,
the duty to comply with certain HIPAA
rules is now a reality for all covered
entities. The immediacy of the
compliance obligation brings with it the
issue of how these rules will be
enforced. Accordingly, we discuss
below our general approach to
enforcement, how the rules proposed
below would fit in with the existing
components of the Enforcement Rule,
and the basic approach of the proposed
rule.
A. HHS’s General Approach to
Enforcement
One of the Secretary’s priorities is
‘‘One HHS’’: HHS’s public health and
welfare mission and message must be
consistent, and HHS should speak with
one voice. Because of the Secretary’s
One HHS policy and because there is
one statutory provision for imposing
civil money penalties on covered
entities that violate the HIPAA rules,
there is one enforcement and
compliance policy for the HIPAA rules.
We are committed to promoting and
encouraging voluntary compliance with
the HIPAA rules through education,
cooperation, and technical assistance.
Many educational and technical
assistance materials on HIPAA,
including the HIPAA rules, are already
available on HHS’s Web sites. See
https://www.hhs.gov/ocr/hipaa for the
Privacy Rule and https://www.cms.gov/hipaa/hipaa2
for the other HIPAA rules.
We continue to work on educational
and technical assistance materials,
including additional guidance on
compliance and enforcement and
targeted technical assistance materials
focused on particular segments of the
health care industry. We anticipate
developing additional materials relevant
to new HIPAA rules as the need arises.
The authority for administering and
enforcing compliance with the Privacy
Rule has been delegated to the HHS
Office for Civil Rights (OCR). 65 FR
82381 (December 28, 2000). The
authority for administering and
enforcing compliance with the non-privacy HIPAA rules has been delegated
to the Centers for Medicare & Medicaid
Services (CMS). 68 FR 60694 (October
23, 2003).
At present, our compliance and
enforcement activities are primarily
complaint-based. Although our
enforcement efforts are focused on
investigating complaints, they may also
include conducting compliance reviews
to determine if a covered entity is in
compliance. When potential violations
come to our attention through a
complaint or a compliance review, OCR
or CMS’s Office of HIPAA Standards
(OHS), as appropriate, attempts to
resolve the matter informally. Many
such matters are resolved at the initial
stage of contact. However, even where a
matter is not resolved at this initial stage
and the investigation continues, the
matter can still be resolved through
voluntary compliance (for example, by
means of a corrective action plan); and
OCR or CMS may provide technical
assistance to help the covered entity
achieve compliance. Resolving issues
through such informal means is often
the quickest and most effective means of
ensuring that the benefits of the HIPAA
rules are realized. However, if we are
unable to obtain compliance effectively
on matters within our jurisdiction
through voluntary means, we may seek
to impose civil money penalties.
Moreover, matters subject to criminal
penalties are referred to the Department
of Justice.
B. HHS’s Approach to the Enforcement
Rule
The Enforcement Rule would bring
together and adopt rules governing the
implementation of the civil money
penalty authority of section 1176 of the
Act for all of the HIPAA rules. As
previously noted, parts of the
Enforcement Rule are already in place:
subpart C of part 160 establishes certain
investigative procedures for the Privacy
Rule, and subpart E establishes interim
procedures for investigations and for the
imposition of, and challenges to the
imposition of, civil money penalties for
all of the HIPAA rules. This proposed
rule would complete the Enforcement
Rule by addressing, among other issues,
our policies for determining violations
and calculating civil money penalties,
how we will address the statutory
limitations on the imposition of civil
money penalties, and various
procedural issues, such as provisions for
appellate review within HHS of a
hearing decision, burden of proof, and
notification of other agencies of the
imposition of a civil money penalty.
In developing these regulations,
several principles guided our choice of
policies from among the available
options. The Enforcement Rule should
promote voluntary compliance with the
HIPAA rules, be clear and easy to
understand, provide consistent results
in the interest of fairness, provide the
Secretary with reasonable discretion,
particularly in areas where the exercise
of judgment is called for by the statute
or rules, and avoid being overly
prescriptive in areas where it would be
helpful to gain experience with the
practical impact of the HIPAA rules, to
avoid unintended adverse effects.
With respect to many of the
Enforcement Rule’s provisions, we were
also mindful that section 1176(a)
requires the Secretary to apply the
incorporated provisions of section
1128A to the imposition of a civil
money penalty under section 1176 ‘‘in
the same manner as’’ they apply to the
imposition of civil money penalties
under section 1128A itself. As we
explained in the preamble to the April
17, 2003 interim final rule, the
imposition of civil money penalties
under section 1128A is administered by
the HHS Office of the Inspector General
(OIG). Accordingly, the rules proposed
below, like those in the current Subpart
E, generally look to the regulations of
the OIG that implement section 1128A,
which are codified at 42 CFR parts 1003,
1005, and 1006 (OIG regulations).
The Enforcement Rule does not adopt
standards, as that term is defined and
interpreted under HIPAA. Thus, the
requirement for industry consultations
in section 1172(c) of the Act does not
apply. For the same reason, HIPAA’s
time frames for compliance, set forth in
section 1175 of the Act, will not apply
to the Enforcement Rule, when adopted
in final form.
IV. Provisions of the Proposed Rule
The proposed rule would revise 45
CFR part 160 as follows: it would revise
the existing subpart C, adopt a new
subpart D, and revise the existing
subpart E; a minor amendment of
subpart A is also proposed. Subpart A,
which contains general provisions,
would be amended to include a
definition of ‘‘person.’’ Subpart C
includes all provisions that relate to
activities for determining compliance,
including investigations and
cooperation by covered entities. The
proposed revisions of subpart C are
largely technical, incorporating several
provisions currently found in subpart E.
We also propose to make subpart C
applicable to the non-privacy HIPAA
rules. The new subpart D would
establish rules relating to the imposition
of civil money penalties, including
those which apply whether or not there
is a hearing. Subpart D would also
incorporate several provisions currently
found in subpart E. Proposed subpart E
would address the pre-hearing and
hearing phases of the enforcement
process. Many of the provisions of
proposed subpart E were adopted by the
April 17, 2003 interim final rule and
would not be substantively changed,
although they would, in general, be
renumbered.
Finally, a conforming change to the
privacy standards in subpart E of part
164 is proposed. This conforming
change is discussed in connection with
proposed § 160.316 at section IV.B.5
below.
A. Subpart A
We propose to amend § 160.103 to
add a definition of the term ‘‘person.’’
This would replace the definition of that
term adopted by the April 17, 2003
interim final rule. We propose to place
this definition in § 160.103 so that it
applies to all of the HIPAA rules. The
term ‘‘person’’ appears throughout the
HIPAA rules, and the definition of the
term we propose is a universal one that
should work in each of the contexts in
which the term ‘‘person’’ occurs. If the
proposed placement would create
problems, commenters should bring that
to our attention.
In § 160.502 of the April 17, 2003
interim final rule, we defined a
‘‘person’’ as ‘‘a natural or legal person’’
to clarify, in the context of
administrative subpoenas, the
distinction between an entity (defined
as a ‘‘legal person’’) and natural persons
who would testify on the entity’s behalf.
The proposed rule would revise and
expand this definition.
The statutory definition of a ‘‘person’’
that would otherwise apply to the
HIPAA provisions is found in section
1101(3) of the Act. That section, which
has been in the Act since it was
originally enacted in 1935, defines a
person as ‘‘an individual, a trust or
estate, a partnership, or a corporation.’’
However, Part C of title XI specifies that
the class of ‘‘persons’’ to whom the
HIPAA standards apply—health plans,
certain health care providers, and health
care clearinghouses—includes certain
State and federal programs, which are
not included in the definition of
‘‘person’’ in section 1101(3). For
example, section 1171(2) defines a
health care clearinghouse as a ‘‘public
or private’’ entity. Under section
1171(3), a ‘‘health care provider’’ is
defined to include a provider of services
as defined in section 1861(u), for
purposes of the Medicare program. The
definition includes hospitals, which in
turn include State or local government-owned hospitals. Finally, the definition
of ‘‘health plan’’ in section 1171(5)
includes State and federal health plans:
section 1171(5)(A) includes a group
health plan ‘‘as defined in section
2791(a) of the Public Health Service
Act,’’ and this definition includes State
and local governmental group health
plans; section 1171(5)(E) includes ‘‘the
medicaid program under title XIX,’’
which is a State program; and other
provisions of section 1171(5) explicitly
include as health plans various federal
health plans, such as Medicare, the
Federal Employee Benefit Health Plan,
CHAMPUS, and the program of benefits
for veterans. Section 1176, by its terms,
applies to ‘‘any person who violates a
provision of this part.’’ Nothing in this
language suggests that Congress
intended to exempt any class of covered
entities from liability for a civil money
penalty under this section.
Thus, to effectuate Congress’s purpose
in enacting the HIPAA provisions, it is
necessary to define ‘‘person’’
sufficiently broadly to encompass the
entities to which the HIPAA rules
apply. The Supreme Court has
recognized that this is a valid approach
in appropriate instances. See, e.g.,
Lawson v. Suwanee S.S. Co., 336 U.S.
198 (1949). This proposed approach is
also consistent with that taken by the
OIG regulations, the preamble to which
explained that it was necessary to
expand the definition of ‘‘person’’ in the
context of section 1128A of the Act to
include States because of clear
Congressional intent to include them in
the class of entities subject to civil
money penalties. 48 FR 38837, 38828
(August 26, 1983).
Accordingly, the proposed rule
generally tracks the definition of
‘‘person’’ in the OIG regulations. In
particular, by defining the term as ‘‘a
natural person, trust or estate,
partnership, corporation, professional
association or corporation, or other
entity, public or private,’’ the proposed
rule clarifies, consistent with the HIPAA
provisions, that the term includes States
and other public entities. However, we
propose to adapt the language used in
the OIG regulations by substituting the
term ‘‘natural person’’ for the term
‘‘individual’’ in the definition of
‘‘person’’ in the OIG regulations. The
term ‘‘individual’’ is defined in
§ 160.103 as ‘‘the person who is the
subject of protected health
information.’’ Since the term
‘‘individual’’ has a defined, and
narrower, meaning in the HIPAA rules
than it does in the OIG regulations, the
proposed rule uses the term ‘‘natural
person’’ to make the definition of
‘‘person’’ have the same scope as in the
OIG regulations.
B. Subpart C—Compliance and
Investigations
We propose to amend subpart C to
make the compliance and investigation
provisions of the subpart—which at
present apply only to the Privacy Rule—
applicable to all of the HIPAA rules. In
addition, we propose to include in
subpart C the definitions that apply to
subparts C, D, and E. In accordance with
the organizational scheme described
above, we also propose to move to
subpart C from subpart E the provision
relating to investigational subpoenas,
which is currently codified at § 160.504.
The title of this subpart has also been
changed (from ‘‘Compliance and
Enforcement’’) to reflect the focus of this
subpart within the larger Enforcement
Rule. Finally, we propose to add to
subpart C provisions prohibiting
intimidation or retaliation that are
currently found in the Privacy Rule but
not in the other HIPAA rules. Aside
from making conforming changes to
§ 160.312, discussed at section IV.B.3
below, we propose to leave the
substance of the existing provisions of
subpart C unchanged. We solicit
comment as to whether these provisions
should be revised and, if so, in what
manner.
1. Application of Subpart C to the Non-Privacy HIPAA Rules
Subpart C is intended to provide a
cooperative approach to obtaining
compliance, including use of technical
assistance and informal means to
resolve disputes, and currently provides
as follows. Section 160.304 provides
that the Secretary will, to the extent
practicable, seek the cooperation of
covered entities in obtaining
compliance and may provide technical
assistance to this end. Section 160.306
provides for the investigation of
complaints by the Secretary and
provides requirements relating to the
filing of such complaints. Section
160.308 provides for the conduct of
compliance reviews by the Secretary.
Section 160.310 requires covered
entities to keep and submit such records
as the Secretary determines are
necessary to determine compliance and
cooperate with the Secretary in an
investigation or compliance review. A
covered entity must provide access
during normal business hours to their
books and records pertinent to
ascertaining compliance; while we think
such circumstances are very unlikely
ever to arise, a covered entity is also
required, where exigent circumstances
exist, to permit such access at any time
and without notice. This section also
provides that the Secretary may disclose
protected health information obtained
in the course of an investigation or
compliance review only if necessary for
ascertaining or enforcing compliance
with the applicable requirements of the
Privacy Rule or if otherwise required by
law. Section 160.312 addresses
Secretarial action regarding complaints
and compliance reviews. It provides
that where noncompliance is indicated,
the Secretary will attempt to resolve the
matter by informal means wherever
possible and provides for certain
notifications to the covered entity (and
the complainant, if the matter arose
from a complaint).
At present, subpart C applies only to
the Privacy Rule. However, to simplify,
clarify, and reduce the burden of the
compliance process for covered entities,
the proposed rule would make this
subpart applicable to the other HIPAA
rules as well. A uniform regulatory
scheme would simplify the compliance
and enforcement process in the event
that a covered entity violates provisions
of more than one HIPAA rule (for
example, where violations of both the
Privacy Rule and the Security Rule are
at issue) and is also consistent with the
Secretary’s ‘‘One HHS’’ policy.
Accordingly, we propose to amend
the following sections of subpart C to
make them applicable to all of the
HIPAA rules: § 160.300—Applicability;
§ 160.304—Principles for achieving
compliance; § 160.306—Complaints to
the Secretary; § 160.308—Compliance
reviews; and § 160.310—
Responsibilities of covered entities. This
would be accomplished by changing the
present references in these sections from
‘‘subpart E of part 164’’ to the more
inclusive, defined term, ‘‘administrative
simplification provision’’ or
‘‘administrative simplification
provisions,’’ as appropriate.
2. Section 160.302—Definitions
Section 160.302 presently states that
the terms used in subpart C that are
defined in § 164.501 have the same
meaning as defined in that section. The
terms that were initially defined in
§ 164.501 that would continue to be
used in this subpart (‘‘individual,’’
‘‘disclose,’’ ‘‘protected health
information,’’ ‘‘use’’) have subsequently
been moved to § 160.103. The term
‘‘payment’’ is used in this subpart, but
not as defined in § 164.501. Thus, we
propose to delete this text, as it is no
longer appropriate.
We propose to move to § 160.302
three definitions that were adopted in
the April 17, 2003 interim final rule at
§ 160.502: ‘‘ALJ’’, ‘‘civil money penalty
or penalty’’, and ‘‘respondent.’’ These
terms are placed at the outset of the
provisions that address compliance and
enforcement for clarity, since they are
used in more than one of the subparts
that address compliance and
enforcement. We do not discuss these
terms, as we do not propose to change
them. We discuss below two new terms
which we propose to add to § 160.302
and which are likewise used throughout
subparts C, D, and E: ‘‘administrative
simplification provision’’ and ‘‘violation
or violate.’’
a. ‘‘Administrative Simplification
Provision’’
Section 1176(a)(1) provides that,
except as provided in section 1176(b),
the Secretary shall impose ‘‘on any
person who violates a provision of this
part a penalty of not more than $100 for
each such violation, except that the total
amount imposed on the person for all
violations of an identical requirement or
prohibition during a calendar year may
not exceed $25,000.’’ (Emphasis added.)
Based on this statutory language, and
also taking into account the structures of
each of the HIPAA rules, HHS
considered a number of different
options for defining the term ‘‘provision
of this part’’ in section 1176(a)(1) as it
applies to the HIPAA rules.
The HIPAA rules generally are
comprised of standards, implementation
specifications, and requirements and
prohibitions. However, the structure
and composition of the HIPAA rules
with respect to these elements vary. The
Privacy Rule is generally comprised of
standards that contain implementation
specifications and other requirements or
prohibitions. The identifier rules (the
EIN Rule and the NPI Rule) contain
standards and implementation
specifications, and all requirements that
apply to covered entities are in a
standard or an implementation
specification. In the Security Rule, most
requirements are in standards or their
related implementation specifications,
but some requirements are freestanding.
The Transactions Rule contains
requirements and prohibitions, not all of
which are contained in standards and
implementation specifications, and
adopts standards that are also
implementation specifications. The
provisions of subpart C of part 160 that
apply to covered entities are framed as
requirements. The HIPAA rules are
silent as to which of these elements is
a ‘‘provision of this part’’ that may be
violated and for which civil money
penalties may be assessed.
We propose to define a new term—
‘‘administrative simplification
provision’’—to express the scope and
application of the compliance and
investigation provisions, as well as the
enforcement and penalty provisions.
This proposed provision interprets
‘‘provision of this part’’ in section 1176
to refer to any requirement or
prohibition established by the statute or
any of the HIPAA rules that are adopted
under the statute.
In determining how to define a
‘‘provision of this part’’ that could be
violated, we considered options in light
of our goal of implementing a unified
approach with respect to all of the
HIPAA rules. Given the variation in
structure of the HIPAA rules, we sought
an approach which would be flexible
enough to apply to all the rules but
which would not be too complex.
Accordingly, we decided against an
approach that would define the
‘‘provision of this part’’ that could be
violated as either any ‘‘standard,’’ or any
‘‘implementation specification,’’ or
both. These approaches would not have
captured stand-alone requirements or
prohibitions—i.e., those requirements
and prohibitions in the HIPAA rules
that fall outside of the structure of a
standard or implementation
specification. For example, in the
Transactions Rule, the prohibition on a
health plan delaying or rejecting a
transaction that is a standard transaction
(§ 162.925(a)(2)), which implements the
statutory prohibition at section
1175(a)(1)(B), is a stand-alone
requirement. It would be anomalous to
create an enforcement scheme that, in
effect, insulated this provision from
enforcement. These options would also
have resulted in complexity and
inconsistency in the application of the
Enforcement Rule to each of the HIPAA
rules, given their varied structures with
respect to standards and
implementation specifications.
Instead, we propose to define a
‘‘provision of this part’’ that can be
violated as any ‘‘requirement or
prohibition’’ found within the rules,
regardless of whether the requirement or
prohibition falls within a standard,
implementation specification, or
elsewhere in the rules. This definition
flows directly from the statutory
language in section 1176(a)(1) of the
Act, which refers to ‘‘violations of an
identical requirement or prohibition.’’ It
is also a definition that can be applied
consistently across the HIPAA rules,
regardless of how they are structured or
titled. Accordingly, we propose to
define the term ‘‘administrative
simplification provision’’ in § 160.302 to
mean any requirement or prohibition
established by the HIPAA provisions or
HIPAA rules: ‘‘* * * any requirement
or prohibition established by: (1) 42
U.S.C. 1320d–1320d–4, 1320d–7, and
1320d–8; (2) Section 264 of Pub. L. 104–
191; or (3) This subchapter.’’ This
definition would include those
provisions in subpart C which apply to
covered entities.
b. ‘‘Violation’’ or ‘‘Violate’’
Building on this proposed definition
of ‘‘administrative simplification
provision,’’ we propose to define a
‘‘violation’’ (or ‘‘to violate’’) to mean a
‘‘failure to comply with an
administrative simplification
provision.’’ Like the proposed definition
of ‘‘administrative simplification
provision,’’ the proposed definition of
‘‘violation’’ flows directly from the
statutory language: subsections (b)(3)
and (b)(4) of section 1176 equate a
‘‘violation’’ with a ‘‘failure to comply.’’
The proposed definition is likewise one
that can be applied consistently across
the HIPAA rules. This proposed
definition would make no distinction
between commissions and omissions—
that is, a violation occurs when a
covered entity fails to take an action
required by a HIPAA rule, as well as
when a covered entity takes an action
prohibited by a HIPAA rule.
3. Section 160.312—Secretarial Action
Regarding Complaints and Compliance
Reviews
Section 160.312(a) currently provides
that the Secretary will inform the
covered entity and the complainant, if
applicable, if an investigation or
compliance review indicates a failure to
comply and attempt to resolve the
matter by informal means whenever
possible. If the Secretary determines
that the matter cannot be resolved by
informal means, the Secretary may issue
findings to the covered entity and, if
applicable, the complainant.
Like the current § 160.312(a),
proposed § 160.312(a)(1) provides that,
where noncompliance is indicated, the
Secretary would seek to reach a
resolution of the matter satisfactory to
the Secretary by informal means.
Informal means would include
demonstrated compliance, or a
completed corrective action plan or
other agreement. Under this provision,
entering into a corrective action plan or
other agreement would not, in and of
itself, resolve the noncompliance;
rather, the full performance by the
covered entity of its obligations under
the corrective action plan or other
agreement would be necessary to
resolve the noncompliance.
Proposed §§ 160.312(a)(2) and (3)
address what notifications will be
provided by the Secretary where
noncompliance is indicated, based on
an investigation or compliance review.
Notification under this paragraph would
not be required where the only contacts
made were with the complainant, to
determine whether the complaint
warrants investigation. Paragraph (a)(2)
provides for written notice to the
covered entity and, if the matter arose
from a complaint, the complainant,
where the matter is resolved by informal
means. If the matter is not resolved by
informal means, paragraph (a)(3)(i)
requires the Secretary to so inform the
covered entity and provide the covered
entity an opportunity to submit written
evidence of any mitigating factors or
affirmative defenses for consideration
under §§ 160.408 and 160.410; the
covered entity must submit any such
evidence to the Secretary within 30 days
of receipt of such notification.
Paragraph (a)(3)(ii) would revise the
current § 160.312(a)(2) to avoid
confusion with the notice of proposed
determination process provided for at
proposed § 160.420. Where a matter is
not resolved by informal means and the
Secretary finds that imposition of a civil
money penalty is warranted, the formal
finding would be contained in the
notice of proposed determination issued
under proposed § 160.420. See also the
discussion at section V.J below.
Paragraph (b) of the current § 160.312
provides that if the Secretary finds after
an investigation or compliance review
that no further action is warranted, the
Secretary will so inform the covered
entity and, if the matter arose from a
complaint, the complainant. This
section does not apply where no
investigation or compliance review has
been initiated, such as where a
complaint has been dismissed due to
lack of jurisdiction. Paragraph (b) would
remain largely unchanged.
4. Section 160.314—Investigational
Subpoenas and Inquiries
The text of § 160.314 was adopted by
the April 17, 2003 interim final rule as
§ 160.504. We propose to move this
section to subpart C, consistent with our
overall approach of organizing subparts
C, D, and E to reflect the stages of the
enforcement process. Since the
investigational subpoenas and inquiries
occur prior to the imposition of a civil
money penalty, we propose to move the
rules relating to them to subpart C,
where other rules related to this stage of
the process are located. This
organizational arrangement should
facilitate use of the Rule by covered
entities and others.
One substantive change is proposed to
paragraph (a). We would add to the
introductory language of this paragraph
a sentence which states that, for the
purposes of paragraph (a), a person
other than a natural person is termed an
‘‘entity.’’ This permits us to avoid
creating a definition of the term ‘‘entity’’
that would have a broader application
and might be incorrect in other contexts,
but preserves the utility of the definition
in this specific context. The term
‘‘entity’’ would no longer be a defined
term for the rest of the Rule, unlike the
approach taken in § 160.502 of the April
17, 2003 interim final rule.
Proposed paragraphs (b)(1), (2) and (8)
are unchanged from the current
paragraphs (b)(1)—(3) of § 160.504. We
propose to add new paragraphs (3)
through (7) and (9) to § 160.314(b) and
also to add a new paragraph (c).
Together, these additions would clarify
the manner in which investigational
inquiries will be conducted, and how
testimony given, and evidence obtained,
during such an investigation may be
used.
The new paragraphs are based upon
similar provisions in 42 CFR 1006.4.
Proposed §§ 160.314(b)(3)—(7) describe
the rights of the Secretary and the
witness in the inquiry process:
representatives of the Secretary are
entitled to attend and ask questions, a
witness may clarify his or her answers
on the record following questioning by
the Secretary, the witness must place
any claim of privilege on the record,
what requirements apply to the
assertion of objections, and under what
circumstances and how the Secretary
may seek enforcement of the subpoena.
Proposed § 160.314(b)(8) (currently
§ 160.504(b)(3) and which, as noted
above, has not changed) recognizes that
investigational inquiries are non-public
proceedings. Accordingly, a witness’s
right to retain a copy of the transcript
of his or her testimony may be limited
for good cause (5 U.S.C. 555(c)).
Proposed § 160.314(b)(9) explains what
would happen in such a case: The
witness would nonetheless be entitled
to inspect the transcript and to propose
any corrections. If the witness is
provided a copy of the transcript,
paragraph (b)(9)(i) would provide for the
opportunity to review the transcript and
offer proposed corrections. This
provision is consistent with the practice
under Rule 30(e) of the Federal Rules of
Civil Procedure (F.R.C.P.). Paragraph
(b)(9)(ii) would allow the Secretary to
attach corrections to the transcript of a
witness’s testimonial interview if the
record transcribing the interview is
incorrect. Consistent with the practice
under the OIG regulations, this
provision would not permit the
Secretary to propose substantive
changes to the witness’s testimony.
Proposed § 160.314(c) provides that,
consistent with § 160.310, testimony
and other evidence obtained in an
investigational inquiry may be used by
HHS in any of its activities and may be
used or offered into evidence in any
administrative or judicial proceeding.
This provision follows § 1006.4(h) of the
OIG regulations, but is tailored to be
consistent with the existing
§ 160.310(c)(3). Under this provision,
evidence obtained in an investigational
inquiry could be used in any of HHS’s
activities and could be used or offered
into evidence in any administrative or
judicial proceeding, except to the extent
it consists of protected health
information. Evidence that is protected
health information may be disclosed
only ‘‘if necessary for ascertaining or
enforcing compliance with the
applicable administrative simplification
provisions, or if otherwise required by
law,’’ as provided at § 160.310(c).
5. Section 160.316—Refraining From
Intimidation or Retaliation
Proposed § 160.316 would prohibit
covered entities from threatening,
intimidating, coercing, discriminating
against, or taking any other retaliatory
action against individuals or other
persons (including other covered
entities) who complain to HHS or
otherwise assist or cooperate in the
enforcement processes created by this
rule. This provision is taken from
§ 164.530(g)(2) of the Privacy Rule, with
only minor changes designed to adapt
the provision to the new subparts which
this rule would add. The intent of this
addition to subpart C is to make these
non-retaliation provisions applicable to
all of the HIPAA rules, not just the
Privacy Rule. The placement of these
provisions in subpart C accomplishes
this.
Section 164.530(g) would retain
existing provisions which provide that a
covered entity may not intimidate,
threaten, coerce, discriminate against, or
take other retaliatory action against an
individual for exercising his or her
rights or for participating in any process
established by the Privacy Rule,
including filing a complaint with a
covered entity. A conforming change to
§ 164.530(g) of the Privacy Rule is
proposed, to cross-reference proposed
§ 160.316.
As with other provisions of subpart C
that impose requirements or
prohibitions on covered entities, the
provisions of § 160.316 are
‘‘administrative simplification
provisions.’’ Thus, a violation of a
requirement or prohibition of this
section would be a basis for imposition
of a civil money penalty.
C. Subpart D—Imposition of Civil
Money Penalties
Proposed subpart D addresses the
issuance of a notice of proposed
determination to impose a civil money
penalty and other events that would be
relevant thereafter, whether or not a
hearing follows the issuance of the
notice of proposed determination. This
subpart also would contain provisions
on identifying violations, determining
the number of violations, calculating
civil money penalties for such
violations, and establishing affirmative
defenses to the imposition of civil
money penalties. It would, thus,
implement the provisions of section
1176, as well as related provisions of
section 1128A. As noted above, many
provisions of the Rule are based in large
part upon the OIG regulations, but, as
with subpart E, we propose to adapt the
OIG language to reflect issues presented
by, or the authority underlying, the
HIPAA rules.
1. Section 160.402—Basis for a Civil
Money Penalty
Proposed § 160.402(a) would require
the Secretary to impose a civil money
penalty on any covered entity which the
Secretary determines has violated an
administrative simplification provision,
unless the covered entity establishes
that an affirmative defense, as provided
for by § 160.410, exists. See the
discussion at section IV.C.3 below. This
provision is based on the language in
section 1176(a) that ‘‘* * * the
Secretary shall impose on any person
who violates a provision of this part a
penalty * * *’’. This proposed
provision interprets ‘‘provision of this
part’’ in section 1176(a)(1) to refer to
any requirement or prohibition
established by the statute or any of the
HIPAA rules that are adopted under the
statute. See the discussion of the
definitions of ‘‘administrative
simplification provision’’ and
‘‘violation’’ in section IV.B.2 above.
The use of the term ‘‘shall impose’’ in
section 1176(a) is more than a mere
conveyance of authority to the Secretary
to impose a penalty for a violation of an
administrative simplification provision.
If the Secretary finds in a notice of
proposed determination that a covered
entity has violated an administrative
simplification provision, he is required
to impose a penalty unless a basis for
not imposing the penalty under section
1176 exists. Section 1176(a) does not
limit the Secretary’s discretion to
encourage a covered entity to come into
compliance voluntarily, to close a case
without issuing a notice of proposed
determination if voluntary compliance
is obtained, or to set the amount of the
penalty below the statutory caps. Nor
does section 1176(a) limit the
Secretary’s discretion to settle any
matter, including cases in which a civil
money penalty has been proposed or
which are in hearing. The first sentence
of section 1128A(f) of the Act, which is
incorporated by reference in section
1176, states, in part, ‘‘Civil money
penalties * * * imposed under this
section may be compromised by the
Secretary * * *’’. Therefore, the
Secretary may settle a case even after a
civil money penalty has been proposed.
a. Section 160.402(b)—Violations by
More than One Covered Entity
The proposed rule includes a
provision, at § 160.402(b), that addresses
what would happen if multiple covered
entities were responsible for violating a
HIPAA provision. Proposed
§ 160.402(b)(1) provides that, except
with respect to covered entities that are
members of an affiliated covered entity,
if the Secretary determines that more
than one covered entity was responsible
for violating an administrative
simplification provision, the Secretary
will impose a civil money penalty
against each such covered entity.
Proposed § 160.402(b)(2) provides that
each covered entity that is a member of
an affiliated covered entity would be
jointly and severally liable for a civil
money penalty for a violation by the
affiliated covered entity.
Proposed § 160.402(b)(1) is based on a
similar provision in the OIG regulations
at 42 CFR 1003.102(d). It differs from
the OIG provision in that this proposed
provision requires the imposition of a
penalty on each covered entity that the
Secretary determines has violated an
administrative simplification provision,
rather than giving the Secretary
discretion to determine whether to
impose a civil money penalty on one or
all. This is based on the statutory
language in section 1176(a) which states
that the Secretary ‘‘* * * shall impose
a penalty * * *’’ when there is a
determination that an entity has
violated a HIPAA provision. As
discussed above, the language in the
statute mandates the imposition of a
penalty in appropriate situations where
there has been a finding of a violation.
However, nothing in this section would
limit the Secretary’s ability to exercise
enforcement discretion to investigate
only one covered entity, to encourage
one or more covered entities to come
into compliance, to close a case against
one or more covered entities without
issuing a notice of proposed
determination if voluntary compliance
is obtained, or to set the amount of the
penalty differently for each covered
entity when multiple covered entities
are responsible for violating an
administrative simplification provision,
to the extent section 1176 and this Rule
would allow.
With the exception of affiliated
covered entity arrangements, this
provision may apply to any two covered
entities, including, but not limited to,
those that are part of a joint
arrangement, such as an organized
health care arrangement. The
determination of whether or not an
entity is responsible for the violation
would be based on the facts. Simply
being part of a joint arrangement would
not, in and of itself, make a covered
entity responsible for a violation by
another entity in the joint arrangement,
although it may be a factor considered
in the analysis.
Proposed § 160.402(b)(2) provides that
each covered entity that is a member of
an affiliated covered entity would be
jointly and severally liable for a civil
money penalty for a violation by the
affiliated covered entity. An affiliated
covered entity is a group of covered
entities under common ownership or
control, which have elected to be treated
as if they were one covered entity for
purposes of compliance with the
Security and Privacy Rules. See 45 CFR
164.105(b). Electing to become an
affiliated covered entity may reduce the
administrative burden and create certain
efficiencies with respect to compliance.
There is no requirement to form an
affiliated covered entity; the entities that
choose to form an affiliated covered
entity must designate themselves as
such and must document the
designation in writing.
The December 2000 Privacy Rule
stated as follows with respect to the
liability of the component covered
entities of an affiliated covered entity:
‘‘The covered entities that together make
up the affiliated covered entity are
separately subject to liability under this
rule.’’ 65 FR 82503. We clarify this
language in the proposed rule. Under
proposed § 160.402(b)(2), each covered
entity that is a member of an affiliated
covered entity would be jointly and
severally liable for a civil money
penalty for a violation by the affiliated
covered entity. This means that we
could enforce a violation of the Security
Rule or Privacy Rule by an affiliated
covered entity against any covered
entity member of the affiliated covered
entity separately or against all of the
covered entity members of the affiliated
covered entity jointly. The reason for
joint and several liability is that the
affiliated covered entity is treated,
under the Security and Privacy Rules, as
one entity. Thus, it may be impossible
to know or prove which covered entity
within an affiliated covered entity is
responsible for a violation, particularly
in the case of a failure to act. For
example, if an affiliated covered entity
fails to appoint a privacy official as
required by § 164.530(a)(1)(i), it may be
impossible to identify one entity as
responsible for the omission.
Proposed § 160.402(b)(2) differs from
proposed § 160.402(b)(1) in two ways.
First, no covered entity in an affiliated
covered entity could avoid a civil
money penalty by demonstrating that it
was not responsible for the act or
omission constituting the violation or
that another covered entity member of
the affiliated covered entity was the
culpable entity. Second, the maximum
penalty that could be imposed on all
members of the affiliated covered entity
for identical violations in a calendar
year would be the maximum allowed for
one covered entity—$25,000. By
contrast, under § 160.402(b)(1), if more
than one covered entity were
responsible for a violation of an
administrative simplification provision,
each covered entity would be treated as
separately violating the provision, and
each could be assessed the maximum
penalty of $25,000 in a calendar year for
sufficient identical violations.
b. Section 160.402(c)—Violations
Attributed to a Covered Entity
Under section 1176(a)(2), ‘‘the
provisions of section 1128A * * * shall
apply to the imposition of a civil money
penalty under [HIPAA] in the same
manner as such provisions apply to the
imposition of a penalty under such
section 1128A.’’ Section 1128A(l) of the
Act addresses the liability of a covered
entity for violations committed by an
agent. It states that ‘‘a principal is liable
for penalties * * * under this section
for the actions of the principal’s agents
acting within the scope of the agency.’’
This is similar to the traditional rule of
agency in which principals are
vicariously liable for the acts of their
agents acting within the scope of their
authority. See Meyer v. Holley, 537 U.S.
280 (2003). The preamble to the
December 2000 Privacy Rule discussed
the applicability of section 1128A(l) as
follows:
we note that section 1128A(l) of the Social
Security Act, which applies to the imposition
of civil monetary penalties under HIPAA,
provides that a principal is liable for
penalties for the actions of its agent acting
within the scope of the agency. Therefore, a
covered entity will generally be responsible
for the actions of its employees such as
where the employee discloses protected
health information in violation of the
regulation.
65 FR 82603.
We clarify in proposed § 160.402(c)
that, in the context of the HIPAA rules,
this means that a covered entity
generally can be held liable for a civil
money penalty based on the actions of
any agent, including an employee or
other workforce member, acting within
the scope of the agency or employment.
A business associate will often be an
agent of a covered entity, but, as
discussed below, a covered entity that
complies with the HIPAA rules
governing business associates will not
be held liable for a business associate’s
actions that violate the rules.
i. Federal Common Law of Agency
A principal’s liability for the actions
of its agents is generally governed by
State law. However, the Supreme Court
has provided that the federal common
law of agency may be applied where
there is a strong governmental interest
in nationwide uniformity and a
predictable standard and when the
federal rule in question is interpreting a
federal statute. Burlington Indus. v.
Ellerth, 524 U.S. 742 (1998). Here, there
is a strong interest in nationwide
uniformity. The fundamental goal of the
HIPAA provisions is to achieve
standardization of certain health care
transactions, to standardize certain
security practices, and to set a federal
floor of privacy practices, in order to
increase the efficiency and effectiveness
of the health care system. Therefore, it
is essential for HHS to apply one
consistent body of law regardless of
where an action is brought. The same
considerations support a strong federal
interest in the predictable operation of
the standards, to ensure that the various
covered entities operating thereunder
can do so consistently so as to facilitate
the legitimate exchange of information.
Finally, the HIPAA rules interpret a
federal statute, the HIPAA provisions.
Thus, the tests for application of the
federal common law of agency are met
here. Accordingly, proposed
§ 160.402(c) contains specific language
to make clear that the federal law of
agency applies.
Where the federal common law of
agency applies, the courts often look to
the Restatement (Second) of Agency
(1958) (Restatement) as a basis for
explaining the common law’s
application. While the determination of
whether an agent is acting within the
scope of its authority must be decided
on a case-by-case basis, the Restatement
provides guidelines for this
determination. Section 229 of the
Restatement provides:
(1) To be within the scope of the
employment, conduct must be of the same
general nature as that authorized, or
incidental to the conduct authorized.
(2) In determining whether or not the
conduct, although not authorized, is
nevertheless so similar to or incidental to the
conduct authorized as to be within the scope
of employment, the following matters of fact
are to be considered;
(a) Whether or not the act is one commonly
done by such servants;
(b) The time, place and purpose of the act;
(c) The previous relations between the
master and the servant;
VerDate jul<14>2003
16:15 Apr 15, 2005
Jkt 205001
PO 00000
Frm 00010
Fmt 4701
Sfmt 4702
(d) The extent to which the business of the
master is apportioned between different
servants;
(e) Whether or not the act is outside the
enterprise of the master or, if within the
enterprise, has not been entrusted to any
servant;
(f) Whether or not the master has reason to
expect that such an act will be done;
(g) The similarity in quality of the act done
to the act authorized;
(h) Whether or not the instrumentality by
which the harm is done has been furnished
by the master to the servant;
(i) The extent of departure from the normal
method of accomplishing an authorized
result; and
(j) Whether or not the act is seriously
criminal.
In some cases, under federal agency
law, a principal may be liable for an
agent’s acts even if the agent acts
outside the scope of its authority. Rest.
2nd Agency § 219(2). However,
proposed § 160.402(c) would follow
section 1128A(l), which limits liability
for the actions of an agent to those
actions that are within the scope of the
agency.
ii. Agents
Various categories of persons may be
agents of a covered entity. These are
workforce members, business associates,
and others. ‘‘Workforce’’ is defined as
‘‘employees, volunteers, trainees, and
other persons whose conduct, in the
performance of work for a covered
entity, is under the direct control of
such entity, whether or not they are
paid by the covered entity.’’ 45 CFR
160.103. Because of the ‘‘direct control’’
language of the rule, we believe that all
workforce members, including those
who are not employees, are agents of a
covered entity. This conclusion is
consistent with the requirements at
§§ 164.308(a)(5) and 164.530(b) for a
covered entity to train all workforce
members and with the requirement at
§ 164.514(d)(2) for a covered entity to
adopt minimum necessary policies and
procedures for use of protected health
information by all workforce members.
The workforce may include an
independent contractor; as explained in
the preamble to the Privacy Rule,
independent contractors ‘‘may or may
not be workforce members.’’ 65 FR
82480. Under the proposed rule, a
covered entity could be liable for a civil
money penalty for a violation by any
workforce member, whether an
employee, contractor, volunteer, trainee,
etc., acting within the scope of his or
her employment or agency. We
specifically request comment on
whether there are categories of
workforce members whom it would be
inappropriate to treat as agents under
§ 160.402(c).
The definition of the term ‘‘business
associate,’’ set forth at § 160.103,
includes any agents of a covered entity,
other than members of its workforce,
that perform on its behalf any function
or activity regulated by the HIPAA rules
or perform certain specified services for
the covered entity that involve the use
or disclosure of protected health
information. Under the Security and
Privacy Rules, the covered entity may
disclose protected health information to
the business associate, and allow the
business associate to create or receive
protected health information on its
behalf, if the covered entity complies
with relevant requirements to obtain
satisfactory assurances that the business
associate will appropriately safeguard
the information. In particular,
§§ 164.308(b) and 164.502(e) of the
HIPAA rules require covered entities
using the services of business associates
to obtain satisfactory assurances, by a
written contract or other arrangement,
that the business associate will
safeguard the protected health
information. If the covered entity
complies with these requirements, then
it can protect itself from what could
otherwise be liability for actions of its
agent business associates that violate the
HIPAA rules. As specified in
§§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii),
even if a covered entity knows of a
pattern of activity or practice by the
business associate that constitutes a
material breach or violation of the
business associate’s obligations under
the contract, the covered entity will not
be considered to be in violation of the
regulations if it takes certain actions. If
the covered entity fails to take these
steps, however, it is outside the safe
harbor provided by the Security and
Privacy Rules and may be subject to
penalty.
Some business associates are also
covered entities. Health care
clearinghouses are one example of this
situation, but a covered health care
provider or a health plan may also act
as a business associate of another
covered entity. The business associate
provisions of the Security and Privacy
Rules provide that where one covered
entity acts as the business associate of
another covered entity and violates the
satisfactory assurances it provided as a
business associate, it is separately liable
for violation of the business associate
provisions of the Security and Privacy
Rules. See §§ 164.308(b)(3) and
164.502(e)(1)(iii). If the act or omission
that resulted in a breach of the business
associate contract by the covered entity
business associate would also constitute
a violation of an underlying provision of
the Security or Privacy Rule by that
covered entity business associate, it
would be in violation of the underlying
provision as well.
To make this proposed rule consistent
with the business associate provisions
of the HIPAA rules, the proposed rule
would carve out from the provision for
vicarious liability those actions by a
business associate that would be
shielded by the business associate
provisions of the Security and Privacy
Rules. Thus, a covered entity that is in
compliance with the business associate
provisions of the Security and Privacy
Rules would not be liable for a violation
of those rules by the business associate,
even though the business associate is
the covered entity’s agent and was
acting within the scope of its agency
when it violated the rule. We recognize
that in many cases, a business associate
contract may establish an agency
relationship. However, there may also
be situations in which the business
associate may not be an agent. For
example, the Privacy Rule permits a
covered entity to rely, if such reliance
is reasonable, on the request of a
professional who is a business associate
as the minimum necessary. This
suggests that a business associate may
not always be sufficiently under the
direct control of the covered entity to
qualify as an agent.
HHS has issued guidance stating that
a covered entity is not required to
monitor the activities of its business
associate:
The HIPAA Privacy Rule requires covered
entities to enter into written contracts or
other arrangements with business associates
which protect the privacy of protected health
information; but covered entities are not
required to monitor or oversee the means by
which their business associate carry out
privacy safeguards or the extent to which the
business associate abides by the privacy
requirements of the contract. Nor is the
covered entity responsible or liable for the
actions of its business associates. However, if
a covered entity finds out about a material
breach or violation of the contract by the
business associate, it must take reasonable
steps to cure the breach or end the violation,
and, if unsuccessful, terminate the contract
with the business associate. If termination is
not feasible (e.g., where there are no other
viable business alternatives for the covered
entity), the covered entity must report the
problem to the Department of Health and
Human Services Office for Civil Rights.
FAQ Answer ID # 236 at www.hhs.gov/
ocr/hipaa, entitled ‘‘Is a covered entity
liable for, or required to monitor, the
actions of its business associates?’’
(Click on the link for Answers to Your
Frequently Asked Questions, and then
select and search on the subcategory for
Business Associates.) Proposed
§ 160.402(c) is consistent with this
guidance. If the covered entity complies
with the applicable business associate
provisions, the covered entity will not
be held liable for the actions of its
business associate. Concomitantly, if the
covered entity fails to comply with
those provisions, such as by not
entering into the requisite arrangements
or contracts, or by not taking reasonable
steps to cure the breach or end the
violation, it could be held liable under
proposed § 160.402(c) for the actions of
its business associate agent.
2. Sections 160.404, 160.406, 160.408—
Calculation of Penalties
a. Section 160.404—Amount of a Civil
Money Penalty
Section 1176(a)(1) establishes
maximum penalty amounts for
violations. The statute provides a
maximum penalty of ‘‘not more than
$100’’ for each violation (see section
IV.B.2 above for the discussion of
‘‘violation’’), and the penalty imposed
on a covered entity ‘‘for all violations of
an identical requirement or prohibition
during a calendar year may not exceed
$25,000.’’
The statute establishes only maximum
penalty amounts, so the Secretary has
the discretion to impose penalties that
are less than the statutory maximum.
This proposed regulation would not
establish minimum penalties. Under
proposed § 160.404(a), the penalty
amount would be determined through
the method provided for in proposed
§ 160.406, using the factors set forth in
proposed § 160.408, and subject to the
statutory caps reflected in proposed
§ 160.404(b) and any reduction under
proposed § 160.412.
Proposed § 160.404 would follow the
language of the statute and establish the
maximum penalties for a violation and
for identical violations during a
calendar year, as set forth in the
statute—up to $100 per violation and up
to $25,000 for identical violations in a
calendar year. Proposed § 160.404(b)
makes clear that the term ‘‘calendar
year’’ means the period from January 1
through the following December 31.
An identical violation is a violation of
the same requirement or prohibition in
one of the HIPAA rules or in the statute.
It is based on the provision of the
regulation or statute that has been
violated and not on whether the
violations relate to the same
individual’s protected health
information, the same transaction, or are
with the same trading partner. For
example, assume that a health plan
includes in its trading partner
agreements a provision that requires the
submission of a data element that is not
included in the implementation guides
for transactions covered by the
agreement and requires 7,500 different
trading partners to sign such agreements
in a calendar year. Inclusion of the
provision violates § 162.915(b), which
prohibits covered entities from entering
into a trading partner agreement which
adds any data element or segments to
the maximum defined data set. If the
penalty is assessed at $100/violation,
the total penalty for all such violations
would amount to $750,000 ($100 x
7500). However, the maximum penalty
that may be assessed for the calendar
year for those violations is $25,000,
because they all relate to the same
prohibition. This is the case even
though the violations involve 7,500
different trading partners.
b. Section 160.404(b)(2)—Violations of
Repeated or Overlapping Provisions in a
HIPAA Rule
Some requirements or prohibitions in
the provisions of a HIPAA rule may be
repeated in, or may overlap, other
provisions in the same rule. We propose
§ 160.404(b)(2) to make clear that a
violation of a more specific requirement
or prohibition, such as one contained
within an implementation specification,
is not also counted, for purposes of
determining civil money penalties, as an
automatic violation of a broader
requirement or prohibition that entirely
encompasses the more specific one, in
that such duplicative requirements
generally reflect considerations of
drafting and not of substance. Under
this proposal, the Secretary could
impose a civil money penalty for
violation of either the general or the
specific requirement, but not both.
For example, if, after the applicable
compliance date for the Security Rule,
a covered entity violates the
requirement to implement policies and
procedures for facility access controls at
§ 164.310(a)(1), the covered entity will
also have violated the Security Rule’s
provision at § 164.316(a), which is the
general standard requiring the
implementation of policies and
procedures. Similarly, if a covered
entity fails to implement minimum
necessary policies and procedures for
uses of protected health information as
required by the implementation
specification at § 164.514(d)(2) of the
Privacy Rule, the covered entity also has
violated the minimum necessary
standard at § 164.514(d)(1), which
requires compliance with the
implementation specification. In these
two examples, the proposed provision
would treat the act or omission as a
violation of only one of the identified
administrative simplification
provisions, not both, for purposes of
imposing civil money penalties.
Proposed § 160.404(b)(2) would not
apply where a covered entity’s action
results in violations of multiple,
differing requirements or prohibitions
within the same HIPAA rule, however.
The following is an example: due to
inadequate safeguards, a covered entity
uses protected health information in a
manner prohibited by the Privacy Rule.
Civil money penalties may be imposed
on the covered entity for its violation of
the use provision in § 164.502(a), as
well as for its violation of the safeguards
requirement in § 164.530(c).
Proposed § 160.404(b)(2) would also
not apply where a covered entity’s
action may result in a violation of more
than one HIPAA rule; for example,
failure to adopt administrative
safeguards may violate both the Privacy
Rule (§ 164.530(c)) and the Security
Rule (§ 164.308). In such a case, more
than one regulatory standard has been
violated, and the Secretary may assess a
penalty under both HIPAA rules. The
proposed provision is limited to
duplicate provisions in the same
subpart, or HIPAA rule, and would not
apply to limit civil money penalties for
violations of more than one HIPAA rule.
Proposed § 160.404(b)(2) would also
not preclude assessing civil money
penalties for multiple violations of an
identical requirement or prohibition.
c. Section 160.406—Number of
Violations
As stated above, section 1176(a)
provides a maximum penalty for
identical violations by a covered entity
in a calendar year. However, in many
cases, it may not be clear exactly how
to quantify the number of violations.
Furthermore, the types of requirements
and prohibitions vary among and within
the HIPAA rules—for example,
requirements to adopt policies and
procedures versus requirements to
conduct transactions in standard format.
There are various possible measures,
or variables, that can be used to count
violations, and different laws use one or
multiple approaches. See, e.g., 42 CFR
part 488, subpart F. In the context of the
HIPAA rules, there are three basic
variables that seem reasonable to use in
calculating the number of violations that
have occurred—(1) the number of
impermissible actions or failures to take
required actions, (2) the number of
persons involved, and (3) the amount of
time during which the violation
occurred.
i. Variables
Actions—The number of violations
could be based on the number of times
a covered entity takes a prohibited
action (commission) or the number of
times a covered entity fails to take a
required action (omission). The ‘‘action’’
variable seems likely to be a workable
variable for determining the number of
violations where the acts in question are
discrete and/or repetitive, such as could
be the case with the Transactions Rule.
However, the ‘‘action’’ variable may
have a very different result in other
circumstances. For example, if a
covered entity fails to implement a
required policy, there is only one failure
to act, and, therefore, using this
variable, the number of violations of the
requirement would be one, even though
such a failure to act might have
extended over a long period of time, be
intentional, and have serious
consequences for other entities or
individuals. Thus, the ‘‘action’’ variable
might not be appropriate in many
circumstances.
Persons—The number of violations
could be measured in terms of the
number of persons involved or affected.
Persons may be natural persons or
entities, and violations could be
counted in terms of one of four
categories of persons.
• Individuals who are the subject of
protected health information—for
example, the number of individuals
who did not receive access to their
records.
• Employees for whom the covered
entity has an obligation—for example,
the number of employees who
improperly took one or more
impermissible actions, such as
improperly using protected health
information.
• Persons who receive information in
violation of the rules—for example, the
number of employees who have access
to protected health information but who
should not have such access, either in
violation of the covered entity’s
minimum necessary policies or in
violation of its access control security
procedures.
• Other persons affected by the
violation—for example, the number of
providers affected by an impermissible
health plan requirement that providers
use codes not permitted under subpart
J of the Transactions Rule.
Using the ‘‘person’’ variable to
determine the number of violations of a
HIPAA rule may or may not be an
appropriate approach, depending on the
purpose of the regulatory provision. For
example, counting by the ‘‘person’’
variable may not be appropriate for
purposes of counting violations of most
of the Transactions Rule requirements.
Time—When violations are
continuous, they could be calculated in
terms of a unit of time, such as calendar
days. For example, inclusion of a term
in a trading partner agreement that is
not permitted by § 162.915 would be
one action, if counted as an action, but,
if counted by time, the number of
violations would depend on how long
the impermissible agreement was in
effect and what unit of time was applied
to count the number of violations.
However, using a time variable makes
less sense for violations that are distinct
and repetitive, such as many
Transactions Rule violations would be.
For example, if a covered entity
conducted 3000 transactions that were
not in standard form over a two-day
period and another covered entity
conducted two transactions that were
not in standard form over a two-day
period, each set of facts would result in
two violations under a ‘‘per day’’
approach.
ii. Determining the Number of
Violations
Proposed § 160.406 would establish
the general rule that the Secretary will
determine the number of violations of
an identical requirement or prohibition
by a covered entity by applying any of
the variables of action, person, or time,
as follows: (1) The number of times the
covered entity failed to engage in
required conduct or engaged in a
prohibited act; (2) the number of
persons involved in, or affected by, the
violation; or (3) the duration of the
violation, counted in days (because
many of the HIPAA requirements are in
terms of days, this seems to be the most
appropriate unit of time to use).
Paragraph (a) of this section would
require the Secretary to determine the
appropriate variable or variables for
counting the number of violations based
on the specific facts and circumstances
related to the violation, and take into
consideration the underlying purpose of
the particular HIPAA rule that is
violated. More than one variable could
be used to determine the number of
violations (for example, the number of
people affected times the time (number
of days) over which the violation
occurred). Because of the range of
circumstances that can be presented in
determining the number of violations
and the very different nature of the
HIPAA rules that may be implicated by
those violations, the Secretary would
have discretion in determining which
variable or variables were appropriate
for determining the number of
violations rather than being required to
use a rigid formula, which could
produce arbitrary results. Under this
proposal, the policy for determining
which variable(s) to use for which type
of violation would be developed in the
context of specific cases rather than
established by regulation. Subsequent
cases would be decided consistently
with prior similar cases. This option
would defer more specific decisions
regarding the appropriate variable(s) for
counting penalties to such time as a case
raising the HIPAA provision occurs.
Several approaches were considered
in deciding how to determine the
number of violations:
• Use one variable for all of the
HIPAA rules. While this approach has
greater consistency, the variation among
the rules in terms of their types of
requirements and prohibitions makes it
difficult to identify one variable that
would work equally well in each rule.
• Use one variable or approach for
each individual HIPAA rule. This
approach would also have greater
consistency and certainty. However, it
would not address the variations within
HIPAA rules and could be confusing
when a covered entity violated more
than one rule.
• Categorize requirements and
prohibitions and assign variables to
each. This approach would increase
certainty and consistency across all of
the HIPAA rules but would likely result
in a complex scheme that might operate
unfairly.
After weighing the advantages and
disadvantages of each approach, it was
determined that it would be preferable
to determine the appropriate variable(s)
for particular types of violations based
on the context of a specific case. We
welcome comments on this approach,
the options that were considered, and
other potential options for determining
the number of violations.
d. Section 160.408—Factors Considered
in Determining the Amount of a Civil
Money Penalty
Section 1176(a)(2) states that, with
some exceptions, the provisions of
section 1128A of the Act shall apply to
the imposition of a civil money penalty
under section 1176 ‘‘in the same manner
as’’ such provisions apply to the
imposition of a civil money penalty
under section 1128A. Section 1128A(d)
requires that—
in determining the amount of * * * any
penalty, * * * the Secretary shall take into
account—
(1) The nature of the claims and the
circumstances under which they were
presented,
(2) The degree of culpability, history of
prior offenses and financial condition of the
person presenting the claims, and
(3) Such other matters as justice may require.
This language establishes factors to be
considered in determining the ultimate
amount of a civil money penalty.
Because section 1176 requires that civil
money penalties be imposed in the same
manner as civil money penalties are
imposed under section 1128A, such
factors should be applied to determining
the amount of a civil money penalty for
HIPAA violations. This approach is
consistent with the approach taken in
other regulations that cross-reference
section 1128A, which rely on these
factors for purposes of determining civil
money penalty amounts. See, e.g., 42
CFR 488.438.
The factors listed in section 1128A(d)
were drafted to apply to violations
involving claims for payment under
federally funded health programs.
Because HIPAA violations will usually
not be about specific claims, HHS
proposes to tailor the section 1128A(d)
factors to the HIPAA rules and break
them into their component elements for
ease of understanding and application,
as follows: (1) The nature of the
violation; (2) the circumstances under
which the violation occurred; (3) degree
of culpability; (4) history of prior
offenses; (5) financial condition of the
covered entity; and (6) such other
matters as justice may require.
Many regulations that implement
section 1128A, such as the OIG
regulations, further particularize the
statutory factors by providing discrete
criteria. Consistent with these other
regulations, and in order to provide
more guidance to covered entities as to
the factors that would be used in
calculating civil money penalties for
violations of the HIPAA rules, we
propose a more specific list of
circumstances that would be considered
in calculating penalty amounts.
Therefore, proposed § 160.408 provides
detailed factors, within the categories
stated above, to consider in determining
the amount of a civil money penalty, as
follows:
(1) The nature of the violation, when
considered in light of the purposes of
the rule violated.
(2) The circumstances under which
the violation occurred and the
consequences, including the time period
during which the violation(s) occurred,
whether the violation caused physical
harm, whether the violation hindered or
facilitated an individual’s ability to
obtain health care, and whether the
violation resulted in financial harm.
(3) The degree of culpability of the
covered entity, including whether the
violation was intentional, and whether
the violation was beyond the direct
control of the covered entity.
(4) Any history of prior offenses of the
covered entity, including whether the
current violation is the same or similar
to prior violation(s), whether and to
what extent the covered entity has
attempted to correct previous violations,
how the covered entity has responded to
technical assistance from the Secretary
provided in the context of a compliance
effort, and how the covered entity has
responded to prior complaints. This
could include any violations that have
been brought to the covered entity’s
attention, including complaints raised
by individuals directly to the covered
entity, violations of which the covered
entity became aware on its own, and
violations that have been raised in the
context of a complaint to the Secretary.
(5) The financial condition of the
covered entity, including whether the
covered entity had financial difficulties
that affected its ability to comply,
whether the imposition of a civil money
penalty would jeopardize the ability of
the covered entity to continue to
provide, or to pay for, health care, and
the size of the covered entity.
(6) Such other matters as justice may
require.
In many regulations that implement
section 1128A, including the OIG
regulations, the statutory factors and/or
the discrete criteria are designated as
either aggravating or mitigating. See,
e.g., 42 CFR 1003.106(b)-(d). For
example, in some of these regulations,
history of prior offenses is listed as an
aggravating factor. See, e.g., 42 CFR
1003.106(b)(3). However, because the
Enforcement Rule will apply to a
number of rules and an enormous
number of entities and circumstances,
factors may be aggravating or mitigating,
depending on the context. For example,
the factor ‘‘time period during which
the violation(s) occurred’’ could be an
aggravating circumstance where the
covered entity decided not to comply at
all with a HIPAA provision, but be a
mitigating circumstance where a
covered entity quickly found and
corrected repetitive noncompliance.
Thus, we do not propose to label any of
these factors as aggravating or
mitigating. Rather, proposed § 160.408
lists factors that may be considered by
the Secretary as aggravating or
mitigating in determining the amount of
the civil money penalty to impose. The
proposed approach would allow the
Secretary to choose whether to consider
a particular factor and how to consider
each factor as appropriate in each
situation to avoid unfair or
inappropriate results. It also would keep
the rule simple and make possible a list
of factors to consider in determining
penalties that can work in all cases.
We propose to leave to the Secretary’s
discretion the decision regarding when
aggravating and mitigating factors will
be taken into account in determining the
amount of the civil money penalty. This
approach is consistent with other
regulations implementing section
1128A, which do not explain how or at
what point in the process these factors
apply. See, e.g., 42 CFR 488.438.
3. Section 160.410—Affirmative
Defenses to the Imposition of a Civil
Money Penalty
Proposed § 160.410 implements
section 1176(b)(1)—(3) of the Act, which
specify certain limitations with respect
to when civil money penalties may be
imposed. Paragraphs (1), (2), and (3) of
section 1176(b) each state that, if the
conditions described in those
paragraphs are met, ‘‘a penalty may not
be imposed under subsection (a)’’ of
section 1176. Under section 1176(b)(1),
a civil money penalty may not be
imposed with respect to an act that
would be punishable by a criminal
penalty under section 1177 of the Act.
Under section 1176(b)(2), a civil money
penalty may not be imposed if it is
established to the satisfaction of the
Secretary that the person who would be
liable for the civil money penalty ‘‘did
not know, and by exercising reasonable
diligence would not have known’’ that
the person violated the provision. Under
section 1176(b)(3), a civil money
penalty may not be imposed if the
failure to comply ‘‘was due to
reasonable cause and not to willful
neglect’’ and is corrected within a
certain period.
Where it is shown that one or more
of these grounds exists with respect to
a violation for which a civil money
penalty is sought, such a showing bars
the imposition of a civil money penalty
for the violation. The provisions at
section 1176(b)(1), (2), and (3), thus,
constitute complete defenses to the
imposition of a civil money penalty. As
such, they meet the definition of an
affirmative defense: ‘‘A defendant’s
assertion raising new facts and
arguments that, if true, will defeat the
plaintiff’s or prosecution’s claim, even if
all allegations in the complaint are
true.’’ Black’s Law Dictionary (West, 7th
ed. 1999).
Accordingly, proposed § 160.410
would characterize the limitations
under section 1176(b)(1), (2), and (3) as
‘‘affirmative defenses,’’ to make clear
that they must be raised in the first
instance by the respondent. See the
discussion at section IV.D.10 below
regarding proposed § 160.534, with
respect to the burden of proof. However,
characterizing these grounds as
affirmative defenses would not prevent
the Secretary from concluding, based on
information already in his possession,
that one of these limitations applied. If
the Secretary were to conclude, based
on his investigation or on information
provided by the covered entity under
proposed § 160.312(a)(3)(i), that one or
more of these limitations applied with
respect to a violation, the Secretary
would not pursue the civil money
penalty action with respect to the
violation. However, proposed § 160.410
assumes the situation where the
Secretary, through OCR or CMS, has
concluded that none of the statutory
limitations at section 1176(b)(1), (2), or
(3) applies to a particular case and has,
accordingly, issued a notice of proposed
determination to impose a civil money
penalty. The purpose of § 160.410,
therefore, is to describe what the
respondent must show in order to
establish such a defense in the
proceeding that could then follow.
The grounds stated in sections
1176(b)(2) and (b)(3) are grounds about
which the covered entity would be
knowledgeable and could produce
evidence. Treating them as affirmative
defenses is consistent with how similar
language in other statutes has been
implemented. For example, similar
language in section 102 of HIPAA has
been treated as an affirmative defense:
Under the implementing regulations at
45 CFR 150.341(b), the burden of
persuasion is on the entity to establish
that no responsible entity knew, or,
exercising reasonable diligence, would
have known of the violation. Examples
of a similar assignment of burden in
connection with similar statutory
language are found elsewhere. See, e.g.,
26 CFR 301.6651–1(c), implementing 26
U.S.C. 6651 (a failure to timely file a tax
return ‘‘is due to reasonable cause and
not due to willful neglect * * * ’’),
requires ‘‘an affirmative showing of all
facts alleged as a reasonable cause
* * * ’’ by the taxpayer; 8 CFR 280.5,
280.51, implementing 8 U.S.C. 1323
(remission of penalty for bringing in
illegal aliens if the person ‘‘could not
have ascertained, by the exercise of
reasonable diligence, that * * * ’’),
place the burden on the party seeking
remission; 11 U.S.C. 110 (penalties for
persons who fraudulently prepare
bankruptcy petitions except where
failure is ‘‘due to reasonable cause’’) has
been treated as an affirmative defense,
U.S. Trustee v. Womack, 201 B.R. 511,
518 (E.D. Ark. 1996).
Under section 1176(b)(1), a civil
money penalty may not be imposed if
the act in question ‘‘constitutes an
offense punishable under section 1177.’’
While it might appear unlikely that a
covered entity would raise this as an
affirmative defense, section 1176(b)(1)
parallels sections 1176(b)(2) and (b)(3)
in both structure and function. This
construction suggests that Congress
intended that it be treated in a parallel
manner. Proposed § 160.410,
accordingly, would do so.
Finally, we recognize that other
affirmative defenses might be available
in a particular case. In order not to
preclude the raising of affirmative
defenses that could legitimately be
raised, the introductory text of proposed
§ 160.410 is drafted to permit a
respondent to offer affirmative defenses
other than those provided in section
1176(b).
a. Section 160.410(b)(1)—Affirmative
Defense Based on Violation Being a
Criminal Offense
Section 1176(b)(1) provides that the
Secretary may not impose a civil money
penalty ‘‘with respect to an act if the act
constitutes an offense punishable under
section 1177.’’ Section 1177(a) provides
as follows:
A person who knowingly and in violation
of this part—
(1) Uses or causes to be used a unique
health identifier;
(2) Obtains individually identifiable health
information relating to an individual; or
(3) Discloses individually identifiable
health information relating to another person,
shall be punished as provided in subsection
(b).
Subsection (b) of section 1177, in turn,
sets out three levels of penalties. The
level of penalty varies depending on the
circumstances under which the offense
was committed.
The proposed rule simply refers to the
statutory provision. As the criminal
penalty provision that provides the
basis for this defense is administered by
the U.S. Department of Justice, we do
not propose to elaborate upon it in this
regulation.
b. Section 160.410(b)(2)—Affirmative
Defense Based on Lack of Knowledge
Section 1176(b)(2) provides as follows:
A penalty may not be imposed under
subsection (a) with respect to a provision of
this part if it is established to the satisfaction
of the Secretary that the person liable for the
penalty did not know, and by exercising
reasonable diligence would not have known,
that such person violated the provision.
For a covered entity to establish an
affirmative defense under section
1176(b)(2), it must show that it did not
have actual or constructive knowledge
of the violation. What is required for
such a showing raises several issues: (1)
What ‘‘knowledge’’ will make the ‘‘lack
of knowledge’’ defense no longer
available; (2) when is the ‘‘knowledge’’
of an agent imputed to the covered
entity; and (3) what constitutes
‘‘reasonable diligence.’’
i. ‘‘Knowledge’’
The first question is what must the
covered entity ‘‘know’’ in order for the
defense of section 1176(b)(2) to be no
longer available. Specifically, if the
covered entity knows of the facts that
constitute the violation, but does not
know that they constitute a violation, is
the defense under section 1176(b)(2) no
longer available?
A civil money penalty may not be
imposed for a violation ‘‘if it is
established to the satisfaction of the
Secretary that the person liable for the
penalty did not know * * * that such
person violated the provision.’’ This
language on its face suggests that the
knowledge involved must be knowledge
that a ‘‘violation’’ has occurred, not just
knowledge of the facts constituting the
violation. Section 1176(b)(3) supports
this reading. Under section
1176(b)(3)(A)(i), the cure period—i.e.,
the period in which the violation must
be corrected if the covered entity is to
avail itself of the defense under section
1176(b)(3)—begins to run ‘‘on the first
date the person liable for the penalty
knew, or by exercising reasonable
diligence would have known, that the
failure to comply occurred.’’ The duty to
take corrective action under section
1176(b)(3), thus, flows from knowledge
that ‘‘the failure to comply occurred.’’
We, thus, interpret this knowledge
requirement to mean that the covered
entity must have knowledge that a
violation has occurred, not just
knowledge of the facts underlying the
violation. We use the statutory language
in framing this requirement.
This reading of the statute would not
reward ignorance that is careless or
deliberate. The requirement of section
1176(b)(2) that the covered entity
exercise ‘‘reasonable diligence,’’
discussed below, would make a lack of
knowledge defense unavailable where a
covered entity’s ignorance arises from
its failure to inform itself about its
compliance obligations or to investigate
complaints or other information it
receives indicating likely
noncompliance.
ii. Imputed Knowledge
In order to avail itself of the lack of
knowledge defense, a corporate entity
must show that (1) its responsible
officers or managers did not know about
the violation, and (2) even if an
employee or other agent had actual
knowledge of the violation, why that
knowledge should not be imputed to the
managers and, thus, to the corporate
entity itself. Whether knowledge can be
imputed to a covered entity’s
responsible officers or managers will be
determined by principles of agency. We
clarify this by providing in proposed
§ 160.410(b)(2) that such knowledge will
be ‘‘determined by the federal common
law of agency.’’ As noted in the
discussion in section IV.C.1.b.i above,
we would expect, as a general matter, to
follow the principles set forth in the
Restatement (Second) of Agency with
respect to this issue. Under the general
rule at section 272 of the Restatement,
an agent’s actual or constructive
knowledge is imputed to the principal,
subject to certain exceptions. Rest. 2nd
of Agency (1958), comments a and b.
Whether any of these exceptions are
applicable would depend on the
circumstances of each case. We solicit
comment on this approach and, in
particular, illustrations and
explanations of cases where more or less
specificity might be helpful.
iii. Reasonable Diligence
The defense under section 1176(b)(2)
is available only if the covered entity
‘‘by exercising reasonable diligence
would not have known ... that the
[covered entity] violated the provision.’’
The question this language raises is
what action is required in order for a
covered entity to be able to show that
it has exercised reasonable diligence
and that its ignorance of the violation is,
hence, excused.
The phrase ‘‘reasonable diligence’’
has applications in many areas of the
law. ‘‘Reasonable diligence’’ is typically
defined as ‘‘1. A fair degree of diligence
expected from someone of ordinary
prudence under circumstances like
those at issue. 2. See due diligence (1).’’
Black’s Law Dictionary (West, 7th
edition, 1999). ‘‘Due diligence’’ is, in
turn, defined as ‘‘1. The diligence
reasonably expected from, and
ordinarily exercised by, a person who
seeks to satisfy a legal requirement or to
discharge an obligation.—Also termed
reasonable diligence.’’ Id. In the context
of section 1176(b)(2), these concepts
equate, we believe, to the concept of
‘‘constructive knowledge.’’ As usually
defined, ‘‘constructive knowledge’’ is
the ‘‘knowledge that one using
reasonable care or diligence should
have, and therefore that is attributed by
law to a given person.’’ Id.
The determination of whether a
person acted with reasonable diligence
is generally a factual one, since what is
reasonable depends on the
circumstances. Martin v. OSHRC
(Milliken & Co.), 947 F.2d 1483 (11th
Cir. 1991); Bell Telephone Laboratories,
Inc. v. Hughes Aircraft Co., 564 F.2d 654
(3rd Cir. 1977). The courts use a variety
of formulations to articulate when a
person will be deemed to have known—
i.e., to have constructive knowledge—
that a particular incident occurred.
However, the various formulations have
common elements. They identify a
‘‘prudent’’ or ‘‘reasonable’’ person and
consider whether that person would,
under similar circumstances, have
become aware of the information in
question. They consider how
‘‘available’’ the information is; for
example, was the information in the
covered entity’s possession (such as in
its electronic information system) or
not. They consider whether there was
‘‘some reason to awaken inquiry and
suggest investigation;’’ for example, had
prior experience suggested that there
could be problems, which a reasonable
person would have investigated.
We considered three options for
implementing the provisions at section
1176(b)(2). One approach would be
simply to repeat the statutory language;
a second approach would be to provide
a more detailed statement of criteria for
establishing reasonable diligence; and
the third approach would be to provide
examples of situations that would (or
would not) constitute reasonable
diligence. We selected the second in
order to provide some guidance, but not
unduly circumscribe future decisions.
Adapting the Black’s definition of due
diligence to the present context,
proposed § 160.410(a) would define
‘‘reasonable diligence’’ to mean ‘‘the
business care and prudence expected
from a person seeking to satisfy a legal
requirement under similar
circumstances.’’ Factors to be
considered in evaluating the
applicability of this affirmative defense
would include whether the covered
entity took reasonable steps to learn of
such violations and whether there were
indications of possible violations, such
as a complaint or other information
made known to the entity, that a person
seeking to satisfy a legal requirement
would have investigated under similar
circumstances.
c. Section 160.410(b)(3)—Affirmative
Defense Based on Reasonable Cause
Section 1176(b)(3) provides as follows:
(A) In general. Except as provided in
subparagraph (B), a penalty may not be
imposed under subsection (a) if—
(i) The failure to comply was due to
reasonable cause and not to willful neglect;
and
(ii) The failure to comply is corrected
during the 30-day period beginning on the
first date the person liable for the penalty
knew, or by exercising reasonable diligence
would have known, that the failure to
comply occurred.
(B) Extension of period.
(i) No penalty. The period referred to in
subparagraph (a)(ii) may be extended as
determined appropriate by the Secretary
based on the nature and extent of the failure
to comply.
These provisions raise several issues: (1)
What is reasonable cause; (2) what is
willful neglect; and (3) how should the
cure period be determined.
i. Reasonable Cause
For the defense under section
1176(b)(3) to be available, the failure to
comply at issue must be ‘‘due to
reasonable cause and not to willful
neglect’’ (as well as corrected within the
cure period). This language has a close
analog in the Internal Revenue Code
(IRC), which provides for an exemption
from penalties for late filing where the
late filing ‘‘is due to reasonable cause
and not due to willful neglect.’’ 26
U.S.C. 6651(a). This IRC language was
construed by the United States Supreme
Court in United States v. Boyle, 469 U.S.
241, 245 (1985). The Internal Revenue
Service (IRS) had articulated specific
factors that would constitute reasonable
cause for late filing; in discussing these
factors, the Court noted that the
underlying principle was whether the
circumstances were beyond the
taxpayer’s control.
HHS has already adopted criteria
interpreting paragraph (b)(3) that are not
unlike those adopted by the IRS in
connection with its late filing penalty
statute. In the guidance published on
July 24, 2003 (CMS Guidance), the
criteria developed to address the
October 16, 2003 compliance deadline
problems for the Transactions Rule are
similar in nature to those developed by
the IRS. Like the IRS criteria, they
premise the existence of reasonable
cause on the existence of circumstances
outside of the covered entity’s control
which make compliance with the
Transactions Rule unreasonable.
We considered three options for
implementing the reasonable cause
language of section 1176(b)(3): repeating
the statutory language; providing a more
detailed statement of the criteria for
establishing reasonable cause; or
providing examples of situations that
would (or would not) constitute
reasonable cause. As with our decision
about reasonable diligence, we took the
second approach. Proposed § 160.410(a)
would define ‘‘reasonable cause’’ as
‘‘circumstances that make it
unreasonable for the covered entity,
despite the exercise of ordinary business
care and prudence, to comply with the
administrative simplification provision
violated.’’ This definition is generally
based on the view of the Supreme Court
in Boyle, but it is tailored to the HIPAA
context in which the judgment in
question would be made. It describes
with more specificity the test for
determining whether reasonable cause
exists, but does not limit this test by
specific examples. Thus, establishing
reasonable cause under section
1176(b)(3) would require demonstrating
circumstances that would make it
unreasonable to expect an entity
exercising ordinary business care and
prudence to comply with the particular
requirement that has been violated. The
determination of whether reasonable
cause exists is generally, and under this
definition would be, a factual one, since
what is ‘‘reasonable’’ depends on the
circumstances.
ii. Willful Neglect
For the defense under section
1176(b)(3) to be available, the failure of
compliance must not be due to ‘‘willful
neglect.’’ In Boyle, discussed above, the
Supreme Court defined ‘‘willful
neglect’’ as ‘‘conscious, intentional
failure or reckless indifference’’ and
indicated that this concept includes
carelessness or other types of fault. 469
U.S. at 245. Since the definition of the
term ‘‘willful neglect’’ is well settled,
we propose to adapt this definition of
the term in proposed § 160.410(a):
‘‘conscious, intentional failure or
reckless indifference to the obligation to
comply with the administrative
simplification provision violated.’’ This
definition reflects the concern that
underlies the statutory language: where
willful neglect caused the ‘‘failure to
comply’’ in question, the penalty should
not be excused.
The proposed definition is also
consistent with the approach already
taken by HHS in the CMS Guidance. In
the CMS Guidance, HHS stated that, in
determining whether noncompliance
with the Transactions Rule would be
penalized, it would consider the ‘‘good
faith efforts’’ of the covered entities
deploying contingency measures after
October 16, 2003 as they work to come
into compliance with the Transactions
Rule. The presence of such ‘‘good faith’’
or diligent efforts to comply evidences
the absence of willful neglect, because
it demonstrates the absence of a
‘‘reckless indifference to the obligation
to comply with the administrative
simplification provision violated.’’
The issue of whether there was willful
neglect would be a factual inquiry
separate from the question of whether
reasonable cause existed, because
section 1176(b)(3) requires both the
presence of reasonable cause and the
absence of willful neglect. In the IRC
cases discussed above, for example,
proving the lack of willful neglect does
not establish the existence of reasonable
cause. However, a finding concerning
one element may obviate the necessity
of determining the other element, by
ruling out the existence of a condition
precedent for the affirmative defense.
Thus, where it is found that reasonable
cause does not exist, the presence or
absence of willful neglect need not be
determined; similarly, if it is found that
willful neglect exists, the presence or
absence of reasonable cause need not be
determined.
iii. Determination of the Cure Period
The presence of reasonable cause and
absence of willful neglect are not
sufficient, in themselves, to establish an
affirmative defense under section
1176(b)(3). The covered entity must also
correct the violation during the 30-day
period beginning when the person knew
or should have known that the violation
existed. The statute gives the Secretary
the right to extend this period to the
extent he determines appropriate based
on the nature and the extent of the
failure to comply. This language
presents two issues with respect to the
cure period: (1) When does the cure
period begin; and (2) what limitations,
if any, should be placed on the
Secretary’s ability to extend the cure
period.
Beginning of the Cure Period. Section
1176(b)(3)(A) provides that the cure
period begins ‘‘on the first date the
person liable for the penalty knew, or by
exercising reasonable diligence would
have known, that the failure to comply
occurred.’’ This language is the converse
of section 1176(b)(2). These two
provisions, accordingly, dictate a
sequential analysis. The first question is
whether the covered entity knew, or
with reasonable diligence would have
known, about the violation. If the
covered entity was ignorant of the
violation (i.e., it did not have actual or
constructive knowledge of the
violation), then no civil money penalty
may be imposed for the period in which
such ignorance existed. In such a
situation, the covered entity’s ignorance
of the violation is a complete defense to
imposition of the civil money penalty,
so it is not necessary to reach the
question of whether the grounds for a
defense under section 1176(b)(3) are
also met. However, as soon as the
covered entity knows (or should have
known) of the violation, then the cure
period under section 1176(b)(3)(A)(ii)
begins; simultaneously, the defense of
ignorance stops being available to the
covered entity. At that point, the
question is whether the grounds for the
‘‘reasonable cause’’ defense (the
presence of reasonable cause, the
absence of willful neglect, and cure)
exist.
We do not propose to elaborate on the
statutory language with regard to when
the cure period begins. The text of
proposed § 160.410(b)(3), like the
statute, uses the defined term
‘‘reasonable diligence’’ and, thus, builds
on the analysis conducted under
proposed § 160.410(b)(2).
Extension of the Cure Period. Section
1176(b)(3)(A)(i) provides that the cure
period may be extended ‘‘as determined
appropriate by the Secretary based on
the nature and extent of the failure to
comply.’’ This statutory language is a
broad grant of discretion to the
Secretary to determine what is
‘‘appropriate,’’ requiring only that the
Secretary base his decision on the
‘‘nature and extent of the failure to
comply.’’ The statutory language
requires an analysis based on the
specific circumstances of the particular
failure to comply at issue. Given the
enormous number of covered entities,
the almost infinite possible
combinations of violations and
circumstances, the extensive and
varying experiences of covered entities
in coming into compliance, the newness
of both their and our experience with
respect to compliance with the HIPAA
rules, and the brevity of the 30-day
period during which changes are
required, the Secretary should be
afforded significant discretion to decide
when it is appropriate to extend the
cure period. Proposed
§ 160.410(b)(3)(ii)(B) accordingly
follows the statutory language and
would permit the Secretary to use the
full discretion provided by the statute.
4. Section 160.412—Waiver
Section 1176(b)(4) of the Act provides
for waiver of a civil money penalty in
certain circumstances. Section
1176(b)(4) provides that, if the failure to
comply is ‘‘due to reasonable cause and
not to willful neglect,’’ a penalty that
has not already been waived under
section 1176(b)(3) ‘‘may be waived to
the extent that the payment of such
penalty would be excessive relative to
the compliance failure involved.’’ If
there is reasonable cause and no willful
neglect and the violation has been timely
cured, the imposition of the civil money
penalty would be precluded under
section 1176(b)(3). Therefore, waiver
under this section would be available
only where there is reasonable cause for
the violation and no willful neglect, but
the violation was not timely cured.
Section 1176(b)(4) affords a covered
entity a statutory right to request a
waiver. However, the Secretary is not
required to grant such a request: the
words ‘‘may be waived’’ indicate that
the decision to grant the waiver is
discretionary. Moreover, the language
‘‘to the extent that’’ and ‘‘excessive
relative to’’ indicate that the Secretary
must consider the facts of the case to
determine whether, and by what
amount, a penalty may be reduced.
While section 1176(b)(4) might appear
to be subsumed by certain of the
statutory factors that could be seen as
mitigating factors, this provision
duplicates neither those factors nor the
affirmative defenses. In contrast to the
statutory factors, which apply to
determining the amount of a civil
money penalty, section 1176(b)(4)
comes formally into play once the
penalty amount has been determined,
because only after there is a specific
proposed penalty amount can it be
determined whether the penalty ‘‘would
be excessive relative to the compliance
failure involved.’’ Section 1176(b)(4)
differs from the affirmative defenses in
that it is not an absolute preclusion of
civil money penalties; rather, waiver or
reduction under section 1176(b)(4) is
discretionary. Finally, in contrast to the
mitigating factors and affirmative
defenses, section 1176(b)(4) provides a
ground on which a covered entity may
request waiver or reduction of a penalty,
once the penalty amount has been
determined.
Proposed § 160.412 does not elaborate
on the statute in any material way. This
provision would provide the Secretary
with the flexibility to utilize the
discretion provided by the statutory
language as necessary. We deem the
statutory criterion itself reasonably
capable of application, and, therefore,
are not stating further criteria at this
time.
5. Section 160.414—Limitations
Proposed § 160.414 was adopted by
the April 17, 2003 interim final rule as
§ 160.522. We propose to move this
section, which sets forth the 6-year
limitation period provided for in section
1128A(c)(1), from subpart E to subpart
D. We propose to do so because this
provision applies generally to the
imposition of civil money penalties and
is not dependent on whether a hearing
is requested. We also propose to change
the language of this provision so that the
date of the occurrence of the violation
is the date from which the limitation is
determined. We propose this change
because the term ‘‘violation’’ is defined
in this proposed rule, whereas it was
not defined in the April 17, 2003
interim final rule. Thus, the date of the
violation can now be accurately used to
calculate when ‘‘the occurrence took
place,’’ as referenced in the statute. See
also the discussion at section V.G
below.
6. Section 160.416—Authority To Settle
Proposed § 160.416 was adopted by
the April 17, 2003 interim final rule as
§ 160.510. We propose to move this
section, which addresses the authority
of the Secretary to settle any issue or
case or to compromise any penalty
imposed on a covered entity, from
subpart E to subpart D. We propose to
do so because this provision applies
generally to the imposition of civil
money penalties, and is not dependent
on whether a hearing is requested. No
change is made to the text of the
provision.
7. Section 160.418—Penalty Not
Exclusive
Proposed § 160.418 is new. It is based
upon § 1003.109 of the OIG regulations.
We propose to add this section to make
clear that penalties imposed under this
part are not intended to be exclusive
where a violation under this part may
also be a violation of, and subject the
respondent to penalties under, another
federal or a State law. Proposed
§ 160.418 would, however, recognize
that, under section 1176(b)(1) of the Act,
a penalty may not be imposed under
section 1176(a) if the act constitutes an
offense punishable under section 1177.
8. Section 160.420—Notice of Proposed
Determination
The text of proposed § 160.420 was
adopted by the April 17, 2003 interim
final rule as § 160.514. We propose to
move this section from subpart E, which
sets out the procedures and rights of the
parties to a hearing, to subpart D. We
propose to do so because the notice
provided for in this section must be
given whenever a civil money penalty is
proposed, regardless of whether a
hearing is requested. No changes are
proposed to paragraphs (a)(1) and (a)(3),
(4), or to paragraph (b), except
conforming changes. Paragraph (a)(2)
would be revised by adding that, in the
event the Secretary employs statistical
sampling techniques under § 160.536,
the sample relied upon and the
methodology employed must be
generally described in the notice of
proposed determination. A new
paragraph (a)(5) would require the
notice to describe any circumstances
described in § 160.408 that were
considered in determining the amount
of the proposed penalty; this provision
corresponds to § 1003.109(a)(5) of the
OIG regulations. The present paragraph
(a)(5) would be renumbered as (a)(6).
See also the discussion at sections V.H–
V.J below.
9. Section 160.422—Failure To Request
a Hearing
The text of proposed § 160.422 was
adopted by the April 17, 2003 interim
final rule as § 160.516. We would add
language (‘‘and the matter is not settled
pursuant to § 160.416’’) to recognize that
the Secretary and the respondent may
agree to a settlement after the Secretary
has issued a notice of proposed
determination. We also provide that the
penalty is final upon receipt of the
penalty notice, to make clear when
subsequent actions, such as collection,
may commence.
10. Section 160.424—Collection of
Penalty
The text of § 160.424 was adopted by
the April 17, 2003 interim final rule as
§ 160.518. We propose to move this
section, which addresses how a final
penalty is collected, from subpart E to
subpart D. We propose to do so because
this provision applies generally to the
imposition of civil money penalties and
is not dependent upon whether a
hearing is requested.
11. Section 160.426—Notification of the
Public and Other Agencies
Proposed § 160.426 would implement
section 1128A(h) of the Act. When a
penalty proposed by the Secretary
becomes final, section 1128A(h) directs
the Secretary to notify certain specified
appropriate State or local agencies,
organizations, and associations and to
provide the reasons for the penalty. We
propose to add the public generally, in
order to make the information available
to anyone who must make decisions
with respect to covered entities. For
instance, knowledge of the imposition
of a civil money penalty for violation of
the Privacy Rule could be important to
health care consumers, as well as to
covered entities throughout the
industry, while information about the
imposition of a civil money penalty for
violation of the Transactions Rule or
other HIPAA rules could be of interest
to a covered entity’s trading partners.
The regulatory language would
provide for notification in such manner
as the Secretary deems appropriate.
Posting to an HHS Web site and/or the
periodic publication of a notice in the
Federal Register are among the methods
which the Secretary is considering using
for the efficient dissemination of such
information. These methods would
avoid the need for the Secretary to
determine which entities, among a
potentially large universe, should be
notified and would also permit the
general public served by covered
entities upon whom civil money
penalties have been imposed to be
apprised of this fact, where that
information is of interest to them. While
the Secretary could provide notice to
individual agencies where desired, the
Secretary could, at his option, use a
single public method of notice, such as
posting to an HHS Web site, to satisfy
the obligation to notify the specified
agencies and the public. See also the
discussion at V.B below.
D. Subpart E—Procedures for Hearings
As previously explained, the
provisions of section 1128A of the Act
apply to the imposition of a civil money
penalty under section 1176 ‘‘in the same
manner as’’ they apply to the imposition
of civil money penalties under section
1128A itself. The provisions of subpart
E are, as a consequence, based in large
part upon, and are in many respects the
same as, the OIG regulations. We
propose to adapt, re-order, or combine
the language of the OIG regulations in
a number of places for clarity of
presentation or to reflect concepts
unique to the HIPAA provisions or
rules. To avoid confusion, we have also
employed certain language usages in
order to make the usage in the rules
consistent with that in the other HIPAA
rules (for example, for mandatory
duties, ‘‘must’’ or ‘‘will’’ instead of
‘‘shall’’ is used; for discretionary duties,
‘‘may’’ instead of ‘‘has the authority to’’
is used). We do not discuss those
nonsubstantive changes below. Where
we propose to materially change the
language of the OIG regulations,
however, we discuss our reasons for
doing so.
As noted above, we have reorganized
subparts C, D, and E so that there is a
logical organization to the three
subparts. Subpart E, as we propose to
revise it, will address the pre-hearing
and hearing phases of the enforcement
process. We have discussed the sections
that we have moved to subparts C and
D in the discussion of those subparts.
The proposed movement of sections out
of subpart E and the introduction of new
sections into subpart E, described
below, necessitates the reordering and
renumbering of other sections of the
existing subpart E, so that the subpart is
organized logically. We do not discuss
such proposed reordering and
renumbering, unless we propose to
change substantially the text of the
section in question.
In the April 17, 2003 interim final
rule, we deferred consideration of
certain provisions so that they could be
addressed through notice-and-comment
rule making. Claims of privilege and
other objections to the taking of
testimony at investigational hearings are
addressed in proposed § 160.314. The
proposed rules relating to what
constitutes ‘‘a violation of a provision of
this part’’ and how the amount of civil
money penalties will be determined are
found in § 160.302 of the proposed
subpart C and in §§ 160.402—160.408,
respectively, of the proposed subpart D.
We include in proposed subpart E the
proposed rules that relate to the conduct
of a hearing.
1. Section 160.500—Applicability
This section has been revised to
reflect the more limited scope proposed
for subpart E, resulting from the
movement of many of the provisions in
the April 17, 2003 interim final rule to
proposed subparts C and D.
2. Section 160.502—Definitions
Most of the definitions in this section
of the April 17, 2003 interim final rule
have been moved either to § 160.103 or
to § 160.302, and are discussed in
connection with those sections. In
addition, we propose to delete the term
‘‘entity’’ from this section. The term is
used in various contexts throughout the
HIPAA rules, and we believe that the
definition in the April 17, 2003 interim
final rule may prove confusing with
respect to the other HIPAA rules.
A new definition is added to this
section—a definition of the term
‘‘Board,’’ which stands for the HHS
Departmental Appeals Board. The term
‘‘Board’’ is used instead of the term
‘‘DAB’’, which is used in the OIG
regulations, to make clear that the
reviewing body is the panel of three
judges that conducts appellate review of
ALJ decisions for HHS. This term is
defined because it appears in proposed
§ 160.548, discussed below.
3. Section 160.504—Hearing before an
ALJ
This section, which is § 160.526 of the
April 17, 2003 interim final rule, would
be largely unchanged. We note that, for
a hearing request dismissed under this
section as failing to raise any issue that
may be properly addressed in a hearing
(such as a hearing request that only
raises constitutional claims), this
subpart provides the administrative
review channel leading to judicial
review of such claims. Thus, such a
dismissal would have to be appealed to
the Board, under proposed § 160.548, as
a predicate to appeal to the federal
courts.
The current § 160.526(a)(2) states that
the Departmental party in a hearing is
‘‘the Secretary.’’ The term ‘‘Secretary’’ is
defined at § 160.103 of the HIPAA rules
as ‘‘the Secretary of Health and Human
Services or any other officer or
employee of HHS to whom the authority
involved has been delegated.’’ The
Secretary’s authority to interpret and
enforce the HIPAA rules has been
delegated to OCR, in the case of the
Privacy Rule, and to CMS, in the case
of the non-privacy HIPAA rules. Thus,
the Secretary’s investigative authority
and authority to make a proposed
determination of liability for a civil
money penalty are exercised by OCR
and/or CMS, depending on the HIPAA
rule or rules at issue. However, in
proposed subpart E, the Secretary is
performing diverse functions: the
adjudicative function is being
performed for the Secretary by the ALJ
and the Board, and the decision reached
through this adjudicative process
becomes the decision of the Secretary; at
the same time, OCR and/or CMS are
acting for the Secretary in defending the
proposed determination in the
adjudication. The reference to ‘‘the
Secretary’’ may, thus, be confusing, as
what part of HHS is being referred to
depends on the context.
Proposed § 160.504(a)(2) would
clarify which part of HHS acts as the
‘‘party’’ in the hearing. Because which
component of HHS will be the ‘‘party’’
in a particular case will depend on
which rule is alleged to have been
violated, and because a particular case
could involve more than one HIPAA
rule, we define the Secretarial party
generically, by reference to the
component with the delegated
enforcement authority. We adapt the
regulatory definition of ‘‘Secretary’’ to
make it clear that the Secretarial party
could consist of more than one officer
or employee, so that it is possible for
both CMS and OCR to be the Secretarial
party in a particular case.
The last sentence of proposed
§ 160.504(b) (current § 160.526(b))
provides that the date of receipt of the
notice of proposed determination is
presumed to be 5 days after the date of
the notice unless the respondent makes
a reasonable showing to the contrary.
This showing may be made even where
the notice is sent by mail and is not
precluded by the computation of time
rule of proposed § 160.526(c) (current
§ 160.548(c)) establishing a 5-day
allowance for mailing. See section V.K
below for further discussion of this
provision.
4. Section 160.506—Rights of the Parties
The text of paragraphs (a) and (b) of
proposed § 160.506 was adopted at
§ 160.528 of the April 17, 2003 interim
final rule, and no change, other than a
conforming change, is proposed to those
paragraphs. We propose to add a new
paragraph (c) to address the issue of
legal fees. Proposed subsection (c)
adopts the same position taken in
§ 1005.3(b) of the OIG regulations, by
recognizing that a party who is
accompanied, represented or advised by
an attorney is free to enter into a fee
arrangement of that party’s choosing.
This provision is included to make clear
that the Secretary is not limiting how
much the respondent’s attorney may
charge in attorneys’ fees.
5. Section 160.508—Authority of the
ALJ
The text of proposed § 160.508 was
adopted by the April 17, 2003 interim
final rule as § 160.530. No changes to
paragraphs (a) and (b) are proposed. We
propose to revise paragraph (c) by
adding paragraphs (c)(1) and (5) to the
list of limitations on the authority of the
ALJ. Proposed paragraph (c)(1) would
require the ALJ to follow federal
statutes, regulations, and Secretarial
delegations of authority, and to give
deference to published guidance to the
extent not inconsistent with statute or
regulation. By ‘‘published guidance’’ we
mean guidance that has been publicly
disseminated, including posting on the
CMS or OCR Web site. Although we
recognize that such guidance is not
controlling upon the courts, we believe
that the ALJ and the Board (see the
discussion below in connection with
proposed § 160.548), as components of
HHS, must afford deference to such
guidance to ensure that, to the extent
possible, consistent decisions and
compliance guidance are provided by
the Secretary to covered entities.
Proposed paragraph (c)(5) clarifies
that ALJs may not review the Secretary’s
exercise of discretion whether to grant
an extension or to provide technical
assistance under section 1176(b)(3)(B) of
the Act or the Secretary’s exercise of
discretion in the choice of variable(s)
under proposed § 160.406. Proposed
paragraphs (c)(1) and (5) together make
clear that the purpose of the hearing,
and the authority of the ALJ in
conducting the hearing, would only be
to review the proposed civil money
penalty. Thus, the ALJ would not have
authority to refuse to follow, or to find
invalid, the authorities cited as the basis
for the proposed civil money penalty.
The ALJ also would not have authority
to review the Secretary’s exercise of
discretion under section 1176(b)(3)(B) of
the Act to grant an extension or to
provide technical assistance, nor would
the ALJ have authority to review the
Secretary’s choice of variable(s) in
determining the number of violations of
an identical administrative
simplification provision, as that choice
is likewise committed to the Secretary’s
discretion. The ALJ could, however,
review whether the variable(s), once
chosen, were properly applied.
6. Section 160.512—Prehearing
Conferences
Proposed § 160.512 would revise
paragraph (a) to establish a minimum
amount of notice (not less than 14
business days) that must be provided to
the parties in the scheduling of
prehearing conferences. We propose this
limitation to address problems that have
been experienced in the context of
administrative hearings in other
programs. Proposed § 160.512 would
also revise paragraph (b)(11) to include
the issue of the protection of
individually identifiable health
information as a matter that may be
discussed at the prehearing conference,
if appropriate. See also the discussion at
section V.AA below, with regard to this
provision.
7. Section 160.518—Exchange of
Witness Lists, Witness Statements, and
Exhibits
Proposed § 160.518 carries forward
§ 160.540 of the existing subpart E with
one substantive change. It would revise
paragraph (a) to provide time limits
within which the exchange of witness
lists, statements, and exhibits must
occur prior to a hearing. Under
proposed § 160.518(a), these items must
be exchanged not more than 60, but not
less than 15, days prior to the scheduled
hearing. We are concerned that the
information not be exchanged too early,
lest the evidence become stale, and we
are also concerned that the time period
not be too short, depriving the parties of
adequate time to prepare. Experience
with administrative hearings in other
programs suggests the need for this
provision. See also the discussion at
section V.R below.
8. Section 160.520—Subpoenas for
Attendance at Hearing
Proposed § 160.520 would carry
forward § 160.542 of the existing
subpart E mainly unchanged. The
current § 160.542(c) would be revised to
clarify that when a subpoena is served
on HHS, the Secretary may comply with
the subpoena by designating any
knowledgeable representative to testify.
See also the discussion at sections V.W
and V.X below.
9. Section 160.532—Collateral Estoppel
Proposed § 160.532 would adopt the
doctrine of collateral estoppel applied
in federal cases that once a court
decides an issue of fact or law necessary
to its judgment, the court’s decision
precludes the same parties from
relitigating the same issue in another
suit on a different cause of action. Allen
v. McCurry, 449 U.S. 90 (1980). The
doctrine also applies to a final decision
of an administrative agency, acting in a
judicial capacity, that resolves disputed
issues before it, which the parties have
had a fair opportunity to fully litigate.
Astoria Federal Savings & Loan Ass’n v.
Solimino, 501 U.S. 104, 107–108 (1991).
The proposed rule is modeled on
§ 1003.114(a) of the OIG regulations.
Section 1003.114(b), relating to the issue
preclusion arising out of a conviction or
plea in a federal criminal case based
upon fraud or false statements, appears
inapplicable to enforcement of the
HIPAA rules, and, hence, no
comparable provision is proposed for
inclusion in this Rule.
10. Section 160.534—The Hearing
The text of proposed § 160.534 was
adopted by the April 17, 2003 interim
final rule as § 160.554. No changes to
paragraphs (a) and (c) are proposed.
However, HHS proposes to add a new
paragraph (b) allocating the burden of
proof at the hearing.
Under the Administrative Procedure
Act (APA), 5 U.S.C. 556(d), the burden
of proof in ALJ hearings has two
components—the burden of going
forward and the burden of persuasion.
The burden of going forward relates to
the obligation to go forward initially
with evidence that supports a prima
facie case. The burden of going forward
then shifts to the other party. The
burden of persuasion relates to the
obligation ultimately to convince the
trier of fact that it is more likely than not
that the advocated position is true. The
party with the burden of persuasion
loses in the situation where the
evidence is in perfect balance.
Proposed § 160.534 would adopt the
allocation of the burden of proof found
in the OIG regulations and in
administrative hearings generally,
which is consistent with the APA. The
respondent would bear the burden of
proof with respect to (1) any affirmative
defense, including those set out in
section 1176(b) of the Act, as
implemented by proposed § 160.410, (2)
any challenge to the amount or scope of
a proposed penalty under section
1128A(d), as implemented by proposed
§§ 160.404—160.408, including
mitigating factors, or (3) any contention
that a proposed penalty should be
reduced or waived under section
1176(b)(4), as implemented by
§ 160.412. The Secretary would have the
burden of proof with respect to all other
issues, including issues of liability and
the factors considered as aggravating
factors under proposed § 160.408 in
determining the amount of penalties to
be imposed. The burden of persuasion
would be judged by a preponderance of
the evidence (i.e., it is more likely than
not that the position advocated is true).
It is also proposed to revise the
current § 160.554(c) by adding a new
paragraph (1) at proposed § 160.534(d).
Proposed § 160.534(d)(1) would provide
that, at a hearing under this part, any
party may present items or information,
during its case in chief, that were
discovered after the date of the notice of
proposed determination or request for a
hearing, as applicable. The admissibility
of such proffered evidence would be
governed generally by the provisions of
proposed § 160.540, and be subject to
the 15-day rule for the exchange of trial
exhibits, witness lists and statements set
out at proposed § 160.518(a). Any such
evidence would not be admissible, if
offered by the Secretary, unless it is
relevant and material to the findings of
fact set forth in the notice of proposed
determination, including circumstances
that may increase such penalty. If any
such evidence is offered by the
respondent, it would not be admissible
unless it is relevant and material to a
specific admission, denial or
explanation of a finding of fact, or to a
specific circumstance or argument
expressly stated in the respondent’s
request for hearing that are alleged to
constitute grounds for any defense or
the factual and legal basis for opposing
or reducing the penalty. Proposed
§ 160.534(d) would allow the parties the
opportunity to present items and
information that are relevant and
material exclusively to the issues
actually in dispute as expressly set forth
in the notice of proposed determination
and request for hearing. Items and
information that would be relevant and
material evidence of other violations,
and support the imposition of other or
additional penalties would be
inadmissible. Likewise, items or
information that support defenses,
arguments, legal theories, or contentions
other than those expressly set forth in
the notice of hearing, or which are not
relevant and material to the admissions,
denials or explanations therein made,
would not be admissible. Proposed
§ 160.534(d)(2) would republish
paragraph (c) of the present § 160.554.
11. Section 160.536—Statistical
Sampling
Proposed § 160.536, on statistical
sampling, is new. A similar provision
appears at § 1003.133 of the OIG
regulations, and the use of sampling and
statistical methods is recognized under
Rule 702 of the Federal Rules of
Evidence. Proposed § 160.536 would
permit the Secretary to introduce the
results of a statistical sampling study as
evidence of any variable under
§ 160.406(b) used to determine the
number of violations of a particular
administrative simplification provision,
or, where appropriate, any factor
considered in determining the amount
of the civil money penalty under
proposed § 160.408. If the estimation is
based upon an appropriate sampling
and employs valid statistical methods, it
would constitute prima facie evidence
of the number of violations or amount
of the penalty sought that is a part of the
Secretary’s burden of proof. Such a
showing would cause the burden of
going forward to shift to the respondent,
although the burden of persuasion
would remain with the Secretary.
12. Section 160.542—The Record
This section is § 160.560 of the April
17, 2003 interim final rule. Since the
section provides that the record of the
proceedings be transcribed, we propose
to add to paragraph (a) of this section a
requirement that the cost of
transcription of the record be borne
equally by the parties, in the interest of
fairness.
13. Section 160.546—ALJ Decision
Since we are proposing a process for
administrative review of ALJ decisions
(see section IV.D.14 below), the ALJ
decision would be the initial decision of
the Secretary, rather than the final
decision of the Secretary as set forth in
§ 160.564(d) of the April 17, 2003
interim final rule. Thus, we propose to
revise paragraph (d) to provide that the
decision of the ALJ will be final and
binding on the parties 60 days from the
date of service of the ALJ decision,
unless it is timely appealed by either
party. See also the discussion at section
V.U below, with respect to proposed
§ 160.546(b).
14. Section 160.548—Appeal of the ALJ
Decision
The April 17, 2003 interim final rule,
at § 160.564, makes the decision of the
ALJ the final decision of the Secretary,
thus permitting a respondent to file a
petition for judicial review. In the
preamble to the interim final rule, we
noted that a second level of
administrative review is generally
available in Departmental hearings and
that, while we had not provided for a
second level of administrative review in
the interim final rule, we intended to
address the issue of further
administrative review in this proposed
rule. We do so now.
Proposed § 160.548 is modeled on the
provisions that apply to appellate
review under the OIG regulations. It
provides that any party may appeal the
initial decision of the ALJ to the HHS
Departmental Appeals Board (Board)
within 30 days of the date of service of
the ALJ initial decision, unless extended
for good cause. The appealing party
must file a written brief specifying its
exceptions to the initial decision. The
opposing party may file an opposition
brief, which is limited to the exceptions
raised in the brief accompanying notice
of appeal and any relevant issues not
addressed in said exceptions and must
be filed within 30 days of receiving the
appealing party’s notice of appeal and
brief. The appealing party may, if
permitted by the Board, file a reply
brief. These briefs may be the only
means that the parties will have to
present their case to the Board, since
there is no right to appear personally
before the Board. The proposed rule
provides that if a party demonstrates
that additional evidence is material and
relevant and there are reasonable
grounds why such evidence was not
introduced at the ALJ hearing, the Board
may remand the case to the ALJ for
consideration of the additional
evidence.
In an appeal to the Board, the
standard of review on a disputed issue
of fact is whether the ALJ’s initial
decision is supported by substantial
evidence on the record as a whole; on
a disputed issue of law, the standard of
review is whether the ALJ’s initial
decision is erroneous. The Board may
decline to review the case; may affirm,
increase (subject to the statutory caps),
reduce, or reverse any penalty; or may
remand a penalty determination to the
ALJ.
We propose this process for
administrative review of initial ALJ
decisions to achieve consistency in civil
money penalty decisions. Because
hearings could be conducted by
different ALJs, it is conceivable that
different ALJs might decide the same or
similar issues differently. Should this
occur, it would be problematic for both
covered entities and HHS. Provision for
an internal, centralized review process
should reduce the likelihood of
inconsistent results. Indeed, provision
for administrative review of ALJ
decisions is common in other federal
administrative hearing processes.
Because the HIPAA rules affect such a
large part of the health industry and the
requirements of the various HIPAA
regulatory schemes are new and
interrelated, HHS considers it crucial
that the decisions reached in the
adjudicative process be consistent with
other adjudicated decisions as well as
with the policy decisions of the
Secretary in the rules and in
departmental guidance. Since only
aggrieved respondents can appeal to the
U.S. Court of Appeals under section
1128A(e), administrative review of ALJ
decisions will help to ensure that the
final decisions subject to judicial review
represent a consistent interpretation of
the HIPAA rules by the Secretary. While
a process for administrative review of
ALJ decisions will add cost and time to
the process of imposing a civil money
penalty for both HHS and covered
entities, we believe that these
disadvantages are outweighed by the
compelling need to ensure consistency
in the decisions of HHS with respect to
such civil money penalties. Consistency
will benefit both HHS and covered
entities.
Paragraphs (i) and (j) of proposed
§ 160.548 address the issuance of the
Board’s decision on appeal. Under
paragraph (i), the Board must serve its
decision on the parties within 60 days
after final briefs are filed. Under
paragraph (j), the decision of the Board
constitutes the final decision of the
Secretary from which a petition for
judicial review may be filed by a
respondent aggrieved by the Board’s
decision. This option is the traditional
process for administrative review of ALJ
initial decisions regarding civil money
penalties within HHS and is based on
the process set forth in the OIG
regulations. The decision of the Board
becomes the final decision of the
Secretary 60 days after service of the
decision, except where the decision is to
remand to the ALJ or a party requests
reconsideration before the decision
becomes final. Paragraph (j) provides
that a party may request reconsideration
of the Board’s decision, provides a
reconsideration process, and provides
that the Board’s reconsideration
decision becomes final on service.
Proposed § 160.548(k) provides for a
petition for judicial review of a final
decision of the Secretary. Thus, we
propose to remove § 160.568 of the
April 17, 2003 interim final rule as
duplicative. The right to petition for
judicial review is not altered under this
proposal, although an ALJ decision
must be reviewed by the Board before a
petition for judicial review can be filed
by a respondent.
15. Section 160.552—Harmless Error
Proposed § 160.552 is new. It would
adopt the ‘‘harmless error’’ rule that
applies generally to civil litigation in
federal courts. The provision provides,
in general, that the ALJ and the Board
at every stage of the proceeding will
disregard any error or defect in the
proceeding that does not affect the
substantial rights of the parties. It is
modeled on Rule 61, F.R.C.P., and on
§ 1005.23 of the OIG regulations. In its
application, it would further promote
the efficient resolution of cases where
the proposed imposition of a civil
money penalty is challenged.
V. Response to Public Comments
HHS requested comment on the April
17, 2003 interim final rule and received
timely and substantive comments from
19 persons or organizations. We
summarize those comments, and our
responses to the comments, below.
A. Comment: Two comments
disagreed with HHS’s approach of
encouraging voluntary compliance. One
argued that such an approach is
tantamount to no enforcement; the other
argued that since the Secretary already
has the authority to conduct compliance
reviews, a complaint-driven approach
fails to reflect the agency’s statutory
obligation to enforce the law and the
mandate under section 1176 to impose
civil money penalties for violations. It
was also stated that while HHS’s
intention to resolve potential violations
by informal means might be appropriate
for minor violations, it is inappropriate
for more serious violations or for
covered entities that demonstrate
repeated resistance to compliance.
Most persons who commented on the
voluntary compliance approach
supported it, however. Several of these
comments urged HHS to focus on
resolving issues quickly and informally,
particularly with respect to alleged
violations of the Transactions Rule. One
comment asked for assurance that
covered entities will face only one set of
enforcement rules and procedures,
given that two different components of
HHS have enforcement responsibilities.
Several organizations asked HHS to
provide more guidance with respect to
how covered entities can comply, and
can demonstrate compliance, with the
HIPAA rules.
Response: We do not agree that
emphasizing voluntary compliance
amounts to a policy of nonenforcement.
To the contrary, our experience to date
has been that covered entities are
generally responsive to our investigative
inquiries and act promptly to remedy
deficiencies that are brought to their
attention. The overarching goal of our
enforcement program is to bring covered
entities into compliance, so that the
benefits of the HIPAA rules are fully
realized. Securing voluntary compliance
achieves this goal much more quickly
and efficiently than would a process
that was formal and adversarial from the
start. This approach is consistent with
the statute. As discussed above, one of
the statutory defenses to a civil money
penalty is the covered entity’s taking
corrective action on a timely basis,
where reasonable cause for the
noncompliance exists. See section
1176(b)(3)(A). As stated above, however,
should informal, cooperative efforts fail,
HHS would move forward with the civil
money penalty remedy the statute
provides.
The Enforcement Rule addresses the
concern that covered entities not face
multiple sets of enforcement rules and
procedures, as it provides for uniform
procedures that will apply to all of the
HIPAA rules. With respect to the
concerns about guidance, HHS agrees
that the provision of guidance on an
ongoing basis is vitally important. As
noted above, HHS is continuing to
develop guidance on the various HIPAA
rules, and will be publishing such
guidance on an ongoing basis on the
following HHS Web sites:
https://www.hhs.gov/ocr/hipaa/ for the Privacy
Rule and https://www.cms.gov/hipaa/hipaa2/
for the other HIPAA rules.
B. Comment: Several comments
suggested that information about
complaints and other noncompliance
issues should be made public to assist
other covered entities in coming into
compliance. One organization stated
that the Enforcement Rule should
include a requirement that the Secretary
should annually report to Congress and
the public on the number of complaints
filed and their disposition.
Response: The statute provides for
formal notification of a number of
entities when a penalty is final.
Proposed § 160.426 reflects this
requirement and would provide for
notification of the public in such
circumstances. As previously noted,
however, we expect most complaints to
be resolved informally, and informal
resolutions would not come within the
process provided for by proposed
§ 160.426. OCR and CMS will consider
whether compilation and release of
analyses of complaint dispositions
would be an appropriate use of limited
resources; however, we do not propose
to mandate such action by this rule.
C. Comment: One comment asked
whether HHS anticipated developing a
separate complaint mechanism for
security complaints.
Response: CMS has developed
complaint procedures for the
complaints regarding the Transactions
Rule and a complaint tool for making
such complaints is on the Web at
https://www.cms.hhs.gov/hipaa/hipaa2.
As the compliance dates of the HIPAA
rules other than the Privacy and the
Transactions Rules arrive, it is expected
that the complaint tool will be modified
to permit the filing of complaints
relating to compliance with those other
rules.
D. Comment: One comment stated
that additional protections are needed
for investigational inquiries. The
comment suggested that the rule should
include the procedural protections of
the OIG regulations, such as permission
for witnesses to object to answering
questions on the basis of privilege and
to clarify their answers for the record.
Response: Proposed § 160.314(b)
would revise § 160.504(b) to include
such procedural protections.
E. Comment: One comment suggested
that the rule contain a provision
establishing the bases under which a
complaint will be dismissed prior to a
request for a hearing. Bases suggested
were that the complaint has been
litigated in another forum, the
opportunity to contest the matter was
available but not used in another forum,
and another statutory remedy exists.
Response: Consistent with the
practice under the OIG regulations, the
rules provide for general settlement
authority, rather than specific grounds
for dismissal. See proposed § 160.416.
In addition, the bases suggested in the
comment would not be grounds, per se,
for dismissal.
F. Comment: One comment asked
HHS to clarify the circumstances under
which it would investigate a covered
entity that was not the subject of a
complaint.
Response: We cannot project the
variety of circumstances under which
compliance reviews might be
undertaken. Therefore, we do not
propose to limit the situations in which
this authority could be exercised.
G. Comment: Several comments
objected to § 160.522. One argued that
running the 6-year limitations period
from the ‘‘latest act or omission’’ is a
problem with respect to the 6-year
record retention period provided for by
the Privacy Rule, as covered entities
might believe that they could destroy
records that they would later need for
defense purposes. It was also argued
that the rule should clarify that actions
may only be taken for violations which
occur on or after the compliance date of
the rule in question and that the date of
the civil money penalty action is the
date of the notice of proposed
determination.
Response: We agree. Proposed
§ 160.414 would revise § 160.522 to
provide that the period of limitations
runs ‘‘from the date of the occurrence of
the violation’’ and that the Secretary
commences the action ‘‘in accordance
with § 160.420,’’ meaning that the
action is considered to be commenced
by (and, therefore, on) the date of the
notice of proposed determination. The
definition of the term ‘‘violation’’ at
proposed § 160.302 builds in the
concept of a duty to comply, since it
defines that term as a ‘‘failure to comply
with an administrative simplification
provision;’’ the definition of the term
‘‘administrative simplification
provision’’ in turn references the
underlying HIPAA rules, which each
explicitly state when the duty to comply
begins.
With respect to the 6-year document
retention requirement of § 164.530(j)(2),
insofar as compliance issues arise out of
complaints, it is unlikely that a covered
entity would be required to defend itself
against a stale complaint, in view of the
requirement at proposed § 160.306(b)(3)
that complaints be filed within 180 days
of when the complainant knew or
should have known of the occurrence of
the violation. In any event, nothing in
the Privacy Rule precludes covered
entities from retaining documents for a
longer period than § 164.530(j)(2)
requires, if they wish to do so.
H. Comment: Nine comments
expressed concern that § 160.514 does
not specify to whom the notice of
proposed determination must be
addressed. The concern was that,
because receipt is presumed 5 days after
mailing, a notice of proposed
determination which was sent to a large
organization might not get to the proper
official on a timely basis, thereby
wasting some of the covered entity’s
time for response. Several comments
suggested that the rule require delivery
to the chief executive officer and, as
appropriate, to the company’s privacy
officer, security officer, or chief
information officer. A couple of
comments suggested that the rule
incorporate the service standards of
Rule 4, F.R.C.P., and require service
upon ‘‘an officer, a managing or general
agent, or to any other agent authorized
by statute to receive service.’’ Several
comments expressed support for the use
of certified mail.
Response: Like § 160.514, proposed
§ 160.420 does not identify the person(s)
to whom the notice of proposed
determination should be addressed, nor
do we think it is necessary or feasible
to do so. Rule 4, which applies under
section 1128A(c), establishes who may
be served and applies without need for
further regulatory action. Because the
size and other organizational
circumstances of covered entities vary
greatly, a rule that further limited or
defined who must be served would most
likely be inappropriate for some covered
entities. Further, it is likely that a notice
of proposed determination would be
issued after significant prior contact
with the covered entity, and we
anticipate that our investigators would
in any case be able to ascertain which
officer would be the appropriate
recipient of the notice.
I. Comment: Several comments also
argued that § 160.514 should, like the
analogous OIG regulations, require the
notice of proposed determination to
state the basis for the penalty
calculation. Such information would
help the covered entity understand the
charges against it and prepare its
defense. These comments recommended
that the language in § 1003.109(a)(5) of
the OIG regulations be used.
Response: We agree. A provision
comparable to that in § 1003.109(a)(5)
was omitted from § 160.514 because the
interim final rule did not provide for the
aggravating and mitigating factors
referenced in this provision of the OIG
regulations. The proposed rule,
however, contains the factors that may
be considered in determining the
amount of the penalty. Accordingly,
proposed § 160.420 follows the OIG
regulations in this respect.
J. Comment: One comment stated that
it was not clear how the notice of
proposed determination would interface
with § 160.312 and whether the written
findings there end the informal
resolution phase. The comment
advocated that notice be provided
before the notice of proposed
determination.
Response: We agree that it is not clear
how § 160.514 interfaces with the notice
process described at § 160.312. At
present, § 160.312(a)(2) provides that
the Secretary may issue written findings
documenting noncompliance, if
noncompliance is found and not
informally resolved. Thus, we propose
to revise § 160.312 to make the interface
between that section and proposed
§ 160.420 (currently § 160.514)
seamless. Specifically, proposed
§ 160.312(a)(3)(ii) would provide that if
the Secretary finds that a covered entity
is not in compliance, the matter is not
settled by informal means, and
imposition of a civil money penalty is
warranted, the Secretary will so inform
the covered entity in a notice of
proposed determination in accordance
with § 160.420. The notice of proposed
determination would constitute the
formal notice that the matter had not
been informally resolved and that HHS
had decided to seek civil money
penalties. Further, with respect to notice
prior to the notice of proposed
determination, proposed
§ 160.312(a)(3)(i) would provide that
where noncompliance is indicated and
the matter is not resolved by informal
means, HHS would so inform the
covered entity and give the covered
entity an opportunity to submit written
evidence of any affirmative defenses or
mitigating factors, prior to issuing a
notice of proposed determination.
K. Comment: Several comments
objected to the presumption in
§ 160.526(b) that the date of receipt of
the notice of proposed determination is
5 days after the date of the notice. They
argued that this presumption could
work a hardship, in combination with
the 60-day time limit for requesting a
hearing, if the notice went to the wrong
person in the organization or otherwise
went astray.
Response: Proposed § 160.504(b)
retains the language of the interim final
rule. We believe the concerns about
hardship are misplaced. The
requirement permits the ALJ to grant an
extension of the 5-day time period if the
respondent demonstrates that the
presumption should not apply: ‘‘For
purposes of this section, the
respondent’s date of receipt of the
notice of proposed determination is
presumed to be 5 days after the date of
the notice unless the respondent makes
a reasonable showing to the contrary to
the ALJ.’’ This language tracks the
comparable provision at § 1005.2(c) of
the OIG regulations and has worked
well.
L. Comment: A number of comments
objected to the 60-day time limit in
§ 160.526(b) for a respondent to file its
request for hearing, in combination with
the specific detail required by that
section. They objected to the time limit
and the related requirement for specific
response on several grounds: the level of
specificity demanded requires the
respondent to devise its entire defense,
and, because the notice of proposed
determination is the first notice the
respondent has of the charges, 60 days
is too short a time period in which to
do this; the requirement requires more
specificity of the respondent than of the
Secretary, which is unfair; and the
requirements, together with the 5-day
presumption of receipt and the failure to
specify who receives the notice of
proposed determination, are unfair and
a violation of a respondent’s right to due
process. It was generally recommended
that the request for hearing requirement
parallel § 1005.2 of the OIG regulations,
which requires the request to be made
within 60 days of receipt of the notice,
but requires that the request for hearing
state which findings of fact and
conclusions of law are disputed and the
basis for the dispute.
Response: The comments on this
issue assume that a notice of proposed
determination will be served on a
respondent with no warning. This
assumption is not reasonable under the
procedures the proposed rule would
establish, however. Proposed § 160.304
would require the Secretary to seek the
cooperation of the covered entity in
obtaining compliance to the extent
practicable, which will necessitate
communication about the
noncompliance at issue. The
investigation or compliance review
process itself will necessarily disclose
much about the noncompliance at issue
to the facility, since the covered entity
will typically be the primary source of
information relevant to the
investigation. If an investigation or
compliance review indicates
noncompliance, proposed
§ 160.312(a)(1) provides that the
Secretary will attempt to reach a
resolution of the matter satisfactory to
the Secretary by informal means.
Further, where noncompliance is
indicated and the matter is not resolved
by informal means, HHS will so inform
the covered entity and give it the
opportunity to submit written evidence
of any affirmative defenses or mitigating
factors, prior to issuing a notice of
proposed determination. See proposed
§ 160.312(a)(3)(i). Thus, the covered
entity necessarily will be made aware
of, and have the opportunity to address,
HHS’s compliance concerns throughout
the investigative period preceding the
notice of proposed determination and
should not be surprised by the matters
described in the notice. For these
reasons, we do not believe that the 60-day
response time is inadequate.
M. Comment: One comment stated
that settlements should be approved by
the ALJ. Another asked whether
settlements will be a viable path to
resolution of disputes.
Response: Consistent with our
commitment to obtaining voluntary
compliance and the regulatory policies
discussed in the preceding response, we
expect that settlement of compliance
issues will be frequent. We do not
propose to have the ALJ approve such
settlements, to preserve our ability to
resolve compliance issues and achieve
voluntary compliance through informal
means. See proposed § 160.514.
N. Comment: Several comments
queried whether covered entities would
be held liable under the Enforcement
Rule for violations by their business
associates. Of particular concern were
violations committed by health care
clearinghouses.
Response: Under § 160.402 of the
proposed rule, a covered entity would
not be liable for the actions of its
business associates where the covered
entity has complied with the
appropriate business associate
provisions. See section IV.C.1.b. above
for further discussion.
O. Comment: Several comments
stated that the rule needs to state what
a violation is, what the aggravating and
mitigating circumstances are, how the
total fine for violations is calculated,
and what would constitute an
acceptable defense and indicate an
appropriate level of ‘‘due diligence.’’
One comment suggested that evidence
of willingness to enter into a corrective
action plan should be a mitigating
factor. One comment noted that the full
Enforcement Rule was needed before
the April 17, 2003 interim final rule
expires.
Response: We generally agree. The
proposed rule addresses the violation
and affirmative defense issues at
§§ 160.402–160.410. Also, the April 17,
2003 interim final rule has been
extended by separate regulatory action
to permit ongoing enforcement while
this rulemaking proceeds. Proposed
§ 160.408(d)(3) provides that the
Secretary may consider, as an
aggravating or mitigating factor, how the
covered entity has responded to
technical assistance from the Secretary
provided in the context of a compliance
effort, with respect to prior offenses.
P. Comment: One comment asked that
the Enforcement Rule describe the
procedures for referral to the
Department of Justice of suspected
criminal violations. Another comment
asked that HHS attempt to ensure that
the application of the criminal
provisions by the Department of Justice
was the same as the application of the
civil provisions by HHS.
Response: The procedures for referral
of criminal matters to the Department of
Justice lie outside the scope of the
Enforcement Rule, which implements
only HHS’s authority under section
1176 of the Act.
Q. Comment: One comment requested
clarification of the statutory basis for
imposing penalties for violations of the
Privacy Rule, since section 264 is a
footnote in the U.S. Code.
Response: Section 264 of the Act is
codified as a note to 42 U.S.C. 1320d–
2. We have always read section 264 as
functionally a part of Part C. Section 264
and Part C cross-reference each other,
and the terminology of section 264 is
also the terminology of Part C
(‘‘standard’’, ‘‘individually identifiable
health information’’, ‘‘implementation
specification’’). Further, the criminal
penalty provisions of section 1177
would not make sense if they did not
apply to the privacy standards, and
section 1176 is, as discussed at IV.C.3
above, closely related to section 1177.
The legislative history confirms this
common-sense reading. See H. Rep. No.
496, 104th Cong., 2d Sess., 1996 U.S.
Code Cong. & Admin. News, p. 1865.
This reading of the statute accords
with that of Congress. Section 1860D–
31(h)(6)(A) of the Act, adopted by
MMA, states that an endorsed discount
drug card sponsor—
is a covered entity for purposes of applying
part C of title XI and all regulatory provisions
promulgated thereunder, including
regulations (relating to privacy) adopted
pursuant to the authority of the Secretary
under section 264(c) of the Health Insurance
Portability and Accountability Act of 1996
(42 U.S.C. 1320d–2 note).
R. Comment: With respect to
prehearing proceedings, two comments
stated that permitting the ALJ to require
exchange of witness lists more than 15
days prior to the hearing could seriously
infringe on the amount of time the
covered entity has to prepare its case. It
was also argued that 60 days is too short
a period to prepare for the hearing. One
comment stated that interrogatories
should be allowed, because records may
be incomplete or contain mistakes. One
comment supported the requirement of
§ 160.540(b)(3) (proposed
§ 160.518(b)(3)), requiring the ALJ to
recess the hearing for a reasonable time
for an objecting party to prepare a
response to witnesses or exhibits that
were not exchanged prior to the hearing.
Response: The scheduling of a hearing
will depend on the schedule of the ALJ
to whom the case is assigned, among
other factors. There is nothing in the
Enforcement Rule that requires the
scheduling of the hearing within a
certain period of time following the
request for hearing. Thus, we do not
think that the provision for exchange of
information earlier than 15 days prior to
hearing should work a hardship on
either side, and the ALJ should be able
to establish a schedule that takes into
consideration the needs of the parties.
Indeed, we believe that this requirement
will assist each party in presenting a
well-prepared case that will result in an
efficient and effective hearing. As the
prehearing procedures permit both
documentary and testimonial discovery,
we do not permit interrogatories, which
we believe would add extra time and
burden to the preparation process
without commensurate benefit.
S. Comment: Several comments urged
that the rule should contain a procedure
to permit the parties to waive the
prehearing conference and the formal
hearing and request that the case be
submitted on documentary evidence
and written argument, to make the
process more efficient and less
expensive.
Response: Proposed §§ 160.508(b)(13)
and 160.512(b)(4), (5) would permit this.
T. Comment: One comment stated
that the covered entity should have the
burdens of going forward and
persuasion on affirmative defenses and
mitigating circumstances, while HHS
should have the burdens of going
forward and persuasion on allegations
of violation.
Response: We agree. Proposed
§ 160.534(b) so provides.
U. Comment: Several comments
stated that the ‘‘affirm, increase, or
reduce the penalties imposed by the
Secretary’’ language of § 160.564(b)
would not permit the ALJ to decide that
no violation occurred.
Response: The language of § 160.564
of the April 17, 2003 interim final rule,
which is now found at proposed
§ 160.546, will permit the ALJ to decide
that no violation occurred. Proposed
§ 160.546(a) requires the ALJ to make
findings of fact and conclusions of law.
If these findings and conclusions
support a determination that the
respondent did not violate an
administrative simplification provision,
then no penalty may be imposed. The
language in proposed § 160.546(b)
permits an ALJ who determines that a
respondent has violated an
administrative simplification provision
to act in regard to the penalty amount
set forth in the notice of proposed
determination, that is, to affirm,
increase, or reduce the amount of the
proposed penalty in accordance with
the other applicable provisions of the
regulations.
V. Comment: Several comments
argued that statistical sampling would
be inappropriate to establish the number
of violations. It was argued that
statistical sampling, as used in the OIG
hearings, had been used improperly, in
studies that had basic weaknesses, such
as a too small sample size.
Response: Proposed § 160.536
provides for the use of statistical
sampling, as a well-established
evidentiary tool. Proposed § 160.536(b),
which affords the opposing side the
opportunity to rebut the statistical proof
offered, provides a procedural safeguard
to permit a respondent to challenge the
reliability of any statistical proof
offered.
W. Comment: Two comments
suggested that respondents should be
able to subpoena HHS witnesses with
direct knowledge of the investigation or
other matters at issue.
Response: Proposed § 160.520(c)
provides that the Secretary must
designate a representative who is
‘‘knowledgeable’’ to testify. It would
disrupt the agency’s operations if a
respondent could subpoena any HHS
official by name. The requirement that
the HHS representative be
knowledgeable should permit the
presentation of informed testimony,
while permitting the orderly conduct of
government business to continue.
X. Comment: One comment stated
that the rule should permit acceptance
of testimony or a written statement from
individuals whose privacy was violated,
permit such individuals to testify, and
require that such individuals be given
30 days notice of the hearing.
Response: The proposed rule would
not preclude us from offering the
testimony of such individuals, but the
decision to do so is a litigation decision
that must be reserved to the agency. We
do not require that notice of the hearing
be provided to the individuals whose
privacy was violated, but such
information is publicly available.
Y. Comment: A number of comments
stated that agency review of the ALJ
decision was needed or questioned why
it was not provided. A few comments
supported having the ALJ decision be
the final agency action as resulting in a
more efficient and expeditious process.
Response: We have proposed a second
level of agency review, for the reasons
set out at section IV.D.14 above.
Z. Comment: Two comments
questioned the provision for set-off at
§ 160.518(c). One asked whether set-off
would occur without state-level due
process. The other was concerned about
provision of notice. Both were
concerned that set-off could have a
devastating impact on those to whom it
was applied.
Response: The right of set-off is
provided for by section 1128A(f).
Proposed § 160.424(c) accordingly
retains it. We intend to follow
applicable procedures in pursuing set-off.
AA. Comment: A couple of comments
objected to § 160.560. It was stated that
the rule should incorporate additional
procedures to ensure that protected
health information introduced into
evidence is protected from review by
outside parties, redactions should be
made available to the parties for review,
and OCR should be required to pay for
the court reporter.
Response: The protection of protected
health information, including by
redaction of the record, is a matter than
can be addressed in the prehearing
conference. See proposed
§ 160.512(b)(11). We believe that the
ALJ will be in the best position to
determine what specific steps should be
taken in a particular case to protect the
privacy of any protected health
information introduced into evidence.
In the interest of fairness, proposed
§ 160.542(a) would apportion the cost of
transcription of the record equally
between the parties.
BB. Comment: One comment stated
that § 160.558(g) should be revised to
require the Secretary to include notice
to the respondent where HHS intends to
present in its case in chief evidence of
past crimes or similar evidence to show
motive, opportunity, intent, etc.
Response: Proposed § 160.540(g)
would retain this provision. This
provision tracks § 1005.17(g) of the OIG
regulations, and we see no basis to
depart from our practice in this regard.
VI. Impact Statement and Other
Required Analyses
A. Paperwork Reduction Act
We reviewed this proposed rule to
determine whether it raises issues that
would subject it to the Paperwork
Reduction Act (PRA). While the PRA
applies to agencies and collections of
information conducted or sponsored by
those agencies, 5 CFR 1320.4(a) exempts
collections of information that occur
‘‘during the conduct of * * * an
administrative action, investigation, or
audit involving an agency against
specific individuals or entities,’’ except
for investigations or audits ‘‘undertaken
with reference to a category of
individual or entities such as a class of
licensees or an entire industry.’’ The
proposed rule comes within this
exemption, as it deals entirely with
administrative investigations and
actions against specific individuals or
entities. Consequently, it need not be
reviewed by the Office of Management
and Budget under the authority of the
PRA.
B. Executive Order 12866; Regulatory
Flexibility Act; Section 1102, Social
Security Act; Unfunded Mandates
Reform Act of 1995; Small Business
Regulatory Enforcement Fairness Act of
1996; Executive Order 13132
We have examined the impacts of this
proposed rule as required by Executive
Order 12866 (September 1993,
Regulatory Planning and Review), the
Regulatory Flexibility Act (RFA)
(September 16, 1980, Pub. L. 96–354),
section 1102(b) of the Social Security
Act, the Unfunded Mandates Reform
Act of 1995 (Pub. L. 104–4), the Small
Business Regulatory Enforcement and
Fairness Act, 5 U.S.C. 801 et seq., and
Executive Order 13132.
1. Executive Order 12866
Executive Order 12866 (as amended
by Executive Order 13258, which
merely reassigns responsibility of
duties) directs agencies to assess all
costs and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). Executive Order 12866 defines,
at section 3(f), several categories of
‘‘significant regulatory actions.’’ One
category is ‘‘economically significant’’
rules, which are defined in section
3(f)(1) of the Order as rules that may
‘‘have an annual effect on the economy
of $100 million or more, or adversely
affect in a material way the economy,
productivity, competition, jobs, the
environment, public health or safety, or
State, local, or tribal governments or
communities.’’ Another category, under
section 3(f)(4) of the Order, consists of
rules that are ‘‘significant regulatory
actions’’ because they ‘‘raise novel legal
or policy issues arising out of legal
mandates, the President’s priorities, or
the principles set forth in this Executive
Order.’’ Executive Order 12866 requires
a full economic impact analysis only for
‘‘economically significant’’ rules under
section 3(f)(1).
We have concluded that this rule
should be treated as a ‘‘significant
regulatory action’’ within the meaning
of section 3(f)(4) of Executive Order
12866, because the HIPAA provisions to
be enforced have extremely broad
implications for the Nation’s health care
system, and because of the novel issues
presented by, and the uncertainties
surrounding, compliance among
covered entities. However, we have
determined that the impact of this rule
is not such that it reaches the
economically significant threshold
under section 3(f)(1) of the Order.
Estimating the impacts of this rule
presents unique challenges. On its face,
the rule simply describes how HHS
plans to enforce the HIPAA provisions,
and can be considered a procedural rule
without any intrinsic impact. However,
health care providers, insurers, and
health care clearinghouses that are
covered by the HIPAA provisions
represent a large proportion of their
respective economic sectors. Further, all
are within the jurisdiction of the
Enforcement Rule (which is a
‘‘significant regulatory action,’’ as noted
above).
The actual economic impacts of
implementing the HIPAA provisions are
subsumed in each of the applicable
substantive regulations (Privacy Rule,
Security Rule, Transactions Rule, et
cetera). The economic impacts properly
attributable to this rule, however, are
those stemming from changes to current
practice as a result of the Enforcement
Rule and the cost of new and additional
responsibilities that are required to
conform to the Rule. In general, these
costs are limited to costs related to
conducting and responding to the
investigation of complaints concerning
the alleged HIPAA violations over
which HHS has jurisdiction and
compliance reviews, conducting
hearings, and levying and collecting
civil money penalties. The cost of
conducting and responding to
investigations of privacy complaints and
compliance reviews with respect to the
Privacy Rule has already been covered
by the impact analysis of the Privacy
Rule. Here we extend these processes to
the other HIPAA rules. For reasons
outlined in the following narrative, we
anticipate the impacts of the additional
activities covered by this rule to fall
below the $100 million annual
threshold that would raise this rule to
the definition of ‘‘economically
significant,’’ but acknowledge there is
much that is unknown underlying the
assumptions that have led us to this
conclusion. We discuss these
assumptions below.
Affected Entities and Projected Costs.
Because of its scope, purview, and
potential application, the Enforcement
Rule is a significant regulatory action
within the meaning of section 3(f)(4) of
Executive Order 12866. We believe that
over 2.5 million health care providers,
health plans, and health care
clearinghouses will meet the definition
of a covered entity.
It is difficult for us to determine or
estimate the impact of the Enforcement
Rule on covered entities. All covered
entities are expected to comply with the
HIPAA rules. Enhancing the likelihood
of compliance is the fact that each
substantive HIPAA rule (e.g., the
Privacy Rule, the Security Rule, the
Transactions Rule) has at least a twenty-six
month period between publication
of the final rule and the compliance date
(60 days for APA Congressional review,
plus 24 months for covered entities or
36 months for small health plans). Thus,
covered entities have at least 26 months
to prepare for implementation, and HHS
has provided, and will continue to
provide, ample educational
opportunities for covered entities during
these periods. We also note that, as
evidenced by the CMS Guidance,
discussed above, where HHS became
aware of potential noncompliance
problems with the Transactions Rule, it
acted proactively to outline an approach
to enforcement that would permit
flexibility under certain circumstances
and which would not penalize good
faith efforts to come into compliance.
Accordingly, noncompliance that would
be pursued under the provisions of the
proposed Enforcement Rule should be
considered to be the exception, rather
than the norm.
Further minimizing the impact of the
Enforcement Rule is the fact that most
compliance efforts undertaken under
the provisions of the rule are expected
to result from complaints, rather than
compliance reviews. To date,
complaints have involved only an
infinitesimal percentage of the universe
of covered entities. As of the end of July
2004, OCR has received over 7,500
complaints related to the Privacy Rule
since the compliance date of April 14,
2003, and CMS has received 145
complaints related to the Transactions
Rule since the compliance date of
October 16, 2003.
The most expensive impacts of this
rule will derive from those cases in
which the covered entities exercise their
rights of appeal under subpart E of part
160. Based on our experience with other
civil money penalty cases, the costs of
such cases can be expected to dwarf the
costs of cases that are resolved prior to
the hearing stage. However, again based
on our experience in other civil money
penalty cases, very few of the cases
opened will proceed through that stage.
That other Departmental experience is
borne out by our experience with
respect to the HIPAA complaints
received to date. Of the privacy
complaints received and processed by
the end of July 2004, approximately
57% were resolved immediately due to
lack of jurisdiction (e.g., the complaint
pertained to events that occurred before
the implementation date of the relevant
HIPAA regulation, the complaint did
not relate to a covered entity, et cetera)
or because of action taken by the
covered entity to resolve the complaint
voluntarily; similarly, of the 145
transactions complaints received from
October 2003 through July 2004, 60%
were closed in that period. Thus, it
seems reasonable to assume that the
costs attributable to the provisions of
this rule will, in most cases that are
opened, be low.
We recognize that our experience to
date reflects slightly over one year of
experience under the Privacy Rule, and
less than one year under the
Transactions Rule. Data generated on
cases that might lead to the imposition
of a civil money penalty during this
time frame may not be typical of what
we will see over time. For example, the
number of complaints that may be
dismissed because they involve
situations that occurred before the
relevant compliance date should
decrease with the passage of time.
Similarly, we would expect the
instances of noncompliance to decrease
as covered entities gain experience in
complying with the HIPAA rules; on the
other hand, the number of complaints
could increase as individuals and
entities become more aware of the rules’
requirements. As we acquire experience
under the rules, we will have a more
extensive database for evaluating the
impacts of enforcement activities.
Benefits of the Enforcement Rule. We
believe that the value of the benefits
brought by the HIPAA provisions is
sufficient to warrant appropriate
enforcement efforts. The benefits of the
underlying HIPAA rules have been
previously estimated in connection with
the Privacy and the Transactions Rules,
and are significant. The Enforcement
Rule will encourage voluntary
compliance, and provide a means for
enforcing compliance where it is not
forthcoming voluntarily, thereby
facilitating the achievement of the
benefits of the other HIPAA rules. See,
65 FR 50350–50351; 65 FR 82760,
82776–82779; 68 FR 8370–8371. The
benefits of these protections far
outweigh the costs of this enforcement
regulation.
Summary. In most cases, if covered
entities comply with the various HIPAA
rules, they should not incur any
significant additional costs as a result of
the Enforcement Rule. This is based on
the fact that the costs intrinsic to most of the
HIPAA rules and operating directions
against which compliance is evaluated
have been scored independently of this
rule and the requirements have not
changed. We recognize that the specific
requirements against which compliance
is evaluated are not yet well known and
may evolve with experience under
HIPAA, but we expect that covered
entities have both the ability and
expectation to maintain compliance,
especially given our commitment to
encouraging and facilitating voluntary
compliance. While not straightforward
to project, it seems likely that the
number of times in which the full civil
money penalty enforcement process will
be invoked will be extremely small,
based on the evidence to date.
2. Other Analyses
We also examined the impact of the
proposed Rule as required by the
Regulatory Flexibility Act (RFA). The
RFA requires agencies to determine
whether a rule will have a significant
economic impact on a substantial
number of small entities. For purposes
of the RFA, small entities include small
businesses, nonprofit organizations, and
government jurisdictions; for health care
entities, the size standard for a ‘‘small’’
entity ranges from $6 million to $29
million in revenues in any one year.
Most hospitals and most other providers
and suppliers are small entities, either
by nonprofit status or by having
revenues less than the applicable size
standard in any one year. As discussed
above, the incidence of noncompliance
is expected to be low, and, as also
discussed above, it is expected that most
issues of noncompliance will be
resolved with minimal enforcement
action. Even though the burden of
regulatory compliance often falls
disproportionately on small entities,
there is no evidence to suggest that
small entities have a higher rate of
noncompliance than large entities. The
Secretary therefore certifies that this
rule will not have a significant
economic impact on a substantial
number of small entities.
Section 1102(b) of the Act requires
agencies to prepare a regulatory impact
analysis if a rule may have a significant
impact on the operations of a substantial
number of small rural hospitals. This
analysis must conform to the provisions
of section 603 (proposed documents)/
604 (final documents) of the RFA. For
purposes of section 1102(b) of the Act,
we define a small rural hospital as a
hospital that is located outside of a
Metropolitan Statistical Area and has
fewer than 100 beds. This proposed rule
would not have a significant impact on
small rural hospitals. The rule would
implement procedures necessary for the
Secretary to enforce subtitle F of Title II
of HIPAA. As noted earlier, we do not
expect that covered entities will
willfully be out of compliance in such
a way that would result in an
enforcement action proceeding through
the hearing stage.
Section 202 of the Unfunded
Mandates Reform Act of 1995, 2 U.S.C.
1531 et seq., also requires that agencies
assess anticipated costs and benefits
before issuing any rule that may result
in expenditure in any one year by State,
local, or tribal governments, in the
aggregate, or by the private sector, of
$100 million. The Small Business
Regulatory Enforcement Fairness Act of
1996 (SBREFA), 5 U.S.C. 801 et seq.,
requires that rules that will have an
impact on the economy of $100 million
or more per annum be submitted for
Congressional review. For the reasons
discussed above, this proposed rule
would not impose a burden large
enough to require a section 202
statement under the Unfunded
Mandates Reform Act of 1995 or
Congressional review under SBREFA.
Executive Order 13132 establishes
certain requirements that an agency
must meet when it adopts a proposed
rule (and subsequent final rule) that
imposes substantial direct requirement
costs on State and local governments,
preempts State law, or otherwise has
Federalism implications. This proposed
rule does not have ‘‘Federalism
implications.’’ The rule would not have
‘‘substantial direct effects on the States,
on the relationship between the national
government and the States, or on the
distribution of power and
responsibilities among the various
levels of government.’’ As the
Enforcement Rule is procedural in
nature, its economic effects would not
be substantial, as explained previously.
Any preemption of State law that could
occur would be a function of the
underlying HIPAA rules, not the
Enforcement Rule, which principally
establishes the means by which the
statutory civil money penalty provisions
will be implemented. Therefore, the
Enforcement Rule is not subject to
Executive Order 13132 (Federalism).
Dated: April 8, 2005.
Michael O. Leavitt,
Secretary.
List of Subjects
45 CFR Part 160
Administrative practice and
procedure, Computer technology,
Electronic transactions, Employer
benefit plan, Health, Health care, Health
facilities, Health insurance, Health
records, Hospitals, Investigations,
Medicaid, Medical research, Medicare,
Penalties, Privacy, Reporting and record
keeping requirements, Security.
45 CFR Part 164
Administrative practice and
procedure, Electronic information
system, Electronic transactions,
Employer benefit plan, Health, Health
care, Health facilities, Health Insurance,
Health records, Hospitals, Medicaid,
Medical research, Medicare, Privacy,
Reporting and record keeping
requirements, Security.
For the reasons set forth in the
preamble, the Department of Health and
Human Services proposes to amend 45
CFR subtitle A, subchapter C, parts 160
and 164, as set forth below.
PART 160—GENERAL
ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160
is revised to read as follows:
Authority: 42 U.S.C. 1302(a), 42 U.S.C.
1320d–1320d–8, and sec. 264 of Pub. L. 104–
191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–
2 (note)).
2. Section § 160.103 is amended by
adding the definition ‘‘Person’’ in
alphabetical order to read as follows:
§ 160.103 Definitions.
* * * * *
Person means a natural person, trust
or estate, partnership, corporation,
professional association or corporation,
or other entity, public or private.
* * * * *
3. Revise subpart C of this part to read
as follows:
Subpart C—Compliance and
Investigations
Sec.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving
compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding
complaints and compliance reviews.
160.314 Investigational subpoenas and
inquiries.
160.316 Refraining from intimidation or
retaliation.
Subpart C—Compliance and
Investigations
§ 160.300 Applicability.
This subpart applies to actions by the
Secretary, covered entities, and others
with respect to ascertaining the
compliance by covered entities with,
and the enforcement of, the applicable
requirements of this part 160 and the
applicable standards, requirements, and
implementation specifications of parts
162 and 164 of this subchapter.
§ 160.302 Definitions.
As used in this subpart and subparts
D and E of this part, the following terms
have the following meanings:
Administrative simplification
provision means any requirement or
prohibition established by:
(1) 42 U.S.C. 1320d–1320d–4, 1320d–
7, and 1320d–8;
(2) Section 264 of Pub. L. 104–191; or
(3) This subchapter.
ALJ means Administrative Law Judge.
Civil money penalty or penalty means
the amount determined under § 160.404
of this part and includes the plural of
these terms.
Respondent means a covered entity
upon which the Secretary has imposed,
or proposes to impose, a civil money
penalty.
Violation or violate means, as the
context may require, failure to comply
with an administrative simplification
provision.
§ 160.304 Principles for achieving
compliance.
(a) Cooperation. The Secretary will, to
the extent practicable, seek the
cooperation of covered entities in
obtaining compliance with the
applicable administrative simplification
provisions.
(b) Assistance. The Secretary may
provide technical assistance to covered
entities to help them comply voluntarily
with the applicable administrative
simplification provisions.
§ 160.306 Complaints to the Secretary.
(a) Right to file a complaint. A person
who believes a covered entity is not
complying with the administrative
simplification provisions may file a
complaint with the Secretary.
(b) Requirements for filing
complaints. Complaints under this
section must meet the following
requirements:
(1) A complaint must be filed in
writing, either on paper or
electronically.
(2) A complaint must name the person
that is the subject of the complaint and
describe the acts or omissions believed
to be in violation of the applicable
administrative simplification
provision(s).
(3) A complaint must be filed within
180 days of when the complainant knew
or should have known that the act or
omission complained of occurred,
unless this time limit is waived by the
Secretary for good cause shown.
(4) The Secretary may prescribe
additional procedures for the filing of
complaints, as well as the place and
manner of filing, by notice in the
Federal Register.
(c) Investigation. The Secretary may
investigate complaints filed under this
section. Such investigation may include
a review of the pertinent policies,
procedures, or practices of the covered
entity and of the circumstances
regarding any alleged violation.
§ 160.308 Compliance reviews.
The Secretary may conduct
compliance reviews to determine
whether covered entities are complying
with the applicable administrative
simplification provisions.
§ 160.310 Responsibilities of covered
entities.
(a) Provide records and compliance
reports. A covered entity must keep
such records and submit such
compliance reports, in such time and
manner and containing such
information, as the Secretary may
determine to be necessary to enable the
Secretary to ascertain whether the
covered entity has complied or is
complying with the applicable
administrative simplification
provisions.
(b) Cooperate with complaint
investigations and compliance reviews.
A covered entity must cooperate with
the Secretary, if the Secretary
undertakes an investigation or
compliance review of the policies,
procedures, or practices of the covered
entity to determine whether it is
complying with the applicable
administrative simplification
provisions.
(c) Permit access to information. (1) A
covered entity must permit access by
the Secretary during normal business
hours to its facilities, books, records,
accounts, and other sources of
information, including protected health
information, that are pertinent to
ascertaining compliance with the
applicable administrative simplification
provisions. If the Secretary determines
that exigent circumstances exist, such as
when documents may be hidden or
destroyed, a covered entity must permit
access by the Secretary at any time and
without notice.
(2) If any information required of a
covered entity under this section is in
the exclusive possession of any other
agency, institution, or person and the
other agency, institution, or person fails
or refuses to furnish the information, the
covered entity must so certify and set
forth what efforts it has made to obtain
the information.
(3) Protected health information
obtained by the Secretary in connection
with an investigation or compliance
review under this subpart will not be
disclosed by the Secretary, except if
necessary for ascertaining or enforcing
compliance with the applicable
administrative simplification
provisions, or if otherwise required by
law.
§ 160.312 Secretarial action regarding
complaints and compliance reviews.
(a) Resolution when noncompliance is
indicated. (1) If an investigation of a
complaint pursuant to § 160.306 or a
compliance review pursuant to
§ 160.308 indicates noncompliance, the
Secretary will attempt to reach a
resolution of the matter satisfactory to
the Secretary by informal means.
Informal means may include
demonstrated compliance or a
completed corrective action plan or
other agreement.
(2) If the matter is resolved by
informal means, the Secretary will so
inform the covered entity and, if the
matter arose from a complaint, the
complainant, in writing.
(3) If the matter is not resolved by
informal means, the Secretary will—
(i) So inform the covered entity and
provide the covered entity an
opportunity to submit written evidence
of any mitigating factors or affirmative
defenses for consideration under
§§ 160.408 and 160.410. The covered
entity must submit any such evidence to
the Secretary within 30 days (computed
in the same manner as prescribed under
§ 160.526) of receipt of such
notification; and
(ii) If, following action pursuant to
paragraph (a)(3)(i) of this section, the
Secretary finds that a civil money
penalty should be imposed, inform the
covered entity of such finding in a
notice of proposed determination in
accordance with § 160.420.
(b) Resolution when no violation is
found. If, after an investigation pursuant
to § 160.306 or a compliance review
pursuant to § 160.308, the Secretary
determines that further action is not
warranted, the Secretary will so inform
the covered entity and, if the matter
arose from a complaint, the
complainant, in writing.
§ 160.314 Investigational subpoenas and
inquiries.
(a) The Secretary may issue
subpoenas in accordance with 42 U.S.C.
405(d) and (e), 1320a–7a(j), and 1320d–
5 to require the attendance and
testimony of witnesses and the
production of any other evidence during
an investigation pursuant to this part.
For purposes of this paragraph, a person
other than a natural person is termed an
‘‘entity.’’
(1) A subpoena issued under this
paragraph must—
(i) State the name of the person
(including the entity, if applicable) to
whom the subpoena is addressed;
(ii) State the statutory authority for
the subpoena;
(iii) Indicate the date, time, and place
that the testimony will take place;
(iv) Include a reasonably specific
description of any documents or items
required to be produced; and
(v) If the subpoena is addressed to an
entity, describe with reasonable
particularity the subject matter on
which testimony is required. In that
event, the entity must designate one or
more natural persons who will testify on
its behalf, and must state as to each such
person that person’s name and address
and the matters on which he or she will
testify. The designated person must
testify as to matters known or
reasonably available to the entity.
(2) A subpoena under this section
must be served by—
(i) Delivering a copy to the natural
person named in the subpoena or to the
entity named in the subpoena at its last
principal place of business; or
(ii) Registered or certified mail
addressed to the natural person at his or
her last known dwelling place or to the
entity at its last known principal place
of business.
(3) A verified return by the natural
person serving the subpoena setting
forth the manner of service or, in the
case of service by registered or certified
mail, the signed return post office
receipt, constitutes proof of service.
(4) Witnesses are entitled to the same
fees and mileage as witnesses in the
district courts of the United States (28
U.S.C. 1821 and 1825). Fees need not be
paid at the time the subpoena is served.
(5) A subpoena under this section is
enforceable through the district court of
the United States for the district where
the subpoenaed natural person resides
or is found or where the entity transacts
business.
(b) Investigational inquiries are nonpublic investigational proceedings
conducted by the Secretary.
(1) Testimony at investigational
inquiries will be taken under oath or
affirmation.
(2) Attendance of non-witnesses is
discretionary with the Secretary, except
that a witness is entitled to be
accompanied, represented, and advised
by an attorney.
(3) Representatives of the Secretary
are entitled to attend and ask questions.
(4) A witness will have the
opportunity to clarify his or her answers
on the record following questioning by
the Secretary.
(5) Any claim of privilege must be
asserted by the witness on the record.
(6) Objections must be asserted on the
record. Errors of any kind that might be
corrected if promptly presented will be
deemed to be waived unless reasonable
objection is made at the investigational
inquiry. Except where the objection is
on the grounds of privilege, the question
will be answered on the record, subject
to objection.
(7) If a witness refuses to answer any
question not privileged or to produce
requested documents or items, or
engages in conduct likely to delay or
obstruct the investigational inquiry, the
Secretary may seek enforcement of the
subpoena under paragraph (a)(5) of this
section.
(8) The proceedings will be recorded
and transcribed. The witness is entitled
to a copy of the transcript, upon
payment of prescribed costs, except
that, for good cause, the witness may be
limited to inspection of the official
transcript of his or her testimony.
(9)(i) The transcript will be submitted
to the witness for signature.
(A) Where the witness will be
provided a copy of the transcript, the
transcript will be submitted to the
witness for signature. The witness may
submit to the Secretary written
proposed corrections to the transcript,
with such corrections attached to the
transcript. If the witness does not return
a signed copy of the transcript or
proposed corrections within 30 days
(computed in the same manner as
prescribed under § 160.526) of its being
submitted to him or her for signature,
the witness will be deemed to have
agreed that the transcript is true and
accurate.
(B) Where, as provided in paragraph
(b)(8) of this section, the witness is
limited to inspecting the transcript, the
witness will have the opportunity at the
time of inspection to propose
corrections to the transcript, with
corrections attached to the transcript.
The witness will also have the
opportunity to sign the transcript. If the
witness does not sign the transcript or
offer corrections within 30 days
(computed in the same manner as
prescribed under § 160.526 of this part)
of receipt of notice of the opportunity to
inspect the transcript, the witness will
be deemed to have agreed that the
transcript is true and accurate.
(ii) The Secretary’s proposed
corrections to the record of transcript
will be attached to the transcript.
(c) Consistent with § 160.310(c)(3),
testimony and other evidence obtained
in an investigational inquiry may be
used by HHS in any of its activities and
may be used or offered into evidence in
any administrative or judicial
proceeding.
§ 160.316 Refraining from intimidation or
retaliation.
A covered entity may not threaten,
intimidate, coerce, discriminate against,
or take any other retaliatory action
against any individual or other person
for—
(a) Filing of a complaint under
§ 160.306;
(b) Testifying, assisting, or
participating in an investigation,
compliance review, proceeding, or
hearing under this part; or
(c) Opposing any act or practice made
unlawful by this subchapter, provided
the individual or person has a good faith
belief that the practice opposed is
unlawful, and the manner of opposition
is reasonable and does not involve a
disclosure of protected health
information in violation of subpart E of
part 164 of this subchapter.
4. Amend 45 CFR part 160 by adding
a new subpart D to read as follows:
Subpart D—Imposition of Civil Money
Penalties
Sec.
160.400 Applicability.
160.402 Basis for a civil money penalty.
160.404 Amount of a civil money penalty.
160.406 Number of violations.
160.408 Factors considered in determining
the amount of a civil money penalty.
160.410 Affirmative defenses.
160.412 Waiver.
160.414 Limitations.
160.416 Authority to settle.
160.418 Penalty not exclusive.
160.420 Notice of proposed determination.
160.422 Failure to request a hearing.
160.424 Collection of penalty.
160.426 Notification of the public and other
agencies.
Subpart D—Imposition of Civil Money
Penalties
§ 160.400 Applicability.
This subpart applies to the imposition
of a civil money penalty by the
Secretary under 42 U.S.C. 1320d–5.
§ 160.402 Basis for a civil money penalty.
(a) General rule. Subject to § 160.410,
the Secretary will impose a civil money
penalty upon a covered entity if the
Secretary determines that the covered
entity has violated an administrative
simplification provision.
(b) Violation by more than one
covered entity. (1) Except as provided in
paragraph (b)(2) of this section, if the
Secretary determines that more than one
covered entity was responsible for a
violation, the Secretary will impose a
civil money penalty against each such
covered entity.
(2) Each covered entity that is a
member of an affiliated covered entity,
in accordance with § 164.105(b) of this
subchapter, is jointly and severally
liable for a civil money penalty for a
violation of part 164 of this subchapter
based on an act or omission of the
affiliated covered entity.
(c) Violation attributed to a covered
entity. A covered entity is liable, in
accordance with the federal common
law of agency, for a civil money penalty
for a violation based on the act or
omission of any agent of the covered
entity, including a workforce member,
acting within the scope of the agency,
unless—
(1) The agent is a business associate
of the covered entity;
(2) The covered entity has complied,
with respect to such business associate,
with the applicable requirements of
§§ 164.308(b) and 164.502(e) of this
subchapter; and
(3) The covered entity did not—
(i) Know of a pattern of activity or
practice of the business associate, and
(ii) Fail to act as required by
§§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii)
of this subchapter, as applicable.
§ 160.404 Amount of a civil money penalty.
(a) The amount of a civil money
penalty will be determined in
accordance with paragraph (b) of this
section and §§ 160.406, 160.408, and
160.412.
(b) The amount of a civil money
penalty that may be imposed is subject
to the following limitations:
(1) The Secretary may not impose a
civil money penalty—
(i) In the amount of more than $100
for each violation; or
(ii) In excess of $25,000 for identical
violations during a calendar year
(January 1 through the following
December 31).
(2) If a requirement or prohibition in
one administrative simplification
provision is repeated in a more general
form in another administrative
simplification provision in the same
subpart, a civil money penalty may be
imposed for a violation of only one of
these administrative simplification
provisions.
§ 160.406 Number of violations.
(a) General rule. To determine the
number of violations of an identical
administrative simplification provision
by a covered entity, the Secretary will
apply, as he deems appropriate, any
variables identified at paragraph (b) of
this section, based upon:
(1) The facts and circumstances of the
violation; and
(2) The underlying purpose of the
subpart of this subchapter that is
violated.
(b) Variables. (1) The number of times
the covered entity failed to engage in
required conduct or engaged in a
prohibited act;
(2) The number of persons involved
in, or affected by, the violation; or
(3) The duration of the violation
counted in days.
§ 160.408 Factors considered in
determining the amount of a civil money
penalty.
In determining the amount of any
civil money penalty, the Secretary may
consider as aggravating or mitigating
factors, as appropriate, any of the
following:
(a) The nature of the violation, in light
of the purpose of the rule violated.
(b) The circumstances, including the
consequences, of the violation,
including but not limited to:
(1) The time period during which the
violation(s) occurred;
(2) Whether the violation caused
physical harm;
(3) Whether the violation hindered or
facilitated an individual’s ability to
obtain health care; and
(4) Whether the violation resulted in
financial harm.
(c) The degree of culpability of the
covered entity, including but not
limited to:
(1) Whether the violation was
intentional; and
(2) Whether the violation was beyond
the direct control of the covered entity.
(d) Any history of prior offenses of the
covered entity, including but not
limited to:
(1) Whether the current violation is
the same or similar to prior violation(s);
(2) Whether and to what extent the
covered entity has attempted to correct
previous violations;
(3) How the covered entity has
responded to technical assistance from
the Secretary provided in the context of
a compliance effort; and
(4) How the covered entity has
responded to prior complaints.
(e) The financial condition of the
covered entity, including but not
limited to:
(1) Whether the covered entity had
financial difficulties that affected its
ability to comply;
(2) Whether the imposition of a civil
money penalty would jeopardize the
ability of the covered entity to continue
to provide, or to pay for, health care;
and
(3) The size of the covered entity.
(f) Such other matters as justice may
require.
§ 160.410 Affirmative defenses.
(a) As used in this section, the
following terms have the following
meanings:
Reasonable cause means
circumstances that would make it
unreasonable for the covered entity,
despite the exercise of ordinary business
care and prudence, to comply with the
administrative simplification provision
violated.
Reasonable diligence means the
business care and prudence expected
from a person seeking to satisfy a legal
requirement under similar
circumstances.
Willful neglect means conscious,
intentional failure or reckless
indifference to the obligation to comply
with the administrative simplification
provision violated.
(b) The Secretary may not impose a
civil money penalty on a covered entity
for a violation if the covered entity
establishes that an affirmative defense
exists with respect to the violation,
including the following:
(1) The violation is an act punishable
under 42 U.S.C. 1320d–6;
(2) The covered entity establishes, to
the satisfaction of the Secretary, that it
did not have knowledge of the violation,
determined in accordance with the
federal common law of agency, and, by
exercising reasonable diligence, would
not have known that the violation
occurred; or
(3) The violation is—
(i) Due to reasonable cause and not
willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on
the date the covered entity liable for the
penalty knew, or by exercising
reasonable diligence would have
known, that the violation occurred; or
(B) Such additional period as the
Secretary determines to be appropriate
based on the nature and extent of the
failure to comply.
§ 160.412 Waiver.
For violations described in
§ 160.410(b)(3)(i) that are not corrected
within the period described in
§ 160.410(b)(3)(ii), the Secretary may
waive the civil money penalty, in whole
or in part, to the extent that payment of
the penalty would be excessive relative
to the violation.
§ 160.414 Limitations.
No action under this subpart may be
entertained unless commenced by the
Secretary, in accordance with § 160.420,
within 6 years from the date of the
occurrence of the violation.
§ 160.416 Authority to settle.
Nothing in this subpart limits the
authority of the Secretary to settle any
issue or case or to compromise any
penalty.
§ 160.418 Penalty not exclusive.
Except as otherwise provided by 42
U.S.C. 1320d–5(b)(1), a penalty imposed
under this part is in addition to any
other penalty prescribed by law.
§ 160.420 Notice of proposed
determination.
(a) If a penalty is proposed in
accordance with this part, the Secretary
must deliver, or send by certified mail
with return receipt requested, to the
respondent, written notice of the
Secretary’s intent to impose a penalty.
This notice of proposed determination
must include—
(1) Reference to the statutory basis for
the penalty;
(2) A description of the findings of
fact regarding the violations with
respect to which the penalty is proposed
(except in cases where the Secretary is
relying upon a statistical sampling study
in accordance with § 160.536, in which
case the notice must describe the study
relied upon and briefly describe the
statistical sampling technique used by
the Secretary);
(3) The reason(s) why the violation(s)
subject(s) the respondent to a penalty;
(4) The amount of the proposed
penalty;
(5) Any circumstances described in
§ 160.408 that were considered in
determining the amount of the proposed
penalty; and
(6) Instructions for responding to the
notice, including a statement of the
respondent’s right to a hearing, a
statement that failure to request a
hearing within 60 days permits the
imposition of the proposed penalty
without the right to a hearing under
§ 160.504 or a right of appeal under
§ 160.548, and the address to which the
hearing request must be sent.
(b) The respondent may request a
hearing before an ALJ on the proposed
penalty by filing a request in accordance
with § 160.504.
§ 160.422 Failure to request a hearing.
If the respondent does not request a
hearing within the time prescribed by
§ 160.504 and the matter is not settled
pursuant to § 160.416, the Secretary will
impose the proposed penalty or any
lesser penalty permitted by 42 U.S.C.
1320d–5. The Secretary will notify the
respondent by certified mail, return
receipt requested, of any penalty that
has been imposed and of the means by
which the respondent may satisfy the
penalty, and the penalty is final on
receipt of the notice. The respondent
has no right to appeal a penalty under
§ 160.548 with respect to which the
respondent has not timely requested a
hearing.
§ 160.424 Collection of penalty.
(a) Once a determination of the
Secretary to impose a penalty has
become final, the penalty will be
collected by the Secretary, subject to the
first sentence of 42 U.S.C. 1320a–7a(f).
(b) The penalty may be recovered in
a civil action brought in the United
States district court for the district
where the respondent resides, is found,
or is located.
(c) The amount of a penalty, when
finally determined, or the amount
agreed upon in compromise, may be
deducted from any sum then or later
owing by the United States, or by a State
agency, to the respondent.
(d) Matters that were raised or that
could have been raised in a hearing
before an ALJ, or in an appeal under 42
U.S.C. 1320a–7a(e), may not be raised as
a defense in a civil action by the United
States to collect a penalty under this
part.
§ 160.426 Notification of the public and
other agencies.
Whenever a proposed penalty
becomes final, the Secretary will notify,
in such manner as the Secretary deems
appropriate, the public and the
following organizations and entities
thereof and the reason it was imposed:
The appropriate State or local medical
or professional organization, the
appropriate State agency or agencies
administering or supervising the
administration of State health care
programs (as defined in 42 U.S.C.
1320a–7(h)), the appropriate utilization
and quality control peer review
organization, and the appropriate State
or local licensing agency or organization
(including the agency specified in 42
U.S.C. 1395aa(a), 1396a(a)(33)).
5. Revise subpart E to read as follows:
Subpart E—Procedures for Hearings
Sec.
160.500 Applicability.
160.502 Definitions.
160.504 Hearing before an ALJ.
160.506 Rights of the parties.
160.508 Authority of the ALJ.
160.510 Ex parte contacts.
160.512 Prehearing conferences.
160.514 Authority to settle.
160.516 Discovery.
160.518 Exchange of witness lists, witness
statements, and exhibits.
160.520 Subpoenas for attendance at
hearing.
160.522 Fees.
160.524 Form, filing, and service of papers.
160.526 Computation of time.
160.528 Motions.
160.530 Sanctions.
160.532 Collateral estoppel.
160.534 The hearing.
160.536 Statistical sampling.
160.538 Witnesses.
160.540 Evidence.
160.542 The record.
160.544 Post hearing briefs.
160.546 ALJ decision.
160.548 Appeal of the ALJ decision.
160.550 Stay of the Secretary’s decision.
160.552 Harmless error.
Subpart E—Procedures for Hearings
§ 160.500 Applicability.
This subpart applies to hearings
conducted relating to the imposition of
a civil money penalty by the Secretary
under 42 U.S.C. 1320d–5.
§ 160.502 Definitions.
As used in this subpart, the following
term has the following meaning:
Board means the members of the HHS
Departmental Appeals Board, in the
Office of the Secretary, who issue
decisions in panels of three.
§ 160.504 Hearing before an ALJ.
(a) A respondent may request a
hearing before an ALJ. The parties to the
hearing proceeding consist of—
(1) The respondent; and
(2) The officer(s) or employee(s) of
HHS to whom the enforcement
authority involved has been delegated.
(b) The request for a hearing must be
made in writing signed by the
respondent or by the respondent’s
attorney and sent by certified mail,
return receipt requested, to the address
specified in the notice of proposed
determination. The request for a hearing
must be mailed within 60 days after
notice of the proposed determination is
received by the respondent. For
purposes of this section, the
respondent’s date of receipt of the
notice of proposed determination is
presumed to be 5 days after the date of
the notice unless the respondent makes
a reasonable showing to the contrary to
the ALJ.
(c) The request for a hearing must
clearly and directly admit, deny, or
explain each of the findings of fact
contained in the notice of proposed
determination with regard to which the
respondent has any knowledge. If the
respondent has no knowledge of a
particular finding of fact and so states,
the finding shall be deemed denied. The
request for a hearing must also state the
circumstances or arguments that the
respondent alleges constitute the
grounds for any defense and the factual
and legal basis for opposing the penalty.
(d) The ALJ must dismiss a hearing
request where—
(1) The respondent’s hearing request
is not filed as required by paragraphs (b)
and (c) of this section;
(2) The respondent withdraws the
request for a hearing;
(3) The respondent abandons the
request for a hearing; or
(4) The respondent’s hearing request
fails to raise any issue that may properly
be addressed in a hearing.
§ 160.506 Rights of the parties.
(a) Except as otherwise limited by this
subpart, each party may—
(1) Be accompanied, represented, and
advised by an attorney;
(2) Participate in any conference held
by the ALJ;
(3) Conduct discovery of documents as
permitted by this subpart;
(4) Agree to stipulations of fact or law
that will be made part of the record;
(5) Present evidence relevant to the
issues at the hearing;
(6) Present and cross-examine
witnesses;
(7) Present oral arguments at the
hearing as permitted by the ALJ; and
(8) Submit written briefs and
proposed findings of fact and
conclusions of law after the hearing.
(b) A party may appear in person or
by a representative. Natural persons
who appear as an attorney or other
representative must conform to the
standards of conduct and ethics
required of practitioners before the
courts of the United States.
(c) Fees for any services performed on
behalf of a party by an attorney are not
subject to the provisions of 42 U.S.C.
406, which authorizes the Secretary to
specify or limit their fees.
§ 160.508 Authority of the ALJ.
(a) The ALJ must conduct a fair and
impartial hearing, avoid delay, maintain
order, and ensure that a record of the
proceeding is made.
(b) The ALJ may—
(1) Set and change the date, time and
place of the hearing upon reasonable
notice to the parties;
(2) Continue or recess the hearing in
whole or in part for a reasonable period
of time;
(3) Hold conferences to identify or
simplify the issues, or to consider other
matters that may aid in the expeditious
disposition of the proceeding;
(4) Administer oaths and affirmations;
(5) Issue subpoenas requiring the
attendance of witnesses at hearings and
the production of documents at or in
relation to hearings;
(6) Rule on motions and other
procedural matters;
(7) Regulate the scope and timing of
documentary discovery as permitted by
this subpart;
(8) Regulate the course of the hearing
and the conduct of representatives,
parties, and witnesses;
(9) Examine witnesses;
(10) Receive, rule on, exclude, or limit
evidence;
(11) Upon motion of a party, take
official notice of facts;
(12) Conduct any conference,
argument or hearing in person or, upon
agreement of the parties, by telephone;
and
(13) Upon motion of a party, decide
cases, in whole or in part, by summary
judgment where there is no disputed
issue of material fact. A summary
judgment decision constitutes a hearing
on the record for the purposes of this
subpart.
(c) The ALJ—
(1) May not find invalid or refuse to
follow Federal statutes, regulations, or
Secretarial delegations of authority and
must give deference to published
guidance to the extent not inconsistent
with statute or regulation;
(2) May not enter an order in the
nature of a directed verdict;
(3) May not compel settlement
negotiations;
(4) May not enjoin any act of the
Secretary; or
(5) May not review the exercise of
discretion by the Secretary with respect
to—
(i) Whether to grant an extension
under § 160.410(b)(3)(ii)(B) or to provide
technical assistance under 42 U.S.C.
1320d–5(b)(3)(B); and
(ii) Selection of variable(s) under
§ 160.406.
§ 160.510 Ex parte contacts.
No party or person (except employees
of the ALJ’s office) may communicate in
any way with the ALJ on any matter at
issue in a case, unless on notice and
opportunity for both parties to
participate. This provision does not
prohibit a party or person from
inquiring about the status of a case or
asking routine questions concerning
administrative functions or procedures.
§ 160.512 Prehearing conferences.
(a) The ALJ must schedule at least one
prehearing conference, and may
schedule additional prehearing
conferences as appropriate, upon
reasonable notice, which may not be
less than 14 business days, to the
parties.
(b) The ALJ may use prehearing
conferences to discuss the following—
(1) Simplification of the issues;
(2) The necessity or desirability of
amendments to the pleadings, including
the need for a more definite statement;
(3) Stipulations and admissions of fact
or as to the contents and authenticity of
documents;
(4) Whether the parties can agree to
submission of the case on a stipulated
record;
(5) Whether a party chooses to waive
appearance at an oral hearing and to
submit only documentary evidence
(subject to the objection of the other
party) and written argument;
(6) Limitation of the number of
witnesses;
(7) Scheduling dates for the exchange
of witness lists and of proposed
exhibits;
(8) Discovery of documents as
permitted by this subpart;
(9) The time and place for the hearing;
(10) The potential for the settlement
of the case by the parties; and
(11) Other matters as may tend to
encourage the fair, just and expeditious
disposition of the proceedings,
including the protection of privacy of
individually identifiable health
information that may be submitted into
evidence or otherwise used in the
proceeding, if appropriate.
(c) The ALJ must issue an order
containing the matters agreed upon by
the parties or ordered by the ALJ at a
prehearing conference.
§ 160.514 Authority to settle.
The Secretary has exclusive authority
to settle any issue or case without the
consent of the ALJ.
§ 160.516 Discovery.
(a) A party may make a request to
another party for production of
documents for inspection and copying
that are relevant and material to the
issues before the ALJ.
(b) For the purpose of this section, the
term ‘‘documents’’ includes
information, reports, answers, records,
accounts, papers and other data and
documentary evidence. Nothing
contained in this section may be
interpreted to require the creation of a
document, except that requested data
stored in an electronic data storage
system must be produced in a form
accessible to the requesting party.
(c) Requests for documents, requests
for admissions, written interrogatories,
depositions and any forms of discovery,
other than those permitted under
paragraph (a) of this section, are not
authorized.
(d) This section may not be construed
to require the disclosure of interview
reports or statements obtained by any
party, or on behalf of any party, of
persons who will not be called as
witnesses by that party, or analyses and
summaries prepared in conjunction
with the investigation or litigation of the
case, or any otherwise privileged
documents.
(e)(1) When a request for production
of documents has been received, within
30 days the party receiving that request
must either fully respond to the request,
or state that the request is being objected
to and the reasons for that objection. If
objection is made to part of an item or
category, the part must be specified.
Upon receiving any objections, the party
seeking production may then, within 30
days or any other time frame set by the
ALJ, file a motion for an order
compelling discovery. The party
receiving a request for production may
also file a motion for protective order
any time before the date the production
is due.
(2) The ALJ may grant a motion for
protective order or deny a motion for an
order compelling discovery if the ALJ
finds that the discovery sought—
(i) Is irrelevant;
(ii) Is unduly costly or burdensome;
(iii) Will unduly delay the
proceeding; or
(iv) Seeks privileged information.
(3) The ALJ may extend any of the
time frames set forth in paragraph (e)(1)
of this section.
(4) The burden of showing that
discovery should be allowed is on the
party seeking discovery.
§ 160.518 Exchange of witness lists,
witness statements, and exhibits.
(a) The parties must exchange witness
lists, copies of prior written statements
of proposed witnesses, and copies of
proposed hearing exhibits, including
copies of any written statements that the
party intends to offer in lieu of live
testimony in accordance with § 160.538,
not more than 60, and not less than 15,
days before the scheduled hearing.
(b)(1) If, at any time, a party objects
to the proposed admission of evidence
not exchanged in accordance with
paragraph (a) of this section, the ALJ
must determine whether the failure to
comply with paragraph (a) of this
section should result in the exclusion of
that evidence.
(2) Unless the ALJ finds that
extraordinary circumstances justified
the failure timely to exchange the
information listed under paragraph (a)
of this section, the ALJ must exclude
from the party’s case-in-chief—
(i) The testimony of any witness
whose name does not appear on the
witness list; and
(ii) Any exhibit not provided to the
opposing party as specified in paragraph
(a) of this section.
(3) If the ALJ finds that extraordinary
circumstances existed, the ALJ must
then determine whether the admission
of that evidence would cause substantial
prejudice to the objecting party.
(i) If the ALJ finds that there is no
substantial prejudice, the evidence may
be admitted.
(ii) If the ALJ finds that there is
substantial prejudice, the ALJ may
exclude the evidence, or, if he or she
does not exclude the evidence, must
postpone the hearing for such time as is
necessary for the objecting party to
prepare and respond to the evidence,
unless the objecting party waives
postponement.
(c) Unless the other party objects
within a reasonable period of time
before the hearing, documents
exchanged in accordance with
paragraph (a) of this section will be
deemed to be authentic for the purpose
of admissibility at the hearing.
§ 160.520 Subpoenas for attendance at hearing.
(a) A party wishing to procure the
appearance and testimony of any person
at the hearing may make a motion
requesting the ALJ to issue a subpoena
if the appearance and testimony are
reasonably necessary for the
presentation of a party’s case.
(b) A subpoena requiring the
attendance of a person in accordance
with paragraph (a) of this section may
also require the person (whether or not
the person is a party) to produce
relevant and material evidence at or
before the hearing.
(c) When a subpoena is served by a
respondent on a particular employee or
official or particular office of HHS, the
Secretary may comply by designating
any knowledgeable HHS representative
to appear and testify.
(d) A party seeking a subpoena must
file a written motion not less than 30
days before the date fixed for the
hearing, unless otherwise allowed by
the ALJ for good cause shown. That
motion must—
(1) Specify any evidence to be
produced;
(2) Designate the witnesses; and
(3) Describe the address and location
with sufficient particularity to permit
those witnesses to be found.
(e) The subpoena must specify the
time and place at which the witness is
to appear and any evidence the witness
is to produce.
(f) Within 15 days after the written
motion requesting issuance of a
subpoena is served, any party may file
an opposition or other response.
(g) If the motion requesting issuance
of a subpoena is granted, the party
seeking the subpoena must serve it by
delivery to the person named, or by
certified mail addressed to that person
at the person’s last dwelling place or
principal place of business.
(h) The person to whom the subpoena
is directed may file with the ALJ a
motion to quash the subpoena within 10
days after service.
(i) The exclusive remedy for
contumacy by, or refusal to obey a
subpoena duly served upon, any person
is specified in 42 U.S.C. 405(e).
§ 160.522 Fees.
The party requesting a subpoena must
pay the cost of the fees and mileage of
any witness subpoenaed in the amounts
that would be payable to a witness in a
proceeding in United States District
Court. A check for witness fees and
mileage must accompany the subpoena
when served, except that, when a
subpoena is issued on behalf of the
Secretary, a check for witness fees and
mileage need not accompany the
subpoena.
§ 160.524 Form, filing, and service of papers.
(a) Forms. (1) Unless the ALJ directs
the parties to do otherwise, documents
filed with the ALJ must include an
original and two copies.
(2) Every pleading and paper filed in
the proceeding must contain a caption
setting forth the title of the action, the
case number, and a designation of the
paper, such as motion to quash
subpoena.
(3) Every pleading and paper must be
signed by and must contain the address
and telephone number of the party or
the person on whose behalf the paper
was filed, or his or her representative.
(4) Papers are considered filed when
they are mailed.
(b) Service. A party filing a document
with the ALJ or the Board must, at the
time of filing, serve a copy of the
document on the other party. Service
upon any party of any document must
be made by delivering a copy, or placing
a copy of the document in the United
States mail, postage prepaid and
addressed, or with a private delivery
service, to the party’s last known
address. When a party is represented by
an attorney, service must be made upon
the attorney in lieu of the party.
(c) Proof of service. A certificate of the
natural person serving the document by
personal delivery or by mail, setting
forth the manner of service, constitutes
proof of service.
§ 160.526 Computation of time.
(a) In computing any period of time
under this subpart or in an order issued
thereunder, the time begins with the day
following the act, event or default, and
includes the last day of the period
unless it is a Saturday, Sunday, or legal
holiday observed by the Federal
Government, in which event it includes
the next business day.
(b) When the period of time allowed
is less than 7 days, intermediate
Saturdays, Sundays, and legal holidays
observed by the Federal Government
must be excluded from the computation.
(c) Where a document has been served
or issued by placing it in the mail, an
additional 5 days must be added to the
time permitted for any response. This
paragraph does not apply to requests for
hearing under § 160.504.
§ 160.528 Motions.
(a) An application to the ALJ for an
order or ruling must be by motion.
Motions must state the relief sought, the
authority relied upon and the facts
alleged, and must be filed with the ALJ
and served on all other parties.
(b) Except for motions made during a
prehearing conference or at the hearing,
all motions must be in writing. The ALJ
may require that oral motions be
reduced to writing.
(c) Within 10 days after a written
motion is served, or such other time as
may be fixed by the ALJ, any party may
file a response to the motion.
(d) The ALJ may not grant a written
motion before the time for filing
responses has expired, except upon
consent of the parties or following a
hearing on the motion, but may overrule
or deny the motion without awaiting a
response.
(e) The ALJ must make a reasonable
effort to dispose of all outstanding
motions before the beginning of the
hearing.
§ 160.530 Sanctions.
The ALJ may sanction a person,
including any party or attorney, for
failing to comply with an order or
procedure, for failing to defend an
action or for other misconduct that
interferes with the speedy, orderly or
fair conduct of the hearing. The
sanctions must reasonably relate to the
severity and nature of the failure or
misconduct. The sanctions may
include—
(a) In the case of refusal to provide or
permit discovery under the terms of this
part, drawing negative factual inferences
or treating the refusal as an admission
by deeming the matter, or certain facts,
to be established;
(b) Prohibiting a party from
introducing certain evidence or
otherwise supporting a particular claim
or defense;
(c) Striking pleadings, in whole or in
part;
(d) Staying the proceedings;
(e) Dismissal of the action;
(f) Entering a decision by default;
(g) Ordering the party or attorney to
pay the attorney’s fees and other costs
caused by the failure or misconduct;
and
(h) Refusing to consider any motion or
other action that is not filed in a timely
manner.
§ 160.532 Collateral estoppel.
When a final determination that the
respondent violated an administrative
simplification provision has been
rendered in any proceeding in which
the respondent was a party and had an
opportunity to be heard, the respondent
is bound by that determination in any
proceeding under this part.
§ 160.534 The hearing.
(a) The ALJ must conduct a hearing
on the record in order to determine
whether the respondent should be
found liable under this part.
(b)(1) The respondent has the burden
of going forward and the burden of
persuasion with respect to any:
(i) Affirmative defense pursuant to
§ 160.410;
(ii) Challenge to the amount of a
proposed penalty pursuant to
§§ 160.404–160.408, including any
factors raised as mitigating factors; or
(iii) Claim that a proposed penalty
should be reduced or waived pursuant
to § 160.412.
(2) The Secretary has the burden of
going forward and the burden of
persuasion with respect to all other
issues, including issues of liability and
the existence of any factors considered
as aggravating factors in determining the
amount of the proposed penalty.
(3) The burden of persuasion will be
judged by a preponderance of the
evidence.
(c) The hearing must be open to the
public unless otherwise ordered by the
ALJ for good cause shown.
(d)(1) Subject to the 15-day rule under
§ 160.518(a) and the admissibility of
evidence under § 160.540, either party
may introduce, during its case in chief,
items or information that arose or
became known after the date of the
issuance of the notice of proposed
determination or the request for hearing,
as applicable. Such items and
information may not be admitted into
evidence, if introduced—
(i) By the Secretary, unless they are
material and relevant to the acts or
omissions with respect to which the
penalty is proposed in the notice of
proposed determination pursuant to
§ 160.420, including circumstances that
may increase penalties; or
(ii) By the respondent, unless they are
material and relevant to an admission,
denial or explanation of a finding of fact
in the notice of proposed determination
under § 160.420, or to a specific
circumstance or argument expressly
stated in the request for hearing under
§ 160.504, including circumstances that
may reduce penalties.
(2) After both parties have presented
their cases, evidence may be admitted in
rebuttal even if not previously
exchanged in accordance with
§ 160.518.
§ 160.536 Statistical sampling.
(a) In meeting the burden of proof set
forth in § 160.534, the Secretary may
introduce the results of a statistical
sampling study as evidence of the
number of violations under § 160.406, or
the factors considered in determining
the amount of the civil money penalty
under § 160.408. Such statistical
sampling study, if based upon an
appropriate sampling and computed by
valid statistical methods, constitutes
prima facie evidence of the number of
violations and the existence of factors
material to the proposed civil money
penalty as described in §§ 160.406 and
160.408.
(b) Once the Secretary has made a
prima facie case, as described in
paragraph (a) of this section, the burden
of going forward shifts to the respondent
to produce evidence reasonably
calculated to rebut the findings of the
statistical sampling study. The Secretary
will then be given the opportunity to
rebut this evidence.
§ 160.538 Witnesses.
(a) Except as provided in paragraph
(b) of this section, testimony at the
hearing must be given orally by
witnesses under oath or affirmation.
(b) At the discretion of the ALJ,
testimony of witnesses other than the
testimony of expert witnesses may be
admitted in the form of a written
statement. Any such written statement
must be provided to the other party,
along with the last known address of the
witness, in a manner that allows
sufficient time for the other party to
subpoena the witness for cross-examination at the hearing. Prior
written statements of witnesses
proposed to testify at the hearing must
be exchanged as provided in § 160.518.
The ALJ may, at his or her discretion,
admit prior sworn testimony of experts
that has been subject to adverse
examination, such as a deposition or
trial testimony.
(c) The ALJ must exercise reasonable
control over the mode and order of
interrogating witnesses and presenting
evidence so as to:
(1) Make the interrogation and
presentation effective for the
ascertainment of the truth;
(2) Avoid repetition or needless
consumption of time; and
(3) Protect witnesses from harassment
or undue embarrassment.
(d) The ALJ must permit the parties to
conduct cross-examination of witnesses
as may be required for a full and true
disclosure of the facts.
(e) The ALJ may order witnesses
excluded so that they cannot hear the
testimony of other witnesses, except
that the ALJ may not order to be
excluded—
(1) A party who is a natural person;
(2) In the case of a party that is not
a natural person, the officer or employee
of the party appearing for the entity pro
se or designated as the party’s
representative; or
(3) A natural person whose presence
is shown by a party to be essential to the
presentation of its case, including a
person engaged in assisting the attorney
for the Secretary.
§ 160.540 Evidence.
(a) The ALJ must determine the
admissibility of evidence.
(b) Except as provided in this subpart,
the ALJ is not bound by the Federal
Rules of Evidence. However, the ALJ
may apply the Federal Rules of
Evidence where appropriate, for
example, to exclude unreliable
evidence.
(c) The ALJ must exclude irrelevant or
immaterial evidence.
(d) Although relevant, evidence may
be excluded if its probative value is
substantially outweighed by the danger
of unfair prejudice, confusion of the
issues, or by considerations of undue
delay or needless presentation of
cumulative evidence.
(e) Although relevant, evidence must
be excluded if it is privileged under
Federal law.
(f) Evidence concerning offers of
compromise or settlement are
inadmissible to the extent provided in
Rule 408 of the Federal Rules of
Evidence.
(g) Evidence of crimes, wrongs, or acts
other than those at issue in the instant
case is admissible in order to show
motive, opportunity, intent, knowledge,
preparation, identity, lack of mistake, or
existence of a scheme. This evidence is
admissible regardless of whether the
crimes, wrongs, or acts occurred during
the statute of limitations period
applicable to the acts or omissions that
constitute the basis for liability in the
case and regardless of whether they
were referenced in the Secretary’s notice
of proposed determination under
§ 160.420.
(h) The ALJ must permit the parties to
introduce rebuttal witnesses and
evidence.
(i) All documents and other evidence
offered or taken for the record must be
open to examination by both parties,
unless otherwise ordered by the ALJ for
good cause shown.
§ 160.542 The record.
(a) The hearing must be recorded and
transcribed. Transcripts may be
obtained following the hearing from the
ALJ. Cost of transcription will be borne
equally by the parties.
(b) The transcript of the testimony,
exhibits, and other evidence admitted at
the hearing, and all papers and requests
filed in the proceeding constitute the
record for decision by the ALJ and the
Secretary.
(c) The record may be inspected and
copied (upon payment of a reasonable
fee) by any person, unless otherwise
ordered by the ALJ for good cause
shown.
(d) For good cause, the ALJ may order
appropriate redactions made to the
record.
§ 160.544 Post hearing briefs.
The ALJ may require the parties to file
post-hearing briefs. In any event, any
party may file a post-hearing brief. The
ALJ must fix the time for filing the
briefs. The time for filing may not
exceed 60 days from the date the parties
receive the transcript of the hearing or,
if applicable, the stipulated record. The
briefs may be accompanied by proposed
findings of fact and conclusions of law.
The ALJ may permit the parties to file
reply briefs.
§ 160.546 ALJ decision.
(a) The ALJ must issue a decision,
based only on the record, which must
contain findings of fact and conclusions
of law.
(b) The ALJ may affirm, increase, or
reduce the penalties imposed by the
Secretary.
(c) The ALJ must issue the decision to
both parties within 60 days after the
time for submission of post-hearing
briefs and reply briefs, if permitted, has
expired. If the ALJ fails to meet the
deadline contained in this paragraph, he
or she must notify the parties of the
reason for the delay and set a new
deadline.
(d) Unless the decision of the ALJ is
timely appealed as provided for in
§ 160.548, the decision of the ALJ will
be final and binding on the parties 60
days from the date of service of the
ALJ’s decision.
§ 160.548 Appeal of the ALJ decision.
(a) Any party may appeal the decision
of the ALJ to the Board by filing a notice
of appeal with the Board within 30 days
of the date of service of the ALJ
decision. The Board may extend the
initial 30 day period for a period of time
not to exceed 30 days if a party files
with the Board a request for an
extension within the initial 30 day
period and shows good cause.
(b) If a party files a timely notice of
appeal with the Board, the ALJ must
forward the record of the proceeding to
the Board.
(c) A notice of appeal must be
accompanied by a written brief
specifying exceptions to the initial
decision and reasons supporting the
exceptions. Any party may file a brief in
opposition to the exceptions, which
may raise any relevant issue not
addressed in the exceptions, within 30
days of receiving the notice of appeal
and the accompanying brief. The Board
may permit the parties to file reply
briefs.
(d) There is no right to appear
personally before the Board or to appeal
to the Board any interlocutory ruling by
the ALJ.
(e) The Board may not consider any
issue not raised in the parties’ briefs,
nor any issue in the briefs that could
have been raised before the ALJ but was
not.
(f) If any party demonstrates to the
satisfaction of the Board that additional
evidence not presented at such hearing
is relevant and material and that there
were reasonable grounds for the failure
to adduce such evidence at the hearing,
the Board may remand the matter to the
ALJ for consideration of such additional
evidence.
(g) The Board may decline to review
the case, or may affirm, increase,
reduce, reverse or remand any penalty
determined by the ALJ.
(h) The standard of review on a
disputed issue of fact is whether the
initial decision of the ALJ is supported
by substantial evidence on the whole
record. The standard of review on a
disputed issue of law is whether the
decision is erroneous.
(i) Within 60 days after the time for
submission of briefs and reply briefs, if
permitted, has expired, the Board must
serve on each party to the appeal a copy
of the Board’s decision and a statement
describing the right of any respondent
who is penalized to seek judicial
review.
(j)(1) The Board’s decision under
paragraph (i) of this section, including
a decision to decline review of the
initial decision, becomes the final
decision of the Secretary 60 days after
the date of service of the Board’s
decision, except with respect to a
decision to remand to the ALJ or if
reconsideration is requested under this
paragraph.
(2) The Board will reconsider its
decision only if it determines that the
decision contains a clear error of fact or
error of law. New evidence will not be
a basis for reconsideration unless the
party demonstrates that the evidence is
newly discovered and was not
previously available.
(3) A party may file a motion for
reconsideration with the Board before
the date the decision becomes final
under paragraph (j)(1) of this section. A
motion for reconsideration must be
accompanied by a written brief
specifying any alleged error of fact or
law and, if the party is relying on
additional evidence, explaining why the
evidence was not previously available.
Any party may file a brief in opposition
within 15 days of receiving the motion
for reconsideration and the
accompanying brief unless this time
limit is extended by the Board for good
cause shown. Reply briefs are not
permitted.
(4) The Board must rule on the motion
for reconsideration not later than 30
days from the date the opposition brief
is due. If the Board denies the motion,
the decision issued under paragraph (i)
of this section becomes the final
decision of the Secretary on the date of
service of the ruling. If the Board grants
the motion, the Board will issue a
reconsidered decision, after such
procedures as the Board determines
necessary to address the effect of any
error. The Board’s decision on
reconsideration becomes the final
decision of the Secretary on the date of
service of the decision, except with
respect to a decision to remand to the
ALJ.
(5) If service of a ruling or decision
issued under this section is by mail, the
date of service will be deemed to be 5
days from the date of mailing.
(k)(1) A respondent’s petition for
judicial review must be filed within 60
days of the date on which the decision
of the Board becomes the final decision
of the Secretary under paragraph (j) of
this section.
(2) In compliance with 28 U.S.C.
2112(a), a copy of any petition for
judicial review filed in any U.S. Court
of Appeals challenging the final
decision of the Secretary must be sent
by certified mail, return receipt
requested, to the General Counsel of
HHS. The petition copy must be a copy
showing that it has been time-stamped
by the clerk of the court when the
original was filed with the court.
(3) If the General Counsel of HHS
received two or more petitions within
10 days after the final decision of the
Secretary, the General Counsel will
notify the U.S. Judicial Panel on
Multidistrict Litigation of any petitions
that were received within the 10 day
period.
§ 160.550 Stay of the Secretary’s decision.
(a) Pending judicial review, the
respondent may file a request for stay of
the effective date of any penalty with
the ALJ. The request must be
accompanied by a copy of the notice of
appeal filed with the federal court. The
filing of the request automatically stays
the effective date of the penalty until
such time as the ALJ rules upon the
request.
(b) The ALJ may not grant a
respondent’s request for stay of any
penalty unless the respondent posts a
bond or provides other adequate
security.
(c) The ALJ must rule upon a
respondent’s request for stay within 10
days of receipt.
§ 160.552 Harmless error.
No error in either the admission or the
exclusion of evidence, and no error or
defect in any ruling or order or in any
act done or omitted by the ALJ or by any
of the parties is ground for vacating,
modifying or otherwise disturbing an
otherwise appropriate ruling or order or
act, unless refusal to take such action
appears to the ALJ or the Board
inconsistent with substantial justice.
The ALJ and the Board at every stage of
the proceeding must disregard any error
or defect in the proceeding that does not
affect the substantial rights of the
parties.
PART 164—SECURITY AND PRIVACY
1. The authority citation for part 164
is revised to read as follows:
Authority: 42 U.S.C. 1320d–1320d–8 and
sec. 264, Pub. L. 104–191, 110 Stat. 2033–
2034 (42 U.S.C. 1320d-2 (note)).
2. Revise § 164.530(g) to read as
follows:
§ 164.530 Standard: refraining from
intimidating or retaliatory acts.
* * * * *
(g) A covered entity—
(1) May not intimidate, threaten,
coerce, discriminate against, or take
other retaliatory action against any
individual for the exercise by the
individual of any right established, or
for participation in any process
provided for by this subpart, including
the filing of a complaint under this
section; and
(2) Must refrain from intimidation and
retaliation as provided in § 160.316 of
this subchapter.
* * * * *
[FR Doc. 05–7512 Filed 4–14–05; 8:45 am]
BILLING CODE 4153–01–P
[Federal Register Volume 70, Number 73 (Monday, April 18, 2005)]
[Proposed Rules]
[Pages 20224-20258]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-7512]
[[Page 20223]]
-----------------------------------------------------------------------
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
HIPAA Administrative Simplification; Enforcement; Proposed Rule
[[Page 20224]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB29
HIPAA Administrative Simplification; Enforcement
AGENCY: Office of the Secretary, HHS.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Secretary of Health and Human Services is proposing rules
for the imposition of civil money penalties on entities that violate
rules adopted by the Secretary to implement the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996, Pub. L. 104-191 (HIPAA). The proposed rule
would amend the existing rules relating to the investigation of
noncompliance to make them apply to all of the HIPAA Administrative
Simplification rules, rather than exclusively to the privacy standards.
It would also amend the existing rules relating to the process for
imposition of civil money penalties. Among other matters, the proposed
rules would clarify and elaborate upon the investigation process, bases
for liability, determination of the penalty amount, grounds for waiver,
conduct of the hearing, and the appeal process.
DATES: Comments on the proposed rule will be considered if we receive
them at the appropriate address, as provided below, no later than June
17, 2005.
ADDRESSES: You may submit comments by any of the following methods:
• Federal eRulemaking Portal: https://www.regulations.gov.
Include agency name and ``RIN: 0991-AB29.''
• E-mail: CMS0010.Comments@hhs.gov. Include ``RIN: 0991-AB29'' in the
subject line of the message.
• Mail: U.S. Department of Health and Human Services, Office
of General Counsel, Attention: HIPAA Enforcement Rule, 330 Independence
Ave., SW., Washington, DC 20201.
• Hand Delivery/Courier: Attention: HIPAA Enforcement Rule,
Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington,
DC 20201.
Instructions: Because of staff and resource limitations, we cannot
accept comments by facsimile (FAX) transmission. For detailed
instructions on submitting comments and additional information on the
rulemaking process, see the ``Public Participation'' heading of the
SUPPLEMENTARY INFORMATION section of this document.
FOR FURTHER INFORMATION CONTACT: Carol Conrad, (202) 690-1840.
SUPPLEMENTARY INFORMATION:
I. Public Participation
We welcome comments from the public on all issues set forth in this
rule to assist us in fully considering issues and developing policies.
You can assist us by referencing the RIN number (RIN: 0991-AB29) and by
preceding your discussion of any particular provision with a citation
to the section of the proposed rule being discussed.
A. Inspection of Public Comments
Comments received timely will be available for public inspection as
they are received, generally beginning approximately 6 weeks after
publication of this document, at the mail address provided above,
Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule
an appointment to view public comments, call Karen Shaw,
(202) 205-0154.
B. Electronic Comments
We will consider all electronic comments that include the full
name, postal address, and affiliation (if applicable) of the sender and
are submitted to either of the electronic addresses identified in the
ADDRESSES section of this preamble. All comments must be incorporated
in the e-mail message, because we may not be able to access
attachments. Copies of electronically submitted comments will be
available for public inspection as soon as practicable at the address
provided, and subject to the process described, in the preceding
paragraph.
C. Mailed Comments and Hand Delivered/Couriered Comments
Mailed comments may be subject to delivery delays due to security
procedures. Please allow sufficient time for mailed comments to be
timely received in the event of delivery delays. Comments mailed to the
address indicated for hand or courier delivery may be delayed and could
be considered late.
D. Copies
To order copies of the Federal Register containing this document,
send your request to: New Orders, Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue
requested and enclose a check or money order payable to the
Superintendent of Documents, or enclose your Visa or Master Card number
and expiration date. Credit card orders can also be placed by calling
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by
faxing to (202) 512-2250. The cost for each copy is $10. As an
alternative, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is available from the Federal
Register online database through GPO Access, a service of the U.S.
Government Printing Office. The web site address is:
https://www.gpoaccess.gov/nara/. This document is available
electronically at the following web sites of the Department of Health
and Human Services (HHS): https://www.hhs.gov/ocr/hipaa/ and
https://www.cms.gov/hipaa/hipaa2.
F. Response to Comments
Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
in accordance with the methods described above and by the date
specified in the DATES section of this preamble. When we proceed with a
final rule, we will respond to comments in the preamble to that rule.
II. Background
HHS proposes to amend or renumber existing rules that relate to
compliance with, and enforcement of, the Administrative Simplification
regulations (HIPAA rules) adopted by the Secretary of Health and Human
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA
provisions). These rules are codified at 45 CFR part 160, subparts C
and E. In addition, this proposed rule would add a new subpart D to
part 160. The new subpart D would contain additional rules relating to
the imposition by the Secretary of civil money penalties on covered
entities that violate the HIPAA rules. The full set of rules that will
ultimately be codified at subparts C, D, and E of 45 CFR part 160 is
collectively referred to in this proposed rule as the ``Enforcement
Rule.'' Finally, HHS proposes conforming changes to subpart A of part
160 and subpart E of part 164.
The statutory and regulatory background of the proposed rule is set
out below. A description of HHS's approach to enforcement of the HIPAA
provisions and the HIPAA rules in general, the approach of this
proposed
rule in particular, and each section of the proposed rule follows. The
preamble concludes with HHS's analyses of impact and other issues under
applicable law.
A. Statutory Background
Subtitle F of Title II of HIPAA, entitled ``Administrative
Simplification,'' requires the Secretary to adopt national standards
for certain information-related activities of the health care industry.
The purpose of subtitle F is to improve the Medicare program under
title XVIII of the Social Security Act (Act), the Medicaid program
under title XIX of the Act, and the efficiency and effectiveness of the
health care system, by mandating the development of standards and
requirements to enable the electronic exchange of certain health
information. Section 262 of subtitle F added a new Part C to Title XI
of the Act. Part C (sections 1171-1179 of the Act, 42 U.S.C.
1320d-1320d-8) requires the Secretary to adopt national standards for certain
financial and administrative transactions and various data elements to
be used in those transactions, such as code sets and certain unique
health identifiers. Recognizing that the industry trend toward
computerizing health information, which HIPAA encourages, may increase
the accessibility of that information, sections 262 and 264 of HIPAA
also require the Secretary to adopt national standards to protect the
security and privacy of the information.
Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA
provisions apply only to--
The following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information
in electronic form in connection with a transaction referred to in
section 1173(a)(1).
These entities are collectively known as ``covered entities.'' An
additional category of covered entities was added by the Medicare
Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L.
108-173) (MMA). As added by MMA, section 1860D-31(h)(6)(A) of the Act,
42 U.S.C. 1395w-141(h)(6)(A), provides that:
a prescription drug card sponsor is a covered entity for purposes of
applying part C of title XI and all regulatory provisions
promulgated thereunder, including regulations (relating to privacy)
adopted pursuant to the authority of the Secretary under section
264(c) of the Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. 1320d-2 note).
HIPAA requires certain consultations with industry as a predicate
to the issuance of the HIPAA standards and provides that most covered
entities have up to 2 years (small health plans have up to 3 years) to
come into compliance with the standards, once adopted. The statute
establishes civil money penalties and criminal penalties for
violations. Act, sections 1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42
U.S.C. 1320d-4(b)), 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 1320d-6).
HHS enforces the civil money penalties, while the U.S. Department of
Justice enforces the criminal penalties.
HIPAA's civil money penalty provision, section 1176(a) of the Act,
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money
penalty, as follows:
(1) IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part [42 U.S.C. Sec. 1320d et seq.] a penalty of not more than
$100 for each such violation, except that the total amount imposed
on the person for all violations of an identical requirement or
prohibition during a calendar year may not exceed $25,000.
(2) PROCEDURES. The provisions of section 1128A [42 U.S.C.
1320a-7a] (other than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the imposition of a civil
money penalty under this subsection in the same manner as such
provisions apply to the imposition of a penalty under such section
1128A.
For simplicity, we refer throughout this preamble to this provision,
the related provisions at section 1128A of the Act, and other related
provisions of the Act, by their Social Security Act citations, rather
than by their U.S. Code citations.
Subsection (b) of section 1176 sets out limitations on the
Secretary's authority to impose civil money penalties and also provides
authority for waiving such penalties. Under section 1176(b)(1), a civil
money penalty may not be imposed with respect to an act that
``constitutes an offense punishable'' under the criminal penalty
provision. Under section 1176(b)(2), a civil money penalty may not be
imposed ``if it is established to the satisfaction of the Secretary
that the person liable for the penalty did not know, and by exercising
reasonable diligence would not have known, that such person violated
the provision.'' Under section 1176(b)(3), a civil money penalty may
not be imposed if the failure to comply was due ``to reasonable cause
and not to willful neglect'' and is corrected within a certain time.
Finally, under section 1176(b)(4), a civil money penalty may be reduced
or entirely waived ``to the extent that the payment of such penalty
would be excessive relative to the compliance failure involved.''
As noted above, HIPAA incorporates by reference certain provisions
of section 1128A of the Act. Those provisions, as relevant here,
establish a number of requirements with respect to the imposition of
civil money penalties. Under section 1128A(c)(1), the Secretary may not
initiate a civil money penalty action ``later than six years after the
date'' of the occurrence that forms the basis for the civil money
penalty. Under section 1128A(c)(2), a person upon whom the Secretary
seeks to impose a civil money penalty must be given written notice and
an opportunity for a determination to be made ``on the record after a
hearing at which the person is entitled to be represented by counsel,
to present witnesses, and to cross-examine witnesses against the
person.'' Section 1128A also provides, at subsections (c), (e), and
(j), respectively, requirements for: service of the notice and
authority for sanctions which the hearing officer may impose for
misconduct in connection with the civil money penalty proceeding;
judicial review of the Secretary's determination in the United States
Court of Appeals for the circuit in which the person resides or
maintains his/its principal place of business; and the issuance of
subpoenas by the Secretary and the enforcement of those subpoenas. In
addition, section 1128A of the Act contains provisions relating to
liability for civil money penalties and how they are dealt with, once
imposed. For example, section 1128A(d) provides that the Secretary must
take into account certain factors ``in determining the amount * * * of
any penalty,'' section 1128A(h) requires certain notifications once a
civil money penalty is imposed, and section 1128A(l) makes a principal
liable for penalties ``for the actions of the principal's agent acting
within the scope of the agency.'' These provisions are discussed more
fully below.
B. Regulatory Background
As noted above, HIPAA requires the Secretary to adopt a number of
national standards to facilitate the exchange, and protect the privacy
and security, of certain health information. The Secretary has already
adopted many of these HIPAA standards by regulation.
Regulations implementing the statutory requirement for the
adoption of standards for transactions and code sets, Health Insurance
Reform: Standards for Electronic Transactions (Transactions Rule), were
published on August 17, 2000 (65 FR 50312), and were modified on
February 20, 2003 (68 FR 8381). The Transactions Rule
became effective on October 16, 2000, with an initial compliance date
of October 16, 2002 for covered entities other than small health plans.
The passage of the Administrative Simplification Compliance Act (ASCA),
Pub. L. 107-105, in 2001 enabled covered entities to obtain an
extension of the compliance date to October 16, 2003 by filing a
compliance plan by October 15, 2002. If a covered entity (other than a
small health plan) did not file such a plan, it was required to comply
with the Transactions Rule by October 16, 2002. All covered entities
were required to be in compliance with the Transactions Rule, as
modified, by October 16, 2003.
Regulations implementing the statutory requirement for the
adoption of privacy standards, Standards for Privacy of Individually
Identifiable Health Information (Privacy Rule), were published on
December 28, 2000 (65 FR 82462). The Privacy Rule became effective on
April 14, 2001. Modifications to simplify and increase the workability
of the Privacy Rule were published on August 14, 2002 (67 FR 53182).
Compliance with the Privacy Rule, as modified, was required by April
14, 2003 for covered entities other than small health plans; small
health plans were required to come into compliance by April 14, 2004.
The Privacy Rule adopted rules relating to compliance and
enforcement. These rules are codified at 45 CFR part 160, subpart C.
Subpart C presently applies only to compliance with, and enforcement
of, the Privacy Rule.
Regulations implementing the statutory requirement for the
adoption of an employer identifier standard, Health Insurance Reform:
Standard Unique Employer Identifier (EIN Rule), were published on May
31, 2002 (67 FR 38009) and became effective on July 30, 2002. The
initial compliance date was July 30, 2004 for most covered entities;
small health plans have until July 30, 2005 to come into compliance.
These regulations were modified on January 23, 2004 (69 FR 3434),
effective the same date.
Regulations implementing the statutory requirement for the
adoption of security standards, Health Insurance Reform: Security
Standards, were published on February 20, 2003 (68 FR 8334), effective
on April 21, 2003. The initial compliance date for covered entities
other than small health plans is April 20, 2005; small health plans
have until April 20, 2006 to come into compliance.
An interim final rule promulgating procedural requirements
for imposition of civil money penalties, Civil Money Penalties:
Procedures for Investigations, Imposition of Penalties, and Hearings
(April 17, 2003 interim final rule), was published on April 17, 2003
(68 FR 18895), was effective on May 19, 2003, with a sunset date of
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The
April 17, 2003 interim final rule adopted a new subpart E of part 160.
The sunset date of the April 17, 2003 interim final rule was extended
to September 16, 2005 on September 15, 2004 (69 FR 55515).
Regulations implementing the requirement to issue
standards for a unique identifier for health care providers, HIPAA
Administrative Simplification: Standard Unique Health Identifier for
Health Care Providers (NPI Rule), were issued on January 23, 2004 (69
FR 3434), effective on May 23, 2005. The compliance date is May 23,
2007 for most covered entities; small health plans have until May 23,
2008 to come into compliance.
In addition to the foregoing regulations implementing the HIPAA
provisions, HHS has adopted two other regulations that are relevant,
for some covered entities, to compliance with those provisions.
Section 3 of the ASCA amended section 1862 of the Act to
require Medicare providers, with certain exceptions, to submit claims
to Medicare electronically (and, thus, in conformity with the
Transactions Rule) by October 16, 2003. Regulations implementing
section 3, Medicare Program: Electronic Submission of Medicare Claims,
were published on August 15, 2003 (68 FR 48805), effective on October
16, 2003.
Regulations implementing the Medicare Prescription Drug
Discount Card program under MMA and the statutory provision that
Medicare prescription drug discount card sponsors are covered entities
under HIPAA, were issued on December 15, 2003 (68 FR 69840), effective
the same date. These rules require such sponsors to comply with the
HIPAA rules when they become sponsors, except and to the extent that
the Secretary temporarily waives the Privacy Rule requirements, and
provides some rules regarding how these entities are to comply with the
HIPAA rules. The Secretary has indicated that he does not anticipate
that it will be necessary to waive the Privacy Rule requirements and
has not done so. 68 FR 69871.
III. General Approach
As the discussion above makes clear, the duty to comply with
certain HIPAA rules is now a reality for all covered entities. The
immediacy of the compliance obligation brings with it the issue of how
these rules will be enforced. Accordingly, we discuss below our general
approach to enforcement, how the rules proposed below would fit in with
the existing components of the Enforcement Rule, and the basic approach
of the proposed rule.
A. HHS's General Approach to Enforcement
One of the Secretary's priorities is ``One HHS'': HHS's public
health and welfare mission and message must be consistent, and HHS
should speak with one voice. Because of the Secretary's One HHS policy
and because there is one statutory provision for imposing civil money
penalties on covered entities that violate the HIPAA rules, there is
one enforcement and compliance policy for the HIPAA rules. We are
committed to promoting and encouraging voluntary compliance with the
HIPAA rules through education, cooperation, and technical assistance.
Many educational and technical assistance materials on HIPAA,
including the HIPAA rules, are already available on HHS's Web sites.
See https://www.hhs.gov/ocr/hipaa for the Privacy Rule and
https://www.cms.gov/hipaa/hipaa2 for the other HIPAA rules. We continue to work
on educational and technical assistance materials, including additional
guidance on compliance and enforcement and targeted technical
assistance materials focused on particular segments of the health care
industry. We anticipate developing additional materials relevant to new
HIPAA rules as the need arises.
The authority for administering and enforcing compliance with the
Privacy Rule has been delegated to the HHS Office for Civil Rights
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering
and enforcing compliance with the non-privacy HIPAA rules has been
delegated to the Centers for Medicare & Medicaid Services (CMS). 68 FR
60694 (October 23, 2003).
At present, our compliance and enforcement activities are primarily
complaint-based. Although our enforcement efforts are focused on
investigating complaints, they may also include conducting compliance
reviews to determine if a covered entity is in compliance. When
potential violations come to our attention through a complaint or a
compliance review, OCR or CMS's Office of HIPAA Standards (OHS), as
appropriate, attempts to resolve the matter informally. Many such
matters are resolved at the initial stage of contact. However, even
where a
matter is not resolved at this initial stage and the investigation
continues, the matter can still be resolved through voluntary
compliance (for example, by means of a corrective action plan); and OCR
or CMS may provide technical assistance to help the covered entity
achieve compliance. Resolving issues through such informal means is
often the quickest and most effective means of ensuring that the
benefits of the HIPAA rules are realized. However, if we are unable to
obtain compliance effectively on matters within our jurisdiction
through voluntary means, we may seek to impose civil money penalties.
Moreover, matters subject to criminal penalties are referred to the
Department of Justice.
B. HHS's Approach to the Enforcement Rule
The Enforcement Rule would bring together and adopt rules governing
the implementation of the civil money penalty authority of section 1176
of the Act for all of the HIPAA rules. As previously noted, parts of
the Enforcement Rule are already in place: subpart C of part 160
establishes certain investigative procedures for the Privacy Rule, and
subpart E establishes interim procedures for investigations and for the
imposition of, and challenges to the imposition of, civil money
penalties for all of the HIPAA rules. This proposed rule would complete
the Enforcement Rule by addressing, among other issues, our policies
for determining violations and calculating civil money penalties, how
we will address the statutory limitations on the imposition of civil
money penalties, and various procedural issues, such as provisions for
appellate review within HHS of a hearing decision, burden of proof, and
notification of other agencies of the imposition of a civil money
penalty.
In developing these regulations, several principles guided our
choice of policies from among the available options. The Enforcement
Rule should promote voluntary compliance with the HIPAA rules, be clear
and easy to understand, provide consistent results in the interest of
fairness, provide the Secretary with reasonable discretion,
particularly in areas where the exercise of judgment is called for by
the statute or rules, and avoid being overly prescriptive in areas
where it would be helpful to gain experience with the practical impact
of the HIPAA rules, to avoid unintended adverse effects.
With respect to many of the Enforcement Rule's provisions, we were
also mindful that section 1176(a) requires the Secretary to apply the
incorporated provisions of section 1128A to the imposition of a civil
money penalty under section 1176 ``in the same manner as'' they apply
to the imposition of civil money penalties under section 1128A itself.
As we explained in the preamble to the April 17, 2003 interim final
rule, the imposition of civil money penalties under section 1128A is
administered by the HHS Office of the Inspector General (OIG).
Accordingly, the rules proposed below, like those in the current
Subpart E, generally look to the regulations of the OIG that implement
section 1128A, which are codified at 42 CFR parts 1003, 1005, and 1006
(OIG regulations).
The Enforcement Rule does not adopt standards, as that term is
defined and interpreted under HIPAA. Thus, the requirement for industry
consultations in section 1172(c) of the Act does not apply. For the
same reason, HIPAA's time frames for compliance, set forth in section
1175 of the Act, will not apply to the Enforcement Rule, when adopted
in final form.
IV. Provisions of the Proposed Rule
The proposed rule would revise 45 CFR part 160 as follows: it would
revise the existing subpart C, adopt a new subpart D, and revise the
existing subpart E; a minor amendment of subpart A is also proposed.
Subpart A, which contains general provisions, would be amended to
include a definition of ``person.'' Subpart C includes all provisions
that relate to activities for determining compliance, including
investigations and cooperation by covered entities. The proposed
revisions of subpart C are largely technical, incorporating several
provisions currently found in subpart E. We also propose to make
subpart C applicable to the non-privacy HIPAA rules. The new subpart D
would establish rules relating to the imposition of civil money
penalties, including those which apply whether or not there is a
hearing. Subpart D would also incorporate several provisions currently
found in subpart E. Proposed subpart E would address the pre-hearing
and hearing phases of the enforcement process. Many of the provisions
of proposed subpart E were adopted by the April 17, 2003 interim final
rule and would not be substantively changed, although they would, in
general, be renumbered.
Finally, a conforming change to the privacy standards in subpart E
of part 164 is proposed. This conforming change is discussed in
connection with proposed Sec. 160.316 at section IV.B.5 below.
A. Subpart A
We propose to amend Sec. 160.103 to add a definition of the term
``person.'' This would replace the definition of that term adopted by
the April 17, 2003 interim final rule. We propose to place this
definition in Sec. 160.103 so that it applies to all of the HIPAA
rules. The term ``person'' appears throughout the HIPAA rules, and the
definition of the term we propose is a universal one that should work
in each of the contexts in which the term ``person'' occurs. If the
proposed placement would create problems, commenters should bring that
to our attention.
In Sec. 160.502 of the April 17, 2003 interim final rule, we
defined a ``person'' as ``a natural or legal person'' to clarify, in
the context of administrative subpoenas, the distinction between an
entity (defined as a ``legal person'') and natural persons who would
testify on the entity's behalf. The proposed rule would revise and
expand this definition.
The statutory definition of a ``person'' that would otherwise apply
to the HIPAA provisions is found in section 1101(3) of the Act. That
section, which has been in the Act since it was originally enacted in
1935, defines a person as ``an individual, a trust or estate, a
partnership, or a corporation.'' However, Part C of title XI specifies
that the class of ``persons'' to whom the HIPAA standards apply--health
plans, certain health care providers, and health care clearinghouses--
includes certain State and federal programs, which are not included in
the definition of ``person'' in section 1101(3). For example, section
1171(2) defines a health care clearinghouse as a ``public or private''
entity. Under section 1171(3), a ``health care provider'' is defined to
include a provider of services as defined in section 1861(u), for
purposes of the Medicare program. The definition includes hospitals,
which in turn include State or local government-owned hospitals.
Finally, the definition of ``health plan'' in section 1171(5) includes
State and federal health plans: section 1171(5)(A) includes a group
health plan ``as defined in section 2791(a) of the Public Health
Service Act,'' and this definition includes State and local
governmental group health plans; section 1171(5)(E) includes ``the
medicaid program under title XIX,'' which is a State program; and other
provisions of section 1171(5) explicitly include as health plans
various federal health plans, such as Medicare, the Federal Employee
Benefit Health Plan, CHAMPUS, and the program of benefits for veterans.
Section 1176, by its terms,
applies to ``any person who violates a provision of this part.''
Nothing in this language suggests that Congress intended to exempt any
class of covered entities from liability for a civil money penalty
under this section.
Thus, to effectuate Congress's purpose in enacting the HIPAA
provisions, it is necessary to define ``person'' sufficiently broadly
to encompass the entities to which the HIPAA rules apply. The Supreme
Court has recognized that this is a valid approach in appropriate
instances. See, e.g., Lawson v. Suwanee S.S. Co., 336 U.S. 198 (1949).
This proposed approach is also consistent with that taken by the OIG
regulations, the preamble to which explained that it was necessary to
expand the definition of ``person'' in the context of section 1128A of
the Act to include States because of clear Congressional intent to
include them in the class of entities subject to civil money penalties.
48 FR 38837, 38828 (August 26, 1983).
Accordingly, the proposed rule generally tracks the definition of
``person'' in the OIG regulations. In particular, by defining the term
as ``a natural person, trust or estate, partnership, corporation,
professional association or corporation, or other entity, public or
private,'' the proposed rule clarifies, consistent with the HIPAA
provisions, that the term includes States and other public entities.
However, we propose to adapt the language used in the OIG regulations
by substituting the term ``natural person'' for the term ``individual''
in the definition of ``person'' in the OIG regulations. The term
``individual'' is defined in Sec. 160.103 as ``the person who is the
subject of protected health information.'' Since the term
``individual'' has a defined, and narrower, meaning in the HIPAA rules
than it does in the OIG regulations, the proposed rule uses the term
``natural person'' to make the definition of ``person'' have the same
scope as in the OIG regulations.
B. Subpart C--Compliance and Investigations
We propose to amend subpart C to make the compliance and
investigation provisions of the subpart--which at present apply only to
the Privacy Rule--applicable to all of the HIPAA rules. In addition, we
propose to include in subpart C the definitions that apply to subparts
C, D, and E. In accordance with the organizational scheme described
above, we also propose to move to subpart C from subpart E the
provision relating to investigational subpoenas, which is currently
codified at Sec. 160.504. The title of this subpart has also been
changed (from ``Compliance and Enforcement'') to reflect the focus of
this subpart within the larger Enforcement Rule. Finally, we propose to
add to subpart C provisions prohibiting intimidation or retaliation
that are currently found in the Privacy Rule but not in the other HIPAA
rules. Aside from making conforming changes to Sec. 160.312, discussed
at section IV.B.3 below, we propose to leave the substance of the
existing provisions of subpart C unchanged. We solicit comment as to
whether these provisions should be revised and, if so, in what manner.
1. Application of Subpart C to the Non-Privacy HIPAA Rules
Subpart C is intended to provide a cooperative approach to
obtaining compliance, including use of technical assistance and
informal means to resolve disputes, and currently provides as follows.
Section 160.304 provides that the Secretary will, to the extent
practicable, seek the cooperation of covered entities in obtaining
compliance and may provide technical assistance to this end. Section
160.306 provides for the investigation of complaints by the Secretary
and provides requirements relating to the filing of such complaints.
Section 160.308 provides for the conduct of compliance reviews by the
Secretary. Section 160.310 requires covered entities to keep and submit
such records as the Secretary determines are necessary to determine
compliance and cooperate with the Secretary in an investigation or
compliance review. A covered entity must provide access during normal
business hours to its books and records pertinent to ascertaining
compliance; while we think such circumstances are very unlikely ever to
arise, a covered entity is also required, where exigent circumstances
exist, to permit such access at any time and without notice. This
section also provides that the Secretary may disclose protected health
information obtained in the course of an investigation or compliance
review only if necessary for ascertaining or enforcing compliance with
the applicable requirements of the Privacy Rule or if otherwise
required by law. Section 160.312 addresses Secretarial action regarding
complaints and compliance reviews. It provides that where noncompliance
is indicated, the Secretary will attempt to resolve the matter by
informal means wherever possible and provides for certain notifications
to the covered entity (and the complainant, if the matter arose from a
complaint).
At present, subpart C applies only to the Privacy Rule. However, to
simplify, clarify, and reduce the burden of the compliance process for
covered entities, the proposed rule would make this subpart applicable
to the other HIPAA rules as well. A uniform regulatory scheme would
simplify the compliance and enforcement process in the event that a
covered entity violates provisions of more than one HIPAA rule (for
example, where violations of both the Privacy Rule and the Security
Rule are at issue) and is also consistent with the Secretary's ``One
HHS'' policy.
Accordingly, we propose to amend the following sections of subpart
C to make them applicable to all of the HIPAA rules: Sec. 160.300--
Applicability; Sec. 160.304--Principles for achieving compliance;
Sec. 160.306--Complaints to the Secretary; Sec. 160.308--Compliance
reviews; and Sec. 160.310--Responsibilities of covered entities. This
would be accomplished by changing the present references in these
sections from ``subpart E of part 164'' to the more inclusive, defined
term, ``administrative simplification provision'' or ``administrative
simplification provisions,'' as appropriate.
2. Section 160.302--Definitions
Section 160.302 presently states that the terms used in subpart C
that are defined in Sec. 164.501 have the same meaning as defined in
that section. The terms that were initially defined in Sec. 164.501
that would continue to be used in this subpart (``individual,''
``disclose,'' ``protected health information,'' ``use'') have
subsequently been moved to Sec. 160.103. The term ``payment'' is used
in this subpart, but not as defined in Sec. 164.501. Thus, we propose
to delete this text, as it is no longer appropriate.
We propose to move to Sec. 160.302 three definitions that were
adopted in the April 17, 2003 interim final rule at Sec. 160.502:
``ALJ'', ``civil money penalty or penalty'', and ``respondent.'' These
terms are placed at the outset of the provisions that address
compliance and enforcement for clarity, since they are used in more
than one of the subparts that address compliance and enforcement. We do
not discuss these terms, as we do not propose to change them. We
discuss below two new terms which we propose to add to Sec. 160.302
and which are likewise used throughout subparts C, D, and E:
``administrative simplification provision'' and ``violation or
violate.''
a. ``Administrative Simplification Provision''
Section 1176(a)(1) provides that, except as provided in section
1176(b), the Secretary shall impose ``on any person who violates a
provision of this part a penalty of not more than $100 for each such
violation, except that the total amount imposed on the person for all
violations of an identical requirement or prohibition during a calendar
year may not exceed $25,000.'' (Emphasis added.) Based on this
statutory language, and also taking into account the structures of each
of the HIPAA rules, HHS considered a number of different options for
defining the term ``provision of this part'' in section 1176(a)(1) as
it applies to the HIPAA rules.
The HIPAA rules generally are comprised of standards,
implementation specifications, and requirements and prohibitions.
However, the structure and composition of the HIPAA rules with respect
to these elements vary. The Privacy Rule is generally comprised of
standards that contain implementation specifications and other
requirements or prohibitions. The identifier rules (the EIN Rule and
the NPI Rule) contain standards and implementation specifications, and
all requirements that apply to covered entities are in a standard or an
implementation specification. In the Security Rule, most requirements
are in standards or their related implementation specifications, but
some requirements are freestanding. The Transactions Rule contains
requirements and prohibitions, not all of which are contained in
standards and implementation specifications, and adopts standards that
are also implementation specifications. The provisions of subpart C of
part 160 that apply to covered entities are framed as requirements. The
HIPAA rules are silent as to which of these elements is a ``provision
of this part'' that may be violated and for which civil money penalties
may be assessed.
We propose to define a new term--``administrative simplification
provision''--to express the scope and application of the compliance and
investigation provisions, as well as the enforcement and penalty
provisions. This proposed provision interprets ``provision of this
part'' in section 1176 to refer to any requirement or prohibition
established by the statute or any of the HIPAA rules that are adopted
under the statute.
In determining how to define a ``provision of this part'' that
could be violated, we considered options in light of our goal of
implementing a unified approach with respect to all of the HIPAA rules.
Given the variation in structure of the HIPAA rules, we sought an
approach which would be flexible enough to apply to all the rules but
which would not be too complex. Accordingly, we decided against an
approach that would define the ``provision of this part'' that could be
violated as either any ``standard,'' or any ``implementation
specification,'' or both. These approaches would not have captured
stand-alone requirements or prohibitions--i.e., those requirements and
prohibitions in the HIPAA rules that fall outside of the structure of a
standard or implementation specification. For example, in the
Transactions Rule, the prohibition on a health plan delaying or
rejecting a transaction that is a standard transaction (Sec.
162.925(a)(2)), which implements the statutory prohibition at section
1175(a)(1)(B), is a stand-alone requirement. It would be anomalous to
create an enforcement scheme that, in effect, insulated this provision
from enforcement. These options would also have resulted in complexity
and inconsistency in the application of the Enforcement Rule to each of
the HIPAA rules, given their varied structures with respect to
standards and implementation specifications.
Instead, we propose to define a ``provision of this part'' that can
be violated as any ``requirement or prohibition'' found within the
rules, regardless of whether the requirement or prohibition falls
within a standard, implementation specification, or elsewhere in the
rules. This definition flows directly from the statutory language in
section 1176(a)(1) of the Act, which refers to ``violations of an
identical requirement or prohibition.'' It is also a definition that
can be applied consistently across the HIPAA rules, regardless of how
they are structured or titled. Accordingly, we propose to define the
term ``administrative simplification provision'' in Sec. 160.302 to
mean any requirement or prohibition established by the HIPAA provisions
or HIPAA rules: ``* * * any requirement or prohibition established by:
(1) 42 U.S.C. 1320d-1320d4, 1320d-7, and 1320d-8; (2) Section 264 of
Pub. L. 104-191; or (3) This subchapter.'' This definition would
include those provisions in subpart C which apply to covered entities.
b. ``Violation'' or ``Violate''
Building on this proposed definition of ``administrative
simplification provision,'' we propose to define a ``violation'' (or
``to violate'') to mean a ``failure to comply with an administrative
simplification provision.'' Like the proposed definition of
``administrative simplification provision,'' the proposed definition of
``violation'' flows directly from the statutory language: subsections
(b)(3) and (b)(4) of section 1176 equate a ``violation'' with a
``failure to comply.'' The proposed definition is likewise one that can
be applied consistently across the HIPAA rules. This proposed
definition would make no distinction between commissions and
omissions--that is, a violation occurs when a covered entity fails to
take an action required by a HIPAA rule, as well as when a covered
entity takes an action prohibited by a HIPAA rule.
3. Section 160.312--Secretarial Action Regarding Complaints and
Compliance Reviews
Section 160.312(a) currently provides that the Secretary will
inform the covered entity and the complainant, if applicable, if an
investigation or compliance review indicates a failure to comply and
attempt to resolve the matter by informal means whenever possible. If
the Secretary determines that the matter cannot be resolved by informal
means, the Secretary may issue findings to the covered entity and, if
applicable, the complainant.
Like the current Sec. 160.312(a), proposed Sec. 160.312(a)(1)
provides that, where noncompliance is indicated, the Secretary would
seek to reach a resolution of the matter satisfactory to the Secretary
by informal means. Informal means would include demonstrated
compliance, or a completed corrective action plan or other agreement.
Under this provision, entering into a corrective action plan or other
agreement would not, in and of itself, resolve the noncompliance;
rather, the full performance by the covered entity of its obligations
under the corrective action plan or other agreement would be necessary
to resolve the noncompliance.
Proposed Sec. Sec. 160.312(a)(2) and (3) address what
notifications will be provided by the Secretary where noncompliance is
indicated, based on an investigation or compliance review. Notification
under this paragraph would not be required where the only contacts made
were with the complainant, to determine whether the complaint warrants
investigation. Paragraph (a)(2) provides for written notice to the
covered entity and, if the matter arose from a complaint, the
complainant, where the matter is resolved by informal means. If the
matter is not resolved by informal means, paragraph (a)(3)(i) requires
the Secretary to so inform the covered entity and provide the covered
entity an opportunity to submit written evidence of any mitigating
factors or affirmative defenses for consideration under Sec. Sec.
160.408 and 160.410; the covered entity must submit any such evidence
to the Secretary within 30 days of receipt of such notification.
Paragraph (a)(3)(ii) would revise the current Sec. 160.312(a)(2) to
avoid confusion with the notice of proposed determination process
provided for at proposed Sec. 160.420. Where a matter is not resolved
by informal means and the Secretary finds that imposition of a civil
money penalty is warranted, the formal finding would be contained in
the notice of proposed determination issued under proposed Sec.
160.420. See also the discussion at section V.J below.
Paragraph (b) of the current Sec. 160.312 provides that if the
Secretary finds after an investigation or compliance review that no
further action is warranted, the Secretary will so inform the covered
entity and, if the matter arose from a complaint, the complainant. This
section does not apply where no investigation or compliance review has
been initiated, such as where a complaint has been dismissed due to
lack of jurisdiction. Paragraph (b) would remain largely unchanged.
4. Section 160.314--Investigational Subpoenas and Inquiries
The text of Sec. 160.314 was adopted by the April 17, 2003 interim
final rule as Sec. 160.504. We propose to move this section to subpart
C, consistent with our overall approach of organizing subparts C, D,
and E to reflect the stages of the enforcement process. Since the
investigational subpoenas and inquiries occur prior to the imposition
of a civil money penalty, we propose to move the rules relating to them
to subpart C, where other rules related to this stage of the process
are located. This organizational arrangement should facilitate use of
the Rule by covered entities and others.
One substantive change is proposed to paragraph (a). We would add
to the introductory language of this paragraph a sentence which states
that, for the purposes of paragraph (a), a person other than a natural
person is termed an ``entity.'' This permits us to avoid creating a
definition of the term ``entity'' that would have a broader application
and might be incorrect in other contexts, but preserves the utility of
the definition in this specific context. The term ``entity'' would no
longer be a defined term for the rest of the Rule, unlike the approach
taken in Sec. 160.502 of the April 17, 2003 interim final rule.
Proposed paragraphs (b)(1), (2) and (8) are unchanged from the
current paragraphs (b)(1)--(3) of Sec. 160.504. We propose to add new
paragraphs (3) through (7) and (9) to Sec. 160.314(b) and also to add
a new paragraph (c). Together, these additions would clarify the manner
in which investigational inquiries will be conducted, and how testimony
given, and evidence obtained, during such an investigation may be used.
The new paragraphs are based upon similar provisions in 42 CFR
1006.4. Proposed Sec. Sec. 160.314(b)(3)--(7) describe the rights of
the Secretary and the witness in the inquiry process: representatives
of the Secretary are entitled to attend and ask questions, a witness
may clarify his or her answers on the record following questioning by
the Secretary, the witness must place any claim of privilege on the
record, what requirements apply to the assertion of objections, and
under what circumstances and how the Secretary may seek enforcement of
the subpoena. Proposed Sec. 160.314(b)(8) (currently Sec.
160.504(b)(3) and which, as noted above, has not changed) recognizes
that investigational inquiries are non-public proceedings. Accordingly,
a witness's right to retain a copy of the transcript of his or her
testimony may be limited for good cause (5 U.S.C. 555(c)). Proposed
Sec. 160.314(b)(9) explains what would happen in such a case: The
witness would nonetheless be entitled to inspect the transcript and to
propose any corrections. If the witness is provided a copy of the
transcript, paragraph (b)(9)(i) would provide for the opportunity to
review the transcript and offer proposed corrections. This provision is
consistent with the practice under Rule 30(e) of the Federal Rules of
Civil Procedure (F.R.C.P.). Paragraph (b)(9)(ii) would allow the
Secretary to attach corrections to the transcript of a witness's
testimonial interview if the record transcribing the interview is
incorrect. Consistent with the practice under the OIG regulations, this
provision would not permit the Secretary to propose substantive changes
to the witness's testimony.
Proposed Sec. 160.314(c) provides that, consistent with Sec.
160.310, testimony and other evidence obtained in an investigational
inquiry may be used by HHS in any of its activities and may be used or
offered into evidence in any administrative or judicial proceeding.
This provision follows Sec. 1006.4(h) of the OIG regulations, but is
tailored to be consistent with the existing Sec. 160.310(c)(3). Under
this provision, evidence obtained in an investigational inquiry could
be used in any of HHS's activities and could be used or offered into
evidence in any administrative or judicial proceeding, except to the
extent it consists of protected health information. Evidence that is
protected health information may be disclosed only ``if necessary for
ascertaining or enforcing compliance with the applicable administrative
simplification provisions, or if otherwise required by law,'' as
provided at Sec. 160.310(c).
5. Section 160.316--Refraining From Intimidation or Retaliation
Proposed Sec. 160.316 would prohibit covered entities from
threatening, intimidating, coercing, discriminating against, or taking
any other retaliatory action against individuals or other persons
(including other covered entities) who complain to HHS or otherwise
assist or cooperate in the enforcement processes created by this rule.
This provision is taken from Sec. 164.530(g)(2) of the Privacy Rule,
with only minor changes designed to adapt the provision to the new
subparts which this rule would add. The intent of this addition to
subpart C is to make these non-retaliation provisions applicable to all
of the HIPAA rules, not just the Privacy Rule. The placement of these
provisions in subpart C accomplishes this.
Section 164.530(g) would retain existing provisions which provide
that a covered entity may not intimidate, threaten, coerce,
discriminate against, or take other retaliatory action against an
individual for exercising his or her rights or for participating in any
process established by the Privacy Rule, including filing a complaint
with a covered entity. A conforming change to Sec. 164.530(g) of the
Privacy Rule is proposed, to cross-reference proposed Sec. 160.316.
As with other provisions of subpart C that impose requirements or
prohibitions on covered entities, the provisions of Sec. 160.316 are
``administrative simplification provisions.'' Thus, a violation of a
requirement or prohibition of this section would be a basis for
imposition of a civil money penalty.
C. Subpart D--Imposition of Civil Money Penalties
Proposed subpart D addresses the issuance of a notice of proposed
determination to impose a civil money penalty and other events that
would be relevant thereafter, whether or not a hearing follows the
issuance of the notice of proposed determination. This subpart also
would contain provisions on identifying violations, determining the
number of violations, calculating civil money penalties for such
violations, and establishing affirmative
defenses to the imposition of civil money penalties. It would, thus,
implement the provisions of section 1176, as well as related provisions
of section 1128A. As noted above, many provisions of the Rule are based
in large part upon the OIG regulations, but, as with subpart E, we
propose to adapt the OIG language to reflect issues presented by, or
the authority underlying, the HIPAA rules.
1. Section 160.402--Basis for a Civil Money Penalty
Proposed Sec. 160.402(a) would require the Secretary to impose a
civil money penalty on any covered entity which the Secretary
determines has violated an administrative simplification provision,
unless the covered entity establishes that an affirmative defense, as
provided for by Sec. 160.410, exists. See the discussion at section
IV.C.3 below. This provision is based on the language in section
1176(a) that ``* * * the Secretary shall impose on any person who
violates a provision of this part a penalty * * *''. This proposed
provision interprets ``provision of this part'' in section 1176(a)(1)
to refer to any requirement or prohibition established by the statute
or any of the HIPAA rules that are adopted under the statute. See the
discussion of the definitions of ``administrative simplification
provision'' and ``violation'' in section IV.B.2 above.
The use of the term ``shall impose'' in section 1176(a) is more
than a mere conveyance of authority to the Secretary to impose a
penalty for a violation of an administrative simplification provision.
If the Secretary finds in a notice of proposed determination that a
covered entity has violated an administrative simplification provision,
he is required to impose a penalty unless a basis for not imposing the
penalty under section 1176 exists. Section 1176(a) does not limit the
Secretary's discretion to encourage a covered entity to come into
compliance voluntarily, to close a case without issuing a notice of
proposed determination if voluntary compliance is obtained, or to set
the amount of the penalty below the statutory caps. Nor does section
1176(a) limit the Secretary's discretion to settle any matter,
including cases in which a civil money penalty has been proposed or
which are in hearing. The first sentence of section 1128A(f) of the
Act, which is incorporated by reference in section 1176, states, in
part, ``Civil money penalties * * * imposed under this section may be
compromised by the Secretary * * *''. Therefore, the Secretary may
settle a case even after a civil money penalty has been proposed.
a. Section 160.402(b)--Violations by More than One Covered Entity
The proposed rule includes a provision, at Sec. 160.402(b), that
addresses what would happen if multiple covered entities were
responsible for violating a HIPAA provision. Proposed Sec.
160.402(b)(1) provides that, except with respect to covered entities
that are members of an affiliated covered entity, if the Secretary
determines that more than one covered entity was responsible for
violating an administrative simplification provision, the Secretary
will impose a civil money penalty against each such covered entity.
Proposed Sec. 160.402(b)(2) provides that each covered entity that is
a member of an affiliated covered entity would be jointly and severally
liable for a civil money penalty for a violation by the affiliated
covered entity.
Proposed Sec. 160.402(b)(1) is based on a similar provision in the
OIG regulations at 42 CFR 1003.102(d). It differs from the OIG
provision in that this proposed provision requires the imposition of a
penalty on each covered entity that the Secretary determines has
violated an administrative simplification provision, rather than giving
the Secretary discretion to determine whether to impose a civil money
penalty on one or all. This is based on the statutory language in
section 1176(a) which states that the Secretary ``* * * shall impose a
penalty * * *'' when there is a determination that an entity has
violated a HIPAA provision. As discussed above, the language in the
statute mandates the imposition of a penalty in appropriate situations
where there has been a finding of a violation. However, nothing in this
section would limit the Secretary's ability to exercise enforcement
discretion to investigate only one covered entity, to encourage one or
more covered entities to come into compliance, to close a case against
one or more covered entities without issuing a notice of proposed
determination if voluntary compliance is obtained, or to set the amount
of the penalty differently for each covered entity when multiple
covered entities are responsible for violating an administrative
simplification provision, to the extent section 1176 and this Rule
would allow.
With the exception of affiliated covered entity arrangements, this
provision may apply to any two covered entities, including, but not
limited to, those that are part of a joint arrangement, such as an
organized health care arrangement. The determination of whether or not
an entity is responsible for the violation would be based on the facts.
Simply being part of a joint arrangement would not, in and of itself,
make a covered entity responsible for a violation by another entity in
the joint arrangement, although it may be a factor considered in the
analysis.
Proposed Sec. 160.402(b)(2) provides that each covered entity that
is a member of an affiliated covered entity would be jointly and
severally liable for a civil money penalty for a violation by the
affiliated covered entity. An affiliated covered entity is a group of
covered entities under common ownership or control, which have elected
to be treated as if they were one covered entity for purposes of
compliance with the Security and Privacy Rules. See 45 CFR 164.105(b).
Electing to become an affiliated covered entity may reduce the
administrative burden and create certain efficiencies with respect to
compliance. There is no requirement to form an affiliated covered
entity; the entities that choose to form an affiliated covered entity
must designate themselves as such and must document the designation in
writing.
The December 2000 Privacy Rule stated as follows with respect to
the liability of the component covered entities of an affiliated
covered entity: ``The covered entities that together make up the
affiliated covered entity are separately subject to liability under
this rule.'' 65 FR 82503. We clarify this language in the proposed
rule. Under proposed Sec. 160.402(b)(2), each covered entity that is a
member of an affiliated covered entity would be jointly and severally
liable for a civil money penalty for a violation by the affiliated
covered entity. This means that we could enforce a violation of the
Security Rule or Privacy Rule by an affiliated covered entity against
any covered entity member of the affiliated covered entity separately
or against all of the covered entity members of the affiliated covered
entity jointly. The reason for joint and several liability is that the
affiliated covered entity is treated, under the Security and Privacy
Rules, as one entity. Thus, it may be impossible to know or prove which
covered entity within an affiliated covered entity is responsible for a
violation, particularly in the case of a failure to act. For example,
if an affiliated covered entity fails to appoint a privacy official as
required by Sec. 164.530(a)(1)(i), it may be impossible to identify
one entity as responsible for the omission.
Proposed Sec. 160.402(b)(2) differs from proposed Sec.
160.402(b)(1) in two ways. First, no covered entity in an affiliated
covered entity could avoid a civil money penalty by demonstrating that
it
was not responsible for the act or omission constituting the violation
or that another covered entity member of the affiliated covered entity
was the culpable entity. Second, the maximum penalty that could be
imposed on all members of the affiliated covered entity for identical
violations in a calendar year would be the maximum allowed for one
covered entity--$25,000. By contrast, under Sec. 160.402(b)(1), if
more than one covered entity were responsible for a violation of an
administrative simplification provision, each covered entity would be
treated as separately violating the provision, and each could be
assessed the maximum penalty of $25,000 in a calendar year for
sufficient identical violations.
b. Section 160.402(c)--Violations Attributed to a Covered Entity
Under section 1176(a)(2), ``the provisions of section 1128A * * *
shall apply to the imposition of a civil money penalty under [HIPAA] in
the same manner as such provisions apply to the imposition of a penalty
under such section 1128A.'' Section 1128A(l) of the Act addresses the
liability of a covered entity for violations committed by an agent. It
states that ``a principal is liable for penalties * * * under this
section for the actions of the principal's agents acting within the
scope of the agency.'' This is similar to the traditional rule of
agency in which principals are vicariously liable for the acts of their
agents acting within the scope of their authority. See Meyer v. Holley,
537 U.S. 280 (2003). The preamble to the December 2000 Privacy Rule
discussed the applicability of section 1128A(l) as follows:
we note that section 1128A(l) of the Social Security Act, which
applies to the imposition of civil monetary penalties under HIPAA,
provides that a principal is liable for penalties for the actions of
its agent acting within the scope of the agency. Therefore, a
covered entity will generally be responsible for the actions of its
employees such as where the employee discloses protected health
information in violation of the regulation.
65 FR 82603.
We clarify in proposed Sec. 160.402(c) that, in the context of the
HIPAA rules, this means that a covered entity generally can be held
liable for a civil money penalty based on the actions of any agent,
including an employee or other workforce member, acting within the
scope of the agency or employment. A business associate will often be
an agent of a covered entity, but, as discussed below, a covered entity
that complies with the HIPAA rules governing business associates will
not be held liable for a business associate's actions that violate the
rules.
i. Federal Common Law of Agency
A principal's liability for the actions of its agents is generally
governed by State law. However, the Supreme Court has provided that the
federal common law of agency may be applied where there is a strong
governmental interest in nationwide uniformity and a predictable
standard and when the federal rule in question is interpreting a
federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998).
Here, there is a strong interest in nationwide uniformity. The
fundamental goal of the HIPAA provisions is to achieve standardization
of certain health care transactions, to standardize certain security
practices, and to set a federal floor of privacy practices, in order to
increase the efficiency and effectiveness of the health care system.
Therefore, it is essential for HHS to apply one consistent body of law
regardless of where an action is brought. The same considerations
support a strong federal interest in the predictable operation of the
standards, to ensure that the various covered entities operating
thereunder can do so consistently so as to facilitate the legitimate
exchange of information. Finally, the HIPAA rules interpret a federal
statute, the HIPAA provisions. Thus, the tests for application of the
federal comm