HIPAA Administrative Simplification: Enforcement, 8390-8433 [06-1376]

Agencies

• Office of the Secretary
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 71, Number 32 (Thursday, February 16, 2006)]
[Rules and Regulations]
[Pages 8390-8433]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-1376]



[[Page 8389]]

-----------------------------------------------------------------------

Part III





Department of Health and Human Services





-----------------------------------------------------------------------



Office of the Secretary



-----------------------------------------------------------------------



45 CFR Parts 160 and 164



HIPAA Administrative Simplification: Enforcement; Final Rule

Federal Register / Vol. 71, No. 32 / Thursday, February 16, 2006 / 
Rules and Regulations

[[Page 8390]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB29


HIPAA Administrative Simplification: Enforcement

AGENCY: Office of the Secretary, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Health and Human Services is adopting rules 
for the imposition of civil money penalties on entities that violate 
rules adopted by the Secretary to implement the Administrative 
Simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996, Public Law 104-191 (HIPAA). The final rule 
amends the existing rules relating to the investigation of 
noncompliance to make them apply to all of the HIPAA Administrative 
Simplification rules, rather than exclusively to the privacy standards. 
It also amends the existing rules relating to the process for 
imposition of civil money penalties. Among other matters, the final 
rule clarifies and elaborates upon the investigation process, bases for 
liability, determination of the penalty amount, grounds for waiver, 
conduct of the hearing, and the appeal process.

DATES: This final rule is effective on March 16, 2006.

FOR FURTHER INFORMATION CONTACT: Carol C. Conrad, (202) 690-1840.

SUPPLEMENTARY INFORMATION: On April 18, 2005, the Department of Health 
and Human Services (HHS) published a Notice of Proposed Rulemaking 
(proposed rule) proposing to revise the existing rules relating to 
compliance with, and enforcement of, the Administrative Simplification 
regulations (HIPAA rules) adopted by the Secretary of Health and Human 
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA 
provisions). 70 FR 20224. The proposed rule also proposed the adoption 
of new provisions relating to the imposition of civil money penalties 
on covered entities that violate a HIPAA provision or HIPAA rule. The 
comment period on the proposed rule closed on June 17, 2005. Forty-nine 
comments, principally from health care organizations, were received 
during the comment period.
    In this final rule, HHS revises existing rules that relate to 
compliance with, and enforcement of, the HIPAA rules. These rules are 
codified at 45 CFR part 160, subparts C and E. In addition, this final 
rule adds a new subpart D to part 160. The new subpart D contains 
additional rules relating to the imposition by the Secretary of civil 
money penalties on covered entities that violate the HIPAA rules. The 
full set of rules to be codified at subparts C, D, and E of 45 CFR part 
160 is collectively referred to in this final rule as the ``Enforcement 
Rule.'' Finally, HHS makes minor and conforming changes to subpart A of 
part 160 and subpart E of part 164.
    The statutory and regulatory background of the final rule is set 
out below. A description of the provisions of the proposed rule, the 
public comments, and HHS's responses to the comments follows. The 
preamble concludes with HHS's analyses of impact and other issues under 
applicable law.

I. Background

A. Statutory Background

    Subtitle F of Title II of HIPAA, entitled ``Administrative 
Simplification,'' requires the Secretary to adopt national standards 
for certain information-related activities of the health care industry. 
Under section 1173 of the Social Security Act (Act), 42 U.S.C. 1320d-2, 
the Secretary is required to adopt national standards for certain 
financial and administrative transactions, code sets, the security of 
health information, and certain unique health identifiers. In addition, 
section 264 of HIPAA, 42 U.S.C. 1320d-2 note, requires the Secretary to 
promulgate standards to protect the privacy of certain health 
information. Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), 
the provisions of Subtitle F apply only to--

    The following persons:
    (1) A health plan.
    (2) A health care clearinghouse.
    (3) A health care provider who transmits any health information 
in electronic form in connection with a transaction referred to in 
section 1173(a)(1).

    These entities are collectively known as ``covered entities.'' \1\
---------------------------------------------------------------------------

    \1\ An additional category of covered entities was added by the 
Medicare Prescription Drug, Improvement, and Modernization Act of 
2003 (Pub. L. 108-173) (MMA). As added by MMA, section 1860D-
31(h)(6)(A) of the Act, 42 U.S.C. 1395w-141(h)(6)(A), provides that 
a prescription drug card sponsor is a covered entity for purposes of 
applying part C of title XI and all regulatory provisions 
promulgated thereunder, including regulations (relating to privacy) 
adopted pursuant to the authority of the Secretary under section 
264(c) of the Health Insurance Portability and Accountability Act of 
1996 (42 U.S.C. 1320d-2 note).
---------------------------------------------------------------------------

    HIPAA requires certain consultations with industry as a predicate 
to the issuance of the HIPAA standards and provides that most covered 
entities have up to 2 years (small health plans have up to 3 years) to 
come into compliance with the standards, once adopted. Act, sections 
1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42 U.S.C. 1320d-4(b)). The 
statute establishes civil money penalties and criminal penalties for 
violations. Act, sections 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 
1320d-6). HHS enforces the civil money penalties, while the U.S. 
Department of Justice enforces the criminal penalties.
    HIPAA's civil money penalty provision, section 1176(a) of the Act, 
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money 
penalty, as follows:

    (1) IN GENERAL. Except as provided in subsection (b), the 
Secretary shall impose on any person who violates a provision of 
this part [42 U.S.C. 1320d, et seq.] a penalty of not more than $100 
for each such violation, except that the total amount imposed on the 
person for all violations of an identical requirement or prohibition 
during a calendar year may not exceed $25,000.
    (2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 
1320a-7a] (other than subsections (a) and (b) and the second 
sentence of subsection (f)) shall apply to the imposition of a civil 
money penalty under this subsection in the same manner as such 
provisions apply to the imposition of a penalty under such section 
1128A.

For simplicity, we refer throughout this preamble to this provision, 
the related provisions at section 1128A of the Act, and other related 
provisions of the Act, by their Social Security Act citations, rather 
than by their U.S. Code citations.
    Subsection (b) of section 1176 sets out limitations on the 
Secretary's authority to impose civil money penalties and also provides 
authority for waiving such penalties. Under section 1176(b)(1), a civil 
money penalty may not be imposed with respect to an act that 
``constitutes an offense punishable'' under the related criminal 
penalty provision, section 1177 of the Act. Under section 1176(b)(2), a 
civil money penalty may not be imposed ``if it is established to the 
satisfaction of the Secretary that the person liable for the penalty 
did not know, and by exercising reasonable diligence would not have 
known, that such person violated the provision.'' Under section 
1176(b)(3), a civil money penalty may not be imposed if the failure to 
comply was due ``to reasonable cause and not to willful neglect'' and 
is corrected within a certain time. Finally, under section 1176(b)(4), 
a civil money penalty may be reduced or entirely waived ``to the extent 
that the payment of such penalty would be excessive relative to the 
compliance failure involved.''
    As noted above, section 1176(a) incorporates by reference certain

[[Page 8391]]

provisions of section 1128A of the Act. Those provisions, as relevant 
here, establish a number of requirements with respect to the imposition 
of civil money penalties. Under section 1128A(c)(1), the Secretary may 
not initiate a civil money penalty action ``later than six years after 
the date'' of the occurrence that forms the basis for the civil money 
penalty. Under section 1128A(c)(2), a person upon whom the Secretary 
seeks to impose a civil money penalty must be given written notice and 
an opportunity for a determination to be made ``on the record after a 
hearing at which the person is entitled to be represented by counsel, 
to present witnesses, and to cross-examine witnesses against the 
person.'' Section 1128A also provides, at subsections (c), (e), and 
(j), respectively, requirements for: Service of the notice and 
authority for sanctions which the hearing officer may impose for 
misconduct in connection with the civil money penalty proceeding; 
judicial review of the Secretary's determination in the United States 
Court of Appeals for the circuit in which the person resides or 
maintains his/its principal place of business; and the issuance and 
enforcement of subpoenas by the Secretary. In addition, section 1128A 
of the Act contains provisions relating to liability for civil money 
penalties and what measures must be taken once they are imposed. For 
example, section 1128A(d) provides that the Secretary must take into 
account certain factors ``in determining the amount * * * of any 
penalty''; section 1128A(h) requires certain notifications once a civil 
money penalty is imposed; and section 1128A(l) makes a principal liable 
for penalties ``for the actions of the principal's agent acting within 
the scope of the agency.'' These provisions are discussed more fully 
below.

B. Regulatory Background

    As noted above, section 1173 of the Act and section 264 of HIPAA 
require the Secretary to adopt a number of national standards to 
facilitate the exchange, and protect the privacy and security, of 
certain health information. The Secretary has already adopted many of 
these HIPAA standards by regulation. These regulations consist of the 
following: Health Insurance Reform: Standards for Electronic 
Transactions (Transactions Rule); Standards for Privacy of Individually 
Identifiable Health Information (Privacy Rule); Health Insurance 
Reform: Standard Unique Employer Identifier (EIN Rule); Health 
Insurance Reform: Security Standards (Security Rule); and HIPAA 
Administrative Simplification: Standard Unique Health Identifier for 
Health Care Providers (NPI Rule). Proposed standards for certain claims 
attachments were published on September 23, 2005 (70 FR 55990) and 
proposed standards for health plan identifiers are under development. 
The history of these and related rules is described in a proposed rule 
published on April 18, 2005 at 70 FR 20225-20226.
    An interim final rule promulgating procedural requirements for 
imposition of civil money penalties, Civil Money Penalties: Procedures 
for Investigations, Imposition of Penalties, and Hearings (April 17, 
2003 interim final rule), was published on April 17, 2003 (68 FR 
18895), and was effective on May 19, 2003, with a sunset date of 
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The 
April 17, 2003 interim final rule adopted a new subpart E of part 160. 
The sunset date of the April 17, 2003 interim final rule was extended 
to September 16, 2005 on September 15, 2004 (69 FR 55515) and was 
further extended to March 16, 2006 on September 14, 2005 (70 FR 54293).
    The authority for administering and enforcing compliance with the 
Privacy Rule has been delegated to the HHS Office for Civil Rights 
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering 
and enforcing compliance with the non-privacy HIPAA rules has been 
delegated to the HHS Centers for Medicare & Medicaid Services (CMS). 68 
FR 60694 (October 23, 2003).

II. Overview of the Proposed and Final Rules

A. The Proposed Rule

    In the proposed rule, we proposed to bring together and adopt rules 
governing the implementation of the civil money penalty authority of 
section 1176 of the Act for all of the HIPAA rules. As previously 
noted, parts of the Enforcement Rule are already in place: subpart C of 
part 160 establishes certain investigative procedures for the Privacy 
Rule, and subpart E establishes interim procedures for investigations 
and for the imposition, and challenges to the imposition, of civil 
money penalties for all of the HIPAA rules. The proposed rule would 
complete the Enforcement Rule by (1) making subpart C applicable to all 
of the HIPAA rules; (2) adopting on a permanent basis most of the 
provisions of subpart E; and (3) addressing, among other issues, our 
policies for determining violations and calculating civil money 
penalties, how we will address the statutory limitations on the 
imposition of civil money penalties, and various procedural issues, 
such as provisions for appellate review within HHS of a hearing 
decision, burden of proof, and notification of other agencies of the 
imposition of a civil money penalty.
    Several fundamental considerations shaped the proposed rule. First, 
there is one statutory provision for imposing civil money penalties on 
covered entities that violate the HIPAA rules; thus, the proposed rule 
sought to establish a uniform enforcement and compliance policy for all 
of the HIPAA rules to minimize the potential for confusion and burden 
and maximize the potential for fairness and consistency in enforcement. 
Second, the proposed rule sought to facilitate the movement from 
noncompliance to compliance by covered entities by extending to all of 
the HIPAA rules the regulatory commitment to promoting and encouraging 
voluntary compliance with the HIPAA rules that currently applies to the 
Privacy Rule, subpart C of part 160. Third, the proposed rule sought to 
minimize confusion with the procedures for investigations and hearings 
by building upon pre-existing Departmental procedures for 
investigations and hearings under section 1128A of the Act--the civil 
money penalty regulations of the Office of the Inspector General, which 
are codified at 42 CFR parts 1003, 1005, and 1006 (OIG regulations). 
Fourth, the proposed rule was intended to be clear and easy to 
understand. Finally, the proposed rule sought to provide the Secretary 
with reasonable discretion, particularly in areas where the exercise of 
judgment is called for by the statute or rules, and to avoid being 
overly prescriptive in areas where it would be helpful to gain 
experience with the practical impact of the HIPAA rules, to avoid 
unintended adverse effects.
    We proposed to amend subpart A of part 160, which contains general 
provisions, to include a definition of ``person.'' With respect to 
subpart C of part 160, we proposed to incorporate several provisions 
currently found in subpart E and to make subpart C applicable to the 
non-privacy HIPAA rules. We also proposed to add to part 160 a new 
subpart D, which would establish rules relating to the imposition of 
civil money penalties, including those which apply whether or not there 
is a hearing. We also proposed to incorporate into subpart D several 
provisions currently found in subpart E. Proposed subpart E addressed 
the pre-hearing and hearing phases of the enforcement process. Many of 
the provisions of proposed subpart E were adopted by the April 17, 2003 
interim final rule; we did not propose to change them substantively, 
although we

[[Page 8392]]

proposed to renumber them. Finally, a conforming change to the privacy 
standards in subpart E of part 164 was proposed.

B. The Final Rule

    While the final rule adopts most of the provisions of the proposed 
rule without change, several significant changes to certain provisions 
of the proposed rule have been made in response to comments. We do not 
list variables in the final rule, as was proposed, to count the number 
of violations of an identical requirement or prohibition; rather, the 
final rule clarifies that the method for determining the number of such 
violations is grounded in the substantive requirement or prohibition 
violated. In addition, the ALJ will be able to review the number of 
violations determined as part of his or her review of the proposed 
civil money penalty. The provision for joint and several liability of 
the members of an affiliated covered entity is retained, unless it is 
established that another member of the affiliated covered entity was 
responsible for the violation. While we continue to treat section 
1176(b)(1) as an affirmative defense, we provide that it may be raised 
at any time. We retain the provision for statistical sampling, but we 
provide that, where statistical sampling is used, HHS must provide a 
copy of the study on which its statistical findings are based with the 
notice of proposed determination. As a corollary, we provide that a 
respondent who intends to introduce evidence of its statistical expert 
at the hearing must provide the study prepared by its expert to HHS at 
least 30 days prior to the scheduled hearing. We also provide that a 
respondent will have 90, rather than 60, days in which to file its 
request for hearing. Other changes made by the final rule are described 
below.
    The Enforcement Rule does not adopt standards, as that term is 
defined and interpreted under Subtitle F of Title II of HIPAA. Thus, 
the requirement for industry consultations in section 1172(c) of the 
Act does not apply. For the same reason, the statute's time frames for 
compliance, set forth in section 1175 of the Act, do not apply to the 
Enforcement Rule. Accordingly, the Enforcement Rule is effective on 
March 16, 2006.


III. Section-by-Section Description of the Final Rule and Response to 
Comments

    We received 49 comments on the proposed rule. Many of these 
comments were from associations or interest groups involved in the 
health care industry. We also received comments from covered entities, 
a state agency, a law school class, and a number of individuals.
    While the comments addressed most of the provisions of the proposed 
rule, the following 14 sections of the proposed rule received no 
comment: proposed Sec. Sec.  160.400, 160.418, 160.500, 160.502, 
160.506, 160.510, 160.514, 160.524, 160.526, 160.528, 160.530, 160.532, 
160.544, and 160.550. We have, accordingly, not changed these sections 
in the final rule from what was proposed, and we do not discuss them 
below. The basis and purpose of sections that are unchanged from the 
proposed rule and are not discussed below are set out in the proposed 
rule published on April 18, 2005 at 70 FR 20240-20247 and, in certain 
cases, in the interim final rule published on April 17, 2003 at 68 FR 
18895-18901.
    A number of comments also expressed support for particular 
provisions. In most cases, we do not discuss these comments, with which 
we generally agree, below. Finally, certain comments raised issues 
concerning other HIPAA rules, such as allegations that a particular 
entity had violated the Privacy Rule or that particular provisions of a 
HIPAA rule create a hardship. Such issues are outside the scope of this 
rulemaking and, accordingly, are not addressed here.

A. Subpart A

    Subpart A of the final rule adopts a new definition of the term 
``person.'' This definition is placed in Sec.  160.103, which contains 
definitions that apply to all of the HIPAA rules. Thus, the new 
definition of ``person'' applies to all of the HIPAA rules.
    Proposed rule: We proposed to amend Sec.  160.103 to add a 
definition of the term ``person'' to replace the definition of that 
term adopted by the April 17, 2003 interim final rule. We proposed to 
define the term ``person'' as ``a natural person, trust or estate, 
partnership, corporation, professional association or corporation, or 
other entity, public or private.'' As more fully explained at 70 FR 
20227-20228, the proposed definition clarified, consistent with the 
HIPAA provisions, that the term includes States and other public 
entities.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: We received one comment on this section, endorsing its 
application to all of the HIPAA rules.
    Response: The definition of ``person'' in the final rule remains 
the same as proposed.

B. Subpart C--Compliance and Investigations

    We amend subpart C to make the compliance and investigation 
provisions of the subpart--which at present apply only to the Privacy 
Rule--apply to all of the HIPAA rules. In addition, we include in 
subpart C the definitions that apply to subparts C, D, and E. We move 
to subpart C from subpart E the provisions relating to investigational 
subpoenas and inquiries. We also add to subpart C provisions 
prohibiting intimidation or retaliation that are currently found in the 
Privacy Rule but not in the other HIPAA rules. We change the title of 
this subpart to reflect the focus of this subpart within the larger 
Enforcement Rule. Aside from a change to Sec.  160.306 and certain 
minor and conforming changes to Sec. Sec.  160.300, 160.312, 160.314, 
and 160.316, we do not change the substance of the existing provisions 
of subpart C.
1. Section 160.300--Applicability
    Proposed rule: We proposed to amend Sec.  160.300 (along with Sec.  
160.304--Principles for achieving compliance; Sec.  160.306--Complaints 
to the Secretary; Sec.  160.308--Compliance reviews; and Sec.  
160.310--Responsibilities of covered entities) to make the provisions 
of subpart C applicable to all of the HIPAA rules, instead of 
applicable only to the Privacy Rule. The proposed rule would accomplish 
this by changing the present references in these sections from 
``subpart E of part 164'' to the more inclusive, defined term, 
``administrative simplification provision'' or ``administrative 
simplification provisions,'' as appropriate. As explained at 70 FR 
20228, the purpose of this proposed change was to simplify and make 
uniform the compliance and enforcement process for the HIPAA rules.
    Final rule: The final rule streamlines the provisions of the 
proposed rule by substituting the term ``provisions'' for the 
references to standards, requirements, and implementation 
specifications in Sec.  160.300.
    Comment: A number of comments endorsed the approach of having 
uniform compliance and enforcement provisions for the HIPAA rules, and 
no comments disagreed with this approach.
    Response: The final rule retains the policy of the proposed rule, 
consistent with the expression of support for this approach in the 
public comment, but streamlines the language of the section.
    Comment: A couple of comments asked whether ``affiliated entities'' 
were the same as ``hybrid entities,'' in terms of applying the rule.

[[Page 8393]]

    Response: As described at Sec.  164.105(b)(2)(i)(A), an affiliated 
covered entity consists of ``[l]egally separate covered entities [that] 
designate themselves (including any health care component of such 
covered entity) as a single affiliated covered entity * * * [where] all 
of the covered entities designated are under common ownership or 
control.'' Thus, an affiliated covered entity is comprised of more than 
one covered entity. By contrast, a hybrid entity is defined at Sec.  
164.103 as ``a single legal entity: (1) That is a covered entity; (2) 
Whose business activities include both covered and non-covered 
functions; and (3) That designates health care components in accordance 
with [the regulation].'' The Privacy and Security Rules apply to any 
covered entity in either arrangement. The issue of liability for a 
particular violation with respect to covered entities in an affiliated 
covered entity is discussed in connection with Sec.  160.402(b) below.
2. Section 160.302--Definitions
    Proposed rule: We proposed to move to Sec.  160.302 three 
definitions that were adopted in the April 17, 2003 interim final rule 
at Sec.  160.502: ``ALJ'' (Administrative Law Judge), ``civil money 
penalty or penalty'', and ``respondent.'' We also proposed to add to 
Sec.  160.302 two terms which are used throughout subparts C, D, and E: 
``administrative simplification provision'' and ``violation'' or ``to 
violate.'' We proposed to define the term ``administrative 
simplification provision'' in Sec.  160.302 to mean any requirement or 
prohibition established by the HIPAA provisions or HIPAA rules: ``* * * 
any requirement or prohibition established by: (1) 42 U.S.C. 1320d-
1320d-4, 1320d-7, and 1320d-8; (2) Section 264 of Public Law 104-191; 
or (3) This subchapter.'' We proposed to define a ``violation'' (or 
``to violate'') to mean a ``failure to comply with an administrative 
simplification provision.'' As more fully explained at 70 FR 20228-
20229, both definitions derive directly from the statutory language, 
and both definitions function consistently and fairly across the 
various HIPAA rules.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
a. ``Administrative Simplification Provision''
    Comment: One comment expressed general support for the definitions. 
Another comment stated that the definition of ``administrative 
simplification provision'' should be revised to include only standards. 
The comment argued that this approach would be more consistent with the 
statute, which provides that covered entities must comply with 
standards, not requirements, prohibitions, or other restrictions set 
forth in the HIPAA rules.
    Response: No change is made to the definition of ``administrative 
simplification provision.'' With respect to the second comment above, 
we do not agree that the definition of this term should be limited to 
standards. As discussed at 70 FR 20229, limiting the elements of the 
HIPAA rules that could be violated to those designated as standards 
would have the effect of, among other things, insulating from 
enforcement explicit statutory requirements and prohibitions (e.g., the 
prohibitions at section 1175(a) of the Act, which the statute terms 
``requirements'' and which the Transactions Rule treats as requirements 
but not standards). We do not agree that Congress intended such an 
effect. We note, moreover, that the statute explicitly provides for the 
adoption of implementation specifications. See section 1172(d) of the 
Act. Furthermore, we disagree with the contention that the statute does 
not contemplate that violations may be tied to requirements and 
prohibitions: section 1176(a)(1) speaks of ``violations of an identical 
requirement or prohibition.''
    Comment: Several comments argued that this definition could lead to 
multiple violations from a single act and lead to more liability than 
covered entities could reasonably expect. It also was argued that this 
definition would render almost meaningless the statutory $25,000 cap on 
liability for violations of an identical provision in a calendar year.
    Response: No examples were supplied to illustrate the concern as to 
how this definition would increase the anticipated liability of covered 
entities, so we can only respond generally. The prohibition in Sec.  
160.404(b)(2) on counting overlapping requirements twice should 
minimize any such effect. As for violations that might be implicated in 
a single act and not be insulated by Sec.  160.404(b)(2), we see no 
reason why they should not be considered as separate violations, since 
covered entities must comply with all applicable requirements and 
prohibitions of the HIPAA provisions and rules. Also, the definition 
does not render the statutory cap meaningless; rather, the 
``requirement or prohibition'' language of the definition is taken 
directly from the part of section 1176(a) that establishes the $25,000 
statutory cap (``the total amount imposed on the person for all 
violations of an identical requirement or prohibition for a calendar 
year may not exceed $25,000''). Furthermore, for the reasons explained 
in the preamble to the proposed rule, none of the other possible 
formulations of what constitutes a ``provision of this part'' works 
uniformly and fairly across the HIPAA rules. Thus, we retain the 
definition of ``administrative simplification provision'' as proposed.
b. ``Violation'' or ``Violate''
    Comment: One comment asked how the definition of ``violation'' 
would work with the addressable components of the Security Rule.
    Response: With respect to the issue of how this term would apply to 
the addressable implementation specifications of the Security Rule, we 
provide the following guidance. Under Sec.  164.306(d)(3)(ii), a 
covered entity must implement an addressable implementation 
specification if doing so is ``reasonable and appropriate.'' Where that 
condition is met, the addressable implementation specification is a 
requirement, and failure to implement the addressable implementation 
specification would, accordingly, constitute a violation. Where that 
condition is not met, the covered entity must document why it would not 
be reasonable and appropriate to implement the implementation 
specification and implement ``an equivalent alternative measure if 
reasonable and appropriate.'' In this latter situation, creating the 
documentation referred to is a requirement, and implementing an 
alternative measure is also a requirement, if doing so is reasonable 
and appropriate in the covered entity's circumstances; failure to take 
either required action would, accordingly, constitute a violation.
3. Section 160.304--Principles for Achieving Compliance
    Proposed rule: We proposed to amend Sec.  160.304 to make it 
applicable to all of the HIPAA rules; otherwise, we proposed to leave 
the rule substantively unchanged. Section 160.304 provides that the 
Secretary will, to the extent practicable, seek the cooperation of 
covered entities in obtaining compliance. Section 160.304 also provides 
that the Secretary may provide technical assistance to help covered 
entities voluntarily comply with the HIPAA rules.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Many comments supported HHS's approach to voluntary 
compliance and the use of a complaint-based process to identify and 
correct

[[Page 8394]]

noncompliance, on the grounds that it is the most efficient and 
effective way of obtaining compliance and realizing the benefits of the 
HIPAA rules. In addition, some contended that, given the confusion of 
many covered entities with many of the rules' requirements, it is an 
appropriate approach. However, one comment criticized HHS's reliance on 
voluntary compliance and informal resolution of complaints on the 
ground that the statute contemplates that violations of the HIPAA rules 
should be pursued in the same manner as fraud and abuse cases, that is, 
through the formal, adversarial process provided for by section 
1128A(c). Another comment stated that HHS's reliance on voluntary 
compliance has led to lax enforcement and that reliance on a complaint-
based system is a fundamentally flawed approach, particularly with 
respect to enforcement of the Privacy Rule, because HHS has provided 
insufficient education to consumers, and it is impossible for consumers 
to complain about a law about which they know very little. Several 
comments urged that OCR and CMS continue to provide educational 
materials and guidance to help covered entities comply with the HIPAA 
rules and to educate consumers about their rights under the Privacy 
Rule.
    Response: We agree that encouraging voluntary compliance is the 
most effective and quickest way of obtaining compliance in most cases. 
We do not agree that encouraging voluntary compliance and seeking 
informal resolution of complaints in individual cases constitutes lax 
enforcement or that such an approach is inconsistent with our statutory 
obligations. Our experience to date with privacy complaints illustrates 
the effectiveness of our enforcement approach. As of October 31, 2005, 
OCR had received and initiated reviews of over 16,000 privacy 
complaints from health care consumers and others across the country. 
These complaints are widespread and diverse, not only geographically, 
but also with respect to the type of entity complained against, as well 
as the Privacy Rule issues raised by the complaints. Complaints are 
filed against all sizes and types of covered entities, from solo 
practitioners to hospitals and pharmacy chains, and from health 
insurance issuers to group health plans, for example. In addition, the 
complaints implicate a full range of Privacy Rule issues, from uses and 
disclosures of protected health information to individual rights to 
administrative requirements. The variation and expansiveness of the 
complaints provide HHS with a much broader approach to compliance than 
would a compliance review system, which likely would need to be 
targeted to larger institutions and/or a smaller set of concerns. 
Further, our experience with these cases--68 percent have been resolved 
or otherwise closed to date--indicates that generally we are receiving 
good cooperation from covered entities in quickly addressing compliance 
problems. Such resolutions bring the benefits of the HIPAA rules to 
consumers far more quickly than would a formalized, adversarial 
process, which would also be time-consuming and costly for both sides.
    We also do not agree that the statute contemplates only a 
formalized, adversarial process; rather, it only requires such a 
process where a proposed civil money penalty is contested. It is 
important to note, moreover, that section 1176 contemplates that we 
would work with covered entities to help them achieve compliance, even 
when there is an allegation that the covered entity is in violation of 
the rules. Section 1176 provides that a civil money penalty may not be 
imposed if the failure to comply was due to reasonable cause and not 
willful neglect and is corrected within a certain period of time after 
the covered entity knew or should have known of the compliance failure, 
and that the Secretary may, in some circumstances, provide technical 
assistance to the covered entity during that period. Further, an 
approach that is primarily complaint-based does not limit our ability 
to perform compliance reviews when appropriate, and this has, in fact, 
occurred. We will continue to review the effectiveness of our 
enforcement approach and revise it, if needed. Notwithstanding our 
above approach, however, we will resort to civil money penalties, as 
needed, for matters that cannot be resolved by informal means.
    Further, we disagree that persons affected by the Privacy Rule and 
the other HIPAA rules are unaware of their rights, as evidenced by the 
large number of complaints that HHS has received from consumers and 
covered and other entities. HHS has an ongoing program of providing 
information to the public and guidance to covered entities through the 
Internet, public speaking and educational events, and toll-free call-in 
lines. The millions of hits to our Web sites--https://www.hhs.gov/ocr/
hipaa for the Privacy Rule and https://www.cms.gov/hipaa/hipaa2 for the 
other HIPAA rules--suggest that covered entities and the public are 
increasingly aware of the application of the HIPAA rules to their 
business activities and lives, respectively, and are able to access the 
information we have made available. In addition, the American Health 
Information Management Association issued the results of their latest 
compliance survey in a report entitled ``The State of HIPAA Privacy and 
Security Compliance, April 2005,'' which indicated, with respect to the 
Privacy Rule, that over two-thirds of all hospital and health system 
patients had some or a complete understanding of their rights and the 
facility's responsibilities. Nonetheless, while such evidence is 
encouraging, we recognize that HHS must remain active in providing 
outreach and public education. We are committed to doing so, and thus, 
continue to develop educational material for consumers and industry 
guidance for covered entities.
    Comment: One comment suggested that the Secretary commit to 
providing technical assistance to covered entities.
    Response: We do not agree that the provision of technical 
assistance should be mandated. The statute (at section 
1176(b)(3)(B)(ii)) makes the provision of technical assistance 
discretionary if the Secretary determines that the compliance failure 
was due to the covered entity's inability to comply. While OCR and CMS 
provide technical assistance in many cases, it is not necessary in all 
instances to provide such assistance in order to obtain compliance. 
Thus, it is inappropriate to mandate the provision of technical 
assistance.
    Comment: One comment suggested amending Sec.  160.304(b) to require 
ongoing reporting of complaints and resolutions to the healthcare 
industry. The goal in requiring reporting would be to educate covered 
entities regarding complaints that are found to be actual violations 
and encourage them to review their compliance. The comment stated that 
the current reports made by OCR to the National Committee on Vital and 
Health Statistics are not helpful since they only report the volume of 
complaints, not the nature of the complaints or whether a violation 
occurred.
    Response: We do not believe mandatory reporting of complaints and 
resolutions is necessary. Both CMS and OCR currently have the ability 
to report to the public, including the healthcare industry, about 
complaints and their resolutions, and do so in summary form. We 
continue to present summaries of actions on complaints in various fora, 
including in public presentations, testimony, and in written documents. 
Our enforcement experience also informs our development of FAQs and 
guidance documents to explain certain

[[Page 8395]]

provisions and how to comply with them. In any event, covered entities 
should use their own internal complaint processes and experience to 
assess and improve their compliance and ability to serve the needs of 
their customers.
    Comment: One comment suggested that the informal resolution process 
should allow HHS to render opinions on a covered entity's 
interpretation of the HIPAA rules. The comment expressed concern that a 
covered entity would not be able to resolve a compliance issue during 
the informal resolution process if it made a good faith, but incorrect, 
interpretation of a HIPAA rule. The comment suggested allowing HHS to 
render an opinion on the entity's interpretation to facilitate the 
informal resolution of compliance problems.
    Response: As a general matter, we do not issue advisory opinions, 
but the informal resolution process will provide covered entities with 
information about HHS's interpretation of the HIPAA rules. Covered 
entities may also find guidance as to the proper interpretation of a 
HIPAA rule in the FAQs posted on the HHS website and technical 
assistance offered to the covered entities by HHS. Covered entities may 
also submit questions to HHS for consideration with respect to future 
FAQs and guidance.
4. Section 160.306--Complaints to the Secretary
    Proposed rule: Section 160.306 provides for investigations of 
covered entities by the Secretary. It also outlines the procedure and 
requirements for filing a complaint against a covered entity. For 
example, it provides that a complaint must name the person that is the 
subject of the complaint and describe the acts or omissions believed to 
be violations. It also requires that complaints be filed within 180 
days of when the complainant knew or should have known that the act or 
omission occurred, unless this time limit is waived for good cause. The 
proposed rule would have amended this section to apply it to all of the 
HIPAA rules, rather than exclusively to the Privacy Rule, but otherwise 
proposed no substantive changes to the section.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except that proposed Sec.  160.306(c) is revised to require the 
Secretary to describe the basis of the complaint in the first written 
communication with the covered entity about the complaint.
    Comment: One comment asked for clarification on when a complaint 
will be considered to have been timely filed in situations when a 
complainant should have known of the violation, thus triggering the 
180-day time period for filing a complaint.
    Response: Deciding whether or not a complaint was properly filed 
within the 180-day period will need to be determined in each case. For 
example, an individual who is informed through an accounting of 
disclosures that his or her health information was impermissibly 
disclosed would be considered to know of the violation at the time the 
individual receives the accounting. In any event, however, the 180-day 
period can be waived for good cause shown.
    Comment: Two comments suggested that HHS be required to inform a 
covered entity of the specific basis for an investigation or compliance 
review. These comments suggested the best way to accomplish this goal 
would be to send a copy of the complaint to the covered entity. The 
comments stated that, without specific information as to the basis of 
the complaint, a covered entity will not be able to properly respond to 
the agency's request for information.
    Response: Both CMS and OCR currently provide the basis for an 
investigation in the first written communication with a covered entity 
about a complaint. This policy will continue to be followed, and the 
final rule is revised to require it. It should be noted that provision 
of a description of the basis for the complaint does not circumscribe 
the investigation, if the investigation subsequently uncovers other 
compliance issues with respect to the covered entity.
    We disagree that sending a copy of the complaint is necessary for a 
covered entity to adequately respond to the Secretary's inquiries. As 
noted above, covered entities receive a description of the basis for 
the complaint. Other information contained in the complaint, such as 
the complainant's identity, is not always relevant to the 
investigation. In some cases, in fact, it may be necessary to withhold 
such information to, for example, protect the complainant's privacy. In 
instances where it is necessary to provide the complainant's identity 
in order for the covered entity to properly respond to the 
investigation, the complainant is so informed before this information 
is released to the covered entity.
    Comment: One comment suggested that the rule be revised to require 
that a complaint include the name of the covered entity that is the 
subject of the complaint.
    Response: The rule, both as proposed and as adopted below, already 
requires that a complaint ``name the person that is the subject of the 
complaint.'' See Sec.  160.306(b)(2).
    Comment: In one comment, a covered entity complained that it had 
expended a great deal of time and money defending itself against what 
turned out to be a false allegation and asked that HHS put more effort 
into gathering detailed information from complainants and helping 
covered entities respond to complaints. Another comment criticized the 
rule for providing no way of sanctioning a person bringing a negligent 
or malicious complaint.
    Response: We understand that it may take time and effort to 
establish that an allegation is unfounded. When complaints are 
received, we make every effort to determine if the complaint is 
legitimate, so as not to place undue burdens on covered entities. 
Further, covered entities are encouraged promptly to contact the OCR or 
CMS investigators handling their complaints to discuss the allegations 
once notice of an investigation is received by the covered entity. 
Doing so should help a covered entity avoid the expenditure of 
unnecessary time and funds on defending itself against baseless 
complaints. The statute provides no basis for our penalizing a person 
for bringing a negligent or malicious complaint, although remedies may 
exist at common law. However, as discussed below in connection with 
Sec.  160.316, lack of good faith would typically be a matter that is 
looked at in the course of investigating a complaint.
    Comment: One comment suggested that only individuals or personal 
representatives should have standing to file a complaint. The comment 
takes the position that one covered entity should not be able to bring 
a complaint against another.
    Response: We disagree. The purpose of the complaint process is to 
bring violations to the attention of HHS, so that any noncompliance 
with the HIPAA rules may be corrected. Particularly with respect to the 
Transactions Rule, the persons or entities that are likely to be 
disadvantaged by the noncompliance of a covered entity are other 
covered entities. It would, accordingly, be inconsistent with the 
purpose of the complaint process to exclude such entities from it.
    Comment: Two comments suggested that HHS be required to notify 
covered entities of a complaint within a specified time-frame.
    Response: OCR and CMS make every effort to notify covered entities 
of complaints on a timely basis. However, we do not include a specific 
deadline for notifying covered entities of

[[Page 8396]]

complaints in the rule. The time needed to determine whether a 
complaint states issues that should be investigated can vary greatly, 
while fluctuations in the volume of complaints and other workload 
demands may also make meeting a specific deadline problematic.
    Comment: One comment suggested that Sec.  160.306(a)(2) should be 
amended to require that ``uses or disclosures'' be described in the 
complaint rather than ``acts or omissions.''
    Response: The suggested change would not be appropriate. The 
provisions of this rule apply to all of the HIPAA rules, not just the 
Privacy Rule; the other HIPAA rules regulate actions other than uses 
and disclosures of protected health information. Moreover, even under 
the Privacy Rule, a violation may occur where no impermissible use or 
disclosure of protected health information has occurred. Failure to 
comply with a notice requirement under Sec.  164.520 is an example of a 
violation that does not involve a use or disclosure of protected health 
information.
    Comment: One comment suggested that the Secretary should be 
required to investigate all complaints and that failure to do so is 
inconsistent with section 1176(a) of the Act, which compels the 
Secretary to impose penalties for violations unless a statutory 
limitation applies. Imposing a deadline for beginning investigations 
was also suggested.
    Response: The decision to investigate a complaint is based on the 
facts presented. Not all complaints need to be investigated. For 
example, in our experience, a substantial percentage of privacy 
complaints allege facts that fall outside of OCR's jurisdiction under 
HIPAA--e.g., an action prior to the compliance date of the Privacy Rule 
or an action by an entity not covered by the Rule. Revising the rule to 
require the Secretary to investigate all complaints would be 
counterproductive and lead to an inefficient allocation of enforcement 
resources. Similarly, imposing a deadline for beginning an 
investigation is unrealistic: Some investigations may turn out to be 
more time-consuming than anticipated, delaying the start of other 
investigations. It is necessary to provide OCR and CMS with the 
flexibility to deal with variations in circumstances and resource 
constraints.
5. Section 160.308--Compliance Reviews
    Proposed rule: The proposed rule provided that the Secretary may 
conduct compliance reviews to determine whether covered entities are 
complying with the applicable administrative simplification provisions.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Several comments asked HHS to outline the circumstances 
under which a compliance review would be undertaken or asked that the 
compliance review provision be eliminated from the rule. One comment 
suggested that compliance reviews be limited to evidence-based reviews. 
These comments expressed concern that the rule does not specifically 
define when a compliance review will be undertaken.
    Response: Compliance reviews are conducted at the discretion of the 
Secretary. Outlining specific instances in which a compliance review 
will be conducted could have the counterproductive effect of skewing 
compliance efforts toward those aspects of compliance that had been 
identified as likely to result in a compliance review. It also does not 
seem advisable to limit, by rule, the circumstances under which such 
reviews may be conducted at this early stage of the enforcement 
program, when our knowledge of the types of violations that may arise 
is necessarily limited. We also do not agree that the provision for 
compliance reviews should be eliminated. There are situations where 
instances of potential noncompliance come to HHS's attention outside of 
the complaint process (e.g., where media reports suggest that a 
violation has occurred), and HHS must have clear authority to 
investigate such situations.
    Comment: A number of comments suggested that HHS detail the 
compliance review process and rules for notification of covered 
entities when they are being reviewed.
    Response: The rule already contains procedures to be followed, and 
requirements to be met, that apply to compliance reviews. See 
Sec. Sec.  160.304, 160.310, 160.312, 160.314, and 160.316. It is 
unnecessary to establish procedures comparable to the complaint filing 
procedures of Sec.  160.306 for compliance reviews, since they are 
initiated by HHS. The concerns expressed by most of the comments on 
this topic--that HHS would undertake a compliance review without notice 
to the covered entity and without specifying the basis for, or the 
focus of, the review--are misplaced. Section 160.312 requires HHS to 
attempt to resolve violations found in a compliance review by informal 
means and to inform the covered entity in writing if a compliance 
review is or is not resolved by informal means. Failing to notify the 
covered entity of a compliance review or the basis for such a review is 
not consistent with our practice generally and would be unlikely to 
yield much information of use, resulting in an ineffective use of the 
covered entity's and the agency's resources.
    Comment: One comment suggests that compliance reviews should be 
mandatory and should be initiated within a specified time period.
    Response: The rule, as proposed and adopted, does not preclude 
establishing a compliance review program or schedule, but it does not 
require it either. One purpose of compliance reviews is to permit 
investigation when allegations or situations warranting investigation 
come to our attention outside of the complaint process. The necessity 
for a compliance review in a particular case or a program of scheduled 
compliance reviews is inherently unpredictable, and it is important to 
retain the administrative flexibility to address such situations. 
Mandating compliance reviews on a fixed basis or schedule would be an 
inefficient allocation of limited enforcement resources and would 
hamper the agency's ability to target resources at actual noncompliance 
problems as they arise.
    Comment: One comment suggested that the rule contain provisions 
outlining the coordination and cooperation between CMS and OCR when a 
compliance review under more than one rule occurs.
    Response: As with complaint-based investigations, CMS and OCR will 
coordinate and allocate responsibility for compliance reviews based 
upon the HIPAA provisions involved and the facts of the case. We do not 
consider it advisable to specify detailed rules in this regard, as the 
allocation of function and responsibility will depend on the facts of 
each case and the resources available at the time.
6. Section 160.310--Responsibilities of Covered Entities
    Proposed rule: Section 160.310 addresses the responsibilities of a 
covered entity, such as providing records and compliance reports to the 
Secretary and cooperating during a compliance review or complaint 
investigation. Section 160.310(c) provides that a covered entity must 
permit HHS to have access during normal business hours to its 
facilities, books, records, and other information necessary to 
determine compliance, but provides that if the Secretary determines 
that ``exigent circumstances exist, such as when documents may be 
hidden or destroyed,'' the covered entity must permit access at any 
time without

[[Page 8397]]

notice. Section 160.310 also requires that the Secretary may not 
disclose protected health information obtained by the Secretary in the 
course of an investigation or compliance review except when necessary 
to ascertaining or enforcing compliance or as otherwise required by 
law. The proposed rule would amend this section to apply it to all of 
the HIPAA rules, rather than exclusively to the Privacy Rule, but 
otherwise proposed no substantive changes to the section.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: A couple of comments asked HHS either to further define 
``exigent circumstances,'' such as by limiting it to situations 
involving national security or by inserting specific examples of 
exigent circumstances in Sec.  160.310(c)(1). One comment suggested 
that the rule be revised to require that the Secretary's determination 
that ``exigent circumstances'' exist be a ``reasonable'' one.
    Response: The determination of what constitutes ``exigent 
circumstances'' will inevitably be fact-dependent. Specific language 
defining ``exigent circumstances'' is unnecessary, as the rule already 
provides a clarifying example and the principle underlying the 
provision is reasonably universal. We note that limiting the provision 
to situations where matters of national security are involved would 
most likely not cover the types of situations the provision is intended 
to cover--situations in which it is likely that the covered entity will 
seek to conceal or destroy evidence of noncompliance that HHS needs to 
carry out its statutory obligation to enforce the HIPAA rules.
    Comment: Two comments asked for further guidance and notice of 
record retention requirements and another comment expressed concerns 
with the record retention requirements of the Privacy Rule.
    Response: Record retention requirements applicable to the Privacy 
and Security Rules are spelled out in those rules; see, Sec.  
164.530(j) and Sec.  164.316(b), respectively. We do not address these 
record retention requirements here, as this topic lies outside the 
scope of this rule.
    The other HIPAA rules do not contain explicit record retention 
requirements, as such. However, it is likely that the documentation 
that would be relevant to showing compliance with those rules--such as 
health plan instructions to providers, software documentation, 
contracts, and systems processes--is kept as part of normal business 
practices. Covered entities should consider any other applicable laws, 
such as state law, in making such decisions.
7. Section 160.312--Secretarial Action Regarding Complaints and 
Compliance Reviews
    Proposed rule: We proposed to revise Sec.  160.312(a) to require 
that, where noncompliance is indicated, the Secretary would seek to 
reach by informal means a resolution of the matter that is satisfactory 
to the Secretary. Informal means could include demonstrated compliance, 
or a completed corrective action plan or other agreement. We proposed 
to revise Sec.  160.312(a)(2) to require, where noncompliance is 
indicated and the matter is resolved by informal means, that HHS notify 
the covered entity in writing and, if the matter arose from a 
complaint, the complainant. Where noncompliance is indicated and the 
matter is not resolved by informal means, proposed Sec.  
160.312(a)(3)(i) would require the Secretary to so inform the covered 
entity and provide the covered entity an opportunity to submit, within 
30 days of receipt of such notification, written evidence of any 
mitigating factors or affirmative defenses. To avoid confusion with the 
notice of proposed determination process provided for at proposed Sec.  
160.420, proposed Sec.  160.312(a)(3)(ii) provided that, where the 
matter is not resolved by informal means and the Secretary finds that 
imposition of a civil money penalty is warranted, the formal finding 
would be contained in the notice of proposed determination issued under 
proposed Sec.  160.420. We proposed to leave Sec.  160.312(b) 
substantively unchanged.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment suggested that covered entities should be able 
to appeal the Secretary's findings during the informal resolution 
process and that the Secretary's decision to resolve a matter 
informally should not preclude the respondent from questioning the 
Secretary's interpretation or application of the rule in question.
    Response: The purpose of the informal resolution process described 
in Sec.  160.312 is to bring closure at an early stage to a matter 
where compliance is in issue and, thus, to obviate the need to issue a 
notice of proposed determination. Section 160.312 recognizes, however, 
that informal resolutions will not always be achieved. Where the agency 
and the covered entity are not able to resolve the matter informally, 
HHS (through OCR and/or CMS) will make a finding of noncompliance 
pursuant to Sec.  160.420, which the covered entity may then challenge 
through the applicable procedures of subparts D and E. Nothing in the 
rule compels the covered entity to challenge the finding of 
noncompliance under Sec.  160.420, but if the covered entity wishes to 
challenge such a finding, including the agency's interpretation or 
application of a rule, it must do so through the procedural avenue 
provided by subparts D and E. These procedures implement the 
requirement of section 1128A(c) of the Act that the Secretary may not 
make an adverse determination against a person until the person has 
been given written notice and an opportunity for a hearing on the 
record on the adverse determination.
    Comment: One comment asked how informal resolution is possible, 
given HHS's position that, where a violation is found, a CMP must be 
imposed. Another comment expressed concern that the informal resolution 
process would allow covered entities to skirt penalties and the 
consequences of noncompliance with the HIPAA rules and suggested that 
the Secretary should not be compelled to reach a resolution through 
informal processes.
    Response: These comments misunderstand our position as to the 
mandatory nature of the statute. The Secretary must impose a civil 
money penalty where a formal determination of a violation is made. 
However, many opportunities exist prior to this determination that 
allow the Secretary to exercise his discretion to not impose a penalty. 
This issue is discussed more fully in connection with Sec.  160.402 
below.
    The second comment above also misconstrues Sec.  160.312. Nothing 
in that section compels OCR or CMS to resolve matters informally. 
Indeed, Sec.  160.312(a)(3) describes the actions to be taken ``[i]f 
the matter is not resolved by informal means * * *''.
    Comment: One comment suggested that HHS and the covered entity 
should be required to put the informal resolution in writing.
    Response: Both Sec.  160.312(a)(2) and Sec.  160.312(b) require 
that the resolutions contemplated in those sections be ``in writing.'' 
CMS and OCR currently document informal resolutions.
    Comment: One comment suggested that the 30-day time period for a 
covered entity to submit to the Secretary evidence of mitigating 
factors or affirmative defenses should be extended.
    Response: Thirty days should be sufficient for a covered entity to 
submit such evidence. The opportunity to provide additional evidence 
comes at

[[Page 8398]]

the end of investigation, and the covered entity should be gathering 
any evidence of mitigating factors or affirmative defenses during the 
investigation. In addition, the covered entity will have the 
opportunity to present such evidence to the ALJ if it chooses to appeal 
the Secretary's findings. Accordingly, we do not change this provision.
    Comment: One comment suggested that a deadline should be imposed 
for HHS to notify the covered entity of its findings after an 
investigation.
    Response: The time needed to finalize the agency's findings will 
depend on the complexity of the case, its outcome, and workload 
considerations. As these factors are inherently variable and 
unpredictable, we do not believe it would be advisable to impose fixed 
deadlines for taking the actions described in Sec.  160.312.
    Comment: One comment requested clarification of proposed Sec.  
160.312(a)(3)(ii), with respect to what action is referred to and the 
associated time frame.
    Response: The action referred to is HHS's notification of the 
covered entity of its finding of noncompliance when it determines that 
the matter cannot be resolved informally. Section 160.312(a)(3)(ii) 
provides that, if HHS decides to impose a civil money penalty, it will 
send a notice of proposed determination to the covered entity pursuant 
to Sec.  160.420. Thus, the intent of this provision is to clarify 
that, once OCR and/or CMS, as applicable, has determined that a 
violation has occurred, the matter cannot be resolved informally in a 
manner that is satisfactory to OCR and/or CMS, and a civil money 
penalty should be imposed, the agency's next step is to provide the 
formal notice required by section 1128A(c)(1), which in this rule is 
the notice of proposed determination under Sec.  160.420. The rule 
imposes no specific deadline on the agency for sending this notice. 
However, it should be noted that if the notice is not sent within six 
years of the violation, pursuit of the civil money penalty would be 
precluded by section 1128A(c)(1), which is implemented in this rule by 
Sec.  160.414.
    Comment: One comment requested that Sec.  160.312(a)(3) be revised 
to afford complainants the opportunity to express, in writing, the 
impact of the violation.
    Response: The suggested change is unnecessary, since nothing in the 
rule precludes a complainant from providing such information to the 
agency at any point in the process. Complainants frequently describe, 
in their complaints or in the course of OCR's or CMS's initial contacts 
with the complainants, the impact of the alleged violation. HHS also 
may request such information from the complainant where, for example, 
it bears on the amount of the penalty to be imposed.
8. Section 160.314--Investigational Subpoenas and Inquiries
    Proposed rule: The text of proposed Sec.  160.314 was adopted by 
the April 17, 2003 interim final rule as Sec.  160.504. We proposed to 
move this section to subpart C, consistent with our overall approach of 
organizing subparts C, D, and E to reflect the stages of the 
enforcement process. We proposed to include in the introductory 
language of proposed Sec.  160.314(a) a sentence which states that, for 
the purposes of paragraph (a), a person other than a natural person is 
termed an ``entity.'' We proposed not to modify Sec.  160.314(b)(1), 
(2) and (8) from the provisions of the April 17, 2003 interim final 
rule at paragraphs (b)(1)-(3) of Sec.  160.504. However, we proposed to 
add new paragraphs (3) through (7) and (9) to Sec.  160.314(b) and also 
to add a new paragraph (c). The proposed new paragraphs at Sec. Sec.  
160.314(b)(3)-(b)(7) would permit representatives of HHS to attend and 
ask questions at the inquiry, give a witness the opportunity to clarify 
his answers on the record after being questioned by HHS, require any 
objections or claims of privilege to be asserted on the record, and 
permit HHS to seek enforcement of the subp