HIPAA Administrative Simplification: Enforcement, 56123-56131 [E9-26203]

Agencies

• DEPARTMENT OF HEALTH AND HUMAN SERVICES
• Office of the Secretary

[Federal Register Volume 74, Number 209 (Friday, October 30, 2009)]
[Rules and Regulations]
[Pages 56123-56131]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-26203]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Part 160

RIN 0991-AB55


HIPAA Administrative Simplification: Enforcement

AGENCY: Office of the Secretary, HHS.

ACTION: Interim final rule; request for comments

-----------------------------------------------------------------------

SUMMARY: The Secretary of the Department of Health and Human Services 
(HHS) adopts this interim final rule to conform the enforcement 
regulations promulgated under the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA) to the effective statutory revisions 
made pursuant to the Health Information Technology for Economic and 
Clinical Health Act (the HITECH Act), which was enacted as part of the 
American Recovery and Reinvestment Act of 2009 (ARRA). More 
specifically, this interim final rule amends HIPAA's enforcement 
regulations, as they relate to the imposition of civil money penalties, 
to incorporate the HITECH Act's categories of violations, tiered ranges 
of civil money penalty amounts, and revised limitations on the 
Secretary's authority to impose civil money penalties for established 
violations of HIPAA's Administrative Simplification rules (HIPAA 
rules). This interim final rule does not make amendments with respect 
to those enforcement provisions of the HITECH Act that are not yet 
effective under the applicable statutory provisions. Such amendments 
will be subject to forthcoming rulemaking(s).

DATES: Effective Date: This interim final rule is effective November 
30, 2009. Comment Date: Comments on this interim final rule will be 
considered if received at the appropriate address, as provided below, 
no later than December 29, 2009.

ADDRESSES: Please submit comments to any one of the addresses specified 
below:
     Federal eRulemaking Portal: You may submit electronic 
comments at https://www.regulations.gov.
     Regular, Express, or Overnight Mail: You may mail written 
comments to the following address only: U.S. Department of Health and 
Human Services, Office for Civil Rights, Attention: HIPAA Enforcement 
Rule IFR (RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200 
Independence Avenue, SW., Washington, DC 20201.
     Hand Delivery or Courier: If you prefer, you may deliver 
(by hand or courier) your written comments to the following address 
only: Office for Civil Rights, Attention: HIPAA Enforcement Rule IFR 
(RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200 
Independence Avenue, SW., Washington, DC 20201.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION: 

I. Public Participation

A. Instructions for Submission of Public Comments

    Please follow these instructions when submitting public comments. 
Please use only one of these methods.
     Federal eRulemaking Portal: Follow the instructions for 
submitting electronic comments at https://www.regulations.gov. 
Attachments will be accepted in Microsoft Word, WordPerfect, or Excel 
format, though Microsoft Word format is preferred.
     Regular, Express, or Overnight Mail: Submit one original 
and two copies of mailed, written comments. Please allow

[[Page 56124]]

sufficient time for timely receipt of mailed comments, as delivery may 
be subject to delay due to security procedures.
     Hand Delivery or Courier: Submit one original and two 
copies if delivering written comments by hand or by courier. Because 
access to the interior of the Hubert H. Humphrey Building is not 
readily available to persons without federal government identification, 
commenters are encouraged to leave their comments in the mail drop 
slots located in the main lobby of the building.

B. Inspection of Public Comments

    All comments received before the close of the comment period will 
be available for public inspection, including any personally 
identifiable or confidential business information contained within each 
comment. We will post all comments received before the close of the 
comment period at https://www.regulations.gov.

II. Background

    This interim final rule amends the sections within 45 CFR part 160 
that relate to the authority of the Secretary of the HHS (the 
Secretary) to impose civil money penalties on entities that violate the 
HIPAA rules adopted under subtitle F of title II of HIPAA. The interim 
final rule amends subpart D of part 160 to conform its language to the 
revisions that became effective on February 18, 2009, under section 
1176 of the Social Security Act (the Act), 42 U.S.C. 1320d-5, which was 
revised pursuant to section 13410(d) of the HITECH Act, Public Law 111-
5, 123 Stat. 115, and correspondingly amends the ``Statutory basis and 
purpose'' section in subpart A. HHS issues these amendments as an 
interim final rule with request for comments to immediately provide 
regulated entities with additional notice as to how the Secretary's 
civil money penalty authority has been strengthened by the HITECH Act 
and to explain HHS' implementation of such authority with respect to 
violations occurring on or after February 18, 2009. HHS also pursues 
this expedited rulemaking to avoid any public misunderstanding or undue 
delay with respect to implementing Congress' intent to strengthen 
enforcement of the HIPAA rules.
    We set out below the statutory and regulatory background for this 
interim final rule and follow with a description of our approach to 
this rulemaking. We then discuss each section of the interim final 
rule, request comments from the public, and conclude with our analyses 
of impact and other issues considered under applicable law.

A. Statutory Background

HIPAA Prior to the HITECH ACT
    Subtitle F of title II of HIPAA, entitled ``Administrative 
Simplification,'' was enacted in 1996, for the purpose of improving the 
Medicare program under title XVIII of the Act, the Medicaid program 
under title XIX of the Act, and the efficiency and effectiveness of the 
health care system by encouraging the development of a health 
information system through the establishment of standards and 
requirements for the electronic transmission of certain health 
information. 42 U.S.C. 1320d note. To this end, subtitle F directs the 
Secretary to adopt national standards (HIPAA standards) for certain 
information-related activities and to protect the privacy and security 
of such information.
    Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA 
provisions apply to the following persons:
    (1) A health plan.
    (2) A health care clearinghouse.
    (3) A health care provider who transmits any health information in 
electronic form in connection with a transaction referred to in section 
1173(a)(1).

Under sections 1176 and 1177 of the Act, 42 U.S.C. 1320d-5 and 6, these 
persons or organizations, collectively referred to as ``covered 
entities,'' may be subject to civil money penalties and criminal 
penalties for violations of the HIPAA rules. HHS enforces the civil 
money penalties under section 1176 of the Act, and the U.S. Department 
of Justice enforces the criminal penalties under section 1177 of the 
Act.
    Prior to the HITECH Act, section 1176(a) of the Act, 42 U.S.C. 
1320d-5(a), authorized the Secretary to impose a civil money penalty, 
as follows:

    (1) IN GENERAL. Except as provided in subsection (b), the 
Secretary shall impose on any person who violates a provision of 
this part [42 U.S.C. 1320d et seq.] a penalty of not more than $100 
for each such violation, except that the total amount imposed on the 
person for all violations of an identical requirement or prohibition 
during a calendar year may not exceed $25,000.
    (2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 
1320a-7a] (other than subsections (a) and (b) and the second 
sentence of subsection (f)) shall apply to the imposition of a civil 
money penalty under this subsection in the same manner as such 
provisions apply to the imposition of a penalty under such section 
1128A.

    Prior to the HITECH Act, section 1176(b) of the Act, 42 U.S.C. 
1320d-5(b), set out limitations on the Secretary's above referenced 
authority to impose civil money penalties. Such limitations included 
prohibitions on imposing civil money penalties for: (1) An act that 
``constitutes an offense punishable under section 1177'' of the Act 
(the criminal penalty provisions), (2) violations ``if it is 
established to the satisfaction of the Secretary that the person liable 
for the penalty did not know, and by exercising reasonable diligence 
would not have known, that such person violated the provision,'' and 
(3) violations if the failure to comply was due ``to reasonable cause 
and not to willful neglect'' and was corrected during a 30-day time 
period or pursuant to an extension determined to be appropriate by the 
Secretary based on the nature and circumstances of the covered entity's 
failure to comply.
Section 13410(d) of the HITECH Act
    The HITECH Act was incorporated into ARRA to promote the adoption 
and meaningful use of health information technology. Subtitle D of the 
HITECH Act, sections 13400-13424, addresses the privacy and security 
concerns associated with the electronic transmission of health 
information. It does so, in part, through several provisions that 
strengthen the civil and criminal enforcement of the HIPAA rules. Many 
of these enforcement provisions became effective as of February 18, 
2009 and are the impetus of this rulemaking. Other enforcement 
provisions have yet to become effective under the HITECH Act and are 
therefore subject to future rulemaking.
    Section 13410(d) of the HITECH Act became effective February 18, 
2009, revising section 1176 of the Act, 42 U.S.C. 1320d-5, to 
strengthen enforcement of the HIPAA rules in several ways. As modified, 
section 1176(a) establishes categories of violations that reflect 
increasing levels of culpability, requires that a penalty determination 
be based on the nature and extent of the violation and the nature and 
extent of the harm resulting from the violation, and establishes tiers 
of increasing penalty amounts that establish, by reference, the range 
of the Secretary's authority to impose civil money penalties. The 
revised text of section 1176(a) that became effective February 18, 
2009, pursuant to section 13410(d) of the HITECH Act is as follows:

    GENERAL PENALTY.
    (1) IN GENERAL. Except as provided in subsection (b), the 
Secretary shall impose on any person who violates a provision of 
this part--

[[Page 56125]]

    (A) in the case of a violation of such provision in which it is 
established that the person did not know (and by exercising 
reasonable diligence would not have known) that such person violated 
such provision, a penalty for each such violation of an amount that 
is at least the amount described in paragraph (3)(A) but not to 
exceed the amount described in paragraph (3)(D);
    (B) in the case of a violation of such provision in which it is 
established that the violation was due to reasonable cause and not 
to willful neglect, a penalty for each such violation of an amount 
that is at least the amount described in paragraph (3)(B) but not to 
exceed the amount described in paragraph (3)(D); and
    (C) in the case of a violation of such provision in which it is 
established that the violation was due to willful neglect--
    (i) if the violation is corrected as described in subsection 
(b)(3)(A),\1\ a penalty in an amount that is at least the amount 
described in paragraph (3)(C) but not to exceed the amount described 
in paragraph (3)(D); and
---------------------------------------------------------------------------

    \1\ We note that, as amended, section 1176 no longer includes a 
subsection (b)(3)(A). We interpret this text as referencing the 30-
day period in section 1176(b)(2)(A), which was designated as section 
1176(b)(3)(A) prior to the HITECH Act's amendment. We request public 
comment on this interpretation, to the extent there is disagreement.
---------------------------------------------------------------------------

    (ii) if the violation is not corrected as described in such 
subsection, a penalty in an amount that is at least the amount 
described in paragraph (3)(D).
    In determining the amount of a penalty under this section for a 
violation, the Secretary shall base such determination on the nature 
and extent of the violation and the nature and extent of the harm 
resulting from such violation.
    (2) PROCEDURES. The provisions of section 1128A (other than 
subsections (a) and (b) and the second sentence of subsection (f)) 
shall apply to the imposition of a civil money penalty under this 
subsection in the same manner as such provisions apply to the 
imposition of a penalty under such section 1128A.
    (3) Tiers of penalties described.--For purposes of paragraph 
(1), with respect to a violation by a person of a provision of this 
part--
    (A) the amount described in this subparagraph is $100 for each 
such violation, except that the total amount imposed on the person 
for all such violations of an identical requirement or prohibition 
during a calendar year may not exceed $25,000;
    (B) the amount described in this subparagraph is $1,000 for each 
such violation, except that the total amount imposed on the person 
for all such violations of an identical requirement or prohibition 
during a calendar year may not exceed $100,000;
    (C) the amount described in this subparagraph is $10,000 for 
each such violation, except that the total amount imposed on the 
person for all such violations of an identical requirement or 
prohibition during a calendar year may not exceed $250,000; and
    (D) the amount described in this subparagraph is $50,000 for 
each such violation, except that the total amount imposed on the 
person for all such violations of an identical requirement or 
prohibition during a calendar year may not exceed $1,500,000.

    Section 13410(d) of the HITECH Act also revised section 1176(b) of 
the Act by: (1) Striking the affirmative defense for violations in 
which the covered entity did not know, or by reasonable diligence would 
not have known, of the violation (such violations are now punishable 
under the first tier of penalties); and (2) revising the subsection 
that provides an affirmative defense for a 30-day time period of 
correction to only require that the covered entity demonstrate the 
violation was not due to willful neglect (the statute previously also 
required a showing that the violation was due to reasonable cause). The 
revised statutory text of section 1176(b) that became effective 
February 18, 2009,\2\ pursuant to section 13410(d) of the HITECH Act is 
as follows:
---------------------------------------------------------------------------

    \2\ Note that section 13410(a) of the HITECH Act further amends 
section 1176(b) of the Act with respect to penalties imposed on or 
after February 18, 2011. These changes are not reflected in the 
statutory text, as they have yet to become effective.

    LIMITATIONS.
    (1) OFFENSES OTHERWISE PUNISHABLE. No penalty may be imposed 
under subsection (a) and no damages obtained under subsection (d) 
with respect to an act if the act constitutes an offense punishable 
under section 1177.
    (2) FAILURES DUE TO REASONABLE CAUSE.
    (A) IN GENERAL. Except as provided in subparagraph (B) or 
subsection (a)(1)(C), no penalty may be imposed under subsection (a) 
and no damages obtained under subsection (d) if the failure to 
comply is corrected during the 30-day period beginning on the first 
date the person liable for the penalty knew, or by exercising 
reasonable diligence would have known, that the failure to comply 
occurred.
    (B) EXTENSION OF PERIOD.--
    (i) NO PENALTY.--With respect to the imposition of a penalty by 
the Secretary under subsection (a), the period referred to in 
subparagraph (A) may be extended as determined appropriate by the 
Secretary based on the nature and extent of the failure to comply.
    (ii) ASSISTANCE.--If the Secretary determines that a person 
failed to comply because the person was unable to comply, the 
Secretary may provide technical assistance to the person during the 
period described in subparagraph (A). Such assistance shall be 
provided in any manner determined appropriate by the Secretary.
    (3) REDUCTION.--In the case of a failure to comply which is due 
to reasonable cause and not to willful neglect, any penalty under 
subsection (a) and any damages under subsection (d) that is not 
entirely waived under paragraph (3) \3\ may be waived to the extent 
that the payment of such penalty would be excessive relative to the 
compliance failure involved.

    \3\ We note that this reference to paragraph (3) creates a 
circular reference which appears to be an error. Section 13410(d) of 
the HITECH Act redesignated the prior paragraph (3) to paragraph 
(2), but did not include a conforming revision to this reference. 
Accordingly, we interpret this reference as being to paragraph (2) 
(i.e., the affirmative defense for violations that are not due to 
willful neglect and are timely corrected) and request public comment 
to the extent there is disagreement.
---------------------------------------------------------------------------

B. Regulatory Background

    Section 1173 of the Act, 42 U.S.C. 1320d-2, and section 264 of 
HIPAA, require the Secretary to adopt a number of national standards to 
facilitate the exchange of certain health information and to protect 
the privacy and security of such information. The Secretary has adopted 
a number of national standards to that end, which include the 
following: Standards for Electronic Transactions and Code Sets 
(Transactions and Code Sets Rules); Standards for Privacy of 
Individually Identifiable Health Information (HIPAA Privacy Rule); 
Standard Unique Employer Identifier (EIN Rule); Security Standards 
(HIPAA Security Rule); and Standard Unique Health Identifier for Health 
Care Providers (NPI Rule). See 70 FR 20224, 20225-26 (April 18, 2005) 
for a more detailed description of the history of these HIPAA rules. 
Covered entities are required to comply with these HIPAA standards.
    In addition, the Secretary promulgated rules that relate to 
compliance with, and enforcement of, the HIPAA rules, which are 
codified at 45 CFR part 160, subparts C, D, and E and collectively 
referred to as the Enforcement Rule. The Secretary first issued an 
interim final rule promulgating the procedural requirements for 
imposition of civil money penalties on violations of the privacy 
standards on April 17, 2003, Civil Money Penalties: Procedures for 
Investigations, Imposition of Penalties (68 FR 18896). The Secretary 
subsequently proposed a rule on April 18, 2005, HIPAA Administrative 
Simplification: Enforcement; Proposed Rule (70 FR 20224), proposing the 
amendment of 45 CFR part 160, subparts A (General Provisions), C 
(Compliance and Enforcement), and E (Procedures for Hearing), proposing 
a new subpart D (Imposition of Civil Money Penalties) that addressed 
the substantive issues related to the imposition of civil money 
penalties, and proposing that the above provisions be applied to all of 
the HIPAA rules, rather

[[Page 56126]]

than only the privacy standards. The Secretary then adopted a final 
rule, HIPAA Administrative Simplification: Enforcement; Final Rule (71 
FR 8390, February 16, 2006). The preambles of these rulemakings provide 
additional information that may be helpful to readers seeking a general 
understanding of HIPAA's compliance and enforcement scheme. Where, if 
at all, language in these prior preambles is contrary to language in 
this preamble or regulation text, the language herein applies.
    Subpart D of the Enforcement Rule pertains to the imposition of 
civil money penalties under section 1176 of the Act and includes a 
number of provisions that apply to violations occurring before section 
13410(d) of the HITECH Act's effective date of February 18, 2009, but 
that conflict with the statutory language as it has been revised with 
respect to violations occurring on or after February 18, 2009. Thus, 
the primary objectives of this interim final rule are to conform the 
Enforcement Rule provisions found in subpart D to the amended language 
in section 1176 of the Act, to provide covered entities with additional 
notice of the Secretary's revised statutory authority with respect to 
the imposition of civil money penalties, and to avoid any public 
misunderstanding or undue delay with respect to Congress' intent to 
strengthen enforcement of the HIPAA rules.

III. Approach to the Interim Final Rule

    As stated previously, this interim final rule amends several 
provisions of the Enforcement Rule, subpart D, to conform its language 
regarding HHS' imposition of civil money penalties to section 1176 of 
the Act, which section 13410(d) of the HITECH Act revised as of 
February 18, 2009. Subtitle D of the HITECH Act, which specifically 
pertains to privacy, contains several other provisions crafted to 
strengthen enforcement, some but not all of which pertain to HHS' 
implementation of the Enforcement Rule. We recognize that additional 
amendments will become necessary as such provisions become effective, 
but we do not adopt amendments in this interim final rule pursuant to 
those other provisions of subtitle D which have not yet become 
statutorily effective and have not, as a result, yet operated to revise 
HHS' enforcement authority under section 1176 of the Act.
    HHS has concluded that it has good cause, under 5 U.S.C. 553(b)(B), 
to waive the notice-and-comment requirements of the Administrative 
Procedure Act (APA) and to proceed with this interim final rule. We 
first note that section 13410(d) of the HITECH Act's amendment of 
section 1176 of the Act, 42, U.S.C. 1320d-5, became effective the day 
after the date of enactment and that many covered entities may be 
unaware they are currently subject to significantly greater penalties 
for violations of the HIPAA rules. In addition, section 13410(d) of the 
HITECH Act's amendments have caused a number of provisions of the 
Enforcement Rule to conflict with the amended statute, and the 
resulting inconsistency has led to public confusion, both as to the 
penalty amounts for violations of the HIPAA rules and as to what 
defenses remain in effect. Delaying the promulgation of these 
conforming amendments would also forestall HHS' timely implementation 
of the strengthened enforcement approach mandated by statute and would 
maintain the status quo with respect to the heightened privacy and 
security concerns associated with the electronic transmission of health 
information among health care entities.
    Based on the above reasons, we believe that delaying amendment to 
the Enforcement Rule, through the exercise of notice-and-comment 
rulemaking prior to publication of a final rule, would be 
impracticable, unnecessary, or contrary to public policy. Accordingly, 
HHS has good cause under the APA, 5 U.S.C. 553(b)(B), to waive notice-
and-comment rulemaking and to proceed directly with the issuance of a 
final rule. At the same time, HHS is interested in the public's input 
and requests public comments regarding the substance of these 
amendments.
    While HIPAA generally requires certain consultations with industry 
as a predicate to the issuance of the HIPAA standards, this interim 
final rule does not adopt standards, as the term is defined and 
interpreted under subtitle F of title II of HIPAA. Therefore, the 
requirement for such industry consultations in section 1172(c) of the 
Act, 42 U.S.C. 1320d-1(c), does not apply. For the same reason, the 
timeframes for compliance with the HIPAA rules, as set forth in section 
1175 of the Act, 42 U.S.C. 1320d-4, do not apply.

IV. Provisions in the Interim Final Rule

    This interim final rule amends 45 CFR part 160, subpart D, which 
establishes rules relating to the imposition of civil money penalties, 
to conform several provisions to section 13410(d) of the HITECH Act's 
amendments to section 1176 of the Act, 42 U.S.C. 1320d-6, which became 
effective February 18, 2009. This interim final rule's amendments 
distinguish between violations occurring before February 18, 2009, and 
violations occurring on or after that date, with respect to the 
potential amount of the civil money penalty and the affirmative 
defenses available to covered entities. We discuss this interim final 
rule's amendments to the Enforcement Rule on a provision-by-provision 
basis below:

A. Subpart A--General Provisions

1. Section 160.101--Statutory Basis and Purpose
    Section 160.101 is amended to add the statutory citation for 
section 13410(d) of the HITECH Act to the list of the statutes that the 
requirements of the subchapter are designed to implement.

B. Subpart D--Imposition of Civil Money Penalties

1. Section 160.401--Definitions
    Section 160.401 is added and defines the terms of reasonable cause, 
reasonable diligence and willful neglect, using the same definitions 
currently found at Sec.  160.410. As discussed below, we are removing 
these terms from Sec.  160.410 as a conforming amendment. This 
reorganization of the definitions signals the application of these 
terms to the entirety of subpart D. We do not discuss the terms 
further, as we are amending their placement in the rule but not their 
substance. Readers who would like a better understanding of these terms 
are encouraged to consult prior preamble explanations at 70 FR 20224, 
20237-9 (April 18, 2005) and 71 FR 8390, 8409-11 (February 16, 2006).
2. Section 160.404--Amount of Civil Money Penalties
    Subsection 160.404(b) is amended to revise the range of potential 
civil money penalty amounts a covered entity will be subject to based 
on the HITECH Act's amendments of section 1176 of the Act, 42 U.S.C. 
1320-5, which are currently in effect. As amended, Sec.  160.404(b)(1) 
retains the range of penalty amounts enumerated prior to the statutory 
revision for those violations occurring before February 18, 2009. The 
current content of Sec.  160.404(b)(2) is re-designated as Sec.  
160.404(b)(3). A new Sec.  160.404(b)(2) is added which identifies the 
range of penalty amounts for violations occurring on or after February 
18, 2009.
    Section 160.404 currently implements a penalty scheme, as required 
by section 1176(a)(1) prior to the HITECH Act's revisions, which 
explicitly established the maximum penalty amount for each violation as 
``not more than $100'' and

[[Page 56127]]

the maximum penalty amount ``for all violations of an identical 
requirement or prohibition during a calendar year'' as ``not to exceed 
$25,000.'' Subsection 160.404(b)(1) retains this penalty scheme for 
violations occurring before February 18, 2009, though its language is 
slightly modified to accommodate the parallel provisions for those 
violations that occur on or after February 18, 2009.
    As modified, section 1176(a)(1) generally establishes a minimum 
penalty amount ``for each such violation'' by stating the penalty 
amount is to be ``at least'' the amount described in a specifically 
referenced tier and establishes a maximum penalty amount per violation 
by stating that each such violation is ``not to exceed the amount 
described in [section 1176(a)(3)(D)].'' \4\ Each referenced penalty 
tier additionally provides a total penalty amount for all such 
violations of an identical requirement or prohibition during a calendar 
year. The HITECH Act's revised penalty scheme is similar to its 
predecessor with respect to its identification of a range of available 
civil money penalty amounts, a maximum penalty amount for violations of 
identical provisions during a calendar year, and generally with respect 
to the discretion it allows HHS in determining the appropriate penalty 
amount within the range prescribed.
---------------------------------------------------------------------------

    \4\ Section 1176(a)(1) notably provides no maximum penalty 
amount, however, with respect to ``each such violation'' described 
in subparagraph (C)(ii) (for violations established as due to 
willful neglect and not timely corrected), although a cap is set by 
section 1176(a)(3)(D). This caveat is discussed further below.
---------------------------------------------------------------------------

    The revised penalty scheme differs significantly from its 
predecessor by its establishment of several categories of violations 
that reflect increasing levels of culpability. The revised penalty 
scheme also differs significantly from its predecessor in its 
establishment of the range of available penalty amounts for each 
category of violation by reference to tiers of penalty amounts. Each 
tier specifies a minimum penalty amount that accompanies the increasing 
culpability associated with each category of violation and, for three 
of the four violation categories, defaults to ``the amount described in 
paragraph 3(D)'' as the outside limit.
    For example, in the case of a violation where it is established 
that a covered entity did not know of the violation and would not have 
known through the exercise of reasonable diligence, section 13410(d) of 
the HITECH Act provides that the minimum penalty amount for each such 
violation is ``at least'' the amount described in paragraph (3)(A) 
[section 1176(a)(3)(A)] (i.e., $100) but is ``not to exceed'' the 
amount described in paragraph (3)(D) [section 1176(a)(3)(D)] (i.e., 
$50,000). Paragraphs 1176(a)(3)(A) and (D) each additionally provide 
that the total penalty amount for multiple violations of an identical 
requirement or prohibition during a calendar year is $25,000 and $1.5 
million respectively.
    HHS considered the conflicting statutory language that references 
two tiers of penalties ``for each violation,'' which each provide a 
penalty amount ``for all such violations'' of an identical requirement 
or prohibition in a calendar year. With the exception of violations due 
to willful neglect that are not timely corrected, this interim final 
rule adopts a range of penalty amounts between the minimum given in one 
tier and the maximum given in the second tier for each violation and 
adopts the amount of $1.5 million as the limit for all violations of an 
identical provision of the HIPAA rules. For violations due to willful 
neglect that are not timely corrected, this interim final rule adopts 
the penalty amount of $50,000 as the minimum for each violation and 
$1.5 million for all such violations of an identical requirement or 
prohibition. These regulatory amendments are consistent with the most 
logical reading of section 1176(a)(1) and (3). The amendments are also 
consistent with Congress' intent to strengthen enforcement, in part, by 
increasing the minimum penalty amounts available according to 
categories of violation, and with the clear discretion Congress has 
provided to impose a penalty amount up to the amount described in 
``paragraph (3)(D).''
    More specifically, HHS amends Sec.  160.404(b)(2) to reflect each 
category of violation that will serve as the basis for a civil money 
penalty on or after February 18, 2009, as well as the respective range 
of penalty amounts available. The range of penalty amounts available 
for the first three categories of violations (i.e., where it is 
established the covered entity did not reasonably know of the 
violation, the violation was due to a reasonable cause, or the 
violation was due to willful neglect but timely corrected) is defined 
consistent with the controlling language of section 1176(a)(1)(A)-
(C)(i), whereby the minimum penalty amount for each violation is set 
pursuant to the specific tier referenced by each category of violation, 
and the maximum penalty amount for each violation is capped at $50,000, 
the amount identified ``for such each violation'' in section 
1176(a)(3)(D). For these categories of violations, the maximum penalty 
amount available for all such violations of an identical provision in a 
calendar year is consistently capped at $1.5 million, the other amount 
referenced in section 1176(a)(1) as that ``not to exceed'' and 
identified in section 1176(a)(3)(D) ``for all such violations of an 
identical requirement or prohibition during a calendar year.''
    The penalty amounts available for the fourth level of culpability 
(i.e., where it is established the violation is due to willful neglect 
but not timely corrected) are also consistent with the controlling 
language of section 1176(a)(1)(C)(ii). Unlike the other levels of 
culpability at section 1176(a)(1)(A), (B) and (C)(i), section 
1176(a)(1)(C)(ii) only provides in its reference to section 
1176(a)(3)(D) a minimum penalty amount of $50,000 ``for each 
violation'' and a penalty cap of $1.5 million for multiple violations 
of an identical requirement or prohibition in a calendar year.
    We highlight the penalty amounts in Table 1, below, to ensure that 
covered entities are fully aware of their potential liability:

    Table 1--Categories of Violations and Respective Penalty Amounts
                                Available
------------------------------------------------------------------------
                                                            All such
                                                        violations of an
    Violation category--Section       Each violation       identical
            1176(a)(1)                                   provision in a
                                                         calendar year
------------------------------------------------------------------------
(A) Did Not Know..................       $100-$50,000         $1,500,000
(B) Reasonable Cause..............       1,000-50,000          1,500,000
(C)(i) Willful Neglect--Corrected.      10,000-50,000          1,500,000
(C)(ii) Willful Neglect--Not                   50,000          1,500,000
 Corrected........................
------------------------------------------------------------------------


[[Page 56128]]

    We note that HHS will not impose the maximum penalty amount in all 
cases. Rather, HHS will determine penalty amounts as required by the 
statute at section 1176(a)(1) and the regulations at Sec.  160.408. 
That is, penalty determinations will be based on the nature and extent 
of the violation, the nature and extent of the resulting harm, as well 
as the other factors set forth at Sec.  160.408 (such as the covered 
entity's history of prior compliance or financial condition).
    For counting violations that occur on or after February 18, 2009, 
HHS will continue to utilize the methodology discussed in prior 
preambles of the Enforcement Rule. See 70 FR 20224, 20233-35 (April 18, 
2005) and 71 FR 8390, 8404-07 (February 16, 2006). For violations that 
began prior to February 18, 2009, and continue after that date, we will 
treat violations occurring before February 18, 2009, as subject to the 
penalties in effect prior to February 18, 2009 and violations occurring 
on or after February 18, 2009, as subject to the penalties in effect on 
or after February 18, 2009.
3. Section 160.410--Affirmative Defenses
    As previously discussed, the terms reasonable cause, reasonable 
diligence and willful neglect, have been moved from Sec.  160.410 to 
Sec.  160.401 in order to apply more generally to all of subpart D. 
Accordingly, we have removed the current paragraph (a) from Sec.  
160.410 and redesignated paragraph (b) as paragraph (a).
    We also amended Sec.  160.410 to conform its provisions to the 
statutory language in section 1176(a)(3), as revised by section 
13410(d) of the HITECH Act. Section 160.410(b) currently provides three 
affirmative defenses to the Secretary's authority to impose a civil 
money penalty, including the following:

    (1) The violation is an act punishable under 42 U.S.C. 1320d-6;
    (2) The covered entity establishes, to the satisfaction of the 
Secretary, that it did not have knowledge of the violation, 
determined in accordance with the federal common law of agency, and 
by exercising reasonable diligence, would not have known that the 
violation occurred; or
    (3) The violation is--
    (i) Due to reasonable cause and not willful neglect; and
    (ii) Corrected during either:
    (A) The 30-day period beginning on the date the covered entity 
liable for the penalty knew, or by exercising reasonable diligence 
would have known, that the violation occurred; or
    (B) Such additional period as the Secretary determines to be 
appropriate based on the nature and extent of the failure to comply

    Section 13410(d) of the HITECH Act revises section 1176(b) of the 
Act to: (a) Strike the limitation on imposing a penalty when a covered 
entity establishes, to the Secretary's satisfaction, that it ``did not 
know, and by exercising reasonable diligence would not have known'' of 
the violation; and (b) extend the affirmative defense for violations 
that are timely corrected, which was previously limited to violations 
due to ``reasonable cause and not to willful neglect,'' to all 
violations not due to willful neglect.
    The amendments conform Sec.  160.410 to distinguish the limitations 
placed on the Secretary's authority to impose civil money penalties 
before and after the HITECH Act by: (a) Revising the current 
provisions, which have been redesignated as paragraph (a), to apply 
only ``[f]or violations occurring prior to February 18, 2009''; and (b) 
adding a new paragraph (b) that applies ``[f]or violations occurring on 
or after February 18, 2009.'' The amendments also conform Sec.  160.410 
to the amended section 1176(b) by removing a covered entity's lack of 
knowledge as an affirmative defense for violations occurring on or 
after February 18, 2009. As a result, a covered entity that did not 
know and reasonably should not have known of such violations, will not 
have this affirmative defense available, unless it also corrects the 
violation during the 30-day time period beginning on the first date of 
such knowledge or during the period determined appropriate by the 
Secretary based on the nature and extent of the failure to comply. The 
amendments likewise revise the affirmative defenses available for 
violations occurring on or after February 18, 2009 to conform to the 
amended statute by removing any specific reference to ``reasonable 
cause'' while retaining more generalized language applicable to all 
violations ``not due to willful neglect.'' Notwithstanding these 
revisions, the Secretary may continue to use discretion in providing 
technical assistance, obtaining corrective action, and resolving 
possible noncompliance by informal means where the possible 
noncompliance is due to reasonable cause or in the event a person did 
not reasonably know that the violation occurred.
    We note that the amendments made to Sec.  160.410 do not alter the 
beginning of the 30-day cure period. Section 1176(b)(2)(A) of the Act 
continues to provide that the 30-day cure period begins ``on the first 
date the person liable for the penalty knew, or by exercising 
reasonable diligence would have known, that the failure to comply 
occurred.'' As prior preambles to the Enforcement Rule explain, the 
statute, ``on its face suggests that the knowledge involved must be 
knowledge that a `violation' has occurred, not just knowledge of the 
facts constituting the violation. * * * [HHS], thus, interpret[s] this 
knowledge requirement to mean that the covered entity must have 
knowledge that a violation has occurred, not just knowledge of the 
facts underlying the violation.'' However, the ``reasonable diligence'' 
requirement makes the affirmative defense unavailable, in the event a 
covered entity's ``lack of knowledge'' resulted from its failure to 
inform itself about its compliance obligations or to investigate 
received complaints or other information indicating likely 
noncompliance. See 70 FR 20224, 20237-8 (April 18, 2005) and 71 FR 
8390, 8410 (February 16, 2006). Thus, HHS expects its determination of 
the beginning of the cure period will be based on evidence gathered 
during its investigation of when a covered entity had actual or 
constructive knowledge of a violation.
    We also note that the amendments made to Sec.  160.410 do not alter 
affirmative defenses with respect to violations due to willful neglect. 
Section 1176(b)(2)(A) still operates to exclude violations due to 
willful neglect from those that, if timely corrected, would be exempt 
from the imposition of a civil money penalty. Violations due to willful 
neglect are therefore not eligible for extension, nor will their timely 
correction be an affirmative defense. Timely correction will, however, 
determine which tier of penalty amounts will be applicable to 
violations due to willful neglect.
    Thus, for example, referring to ``Table 1. Categories of Violations 
and Respective Penalty Amounts Available,'' which appears in the 
discussion about Sec.  160.404, a covered entity's timely correction 
would bar the Secretary's imposition of the penalty amounts identified 
in columns two and three, if the covered entity did not reasonably know 
of the violation or if the violation was due to reasonable cause. In 
contrast, a covered entity's timely correction of a violation due to 
willful neglect would not be an affirmative defense that bars the 
Secretary's imposition of a penalty amount identified in columns two 
and three of the table.
    To determine the appropriate penalty tier for a violation due to 
willful neglect, HHS will calculate the 30-day cure period in the same 
manner as that described above for the affirmative defense of timely 
correction of a violation not due to willful neglect. Our determination 
of when a covered entity

[[Page 56129]]

first had actual or constructive knowledge of a violation due to 
willful neglect for the purpose of calculating whether it was timely 
corrected will be based on evidence gathered during our investigation 
and will thus necessarily be made on a case-by-case basis. The minimum 
penalty amount under the HITECH Act for a violation due to willful 
neglect that is corrected during the 30-day cure period is 
significantly less than the minimum penalty amount for a violation due 
to willful neglect that is not timely corrected. In recognition of the 
HITECH Act's enhanced penalties and its application of a 30-day cure 
period to a determination of the appropriate penalty tier for a 
violation due to willful neglect, we request public comment on whether 
there are alternative approaches to calculating the beginning of the 
30-day cure period for this purpose.
    This interim final rule does not amend Sec.  160.410 with respect 
to the affirmative defense pertaining to criminal violations, 
punishable under 42 U.S.C. 1320d-6, since the relevant statutory 
revision will not become effective until February 18, 2011. The interim 
final rule also does not amend Sec.  160.410 with respect to the 
enforcement authority of state attorneys general to bring civil actions 
under the HIPAA rules in certain circumstances, as set forth in Sec.  
13410(e) of the HITECH Act, since such authority operates pursuant to 
the statute and does not require HHS rulemaking.
4. Section 160.412--Waiver
    Section 160.412 is amended to reflect the revisions to Sec.  
160.410. Regardless of whether violations occur before, on, or after 
February 18, 2009, the Secretary may continue to provide a waiver for 
violations due to reasonable cause and not willful neglect that are not 
timely corrected (pursuant to the correction period in revised Sec.  
160.410(a)(3)(ii) or (b)(2)(ii), as applicable).
5. Section 160.420--Notice of Proposed Determination
    Section 160.420(a)(4) is amended to add the requirement that, in 
addition to the proposed penalty amount, HHS identify the applicable 
violation category in Sec.  160.404 upon which the proposed penalty 
amount is based. While such additional language is not required by 
statute, HHS makes this amendment to provide covered entities with 
additional notice and information to benefit their understanding of the 
violation findings in the Notice of Proposed Determination.

V. Request for Comments

    HHS seeks public comments on any aspect of this interim final rule. 
In particular, we invite public comments with respect to the following: 
(1) The calculation of when the 30-day cure period begins for the 
purpose of determining the appropriate penalty tier for a violation due 
to willful neglect as discussed above in the penultimate paragraph of 
Section IV.B.3; (2) whether moving the definitions of ``reasonable 
cause,'' ``reasonable diligence,'' and ``willful neglect'' to the new 
Sec.  160.401 leads to any unintended consequences; and (3) the HHS 
interpretations of Congressional intent referenced in footnotes 1 and 
3.

VI. Impact Statement and Other Required Analyses

A. Paperwork Reduction Act

    We reviewed this interim final rule to determine whether it invokes 
issues that would relate to the Paperwork Reduction Act (PRA). While 
the PRA applies to agencies and collections of information conducted or 
sponsored by those agencies, 5 CFR 1320.4(a) exempts collections of 
information that occur ``during the conduct of * * * an administrative 
action, investigation, or audit involving an agency against specific 
individuals or entities,'' except for investigations or audits 
``undertaken with reference to a category of individuals entities or 
entities such as a class of licensees or an entire industry.'' The 
rules adopted below come squarely within this exemption, as they deal 
entirely with administrative investigations and actions against 
specific individuals or entities. Therefore, we have determined that 
the PRA does not apply to this interim final rule and need not be 
reviewed by the Office of Management and Budget under the authority of 
the PRA.

B. Executive Order 12866

    We also reviewed the impacts of this interim final rule as required 
by Executive Order 12866 (58 FR 51735, October 4, 1993), which directs 
agencies to assess all costs and benefits of available regulatory 
alternatives and, if regulation is necessary, to select regulatory 
approaches that maximize net benefits (including potential economic, 
environmental, public health and safety effects, distributive impacts, 
and equity). Executive Order 12866 requires that a regulatory impact 
analysis (RIA) be prepared for ``significant regulatory actions,'' 
which it defines at section 3(f), to include rules that may:

    (1) Have an annual effect on the economy of $100 million or more 
or adversely affect in a material way the economy, a sector of the 
economy, productivity, competition, jobs, the environment, public 
health or safety, or state, local, or tribal government or 
communities;
    (2) Create a serious inconsistency or otherwise interfere with 
an action taken or planned by another agency;
    (3) Materially alter the budgetary impact of entitlements, 
grants, user fees, or loan programs or the rights and obligations of 
recipients thereof; or
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
the Executive Order.

    Executive Order 12866 requires a full economic impact analysis only 
for ``economically significant'' rules under section 3(f)(1). The 
amendments contained within this interim final rule only conform the 
regulatory language of subpart D to that of the Act's revised statutory 
basis, in a way that differentiates the categories of violations for 
which a civil money penalty may be imposed, sets forth ranges of 
increasing penalty amounts with respect to each category of violation, 
and narrows the grounds for the affirmative defenses available.
    HHS has concluded, for reasons similar, and in addition to, those 
discussed in the preambles to the proposed and final Enforcement Rules 
at 70 FR 20224, 20248-49 (April 18, 2005) and 71 FR 8390, 8424 
(February 16, 2006), that the impact of this interim final rule is not 
such that it would reach the ``economically significant'' threshold 
under section 3(f)(1) of the Executive Order. As was the case at the 
time of earlier promulgations, the costs covered entities may incur 
with respect to their compliance with the Enforcement Rule, itself, 
should be low in most cases. That is, covered entities that comply with 
the HIPAA rules voluntarily, as is expected, should not incur any 
additional, significant costs with respect to the imposition of a civil 
money penalty. HHS' experience enforcing the HIPAA rules also suggests 
that violations should not collectively amount to an annual effect on 
the economy of $100 million or more, even in light of the higher 
penalty amounts prescribed by statute.
    Further, HHS does not expect the imposition of civil money 
penalties pursuant to these amendments to ``adversely affect in a 
material way the economy, a sector of the economy, productivity, 
competition, jobs, the environment, public health or safety, or state, 
local, or tribal government or communities.'' To the contrary, HHS 
maintains that the benefits brought by

[[Page 56130]]

the HIPAA provisions and their strengthened enforcement under this 
interim final rule will far outweigh the potential costs. We believe 
the added penalties will encourage covered entities to take steps 
necessary to comply and thus not be liable for violations. In addition, 
we believe the conforming amendments made with respect to the 
affirmative defenses available will encourage covered entities to 
quickly and voluntarily correct acts or omissions that might otherwise 
be established as violations of the HIPAA rules. Greater vigilance in 
protecting privacy may also encourage public trust in the industry's 
use of health information technology. For these reasons, among others, 
a detailed cost-benefit assessment of the interim final rule is not 
required.

C. Other Analyses

    We also examined the impacts of the interim final rule as required 
by the Regulatory Flexibility Act (RFA), section 1102(b) of the Act, 
the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), the Small 
Business Regulatory Enforcement and Fairness Act, 5 U.S.C. 801 et seq., 
and Executive Order 13132.
    The RFA requires agencies to determine whether a rule will have a 
significant economic impact on a substantial number of small entities. 
For purposes of the RFA, small entities include small businesses, 
nonprofit organizations, and government jurisdictions. The standard 
size of a ``small'' health care entity ranges from $7 million to $34.5 
million in revenues in any one year. HHS assumes that the majority of 
covered entities to which this interim final rule is applicable are 
likely to be deemed small businesses based on the size standards of the 
Small Business Administration. As is discussed above, HHS expects that 
a covered entity's voluntary compliance and timely correction will not 
result in any significant economic impact, and that only a small 
percentage of violations occurring on or after February 18, 2009, will 
necessitate investigation and the imposition of a civil money penalty 
due to willful neglect. As discussed in prior enforcement rulemakings, 
(70 FR 20224, 20249 (April 18, 2005) and 71 FR 8390, 8424 (February 16, 
2006)), the absence of evidence that small entities have a higher rate 
of noncompliance than larger entities provides additional support for 
the Secretary's certification that this rule will not have a 
significant economic impact on a substantial number of small entities.
    Section 1102(b) of the Act requires agencies to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 603 (proposed 
documents)/604 (final documents) of the RFA. A small rural hospital, 
for purposes of section 1102(b) of the Act, is defined as a hospital 
that is located outside of a Metropolitan Statistical Area and has 
fewer than 100 beds. For reasons described above, this interim final 
rule is not expected to have a significant impact on small rural 
hospitals any more than it is expected to negatively impact any 
``small'' health care entity.
    Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 
1531 et seq., requires that agencies assess anticipated costs and 
benefits before issuing a rule that may result in an aggregate 
expenditure of $100 million in any one year, by State, local, or tribal 
governments, or by the private sector. The Small Business Regulatory 
Enforcement Act of 1996 (SBREFA), 5 U.S.C. 801 et seq., also requires 
that rules that will have an impact on the economy of $100 million or 
more per annum be submitted for Congressional review. For the reasons 
discussed above, this interim final rule would not impose a burden 
large enough to require a statement under section 202 of the Unfunded 
Mandates Reform Act of 1995 or Congressional review under the SBREFA.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a rule that imposes substantial 
direct requirement costs on State and local governments, preempts State 
law, or otherwise has Federalism implications. As previously discussed, 
this interim final rule is not likely to have substantial economic 
effects. Any preemption of State law that could occur would be a 
function of the HIPAA statute and the underlying HIPAA rules and not 
these amendments to the Enforcement Rule, which principally establish 
the means by which the statutory civil money penalty provisions will be 
implemented. This interim final rule does not have ``substantial direct 
effects on the States, on the relationship between the national 
government and the States, or on the distribution of power and 
responsibilities among the various levels of government,'' nor does it 
have ``Federalism implications.'' It is therefore not subject to 
Executive Order 13132.

List of Subjects in 45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic transactions, Employer benefit plan, Health, Health care, 
Health facilities, Health insurance, Health records, Hospitals, 
Investigations, Medicaid, Medical research, Medicare, Penalties, 
Privacy, Reporting and recordkeeping requirements, Security.

0
For the reasons set forth in the preamble, the Department of Health and 
Human Services amends 45 CFR subtitle A, subchapter C, part 160, as set 
forth below.

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 160 is revised to read as follows:

    Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, sec. 264 
of Public Law 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 
(note)), 5 U.S.C. 552; and secs.13400 and 13402, Public Law 111-5, 
123 Stat. 258-263.

* * * * *

0
2. Revise Sec.  160.101 to read as follows:


Sec.  160.101  Statutory basis and purpose.

    The requirements of this subchapter implement sections 1171 through 
1179 of the Social Security Act (the Act), as added by section 262 of 
Public Law 104-191, section 264 of Public Law 104-191, section 13402 of 
Public Law 111-5, and section 13410(d) of Public Law 111-5.

0
3. Add Sec.  160.401 to subpart D to read as follows:


Sec.  160.401  Definitions.

    As used in this subpart, the following terms have the following 
meanings:
    Reasonable cause means circumstances that would make it 
unreasonable for the covered entity, despite the exercise of ordinary 
business care and prudence, to comply with the administrative 
simplification provision violated.
    Reasonable diligence means the business care and prudence expected 
from a person seeking to satisfy a legal requirement under similar 
circumstances.
    Willful neglect means conscious, intentional failure or reckless 
indifference to the obligation to comply with the administrative 
simplification provision violated.

0
4. Revise paragraph (b) of Sec.  160.404 to read as follows:


Sec.  160.404  Amount of a civil monetary penalty.

* * * * *

[[Page 56131]]

    (b) The amount of a civil money penalty that may be imposed is 
subject to the following limitations:
    (1) For violations occurring prior to February 18, 2009, the 
Secretary may not impose a civil money penalty--
    (i) In the amount of more than $100 for each violation; or
    (ii) In excess of $25,000 for identical violations during a 
calendar year (January 1 through the following December 31);
    (2) For violations occurring on or after February 18, 2009, the 
Secretary may not impose a civil money penalty--
    (i) For a violation in which it is established that the covered 
entity did not know and, by exercising reasonable diligence, would not 
have known that the covered entity violated such provision,
    (A) In the amount of less than $100 or more than $50,000 for each 
violation; or
    (B) In excess of $1,500,000 for identical violations during a 
calendar year (January 1 through the following December 31);
    (ii) For a violation in which it is established that the violation 
was due to reasonable cause and not to willful neglect,
    (A) In the amount of less than $1,000 or more than $50,000 for each 
violation; or
    (B) In excess of $1,500,000 for identical violations during a 
calendar year (January 1 through the following December 31);
    (iii) For a violation in which it is established that the violation 
was due to willful neglect and was corrected during the 30-day period 
beginning on the first date the covered entity liable for the penalty 
knew, or, by exercising reasonable diligence, would have known that the 
violation occurred,
    (A) In the amount of less than $10,000 or more than $50,000 for 
each violation; or
    (B) In excess of $1,500,000 for identical violations during a 
calendar year (January 1 through the following December 31);
    (iv) For a violation in which it is established that the violation 
was due to willful neglect and was not corrected during the 30-day 
period beginning on the first date the covered entity liable for the 
penalty knew, or, by exercising reasonable diligence, would have known 
that the violation occurred,
    (A) In the amount of less than $50,000 for each violation; or
    (B) In excess of $1,500,000 for identical violations during a 
calendar year (January 1 through the following December 31).
    (3) If a requirement or prohibition in one administrative 
simplification provision is repeated in a more general form in another 
administrative simplification provision in the same subpart, a civil 
money penalty may be imposed for a violation of only one of these 
administrative simplification provisions.

0
5. Revise Sec.  160.410 to read as follows:


Sec.  160.410  Affirmative defenses.

    (a) For violations occurring prior to February 18, 2009, the 
Secretary may not impose a civil money penalty on a covered entity for 
a violation if the covered entity establishes that an affirmative 
defense exists with respect to the violations, including the following:
    (1) The violation is an act punishable under 42 U.S.C. 1320d-6;
    (2) The covered entity establishes, to the satisfaction of the 
Secretary, that it did not have knowledge of the violation, determined 
in accordance with the federal common law of agency, and, by exercising 
reasonable diligence, would not have known that the violation occurred; 
or
    (3) The violation is--
    (i) Due to reasonable cause and not willful neglect; and
    (ii) Corrected during either:
    (A) The 30-day period beginning on the first date the covered 
entity liable for the penalty knew, or by exercising reasonable 
diligence would have known, that the violation occurred; or
    (B) Such additional period as the Secretary determines to be 
appropriate based on the nature and extent of the failure to comply.
    (b) For violations occurring on or after February 18, 2009, the 
Secretary may not impose a civil money penalty on a covered entity for 
a violation if the covered entity establishes that an affirmative 
defense exists with respect to the violations, including the following:
    (1) The violation is an act punishable under 42 U.S.C. 1320d-6; or
    (2) The covered entity establishes to the satisfaction of the 
Secretary that the violation is--
    (i) Not due to willful neglect; and
    (ii) Corrected during either:
    (A) The 30-day period beginning on the first date the covered 
entity liable for the penalty knew, or, by exercising reasonable 
diligence, would have known that the violation occurred; or
    (B) Such additional period as the Secretary determines to be 
appropriate based on the nature and extent of the failure to comply.

0
6. Revise Sec.  160.412 to read as follows:


Sec.  160.412  Waiver.

    For violations due to reasonable cause and not willful neglect that 
are not corrected within the period described in Sec.  
160.410(a)(3)(ii) or (b)(2)(ii), as applicable, the Secretary may waive 
the civil money penalty, in whole or in part, to the extent that the 
payment of the penalty would be excessive relative to the violation.

0
7. Revise Sec.  160.420(a)(4) to read as follows:


Sec.  160.420  Notice of Proposed Determination.

    (a) * * *
    (4) The amount of the proposed penalty and a reference to the 
subparagraph of Sec.  160.404 upon which it is based.
* * * * *

    Dated: August 11, 2009.
Kathleen Sebelius,
Secretary.
[FR Doc. E9-26203 Filed 10-29-09; 8:45 am]
BILLING CODE 4150-03-P