Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, 40868-40924 [2010-16718]

Agencies

• Office of the Secretary
• DEPARTMENT OF HEALTH AND HUMAN SERVICES

[Federal Register Volume 75, Number 134 (Wednesday, July 14, 2010)]
[Proposed Rules]
[Pages 40868-40924]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-16718]



[[Page 40867]]

-----------------------------------------------------------------------

Part II





Department of Health and Human Services





-----------------------------------------------------------------------



45 CFR Parts 160 and 164



Modifications to the HIPAA Privacy, Security, and Enforcement Rules 
Under the Health Information Technology for Economic and Clinical 
Health Act; Proposed Rule

Federal Register / Vol. 75 , No. 134 / Wednesday, July 14, 2010 / 
Proposed Rules

[[Page 40868]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN: 0991-AB57


Modifications to the HIPAA Privacy, Security, and Enforcement 
Rules Under the Health Information Technology for Economic and Clinical 
Health Act

AGENCY: Office for Civil Rights, Department of Health and Human 
Services.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS or ``the 
Department'') is issuing this notice of proposed rulemaking to modify 
the Standards for Privacy of Individually Identifiable Health 
Information (Privacy Rule), the Security Standards for the Protection 
of Electronic Protected Health Information (Security Rule), and the 
rules pertaining to Compliance and Investigations, Imposition of Civil 
Money Penalties, and Procedures for Hearings (Enforcement Rule) issued 
under the Health Insurance Portability and Accountability Act of 1996 
(HIPAA). The purpose of these modifications is to implement recent 
statutory amendments under the Health Information Technology for 
Economic and Clinical Health Act (``the HITECH Act'' or ``the Act''), 
to strengthen the privacy and security protection of health 
information, and to improve the workability and effectiveness of these 
HIPAA Rules.

DATES: Submit comments on or before September 13, 2010.

ADDRESSES: You may submit comments, identified by RIN 0991-AB57, by any 
of the following methods (please do not submit duplicate comments):
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Attachments should be 
in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft 
Word.
     Regular, Express, or Overnight Mail: U.S. Department of 
Health and Human Services, Office for Civil Rights, Attention: HITECH 
Privacy and Security Rule Modifications, Hubert H. Humphrey Building, 
Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please 
submit one original and two copies.
     Hand Delivery or Courier: Office for Civil Rights, 
Attention: HITECH Privacy and Security Rule Modifications, Hubert H. 
Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, 
DC 20201. Please submit one original and two copies. (Because access to 
the interior of the Hubert H. Humphrey Building is not readily 
available to persons without Federal government identification, 
commenters are encouraged to leave their comments in the mail drop 
slots located in the main lobby of the building.)
    Inspection of Public Comments: All comments received before the 
close of the comment period will be available for public inspection, 
including any personally identifiable or confidential business 
information that is included in a comment. We will post all comments 
received before the close of the comment period at https://www.regulations.gov. Because comments will be made public, they should 
not include any sensitive personal information, such as a person's 
social security number; date of birth; driver's license number, State 
identification number or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. Comments also 
should not include any sensitive health information, such as medical 
records or other individually identifiable health information, or any 
non-public corporate or trade association information, such as trade 
secrets or other proprietary information.

FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.

SUPPLEMENTARY INFORMATION: 
    The discussion below includes a description of the statutory and 
regulatory background of the proposed rules, a section-by-section 
description of the proposed modifications, and the impact statement and 
other required regulatory analyses. We solicit public comment on the 
proposed rules. Persons interested in commenting on the provisions of 
the proposed rules can assist us by preceding discussion of any 
particular provision or topic with a citation to the section of the 
proposed rule being discussed.

I. Statutory and Regulatory Background

    The regulatory modifications proposed below concern several sets of 
rules that implement the Administrative Simplification provisions of 
title II, subtitle F, of the Health Insurance Portability and 
Accountability Act of 1996 (HIPAA) (Pub. L. 104-191), which added a new 
part C to title XI of the Social Security Act (sections 1171-1179 of 
the Social Security Act, 42 U.S.C. 1320d-1320d-8). The Health 
Information Technology for Economic and Clinical Health (HITECH) Act, 
which was enacted as title XIII of division A and title IV of division 
B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public 
Law 111-5, modifies certain provisions of the Social Security Act 
pertaining to the Administrative Simplification Rules (HIPAA Rules) and 
requires certain modifications to the HIPAA Rules themselves.

A. HIPAA Administrative Simplification--Statutory Background

    The Administrative Simplification provisions of HIPAA provided for 
the establishment of national standards for the electronic transmission 
of certain health information, such as standards for certain health 
care transactions conducted electronically and code sets and unique 
health care identifiers for health care providers and employers. The 
Administrative Simplification provisions of HIPAA also required the 
establishment of national standards to protect the privacy and security 
of personal health information and established civil money and criminal 
penalties for violations of the Administrative Simplification 
provisions. The Administrative Simplification provisions of HIPAA apply 
to three types of entities, which are known as ``covered entities'': 
health care providers who conduct covered health care transactions 
electronically, health plans, and health care clearinghouses.

B. HIPAA Administrative Simplification--Regulatory Background

    The rules proposed below concern the privacy and security standards 
issued pursuant to HIPAA, as well as the enforcement rules that 
implement HIPAA's civil money penalty authority. The Standards for 
Privacy of Individually Identifiable Health Information, known as the 
``Privacy Rule,'' were issued on December 28, 2000, and amended on 
August 14, 2002. See 65 FR 82462, as amended at 67 FR 53182. The 
Security Standards for the Protection of Electronic Protected Health 
Information, known as the ``Security Rule,'' were issued on February 
20, 2003. See 68 FR 8334. The Compliance and Investigations, Imposition 
of Civil Money Penalties, and Procedures for Hearings regulations, 
collectively known as the ``Enforcement Rule,'' were issued as an 
interim final rule on April 17, 2003 (68 FR 18895), and revised and 
issued as a final rule, following rulemaking, on February 16, 2006 (71 
FR 8390).
    The Privacy Rule protects individuals' medical records and other 
individually

[[Page 40869]]

identifiable health information created or received by or on behalf of 
covered entities, known as ``protected health information.'' The 
Privacy Rule protects individuals' health information by regulating the 
circumstances under which covered entities may use and disclose 
protected health information and by requiring covered entities to have 
safeguards in place to protect the privacy of the information. As part 
of these protections, covered entities are required to have contracts 
or other arrangements in place with business associates that perform 
functions for or provide services to the covered entity and that 
require access to protected health information to ensure that these 
business associates likewise protect the privacy of the health 
information. The Privacy Rule also gives individuals rights with 
respect to their protected health information, including rights to 
examine and obtain a copy of their health records and to request 
corrections.
    The Security Rule, which applies only to protected health 
information in electronic form, requires covered entities to implement 
certain administrative, physical, and technical safeguards to protect 
this electronic information. As with the Privacy Rule, the Security 
Rule requires covered entities to have contracts or other arrangements 
in place with their business associates that provide satisfactory 
assurances that the business associates will appropriately safeguard 
the electronic protected health information they receive, create, 
maintain, or transmit on behalf of the covered entities.
    The Enforcement Rule establishes rules governing the compliance 
responsibilities of covered entities with respect to cooperation in the 
enforcement process. It also provides rules governing the investigation 
by the Department of compliance by covered entities, both through the 
investigation of complaints and the conduct of compliance reviews. It 
establishes rules governing the process and grounds for establishing 
the amount of a civil money penalty where the Department has determined 
a covered entity has violated a requirement of a HIPAA Rule. Finally, 
the Enforcement Rule establishes rules governing the procedures for 
hearings and appeals where the covered entity challenges a violation 
determination.

C. The HITECH Act--Statutory Background

    The HITECH Act, enacted on February 17, 2009, is designed to 
promote the widespread adoption and standardization of health 
information technology. Subtitle D of title XIII, entitled ``Privacy,'' 
supports this goal by adopting amendments designed to strengthen the 
privacy and security protections of health information established by 
HIPAA. These provisions include extending the applicability of certain 
of the Privacy and Security Rules' requirements to the business 
associates of covered entities; requiring HIPAA covered entities and 
business associates to provide for notification of breaches of 
``unsecured protected health information''; establishing new 
limitations on the use and disclosure of protected health information 
for marketing and fundraising purposes; prohibiting the sale of 
protected health information; requiring the consideration of a limited 
data set as the minimum necessary amount of information; and expanding 
individuals' rights to access and receive an accounting of disclosures 
of their protected health information, and to obtain restrictions on 
certain disclosures of protected health information to health plans. In 
addition, subtitle D adopts provisions designed to strengthen and 
expand HIPAA's enforcement provisions. We provide a brief overview of 
the relevant statutory provisions below.
    In the area of business associates, the Act makes a number of 
changes. First, section 13401 of the Act applies certain provisions of 
the Security Rule that apply to covered entities directly to their 
business associates and makes business associates liable for civil and 
criminal penalties for the failure to comply with these provisions. 
Similarly, section 13404 makes business associates of covered entities 
civilly and criminally liable under the Privacy Rule for making uses 
and disclosures of protected health information that do not comply with 
the terms of their business associate contracts. The Act also provides 
that the additional privacy and security requirements of subtitle D of 
the Act are applicable to business associates and that such 
requirements shall be incorporated into business associate contracts. 
Finally, section 13408 of the Act requires that organizations that 
provide data transmission of protected health information to a covered 
entity or business associate and that require routine access to such 
information, such as Health Information Exchange Organizations, 
Regional Health Information Organizations, and E-prescribing Gateways, 
as well as vendors that contract with covered entities to offer 
personal health records to patients as part of the covered entities' 
electronic health records, shall be treated as business associates for 
purposes of the HITECH Act and the HIPAA Privacy and Security Rules and 
required to enter into business associate contracts.
    Section 13402 of the Act sets forth the breach notification 
provisions, requiring covered entities and business associates to 
provide notification following discovery of a breach of unsecured 
protected health information. Additionally, section 13407 of the Act, 
enforced by the Federal Trade Commission (FTC), applies similar breach 
notification provisions to vendors of personal health records and their 
third party service providers.
    Section 13405 of the Act requires the Department to modify certain 
Privacy Rule provisions. In particular, section 13405 sets forth 
certain circumstances in which covered entities must comply with an 
individual's request for restriction of disclosure of his or her 
protected health information, provides for covered entities to consider 
a limited data set as the minimum necessary for a particular use, 
disclosure, or request of protected health information, and requires 
the Secretary to issue guidance to address what constitutes minimum 
necessary under the Privacy Rule. Section 13405 also requires the 
Department to modify the Privacy Rule to require covered entities that 
use or maintain electronic health records to provide individuals, upon 
request, with an accounting of disclosures of protected health 
information through an electronic health record for treatment, payment, 
or health care operations; generally prohibits the sale of protected 
health information without a valid authorization from the individual; 
and strengthens an individual's right to an electronic copy of their 
protected health information, where a covered entity uses or maintains 
an electronic health record.
    Section 13406 of the Act requires the Department to modify the 
marketing and fundraising provisions of the Privacy Rule. With respect 
to marketing, the Act requires authorizations for certain health-
related communications, which are currently exempted from the 
definition of marketing, if the covered entity receives remuneration in 
exchange for making the communication. The Act also strengthens an 
individual's right under the Privacy Rule to opt out of fundraising 
communications by requiring the Department to modify the Privacy Rule 
so that covered entities must provide individuals with a clear and 
conspicuous opportunity to opt out of receiving fundraising

[[Page 40870]]

communications and by requiring that an opt out be treated as a 
revocation of authorization under the Privacy Rule.
    Section 13410 of the Act addresses enforcement in a number of ways. 
First, section 13410(a) provides that the Secretary's authority to 
impose a civil money penalty will only be barred to the extent a 
criminal penalty has been imposed, rather than in cases in which the 
offense in question merely constitutes an offense criminally 
punishable. In addition, section 13410(a) of the Act requires the 
Secretary to formally investigate any complaint where a preliminary 
investigation of the facts indicates a possible violation due to 
willful neglect and to impose a penalty where a violation is found in 
such cases. Section 13410(c) of the Act provides, for purposes of 
enforcement, for the transfer to the HHS Office for Civil Rights of any 
civil money penalty or monetary settlement collected under the Privacy 
and Security Rules and also requires the Department to establish by 
regulation a methodology for distributing to harmed individuals a 
percentage of the civil money penalties and monetary settlements 
collected under the Privacy and Security Rules. Effective as of 
February 18, 2009, section 13410(d) of the Act also modified the civil 
money penalty structure for violations of the HIPAA Rules by 
implementing a tiered increase in the amount of penalties based on 
culpability. In addition, as of February 18, 2009, section 13410(e) of 
the Act also granted State Attorneys General the authority to enforce 
the HIPAA Rules by bringing civil actions on behalf of State residents 
in court.
    Section 13421 states that HIPAA's State preemption provisions at 42 
U.S.C. 1320d-7 shall apply to the provisions of subtitle D of the 
HITECH Act in the same manner as they do to HIPAA's provisions.\1\ 
Section 13423 of the Act provides a general effective date of February 
18, 2010, for most of its provisions, except where a different 
effective date is otherwise provided.
---------------------------------------------------------------------------

    \1\ We note that section 13421 of the HITECH Act and HIPAA's 
State preemption provisions do not affect the applicability of other 
Federal law, such as the Confidentiality of Alcohol and Drug Abuse 
Patient Records Regulation at 42 CFR Part 2, to a covered entity's 
use or disclosure of health information.
---------------------------------------------------------------------------

    The Act also provides for the development of guidance, reports, and 
studies in a number of areas, including guidance on appropriate 
technical safeguards to implement the HIPAA Security Rule (section 
13401(c)); for purposes of breach notification, guidance on the methods 
and technologies for rendering protected health information unusable, 
unreadable, or indecipherable to unauthorized individuals (section 
13402(h)); guidance on what constitutes the minimum necessary amount of 
information for purposes of the Privacy Rule (section 13405(b)); a 
report by the Government Accountability Office (GAO) regarding 
recommendations for a methodology under which harmed individuals may 
receive a percentage of civil money penalties and monetary settlements 
under the HIPAA Privacy and Security Rules (section 13410(c)); a report 
to Congress on HIPAA Privacy and Security enforcement (section 
13424(a)); a study and report on the application of privacy and 
security requirements to non-HIPAA covered entities (section 13424(b)); 
guidance on de-identification (section 13424(c)); and a study on the 
Privacy Rule's definition of ``psychotherapy notes'' at 45 CFR 164.501, 
with regard to including test data that is related to direct responses, 
scores, items, forms, protocols, manuals, or other materials that are 
part of a mental health evaluation (section 13424(f)).
    Finally, the Act includes provisions for education by HHS on health 
information privacy and for periodic audits by the Secretary. Section 
13403(a) provides for the Secretary to designate HHS regional office 
privacy advisors to offer guidance and education to covered entities, 
business associates, and individuals on their rights and 
responsibilities related to Federal privacy and security requirements 
for protected health information. Section 13403(b) requires the HHS 
Office for Civil Rights, not later than 12 months after enactment, to 
develop and maintain a multi-faceted national education initiative to 
enhance public transparency regarding the uses of protected health 
information, including programs to educate individuals about potential 
uses of their protected health information, the effects of such uses, 
and the rights of individuals with respect to such uses. Section 13411 
requires the Secretary to provide for periodic audits to ensure covered 
entities and business associates comply with the applicable 
requirements of the HIPAA Privacy and Security Rules.
    We discuss many of the Act's statutory provisions in more detail 
below where we describe section-by-section how these proposed 
regulations would implement those provisions of the Act. However, we do 
not discuss in detail the breach notification provisions in sections 
13402 of the Act or the modified civil money penalty structure in 
section 13410(d) of the Act, which as explained below, have been the 
subject of previous rulemakings. In addition, we do not address in this 
rulemaking the accounting for disclosures requirement in section 13405 
of the Act, which is tied to the adoption of a standard under the 
HITECH Act at subtitle A of title XIII of ARRA, or the penalty 
distribution methodology requirement in section 13410(c) of the Act, 
which is to be based on the recommendations noted above to be developed 
at a later date by the GAO. These provisions will be the subject of 
future rulemakings. Further, we clarify that we are not issuing 
regulations with respect to the new authority of the State Attorneys 
General to enforce the HIPAA Rules. Finally, other than the guidance 
required by section 13405(b) of the Act with respect to what 
constitutes minimum necessary, this proposed rule does not address the 
studies, reports, guidance, audits, or education efforts required by 
the HITECH Act.

D. The HITECH Act--Regulatory Background

    As noted above, certain of the HITECH Act's privacy and security 
provisions have already been the subject of rulemakings and related 
actions. In particular, the Department published interim final 
regulations to implement the breach notification provisions at section 
13402 of the Act for HIPAA covered entities and business associates in 
the Federal Register on August 24, 2009 (74 FR 42740), effective 
September 23, 2009. Similarly, the FTC published final regulations 
implementing the breach notification provisions at section 13407 for 
personal health record vendors and their third party service providers 
on August 25, 2009 (74 FR 42962), effective September 24, 2009. For 
purposes of determining to what information the HHS and FTC breach 
notification regulations apply, the Department also issued, first on 
April 17, 2009 (published in the Federal Register on April 27, 2009, 74 
FR 19006), and then later with its interim final rule, the guidance 
required by the HITECH Act under 13402(h) specifying the technologies 
and methodologies that render protected health information unusable, 
unreadable, or indecipherable to unauthorized individuals. In addition, 
to conform the provisions of the Enforcement Rule to the new tiered and 
increased civil money penalty structure made effective by the HITECH 
Act on the day after enactment, or February 18, 2009, the Department 
published an interim final rule on October 30, 2009 (74 FR 56123), 
effective November 30, 2009.

[[Page 40871]]

II. General Issues

A. Effective and Compliance Dates

    As noted above, section 13423 of the Act provides that the 
provisions in subtitle D took effect one year after enactment, i.e., on 
February 18, 2010, except as specified otherwise. There are a number of 
exceptions to this general rule. Some provisions were effective the day 
after enactment, i.e., February 18, 2009. For example, the tiered and 
increased civil money penalty provisions of section 13410(d) were 
effective for violations occurring after the date of enactment. 
Sections 13402 and 13407 of the Act regarding breach notification 
required interim final rules within 180 days of enactment, with 
effective dates 30 days after the publication of such rules. Other 
provisions of the Act have later effective dates. For example, the 
provision at section 13410(a)(1) of the Act providing that the 
Secretary's authority to impose a civil money penalty will only be 
barred to the extent a criminal penalty has been imposed, rather than 
in cases in which the offense in question merely constitutes an offense 
that is criminally punishable, becomes effective for violations 
occurring on or after February 18, 2011. The rules proposed below 
generally pertain to the statutory provisions that became effective on 
February 18, 2010, or, in a few cases, on a later date.
    We note that the final rule will not take effect until after most 
of the provisions of the HITECH Act became effective on February 18, 
2010. We recognize that it will be difficult for covered entities and 
business associates to comply with the statutory provisions until after 
we have finalized our changes to the HIPAA Rules. In addition, we 
recognize that covered entities and business associates will need some 
time beyond the effective date of the final rule to come into 
compliance with the final rule's provisions. In light of these 
considerations, we intend to provide covered entities and business 
associates with 180 days beyond the effective date of the final rule to 
come into compliance with most of the rule's provisions. We believe 
that providing a 180-day compliance period best comports with section 
1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d-4, and our 
implementing provision at 45 CFR 160.104(c)(1), which require the 
Secretary to provide at least a 180-day period for covered entities to 
comply with modifications to standards and implementation 
specifications in the HIPAA Rules. While the Social Security Act and 
the HIPAA Rules permit the Secretary to further delay the compliance 
date for small health plans, we do not believe that it is necessary to 
do so for this rule both because most of the changes being proposed are 
discrete modifications to existing requirements of the HIPAA Rules, as 
well as because the Department is proposing an additional one-year 
transition period to modify certain business associate agreements, 
which should provide sufficient relief to all covered entities, 
including small health plans. The Department welcomes comment on the 
assumption that it is not necessary to extend the compliance date for 
small health plans.
    We also expect that for future modifications to the HIPAA Rules, in 
most cases, a 180-day compliance period will suffice. Accordingly, we 
propose to add a provision at Sec.  160.105 to address the compliance 
date generally for implementation of new or modified standards in the 
HIPAA Rules. Proposed Sec.  160.105 would provide that with respect to 
new standards or implementation specifications or modifications to 
standards or implementation specifications in the HIPAA Rules, except 
as otherwise provided, covered entities and business associates must 
comply with the applicable new standards or implementation 
specifications or modifications to standards or implementation 
specifications no later than 180 days from the effective date of any 
such change. Where future modifications to the HIPAA Rules necessitate 
a longer compliance period, we would provide so accordingly in the 
regulatory text. We propose to retain the compliance date provisions at 
Sec. Sec.  164.534 and 164.318, which provide the compliance dates of 
April 14, 2003, and April 20, 2005, for initial implementation of the 
HIPAA Privacy and Security Rules, respectively, for historical purposes 
only.
    We note that proposed Sec.  160.105 regarding the compliance date 
of new or modified standards or implementation specifications would not 
apply to modifications to the provisions of the HIPAA Enforcement Rule 
because such provisions are not standards or implementation 
specifications (as the terms are defined at Sec.  160.103). Such 
provisions are in effect and apply at the time the final rule becomes 
effective or as otherwise specifically provided. We also note that our 
proposed general rule for a 180-day compliance period for new or 
modified standards would not apply where we expressly provide a 
different compliance period in the regulation for one or more 
provisions. For purposes of this proposed rule, this would mean that 
the 180-day compliance period would not govern the time period required 
to modify those business associate agreements that qualify for the 
longer transition period proposed in Sec.  164.532. We seek comments on 
any potential unintended consequences of establishing a 180-day 
compliance date as a regulatory default, with the noted exceptions.

B. Other Proposed Changes

    While passage of the HITECH Act necessitates much of the rulemaking 
below, it does not account for all of the proposed changes to the HIPAA 
Privacy, Security, and Enforcement Rules encompassed in this 
rulemaking. The Department is taking this opportunity to improve the 
workability and effectiveness of all three sets of HIPAA Rules. The 
Privacy Rule has not been amended since 2002, and the Security Rule has 
not been amended since 2003. While the Enforcement Rule was amended in 
the October 30, 2009, interim final rule to incorporate the 
enforcement-related HITECH statutory changes that are already 
effective, it has not been otherwise substantively amended since 2006. 
In the intervening years, HHS has accumulated a wealth of experience 
with these rules, both from public contact in various forums and 
through the process of enforcing the rules. In addition, we have 
identified a number of needed technical corrections to the rules. 
Accordingly, we propose a number of modifications that we believe will 
eliminate ambiguities in the rules and/or make them more workable and 
effective. Further, we propose a few modifications to conform the HIPAA 
Privacy Rule to provisions in the Patient Safety and Quality 
Improvement Act of 2005 (PSQIA). We address the substantive proposed 
changes in the section-by-section description of the proposed rule 
below. Technical corrections are discussed at the end of the section-
by-section description of the other proposed amendments to the rules.

III. Section-by-Section Description of the Proposed Amendments to 
Subparts A and B of Part 160

    Subpart A of part 160 of the HIPAA Rules contains general 
provisions that apply to all of the HIPAA Rules. Subpart B of part 160 
contains the regulatory provisions implementing HIPAA's preemption 
provisions. We propose to amend a number of these provisions. Some of 
the proposed changes are necessitated by the statutory changes made by 
the HITECH Act, while others are of a technical or conforming nature.

[[Page 40872]]

A. Subpart A--General Provisions, Section 160.101--Statutory Basis and 
Purpose

    This section sets out the statutory basis and purpose of the HIPAA 
Rules. We propose a technical change to include a reference to the 
provisions of the HITECH Act upon which most of the regulatory changes 
proposed below are based.

B. Subpart A--General Provisions, Section 160.102--Applicability

    This section sets out to whom the HIPAA Rules apply. We propose to 
add a new paragraph (b) to make clear, consistent with the provisions 
of the HITECH Act that are discussed more fully below, that the 
standards, requirements, and implementation specifications of the 
subchapter apply to business associates, where so provided.

C. Subpart A--General Provisions, Section 160.103--Definitions

    Section 160.103 contains definitions of terms that appear 
throughout the HIPAA Rules. For ease of reference, we propose to move 
several definitions currently found at Sec.  160.302 to Sec.  160.103 
without substantive change to the definitions themselves. This category 
includes definitions of the following terms: ``ALJ,'' ``civil money 
penalty,'' and ``violation or violate.'' As the removal of these 
definitions, along with the removal of other definitions discussed 
below (e.g., ``administrative simplification provision'' and 
``respondent''), would leave Sec.  160.302 unpopulated, we propose to 
reserve that section. We also propose to remove a comma from the 
definition of ``disclosure'' inadvertently inserted into the definition 
in a prior rulemaking, which is not intended as a substantive change to 
the definition. In addition, we propose to replace the term 
``individually identifiable health information'' with ``protected 
health information'' in the definition of ``standard'' to better 
reflect the scope of the Privacy and Security Rules. Further, we 
propose the following definitional changes:
1. Definition of ``Administrative Simplification Provision''
    This definition is currently located in the definitions section of 
subpart C of part 160 of the HIPAA Enforcement Rule. We propose to 
remove the definition of this term from Sec.  160.302 and move it to 
the definitions section located at Sec.  160.103 for clarity and 
convenience, as the term is used repeatedly throughout the entire part 
160. We also propose to add to the definition a reference to sections 
13400-13424 of the HITECH Act.
2. Definition of ``Business Associate''
    Sections 164.308(b) of the Security Rule and 164.502(e) of the 
Privacy Rule require a covered entity to enter into a contract or other 
written agreement or arrangement with its business associates. The 
purpose of these contracts or other arrangements, generally known as 
business associate agreements, is to provide some legal protection when 
protected health information is being handled by another person (a 
natural person or legal entity) on behalf of a covered entity. The 
HIPAA Rules define ``business associate'' generally to mean a person 
who performs functions or activities on behalf of, or certain services 
for, a covered entity that involve the use or disclosure of protected 
health information. Examples of business associates include third party 
administrators or pharmacy benefit managers for health plans, claims 
processing or billing companies, transcription companies, and persons 
who perform legal, actuarial, accounting, management, or administrative 
services for covered entities and who require access to protected 
health information. We propose a number of modifications to the 
definition of ``business associate.'' In particular, we propose to 
modify the definition to conform the term to the statutory provisions 
of PSQIA, 42 U.S.C. 299b-21, et seq., and the HITECH Act. Additional 
modifications are made for the purpose of clarifying circumstances when 
a business associate relationship exists and for general clarification 
of the definition.
a. Inclusion of Patient Safety Organizations
    We propose to add patient safety activities to the list of 
functions and activities a person may undertake on behalf of a covered 
entity that give rise to a business associate relationship. PSQIA, at 
42 U.S.C. 299b-22(i)(1), provides that Patient Safety Organizations 
(PSOs) must be treated as business associates when applying the Privacy 
Rule. PSQIA provides for the establishment of PSOs to receive reports 
of patient safety events or concerns from providers and provide 
analyses of events to reporting providers. A reporting provider may be 
a HIPAA covered entity and, thus, information reported to a PSO may 
include protected health information that the PSO may analyze on behalf 
of the covered provider. The analysis of such information is a patient 
safety activity for purposes of PSQIA and the Patient Safety Rule, 42 
CFR 3.10, et seq. While the HIPAA Rules as written would encompass a 
PSO as a business associate when the PSO was performing quality 
analyses and other activities on behalf of a covered health care 
provider, we propose this change to the definition of business 
associate to more clearly align the HIPAA and Patient Safety Rules.
    We note that in some cases a covered health care provider, such as 
a public or private hospital, may have a component PSO that performs 
patient safety activities on behalf of the health care provider. See 42 
CFR 3.20. In such cases, the component PSO would not be a business 
associate of the covered entity but rather the persons performing 
patient safety activities would be workforce members of the covered 
entity. However, if the component PSO contracts out some of its patient 
safety activities to a third party, the third party would be a business 
associate of the covered entity. In addition, if a component PSO of one 
covered entity performs patient safety activities for another covered 
entity, such component PSO would be a business associate of the other 
covered entity.
b. Inclusion of Health Information Organizations (HIO), E-Prescribing 
Gateways, and Other Persons That Facilitate Data Transmission; as Well 
as Vendors of Personal Health Records
    Section 13408 of the HITECH Act, which became effective on February 
18, 2010, provides that an organization, such as a Health Information 
Exchange Organization, E-prescribing Gateway, or Regional Health 
Information Organization, that provides data transmission of protected 
health information to a covered entity (or its business associate) and 
that requires access on a routine basis to such protected health 
information must be treated as a business associate for purposes of the 
Act and the HIPAA Privacy and Security Rules. Section 13408 also 
provides that a vendor that contracts with a covered entity to allow 
the covered entity to offer a personal health record to patients as 
part of the covered entity's electronic health record shall be treated 
as a business associate. Section 13408 requires that such organizations 
and vendors enter into a written business associate contract or other 
arrangement with the covered entity in accordance with the HIPAA Rules.
    In accordance with the Act, we propose to modify the definition of 
``business associate'' to explicitly designate these persons as 
business

[[Page 40873]]

associates. Under proposed paragraphs (3)(i) and (ii) of the 
definition, the term ``business associate'' would include: (1) A Health 
Information Organization, E-prescribing Gateway, or other person that 
provides data transmission services with respect to protected health 
information to a covered entity and that requires routine access to 
such protected health information; and (2) a person who offers a 
personal health record to one or more individuals on behalf of a 
covered entity.
    Section 13408 of the Act makes reference to Health Information 
Exchange Organizations; however, we instead include in the proposed 
definition the term ``Health Information Organization'' because it is 
our understanding that ``Health Information Organization'' is the more 
widely recognized and accepted term to describe an organization that 
oversees and governs the exchange of health-related information among 
organizations.\2\ Section 13408 of the Act also specifically refers to 
Regional Health Information Organizations. However, we do not believe 
the inclusion of the term in the definition of ``business associate'' 
is necessary as a Regional Health Information Organization is simply a 
Health Information Organization that governs health information 
exchange among organizations within a defined geographic area.\3\ 
Further, the specific terms of ``Health Information Organization'' and 
``E-prescribing Gateway'' are merely illustrative of the types of 
organizations that would fall within this paragraph of the definition 
of ``business associate.'' We request comment on the use of these terms 
within the definition and whether additional clarifications or 
additions are necessary.
---------------------------------------------------------------------------

    \2\ Department of Health and Human Services, Office of the 
National Coordinator for Health Information Technology, The National 
Alliance for Health Information Technology Report to the Office of 
the National Coordinator For Health Information Technology: Defining 
Key Health Information Terms, Pg. 24 (2008).
    \3\ Id. at 25.
---------------------------------------------------------------------------

    Section 13408 also provides that the data transmission 
organizations that the Act requires to be treated as business 
associates are those that require access to protected health 
information on a routine basis. Conversely, data transmission 
organizations that do not require access to protected health 
information on a routine basis would not be treated as business 
associates. This is consistent with our prior interpretation of the 
definition of ``business associate,'' through which we have indicated 
that entities that act as mere conduits for the transport of protected 
health information but do not access the information other than on a 
random or infrequent basis are not business associates. See https://www.hhs.gov/ocr/privacy/hipaa/faq/providers/business/245.html. In 
contrast, however, entities that manage the exchange of protected 
health information through a network, including providing patient 
locator services and performing various oversight and governance 
functions for electronic health information exchange, have more than 
``random'' access to protected health information and thus, would fall 
within the definition of ``business associate.''
c. Inclusion of Subcontractors
    We propose to add language in paragraph (3)(iii) of the definition 
of ``business associate'' to provide that subcontractors of a covered 
entity--i.e., those persons that perform functions for or provide 
services to a business associate, other than in the capacity as a 
member of the business associate's workforce, are also business 
associates to the extent that they require access to protected health 
information. We also propose to include a definition of 
``subcontractor'' in Sec.  160.103 to make clear that a subcontractor 
is a person who acts on behalf of a business associate, other than in 
the capacity of a member of the workforce of such business associate. 
Even though we use the term ``subcontractor,'' which implies there is a 
contract in place between the parties, we note that the definition 
would apply to an agent or other person who acts on behalf of the 
business associate, even if the business associate has failed to enter 
into a business associate contract with the person. We request comment 
on the use of the term ``subcontractor'' and its proposed definition.
    The proposed modifications are similar in structure and effect to 
the Privacy Rule's initial extension of privacy protections from 
covered entities to business associates through contract requirements 
to protect downstream protected health information. The proposed 
provisions avoid having privacy and security protections for protected 
health information lapse merely because a function is performed by an 
entity that is a subcontractor rather than an entity with a direct 
relationship with a covered entity. Allowing such a lapse in privacy 
and security protections may allow business associates to avoid 
liability imposed upon them by sections 13401 and 13404 of the Act, 
thus circumventing the congressional intent underlying these 
provisions. The proposed definition of ``subcontractor'' also is 
consistent with Congress' overall concern that the privacy and security 
protections of the HIPAA Rules extend beyond covered entities to those 
entities that create or receive protected health information in order 
for the covered entity to perform its health care functions. For 
example, as discussed above, section 13408 makes explicit that certain 
types of entities providing services to covered entities--e.g., vendors 
of personal health records--shall be considered business associates. 
Therefore, consistent with Congress' intent in sections 13401 and 13404 
of the Act, as well as its overall concern that the HIPAA Rules extent 
beyond covered entities to those entities that create or receive 
protected health information, we propose that downstream entities that 
work at the direction of or on behalf of a business associate and 
handle protected health information would also be required to comply 
with the applicable Privacy and Security Rule provisions in the same 
manner as the primary business associate, and likewise would incur 
liability for acts of noncompliance. We note, and further explain 
below, that this proposed modification would not require the covered 
entity to have a contract with the subcontractor; rather, the 
obligation would remain on each business associate to obtain 
satisfactory assurances in the form of a written contract or other 
arrangement that a subcontractor will appropriately safeguard protected 
health information. For example, under this proposal, if a business 
associate, such as a third party administrator, hires a company to 
handle document and media shredding to securely dispose of paper and 
electronic protected health information, then the shredding company 
would be directly required to comply with the applicable requirements 
of the HIPAA Security Rule (e.g., with respect to proper disposal of 
electronic media) and the Privacy Rule (e.g., with respect to limiting 
its uses and disclosures of the protected health information in 
accordance with its contract with the business associate).
d. Exceptions to Business Associate
    We also propose to move the provisions at Sec. Sec.  164.308(b)(2) 
and 164.502(e)(1)(ii) to the definition of business associate. These 
provisions provide that in certain circumstances, such as when a 
covered entity discloses protected health information to a health care 
provider concerning the treatment of an individual, a covered entity is 
not required to enter into a business

[[Page 40874]]

associate contract or other arrangement with the recipient of the 
protected health information. While we do not change the meaning of 
these provisions, we believe these limitations on the scope of 
``business associate'' are more appropriately placed in the definition 
as exceptions to the term to make clear that the Department does not 
consider the recipients of the protected health information in these 
circumstances to be business associates. The movement of these 
exceptions and refinement of the definition of ``business associate'' 
also would help clarify that a person is a business associate if it 
meets the definition of ``business associate,'' even if a covered 
entity, or business associate with respect to a subcontractor, fails to 
enter into the required contract with the business associate.
e. Technical Changes to the Definition
    For clarity and consistency, we also propose to change the term 
``individually identifiable health information'' in the current 
definition of ``business associate'' to ``protected health 
information,'' since a business associate has no obligations under the 
HIPAA Rules with respect to individually identifiable health 
information that is not protected health information.
3. Definition of ``Compliance Date''
    The term ``compliance date'' currently refers only to covered 
entities. We propose a technical change to include business associates 
in the term, in light of the HITECH Act amendments, which apply certain 
provisions of the HIPAA Rules to business associates.
4. Definition of ``Electronic Media''
    The term ``electronic media'' was originally defined in the 
Transactions and Code Sets Rule issued on August 17, 2000 (65 FR 50312) 
and was included in the definitions at Sec.  162.103. That definition 
was subsequently revised and moved to Sec.  160.103. The purpose of the 
revision was to clarify that--

    the physical movement of electronic media from place to place is 
not limited to magnetic tape, disk, or compact disk. This 
clarification removes a restriction as to what is considered to be 
physical electronic media, thereby allowing for future technological 
innovation. We further clarified that transmission of information 
not in electronic form before the transmission, for example, paper 
or voice, is not covered by this definition.

68 FR 8339, Feb. 20, 2003.
    We propose to revise the definition of ``electronic media'' in the 
following ways. First, we would revise paragraph (1) of the definition 
to conform it to current usage, as set forth in ``Guidelines for Media 
Sanitization'' (Definition of Medium, NIST SP 800-88, Glossary B, p. 27 
(2006)). The NIST definition, which was updated subsequent to the 
issuance of the Privacy and Security Rules, was developed in 
recognition of the likelihood that the evolution of development of new 
technology would make use of the term ``electronic storage media'' 
obsolete in that there may be ``storage material'' other than ``media'' 
that house electronic data. Second, we would add to paragraph (2) of 
the definition of ``electronic media'' a reference to intranets, to 
clarify that intranets come within the definition. Third, we propose to 
change the word ``because'' to ``if'' in the final sentence of 
paragraph (2) of the definition of ``electronic media.'' The definition 
assumed that no transmissions made by voice via telephone existed in 
electronic form before transmission; the evolution of technology has 
made this assumption obsolete. This modification would extend the 
policy described in the preamble discussion quoted above, but correct 
its application to current technology, where some voice technology is 
digitally produced from an information system and transmitted by phone.
5. Definition of ``Protected Health Information''
    We propose to modify the definition of ``protected health 
information'' at Sec.  160.103 to provide that the Privacy and Security 
Rules do not protect the individually identifiable health information 
of persons who have been deceased for more than 50 years. This proposed 
modification is explained more fully below in Section VI.E. of the 
preamble where we discuss the proposed changes to the Privacy Rule 
related to the protected health information of decedents.
6. Definition of ``Respondent''
    The definition of the term ``Respondent,'' which is currently in 
Sec.  160.302, would be moved to Sec.  160.103. A reference to 
``business associate'' would be added following the reference to 
``covered entity'' in recognition of the potential liability imposed on 
business associates for violations of certain provisions of the Privacy 
and Security Rules by sections 13401 and 13404 of the Act.
7. Definition of ``State''
    The HITECH Act at section 13400, which became effective February 
18, 2010, includes a definition of ``State'' to mean ``each of the 
several States, the District of Columbia, Puerto Rico, the Virgin 
Islands, Guam, American Samoa, and the Northern Mariana Islands.'' This 
definition varies from paragraph (2) of the HIPAA definition of 
``State'' at Sec.  160.103, which does not include reference to 
American Samoa and the Northern Mariana Islands. Thus, for consistency 
with the definition applied to the HIPAA Rules by the HITECH Act, we 
propose to add reference to American Samoa and the Commonwealth of the 
Northern Mariana Islands in paragraph (2) of the definition of 
``State'' at Sec.  160.103.
8. Definition of ``Workforce''
    The HITECH Act is directly applicable to business associates and 
has extended liability for compliance with certain provisions of the 
Privacy and Security Rules to business associates. Because some 
provisions of the Act and the Privacy and Security Rules place 
obligations on the business associate with respect to workforce 
members, we propose to revise the definition of ``workforce member'' in 
Sec.  160.103 to make clear that such term includes the employees, 
volunteers, trainees, and other persons whose conduct, in the 
performance of work for a business associate, is under the direct 
control of the business associate.

D. Subpart B--Preemption of State Law, Section 160.201--Statutory Basis

    We propose to modify Sec.  160.201 regarding the statutory basis 
for the preemption of State law provisions to add a reference to 
section 264(c) of HIPAA, which contains the statutory basis for the 
exception to preemption at Sec.  160.203(b) for State laws that are 
more stringent than the HIPAA Privacy Rule. We also propose to add a 
reference to section 13421(a) of the HITECH Act, which applies HIPAA's 
preemption rules to the HITECH Act's privacy and security provisions. 
Finally, we propose to re-title the provision to read ``Statutory 
basis'' instead of ``Applicability.''
    We also take this opportunity to make clear that section 264(c)(2) 
of HIPAA and Sec.  160.203(b) do not create a Federal evidentiary 
privilege. Additionally, we take this opportunity to make clear that 
neither the HIPAA statute nor its implementing regulations give effect 
to State physician-patient privilege laws or provisions of State law 
relating to the privacy of individually identifiable health information 
for use in Federal court proceedings. Therefore, consistent with the 
Supremacy Clause, any State law that was preempted prior to HIPAA 
because of conflicts with a Federal law would continue to be preempted. 
Nothing in HIPAA or its implementing regulations is intended to expand 
the

[[Page 40875]]

scope of State laws, regardless of whether they are more or less 
stringent than Federal law.

E. Subpart B--Preemption of State Law, Section 160.202--Definitions.

1. Definition of ``Contrary''
    The term ``contrary'' is currently defined in Sec.  160.202 to make 
clear when the preemption provisions of HIPAA apply to State law. 
Consistent with the limited application of the HIPAA provisions to 
covered entities only, the current definition of the term ``contrary'' 
does not include reference to business associates. However, section 
13421(a) of the HITECH Act provides that the HIPAA preemption provision 
(section 1178 of the Social Security Act) applies to the provisions and 
requirements under the HITECH Act ``in the same manner'' as it would 
apply under the HIPAA provisions. Thus, the preemption provisions would 
apply to business associates, who are now, by virtue of the HITECH Act, 
required to comply with certain provisions of the HIPAA Rules and are 
subject to penalties for noncompliance, as discussed elsewhere. Thus, 
we propose to amend the definition of ``contrary'' by inserting 
references to business associates in paragraph (1) of the definition. 
We also expand the reference to the HITECH statutory provisions in 
paragraph (2) of the definition to encompass all of the sections of 
subtitle D of the HITECH Act, rather than merely to section 13402, 
which was added by the breach notifications regulations. These changes 
would give effect to section 13421(a).
2. Definition of ``More Stringent''
    The term ``more stringent'' is part of the statutory preemption 
language under HIPAA. HIPAA preempts State law that is contrary to a 
HIPAA privacy standard unless, among other exceptions, the State law is 
more stringent than the contrary HIPAA privacy standard. The current 
regulatory definition of ``more stringent'' does not include business 
associates. We propose to amend the definition to add a reference to 
business associates, for the reasons set out in the preceding 
discussion.

IV. Section-by-Section Description of the Proposed Amendments to the 
Enforcement Rule--Subparts C and D of Part 160

    Section 13410 of the HITECH Act made several amendments that 
directly impact the Enforcement Rule, which applies to the Secretary's 
enforcement of all of the HIPAA Administrative Simplification Rules, as 
well as the recently promulgated Breach Notification Rule. We issued an 
interim final rule on October 30, 2009, 74 FR 56123, to address the 
HITECH Act amendments impacting the Enforcement Rule that became 
effective on February 18, 2009. For context, we describe those 
modifications to the Enforcement Rule briefly below. We then provide a 
section-by-section description of the other section 13410 amendments 
that are part of this proposed rule.
    In addition, sections 13401 and 13404 of the HITECH Act impose 
direct civil money penalty liability on business associates for 
violations of the HITECH Act and certain Privacy and Security Rule 
provisions. In doing so, sections 13401(b) and 13404(c) of the Act 
provide that section 1176 of the Social Security Act shall apply to a 
violation by a business associate ``in the same manner'' as it would 
apply to a covered entity with respect to such a violation. Both 
provisions are, by virtue of section 13423, effective February 18, 
2010.
    The provisions of subparts C and D of part 160 currently apply by 
their terms solely to covered entities. Accordingly, to implement 
sections 13401(b) and 13404(c) of the Act, we propose to revise a 
number of provisions in both subparts to reflect this statutory change 
by adding the term ``business associate'' where appropriate, following 
a reference to ``covered entity.'' For ease, we list the sections in 
which the term ``business associate'' is added here rather than repeat 
the change in each discussion of the sections below: Sec. Sec.  
160.300; 160.304; 160.306(a) and (c); 160.308; 160.310; 160.312; 
160.316; 160.401; 160.402; 160.404(b); 160.406; 160.408(c) and (d); and 
160.410(a) and (c).
    In addition to these references, we propose to add a paragraph in 
Sec.  160.402(c)(2) to describe a business associate's liability for 
the actions of its agents, in accordance with the Federal common law of 
agency. This proposed modification is discussed more fully below in the 
discussion of Sec.  160.402(c).
    As noted above, the Department issued an interim final rule (IFR) 
on October 30, 2009, revising the Enforcement Rule to incorporate the 
provisions required by section 13410(d) of the HITECH Act that 
immediately took effect: Four categories of violations that reflect 
increasing levels of culpability, the corresponding tiers of civil 
money penalty amounts, and the revised limitations placed on the 
Secretary's authority to impose penalties. More specifically, the IFR 
revised subpart D of the Enforcement Rule to transfer the definitions 
of ``reasonable cause,'' ``reasonable diligence,'' and ``willful 
neglect'' from Sec.  160.410(a) to a new definitions section at Sec.  
160.401. The IFR revised Sec.  160.404 to incorporate, for violations 
occurring on or after February 18, 2009, the new penalty scheme 
required by section 13410(d), as follows: For violations in which it is 
established that the covered entity did not know and, by exercising 
reasonable diligence, would not have known that the covered entity 
violated a provision, an amount not less than $100 or more than $50,000 
for each violation; for a violation in which it is established that the 
violation was due to reasonable cause and not to willful neglect, an 
amount not less than $1000 or more than $50,000 for each violation; for 
a violation in which it is established that the violation was due to 
willful neglect and was timely corrected, an amount not less than 
$10,000 or more than $50,000 for each violation; and for a violation in 
which it is established that the violation was due to willful neglect 
and was not timely corrected, an amount not less than $50,000 for each 
violation; except that a penalty for violations of the same requirement 
or prohibition under any of these categories may not exceed $1,500,000 
in a calendar year. It also revised the affirmative defenses in Sec.  
160.410 for violations occurring on or after February 18, 2009, to 
remove a covered entity's lack of knowledge as an affirmative defense 
and to provide an affirmative defense when violations not due to 
willful neglect are corrected within 30 days. Finally, the IFR added a 
requirement that a notice of proposed determination pursuant to Sec.  
160.420 also reference the applicable category of violation. Readers 
are encouraged to refer to the IFR for a more detailed discussion of 
these topics as well as the Enforcement Rule's statutory and regulatory 
background. See 74 FR 56123, 56124, Oct. 30, 2009.
    The rules proposed below would revise many provisions of subparts C 
and D of part 160. However, the Department's current interpretations of 
the regulatory provisions at subparts C and D continue unchanged, 
except to the extent they are inconsistent with the changes to those 
provisions, as indicated below.

A. Subpart C--Compliance and Investigations, Section 160.304--
Principles for Achieving Compliance

    Section 160.304 identifies cooperation and assistance as two 
overarching principles for achieving compliance. The principle of 
cooperation, in Sec.  160.304(a), states that ``[t]he Secretary will, 
to the extent practicable, seek the cooperation of covered entities in

[[Page 40876]]

obtaining compliance with the applicable administrative simplification 
provisions.''
    Section 13410(a) of the HITECH Act adds a new subsection (c) to 
section 1176 of the Social Security Act:

    (c) NONCOMPLIANCE DUE TO WILLFUL NEGLECT.--
    (1) IN GENERAL.--A violation of a provision of this part due to 
willful neglect is a violation for which the Secretary is required 
to impose a penalty under subsection (a)(1).
    (2) REQUIRED INVESTIGATION.--For purposes of paragraph (1), the 
Secretary shall formally investigate any complaint of a violation of 
a provision of this part if a preliminary investigation of the facts 
of the complaint indicate such a possible violation due to willful 
neglect.

Section 13410(b)(1) makes the provisions of section 13410(a) effective 
February 18, 2011.
    Under section 1176(c), HHS is required to impose a civil money 
penalty for violations due to willful neglect. Accordingly, although 
the Secretary often will still seek to correct indications of 
noncompliance through voluntary corrective action, there may be 
circumstances (such as circumstances indicating willful neglect), where 
the Secretary may seek to proceed directly to formal enforcement. As a 
conforming amendment, HHS proposes to add the phrase, ``and consistent 
with the provisions of this subpart,'' to Sec.  160.304(a) to recognize 
the statutory revision.

B. Subpart C--Compliance and Investigations, Section 160.306(c)--
Complaints to the Secretary

    Section 160.306(c) of the Enforcement Rule currently provides the 
Secretary with discretion to investigate HIPAA complaints, through use 
of the word ``may.'' The new willful neglect provisions, at section 
1176(c)(2) of the Social Security Act, will require HHS to investigate 
``any complaint of a violation of a provision of this part if a 
preliminary investigation of the facts of the complaint indicates * * * 
a possible violation due to willful neglect.''
    HHS proposes to implement section 1176(c)(2) by adding a new 
paragraph (1) at Sec.  160.306(c) to provide that the Secretary will 
investigate any complaint filed under this section when a preliminary 
review of the facts indicates a possible violation due to willful 
neglect. As a practical matter, HHS currently conducts a preliminary 
review of every complaint received and proceeds with the investigation 
in every eligible case where its preliminary review of the facts 
indicate a possible violation of the HIPAA Rules. Nevertheless, we 
propose this addition to Sec.  160.306 to make clear our intention to 
pursue an investigation where a preliminary review of the facts 
indicates a possible violation due to willful neglect.
    HHS proposes to conform the remainder of Sec.  160.306(c) 
accordingly. The new Sec.  160.306(c)(2) (presently, the initial 
sentence of Sec.  160.306(c)) would be revised by replacing 
``complaints'' with ``any other complaint'' to distinguish the 
Secretary's discretion with respect to complaints for which HHS's 
preliminary review of the facts does not indicate a possible violation 
due to willful neglect from the statutory requirement to investigate 
all complaints for which HHS's preliminary review of the facts 
indicates a possible violation due to willful neglect, as set out in 
the new Sec.  160.306(c)(1). The current second sentence of Sec.  
160.306(c), which addresses the content of an investigation, would be 
renumbered as Sec.  160.306(c)(3) and amended by changing the first 
word of the sentence from ``such'' to ``an,'' to signal the provision's 
application to any investigation, regardless of whether a preliminary 
review of the facts indicates a possible violation due to willful 
neglect.

C. Subpart C--Compliance and Investigations, Section 160.308--
Compliance Reviews

    Section 160.308 provides that the Secretary may conduct compliance 
reviews. Use of the word ``may'' in this section makes clear that this 
is a discretionary activity. While complaints and not compliance 
reviews are specifically mentioned in the statutory language of section 
13410(a)(1)(B) of the Act