- HHS Issues Final HIPAA Enforcement Rule
- March 1, 2006 | Author: Jan E. Murray
- Law Firms: Squire, Sanders & Dempsey L.L.P. - Columbus Office ; Squire, Sanders & Dempsey L.L.P. - Cleveland Office ; Squire, Sanders & Dempsey L.L.P. - Columbus Office ; Squire, Sanders & Dempsey L.L.P. - Cleveland Office
On February 16, 2006, the Department of Health and Human Services (HHS) published the long-anticipated final enforcement rule for the imposition of civil money penalties on entities that violate the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final enforcement rule (1) expands the existing investigative procedures for enforcement of the privacy rule to all of the rules adopted under HIPAA's administrative simplification provisions; (2) finalizes interim procedures for investigations and the imposition, and challenges to the imposition, of civil money penalties; and (3) addresses procedural matters such as appellate review and HHS' policies for determining violations and calculating penalties.
HIPAA's Administrative Simplification provisions require HHS to adopt national standards to facilitate the exchange, and protect the privacy and security, of certain health information. To date, HHS has adopted standards for electronic transaction and code sets, privacy, security and unique identifiers for employers and health care providers. Standards for claims attachments and health plan identifiers are still pending. Covered entities subject to the Administrative Simplification provisions include health plans, health care clearinghouses, providers that electronically transmit health information in connection with standardized transactions, and prescription drug card sponsors.
All HIPAA violations are subject to statutorily defined civil money penalties enforceable by the HHS Centers for Medicare & Medicaid Services (except for the Privacy Rule, which is administered and enforced by the HHS Office for Civil Rights) and criminal penalties enforceable by the Department of Justice. Civil penalties can be as much as $100 per violation subject to a $25,000 statutory cap on liability for violations of an identical provision in a calendar year. Criminal sanctions range from $50,000 and/or one year imprisonment for knowing violations to $250,000 and/or 10 years imprisonment for intentional violations for commercial advantage.
Summary of Key Provisions of the Enforcement Rule
HHS takes a complaint-driven approach to ensuring compliance with the enforcement rule. HHS will attempt to resolve complaints through informal means (e.g., demonstrated compliance, completed corrective action plan) and will resort to civil money penalties when a matter cannot be resolved by informal means. HHS also will attempt to use informal means to resolve the negative results of compliance reviews.
The enforcement rule outlines the requirements for filing a complaint, which only can be filed against a covered entity by any person or public or private entity within 180 days of when the complainant knew or should have known the act or omission occurred. HHS may waive this time limit for good cause. HHS has six years from the date the violation occurred to take action.
The covered entity will be informed of any matters that are not resolved by informal means and will have the opportunity to submit evidence of any mitigating factors or affirmative defenses within 30 days of receiving HHS' notice of nonresolution. Thereafter, if HHS determines that a civil money penalty should be imposed, it will provide the covered entity with a notice of proposed determination. If HHS determines that no further action is warranted, it will notify the covered entity and the complainant, if any.
The covered entity has 90 days from the receipt of notice of the determination to request a hearing before an administrative law judge and 30 days from the date of service of the administrative law judge's decision to appeal to the HHS Departmental Appeals Board. The enforcement rule also addresses the procedural requirements for HHS to issue subpoenas.
Once a penalty becomes final, HHS will notify the public, the appropriate state or local medical or professional organization, the agency that administers the state health care program, the appropriate utilization review and quality control peer review organization and the appropriate state or local licensing agencies.
Covered Entity Responsibilities
The enforcement rule imposes responsibilities on covered entities including the following:
- Maintain and submit compliance records to HHS.
- Permit HHS access to facilities, books, records and accounts pertaining to the administrative simplification provisions. If requested information is held by a third party who fails to furnish the information, the covered entity must so certify and identify its efforts to obtain the information.
- Cooperate with HHS in any investigations of compliance reviews of the covered entity's policies, procedures or practices in connection with the administrative simplification provisions.
- Refrain from intimidating or retaliating against any complainant or other person assisting in the investigation or proceeding.
Affiliated Covered Entities
A covered entity that is a member of an affiliated covered entity is jointly and severally liable for a civil money penalty based on an act or omission of the affiliated covered entity unless another covered entity is found to be responsible for the violation. There is also an exception for civil money liability where the act or omission was caused by a business associate.
For continuing violations of a provision, a separate violation occurs each day the covered entity violates the provision. The rule permits HHS to use a statistical sampling as evidence of the number of violations to determine the amount of the civil money penalty.
In determining the amount of the civil money penalty, HHS considers the nature and circumstances of the violation, the degree of culpability of the covered entity, the covered entity's prior compliance history and the financial condition of the covered entity.
HHS is not permitted to impose a civil money penalty on a covered entity if any of the following affirmative defenses are established:
- The violation is punishable as a criminal act.
- The covered entity did not have knowledge of the violation committed by its agent and would not have known of the violation even by exercising reasonable diligence.
- The violation is due to reasonable cause and not willful neglect and is corrected.
The enforcement rule becomes effective March 16, 2006. Please contact your Squire Sanders lawyer or any of the lawyers listed in this alert for assistance with the enforcement rule or other HIPAA requirements.