• HHS Proposes Expanded HIPAA Enforcement Rule
  • July 8, 2005 | Author: Rebekah A.Z. Monson
  • Law Firms: Pepper Hamilton LLP - Washington Office ; Pepper Hamilton LLP - Philadelphia Office
    On April 18, 2005, the U.S. Department of Health and Human Services (HHS) published a proposed rule to complete the enforcement regulations for the HIPAA administrative simplification regulations (including transaction and code standards, privacy, security and standard identifiers). This proposed rule would amend existing components of the regulations relating to compliance with, and enforcement of, the HIPAA administrative simplification regulations (the HIPAA rules) and add new provisions for civil monetary penalties (CMPs) on entities that violate the HIPAA rules.

    The HIPAA statute established CMPs and criminal penalties for violations. HHS enforces the CMPs and the U.S. Department of Justice (DOJ) enforces the criminal penalties. (We plan on addressing the recent DOJ opinion on criminal penalties in an upcoming article.) The HIPAA privacy rule (which all covered entities were required to comply with by April 14, 2004) included provisions for compliance and enforcement, but only for compliance with the privacy rule. An interim final rule detailing procedural requirements for the imposition of CMPs was published on April 17, 2003.

    HHS' Voluntary Compliance Approach to Enforcement

    For most covered entities (health plans, health care clearinghouses, health care providers who transmit health information in electronic form in connection with HIPAA-covered transactions, and prescription drug card sponsors under the Medicare Prescription Drug, Improvement and Modernization Act of 2003), a key part of this proposed rule is the confirmation of HHS' voluntary compliance approach to enforcement. HHS emphasizes that it is "committed to promoting and encouraging voluntary compliance with the HIPAA rules through education, cooperation and technical assistance." Currently, compliance and enforcement activities are primarily complaint-based; however, HHS points out that it has the authority to conduct compliance reviews of covered entities on its own initiative. Only when HHS is unable to obtain compliance through voluntary and informal means are CMPs to be sought.

    The proposed rule also would expand the scope of the current compliance and enforcement regulations to cover all of the HIPAA rules. This is designed to reinforce the HHS Secretary's priority for the agency to have a consistent message. Also, the expansion was needed because the HIPAA statute only includes one statutory provision for imposing CMPs. To effect this approach, many existing sections of the regulations would be re-organized. In particular, the enforcement rule organizes Subparts C, D and E to reflect the stages of the enforcement process.

    Definition of "Person" -- Subpart A

    The enforcement rule would amend Subpart A, which contains the general provisions to the HIPAA rules, to add a definition for the term "person" to 45 CFR § 160.103. By placing the definition in Subpart A, the definition would apply throughout the HIPAA rules. The proposed definition is intended to be broad enough to encompass the categories included in the statutory definition of "person" in the Social Security Act (SSA) and HIPAA covered entities. HHS explained the necessity of including an expanded definition of "person" in the HIPAA regulations to ensure that Congress' intent in applying the statutory HIPAA requirement to covered entities would not be defeated because certain covered entities might not be covered by the definition of "person" in the SSA. The definition of "person" under the SSA is "an individual, a trust or estate, a partnership or corporation."

    HHS proposes to substitute "natural person" for the SSA's use of the term "individual" so as to distinguish from the defined term "individual" used throughout the HIPAA rules, which is defined as the person who is the subject of protected health information. The proposed amendment would add to the defined term "professional association or corporation or other entity, public or private," as certain covered entities are state or federal programs or other public entities which may not be included in the SSA definition of "person." The proposed definition is as follows:

    Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

    Compliance and Investigations -- Subpart C

    HHS proposes to amend Subpart C of the HIPAA rules to make the compliance and investigation provisions of the subpart applicable to all of the HIPAA rules. This would include moving certain provisions elsewhere in the HIPAA rules to Subpart C. The reorganized and amended Subpart C is "intended to provide a cooperative approach to obtaining compliance, including use of technical assistance and informal means to resolve disputes." With a few exceptions, the substance of existing Subpart C would not be amended by the enforcement rule.

    Currently, Subpart C applies only to compliance with the privacy rule; the enforcement rule would make the compliance and investigation provisions applicable to all of the HIPAA rules. A uniform regulatory scheme would simplify the process, particularly where a covered entity violates provisions of more than one rule, HHS explained.

    Two new definitions would be included in Subpart C (45 CFR § 160.302). First, the term "administrative simplification provision" would be added to address the scope of the compliance and investigation requirements. The HIPAA statute provides that the Secretary of HHS shall impose on any person who "violates a provision of this part a penalty . . ." The proposed definition interprets the phrase "provision of this part" to refer to any requirement or prohibition established by the HIPAA statute or any of the regulations promulgated under the statute, regardless of whether the requirement or prohibition falls within a standard, implementation specification or other stand-alone provision. The use of the words "requirement or prohibition," HHS explains, stems from the statutory use of the same phrase.

    Second, the term "violation or to violate" would be defined to mean "a failure to comply with an administrative simplification provision." This proposed definition does not distinguish between violations by commission and violations by omission: a covered entity can violate the rules by failing to take a required action as well as by taking a prohibited action.

    Additional provisions are proposed in section 160.314 regarding investigational subpoenas and inquiries. The text of this section was adopted as part of the interim final enforcement rule of April 2003; the proposed enforcement rule would add a number of provisions, many based on existing non-HIPAA regulations, setting out the procedures for investigational inquiries.

    A new section 160.316 would prohibit covered entities from threatening, intimidating, coercing, discriminating or taking other retaliatory action against individuals who complain or otherwise assist HHS in the enforcement process.

    Imposition of Civil Monetary Penalties -- Subparts D and E

    The bulk of the rule details how CMPs would be assessed, procedures for hearings and covered entities' rights to challenge CMPs. These details will be critical for any covered entity unable to resolve a HIPAA complaint or alleged violation through informal means.

    Section 1176(a)(1) of the HIPAA statute provides that the Secretary of HHS shall impose:

    on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000

    In the proposed rule, HHS attempts to clarify a number of the inherent ambiguities in this provision, which have led to confusion regarding the imposition of civil penalties for HIPAA violations.

    Proposed new Subpart D, titled "Imposition of Civil Monetary Penalties," addresses the issuance of a notice of proposed determination to impose a CMP, whether a hearing would follow, identifying and determining the number of violations, calculating CMPs and available affirmative defenses. Subpart E, as reorganized and modified, addresses the pre-hearing and hearing phases of the enforcement process. Key points include:

    • Violations by Multiple Parties. Where multiple covered entities violate a HIPAA provision, a CMP will be imposed on each of them. Affiliated entities will be jointly and severally liable.
    • Liability for Agents; Business Associates. In general, a covered entity will be held liable for CMPs based on the actions of its agents (such as employees or other members of its workforce).

      To the extent that an agent is a business associate, a covered entity will not be responsible for violations committed by its agent business associates, provided that the entity complied with the business associate provisions of the HIPAA rules, did not know of a pattern of activity or practice of the business associate that would violate HIPAA and took reasonable steps to cure any known violation, or if not feasible, took other steps (e.g., ending the business associate arrangement).

      HHS has previously issued guidance stating that covered entities are not required to monitor the activities of their business associates, and that they are not responsible or liable for the actions of their business associates. Proposed section 160.402(c) is consistent with this guidance: only if a covered entity fails to comply with the business associate provisions may it be found liable for violations by its business associate agents.

    • Calculating the Amount of CMPs. The HIPAA statute provides the maximum amount of CMPs ($100 per violation and up to $25,000 for identical violations in the same calendar year). The proposed rule adds that a single act or omission that violates more than one repeated or overlapping provision of the same subpart (privacy rule, security rule, etc.) will result in the imposition of only a single CMP. However, violations of multiple differing provisions of the same subpart, or of more than one subpart, will be counted as multiple violations.
    • Authority to Settle. A provision would clarify that nothing limits HHS' authority to settle any issue or case or to compromise on the amount of a CMP. However, CMPs are not the exclusive penalty that may be imposed; for example, criminal sanctions can be imposed by DOJ under certain circumstances.
    • Determining the Number of Violations. Determining the number of violations of an identical administrative simplification provision involves considering several variables and the facts and circumstances of the violation, including:

      1. how many times the covered entity omitted to conduct a required act or committed a prohibited act
      2. how many people were involved in or affected by the violation
      3. the duration of the violation

    • Amount of CMP. In determining the amount of the CMP, HHS can consider any of these factors:

      1. the nature of the violation
      2. the circumstances and consequences of the violation, such as whether the violation caused physical or financial harm or hindered an individual's ability to receive health care
      3. the culpability of the covered entity, including an intention to commit the violation or direct control possessed by the covered entity
      4. any history of prior offenses, including any prior complaints, and how the covered entity has responded to attempt to correct previous violations
      5. the financial condition of the covered entity
      6. other matters "as justice may require."

    • Affirmative Defenses. Proposed section 160.410 implements certain sections of the HIPAA statute that specify limitations regarding when CMPs may be imposed.

      1. A CMP may not be imposed for an act that would be punishable by a criminal penalty under HIPAA.
      2. No CMP will be imposed if the Secretary of HHS is satisfied that the covered entity did not know and "by exercising reasonable diligence would not have known" that the violation occurred.
      3. No CMP will be imposed if the failure to comply "was due to reasonable cause and not to willful neglect" and is corrected within a specified period.
    The enforcement rule, when finalized, will complete the compliance and enforcement sections of the HIPAA rules and will establish a procedure for redressing violations of HIPAA. As a practical matter, so long as HHS follows its voluntary compliance approach, it remains to be seen how often the proposed rules relating to CMPs will be used.