[Federal Register Volume 70, Number 73 (Monday, April 18, 2005)]
[Proposed Rules]
[Pages 20224-20258]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-7512]
[[Page 20223]]
-----------------------------------------------------------------------
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
HIPAA Administrative Simplification; Enforcement; Proposed Rule
��Federal Register / Vol. 70, No. 73 / Monday, April 18, 2005 /
Proposed Rules��
[[Page 20224]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB29
HIPAA Administrative Simplification; Enforcement
AGENCY: Office of the Secretary, HHS.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Secretary of Health and Human Services is proposing rules
for the imposition of civil money penalties on entities that violate
rules adopted by the Secretary to implement the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996, Pub. L. 104-191 (HIPAA). The proposed rule
would amend the existing rules relating to the investigation of
noncompliance to make them apply to all of the HIPAA Administrative
Simplification rules, rather than exclusively to the privacy standards.
It would also amend the existing rules relating to the process for
imposition of civil money penalties. Among other matters, the proposed
rules would clarify and elaborate upon the investigation process, bases
for liability, determination of the penalty amount, grounds for waiver,
conduct of the hearing, and the appeal process.
DATES: Comments on the proposed rule will be considered if we receive
them at the appropriate address, as provided below, no later than June
17, 2005.
ADDRESSES: You may submit comments by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Include agency name and ``RIN: 0991-AB29.''
E-mail: [email protected]. Include ``RIN: 0991-
AB29'' in the subject line of the message.
Mail: U.S. Department of Health and Human Services, Office
of General Counsel, Attention: HIPAA Enforcement Rule, 330 Independence
Ave., SW., Washington, DC 20201.
Hand Delivery/Courier: Attention: HIPAA Enforcement Rule,
Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington,
DC 20201.
Instructions: Because of staff and resource limitations, we cannot
accept comments by facsimile (FAX) transmission. For detailed
instructions on submitting comments and additional information on the
rulemaking process, see the ``Public Participation'' heading of the
SUPPLEMENTARY INFORMATION section of this document.
FOR FURTHER INFORMATION CONTACT: Carol Conrad, (202) 690-1840.
SUPPLEMENTARY INFORMATION:
I. Public Participation
We welcome comments from the public on all issues set forth in this
rule to assist us in fully considering issues and developing policies.
You can assist us by referencing the RIN number (RIN: 0991-AB29) and by
preceding your discussion of any particular provision with a citation
to the section of the proposed rule being discussed.
A. Inspection of Public Comments
Comments received timely will be available for public inspection as
they are received, generally beginning approximately 6 weeks after
publication of this document, at the mail address provided above,
Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule
an appointment to view public comments, call Karen Shaw, (202) 205-
0154.
B. Electronic Comments
We will consider all electronic comments that include the full
name, postal address, and affiliation (if applicable) of the sender and
are submitted to either of the electronic addresses identified in the
ADDRESSES section of this preamble. All comments must be incorporated
in the e-mail message, because we may not be able to access
attachments. Copies of electronically submitted comments will be
available for public inspection as soon as practicable at the address
provided, and subject to the process described, in the preceding
paragraph.
C. Mailed Comments and Hand Delivered/Couriered Comments
Mailed comments may be subject to delivery delays due to security
procedures. Please allow sufficient time for mailed comments to be
timely received in the event of delivery delays. Comments mailed to the
address indicated for hand or courier delivery may be delayed and could
be considered late.
D. Copies
To order copies of the Federal Register containing this document,
send your request to: New Orders, Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue
requested and enclose a check or money order payable to the
Superintendent of Documents, or enclose your Visa or Master Card number
and expiration date. Credit card orders can also be placed by calling
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by
faxing to (202) 512-2250. The cost for each copy is $10. As an
alternative, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
E. Electronic Access
This Federal Register document is available from the Federal
Register online database through GPO Access, a service of the U.S.
Government Printing Office. The web site address is: http://www.gpoaccess.gov/nara/index.html. This document is available
electronically at the following web sites of the Department of Health
and Human Services (HHS): http://www.hhs.gov/ocr/hipaa/ and http://www.cms.gov/hipaa/hipaa2.
F. Response to Comments
Because of the large number of public comments we normally receive
on Federal Register documents, we are not able to acknowledge or
respond to them individually. We will consider all comments we receive
in accordance with the methods described above and by the date
specified in the DATES section of this preamble. When we proceed with a
final rule, we will respond to comments in the preamble to that rule.
II. Background
HHS proposes to amend or renumber existing rules that relate to
compliance with, and enforcement of, the Administrative Simplification
regulations (HIPAA rules) adopted by the Secretary of Health and Human
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA
provisions). These rules are codified at 45 CFR part 160, subparts C
and E. In addition, this proposed rule would add a new subpart D to
part 160. The new subpart D would contain additional rules relating to
the imposition by the Secretary of civil money penalties on covered
entities that violate the HIPAA rules. The full set of rules that will
ultimately be codified at subparts C, D, and E of 45 CFR part 160 is
collectively referred to in this proposed rule as the ``Enforcement
Rule.'' Finally, HHS proposes conforming changes to subpart A of part
160 and subpart E of part 164.
The statutory and regulatory background of the proposed rule is set
out below. A description of HHS's approach to enforcement of the HIPAA
provisions and the HIPAA rules in general, the approach of this
proposed
[[Page 20225]]
rule in particular, and each section of the proposed rule follows. The
preamble concludes with HHS's analyses of impact and other issues under
applicable law.
A. Statutory Background
Subtitle F of Title II of HIPAA, entitled ``Administrative
Simplification,'' requires the Secretary to adopt national standards
for certain information-related activities of the health care industry.
The purpose of subtitle F is to improve the Medicare program under
title XVIII of the Social Security Act (Act), the Medicaid program
under title XIX of the Act, and the efficiency and effectiveness of the
health care system, by mandating the development of standards and
requirements to enable the electronic exchange of certain health
information. Section 262 of subtitle F added a new Part C to Title XI
of the Act. Part C (sections 1171-1179 of the Act, 42 U.S.C. 1320d-
1320d-8) requires the Secretary to adopt national standards for certain
financial and administrative transactions and various data elements to
be used in those transactions, such as code sets and certain unique
health identifiers. Recognizing that the industry trend toward
computerizing health information, which HIPAA encourages, may increase
the accessibility of that information, sections 262 and 264 of HIPAA
also require the Secretary to adopt national standards to protect the
security and privacy of the information.
Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA
provisions apply only to--
The following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information
in electronic form in connection with a transaction referred to in
section 1173(a)(1).
These entities are collectively known as ``covered entities.'' An
additional category of covered entities was added by the Medicare
Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L.
108-173) (MMA). As added by MMA, section 1860D-31(h)(6)(A) of the Act,
42 U.S.C. 1395w-141(h)(6)(A), provides that:
a prescription drug card sponsor is a covered entity for purposes of
applying part C of title XI and all regulatory provisions
promulgated thereunder, including regulations (relating to privacy)
adopted pursuant to the authority of the Secretary under section
264(c) of the Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. 1320d-2 note).
HIPAA requires certain consultations with industry as a predicate
to the issuance of the HIPAA standards and provides that most covered
entities have up to 2 years (small health plans have up to 3 years) to
come into compliance with the standards, once adopted. The statute
establishes civil money penalties and criminal penalties for
violations. Act, sections 1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42
U.S.C. 1320d-4(b)), 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 1320d-6).
HHS enforces the civil money penalties, while the U.S. Department of
Justice enforces the criminal penalties.
HIPAA's civil money penalty provision, section 1176(a) of the Act,
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money
penalty, as follows:
(1) IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part [42 U.S.C. Sec. 1320d et seq.] a penalty of not more than
$100 for each such violation, except that the total amount imposed
on the person for all violations of an identical requirement or
prohibition during a calendar year may not exceed $25,000.
(2) PROCEDURES. The provisions of section 1128A [42 U.S.C.
1320a-7a] (other than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the imposition of a civil
money penalty under this subsection in the same manner as such
provisions apply to the imposition of a penalty under such section
1128A.
For simplicity, we refer throughout this preamble to this provision,
the related provisions at section 1128A of the Act, and other related
provisions of the Act, by their Social Security Act citations, rather
than by their U.S. Code citations.
Subsection (b) of section 1176 sets out limitations on the
Secretary's authority to impose civil money penalties and also provides
authority for waiving such penalties. Under section 1176(b)(1), a civil
money penalty may not be imposed with respect to an act that
``constitutes an offense punishable'' under the criminal penalty
provision. Under section 1176(b)(2), a civil money penalty may not be
imposed ``if it is established to the satisfaction of the Secretary
that the person liable for the penalty did not know, and by exercising
reasonable diligence would not have known, that such person violated
the provision.'' Under section 1176(b)(3), a civil money penalty may
not be imposed if the failure to comply was due ``to reasonable cause
and not to willful neglect'' and is corrected within a certain time.
Finally, under section 1176(b)(4), a civil money penalty may be reduced
or entirely waived ``to the extent that the payment of such penalty
would be excessive relative to the compliance failure involved.''
As noted above, HIPAA incorporates by reference certain provisions
of section 1128A of the Act. Those provisions, as relevant here,
establish a number of requirements with respect to the imposition of
civil money penalties. Under section 1128A(c)(1), the Secretary may not
initiate a civil money penalty action ``later than six years after the
date'' of the occurrence that forms the basis for the civil money
penalty. Under section 1128A(c)(2), a person upon whom the Secretary
seeks to impose a civil money penalty must be given written notice and
an opportunity for a determination to be made ``on the record after a
hearing at which the person is entitled to be represented by counsel,
to present witnesses, and to cross-examine witnesses against the
person.'' Section 1128A also provides, at subsections (c), (e), and
(j), respectively, requirements for: service of the notice and
authority for sanctions which the hearing officer may impose for
misconduct in connection with the civil money penalty proceeding;
judicial review of the Secretary's determination in the United States
Court of Appeals for the circuit in which the person resides or
maintains his/its principal place of business; and the issuance of
subpoenas by the Secretary and the enforcement of those subpoenas. In
addition, section 1128A of the Act contains provisions relating to
liability for civil money penalties and how they are dealt with, once
imposed. For example, section 1128A(d) provides that the Secretary must
take into account certain factors ``in determining the amount * * * of
any penalty,'' section 1128A(h) requires certain notifications once a
civil money penalty is imposed, and section 1128A(l) makes a principal
liable for penalties ``for the actions of the principal's agent acting
within the scope of the agency.'' These provisions are discussed more
fully below.
B. Regulatory Background
As noted above, HIPAA requires the Secretary to adopt a number of
national standards to facilitate the exchange, and protect the privacy
and security, of certain health information. The Secretary has already
adopted many of these HIPAA standards by regulation.
Regulations implementing the statutory requirement for the
adoption of standards for transactions and code sets, Health Insurance
Reform: Standards for Electronic Transactions (Transactions Rule), were
published on August 17, 2000 (65 FR 50312), and were modified on
February 20, 2003 (68 FR 8381). The Transactions Rule
[[Page 20226]]
became effective on October 16, 2000, with an initial compliance date
of October 16, 2002 for covered entities other than small health plans.
The passage of the Administrative Simplification Compliance Act (ASCA),
Pub. L. 107-105, in 2001 enabled covered entities to obtain an
extension of the compliance date to October 16, 2003 by filing a
compliance plan by October 15, 2002. If a covered entity (other than a
small health plan) did not file such a plan, it was required to comply
with the Transactions Rule by October 16, 2002. All covered entities
were required to be in compliance with the Transactions Rule, as
modified, by October 16, 2003.
Regulations implementing the statutory requirement for the
adoption of privacy standards, Standards for Privacy of Individually
Identifiable Health Information (Privacy Rule), were published on
December 28, 2000 (65 FR 82462). The Privacy Rule became effective on
April 14, 2001. Modifications to simplify and increase the workability
of the Privacy Rule were published on August 14, 2002 (67 FR 53182).
Compliance with the Privacy Rule, as modified, was required by April
14, 2003 for covered entities other than small health plans; small
health plans were required to come into compliance by April 14, 2004.
The Privacy Rule adopted rules relating to compliance and
enforcement. These rules are codified at 45 CFR part 160, subpart C.
Subpart C presently applies only to compliance with, and enforcement
of, the Privacy Rule.
Regulations implementing the statutory requirement for the
adoption of an employer identifier standard, Health Insurance Reform:
Standard Unique Employer Identifier (EIN Rule), were published on May
31, 2002 (67 FR 38009) and became effective on July 30, 2002. The
initial compliance date was July 30, 2004 for most covered entities;
small health plans have until July 30, 2005 to come into compliance.
These regulations were modified on January 23, 2004 (69 FR 3434),
effective the same date.
Regulations implementing the statutory requirement for the
adoption of security standards, Health Insurance Reform: Security
Standards, were published on February 20, 2003 (68 FR 8334), effective
on April 21, 2003. The initial compliance date for covered entities
other than small health plans is April 20, 2005; small health plans
have until April 20, 2006 to come into compliance.
An interim final rule promulgating procedural requirements
for imposition of civil money penalties, Civil Money Penalties:
Procedures for Investigations, Imposition of Penalties, and Hearings
(April 17, 2003 interim final rule), was published on April 17, 2003
(68 FR 18895), was effective on May 19, 2003, with a sunset date of
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The
April 17, 2003 interim final rule adopted a new subpart E of part 160.
The sunset date of the April 17, 2003 interim final rule was extended
to September 16, 2005 on September 15, 2004 (69 FR 55515).
Regulations implementing the requirement to issue
standards for a unique identifier for health care providers, HIPAA
Administrative Simplification: Standard Unique Health Identifier for
Health Care Providers (NPI Rule), were issued on January 23, 2004 (69
FR 3434), effective on May 23, 2005. The compliance date is May 23,
2007 for most covered entities; small health plans have until May 23,
2008 to come into compliance.
In addition to the foregoing regulations implementing the HIPAA
provisions, HHS has adopted two other regulations that are relevant,
for some covered entities, to compliance with those provisions.
Section 3 of the ASCA amended section 1862 of the Act to
require Medicare providers, with certain exceptions, to submit claims
to Medicare electronically (and, thus, in conformity with the
Transactions Rule) by October 16, 2003. Regulations implementing
section 3, Medicare Program: Electronic Submission of Medicare Claims,
were published on August 15, 2003 (68 FR 48805), effective on October
16, 2003.
Regulations implementing the Medicare Prescription Drug
Discount Card program under MMA and the statutory provision that
Medicare prescription drug discount card sponsors are covered entities
under HIPAA, were issued on December 15, 2003 (68 FR 69840), effective
the same date. These rules require such sponsors to comply with the
HIPAA rules when they become sponsors, except and to the extent that
the Secretary temporarily waives the Privacy Rule requirements, and
provides some rules regarding how these entities are to comply with the
HIPAA rules. The Secretary has indicated that he does not anticipate
that it will be necessary to waive the Privacy Rule requirements and
has not done so. 68 FR 69871.
III. General Approach
As the discussion above makes clear, the duty to comply with
certain HIPAA rules is now a reality for all covered entities. The
immediacy of the compliance obligation brings with it the issue of how
these rules will be enforced. Accordingly, we discuss below our general
approach to enforcement, how the rules proposed below would fit in with
the existing components of the Enforcement Rule, and the basic approach
of the proposed rule.
A. HHS's General Approach to Enforcement
One of the Secretary's priorities is ``One HHS'': HHS's public
health and welfare mission and message must be consistent, and HHS
should speak with one voice. Because of the Secretary's One HHS policy
and because there is one statutory provision for imposing civil money
penalties on covered entities that violate the HIPAA rules, there is
one enforcement and compliance policy for the HIPAA rules. We are
committed to promoting and encouraging voluntary compliance with the
HIPAA rules through education, cooperation, and technical assistance.
Many educational and technical assistance materials on HIPAA,
including the HIPAA rules, are already available on HHS's Web sites.
See http://www.hhs.gov/ocr/hipaa for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2 for the other HIPAA rules. We continue to work
on educational and technical assistance materials, including additional
guidance on compliance and enforcement and targeted technical
assistance materials focused on particular segments of the health care
industry. We anticipate developing additional materials relevant to new
HIPAA rules as the need arises.
The authority for administering and enforcing compliance with the
Privacy Rule has been delegated to the HHS Office for Civil Rights
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering
and enforcing compliance with the non-privacy HIPAA rules has been
delegated to the Centers for Medicare & Medicaid Services (CMS). 68 FR
60694 (October 23, 2003).
At present, our compliance and enforcement activities are primarily
complaint-based. Although our enforcement efforts are focused on
investigating complaints, they may also include conducting compliance
reviews to determine if a covered entity is in compliance. When
potential violations come to our attention through a complaint or a
compliance review, OCR or CMS's Office of HIPAA Standards (OHS), as
appropriate, attempts to resolve the matter informally. Many such
matters are resolved at the initial stage of contact. However, even
where a
[[Page 20227]]
matter is not resolved at this initial stage and the investigation
continues, the matter can still be resolved through voluntary
compliance (for example, by means of a corrective action plan); and OCR
or CMS may provide technical assistance to help the covered entity
achieve compliance. Resolving issues through such informal means is
often the quickest and most effective means of ensuring that the
benefits of the HIPAA rules are realized. However, if we are unable to
obtain compliance effectively on matters within our jurisdiction
through voluntary means, we may seek to impose civil money penalties.
Moreover, matters subject to criminal penalties are referred to the
Department of Justice.
B. HHS's Approach to the Enforcement Rule
The Enforcement Rule would bring together and adopt rules governing
the implementation of the civil money penalty authority of section 1176
of the Act for all of the HIPAA rules. As previously noted, parts of
the Enforcement Rule are already in place: subpart C of part 160
establishes certain investigative procedures for the Privacy Rule, and
subpart E establishes interim procedures for investigations and for the
imposition of, and challenges to the imposition of, civil money
penalties for all of the HIPAA rules. This proposed rule would complete
the Enforcement Rule by addressing, among other issues, our policies
for determining violations and calculating civil money penalties, how
we will address the statutory limitations on the imposition of civil
money penalties, and various procedural issues, such as provisions for
appellate review within HHS of a hearing decision, burden of proof, and
notification of other agencies of the imposition of a civil money
penalty.
In developing these regulations, several principles guided our
choice of policies from among the available options. The Enforcement
Rule should promote voluntary compliance with the HIPAA rules, be clear
and easy to understand, provide consistent results in the interest of
fairness, provide the Secretary with reasonable discretion,
particularly in areas where the exercise of judgment is called for by
the statute or rules, and avoid being overly prescriptive in areas
where it would be helpful to gain experience with the practical impact
of the HIPAA rules, to avoid unintended adverse effects.
With respect to many of the Enforcement Rule's provisions, we were
also mindful that section 1176(a) requires the Secretary to apply the
incorporated provisions of section 1128A to the imposition of a civil
money penalty under section 1176 ``in the same manner as'' they apply
to the imposition of civil money penalties under section 1128A itself.
As we explained in the preamble to the April 17, 2003 interim final
rule, the imposition of civil money penalties under section 1128A is
administered by the HHS Office of the Inspector General (OIG).
Accordingly, the rules proposed below, like those in the current
Subpart E, generally look to the regulations of the OIG that implement
section 1128A, which are codified at 42 CFR parts 1003, 1005, and 1006
(OIG regulations).
The Enforcement Rule does not adopt standards, as that term is
defined and interpreted under HIPAA. Thus, the requirement for industry
consultations in section 1172(c) of the Act does not apply. For the
same reason, HIPAA's time frames for compliance, set forth in section
1175 of the Act, will not apply to the Enforcement Rule, when adopted
in final form.
IV. Provisions of the Proposed Rule
The proposed rule would revise 45 CFR part 160 as follows: it would
revise the existing subpart C, adopt a new subpart D, and revise the
existing subpart E; a minor amendment of subpart A is also proposed.
Subpart A, which contains general provisions, would be amended to
include a definition of ``person.'' Subpart C includes all provisions
that relate to activities for determining compliance, including
investigations and cooperation by covered entities. The proposed
revisions of subpart C are largely technical, incorporating several
provisions currently found in subpart E. We also propose to make
subpart C applicable to the non-privacy HIPAA rules. The new subpart D
would establish rules relating to the imposition of civil money
penalties, including those which apply whether or not there is a
hearing. Subpart D would also incorporate several provisions currently
found in subpart E. Proposed subpart E would address the pre-hearing
and hearing phases of the enforcement process. Many of the provisions
of proposed subpart E were adopted by the April 17, 2003 interim final
rule and would not be substantively changed, although they would, in
general, be renumbered.
Finally, a conforming change to the privacy standards in subpart E
of part 164 is proposed. This conforming change is discussed in
connection with proposed Sec. 160.316 at section IV.B.5 below.
A. Subpart A
We propose to amend Sec. 160.103 to add a definition of the term
``person.'' This would replace the definition of that term adopted by
the April 17, 2003 interim final rule. We propose to place this
definition in Sec. 160.103 so that it applies to all of the HIPAA
rules. The term ``person'' appears throughout the HIPAA rules, and the
definition of the term we propose is a universal one that should work
in each of the contexts in which the term ``person'' occurs. If the
proposed placement would create problems, commenters should bring that
to our attention.
In Sec. 160.502 of the April 17, 2003 interim final rule, we
defined a ``person'' as ``a natural or legal person'' to clarify, in
the context of administrative subpoenas, the distinction between an
entity (defined as a ``legal person'') and natural persons who would
testify on the entity's behalf. The proposed rule would revise and
expand this definition.
The statutory definition of a ``person'' that would otherwise apply
to the HIPAA provisions is found in section 1101(3) of the Act. That
section, which has been in the Act since it was originally enacted in
1935, defines a person as ``an individual, a trust or estate, a
partnership, or a corporation.'' However, Part C of title XI specifies
that the class of ``persons'' to whom the HIPAA standards apply--health
plans, certain health care providers, and health care clearinghouses--
includes certain State and federal programs, which are not included in
the definition of ``person'' in section 1101(3). For example, section
1171(2) defines a health care clearinghouse as a ``public or private''
entity. Under section 1171(3), a ``health care provider'' is defined to
include a provider of services as defined in section 1861(u), for
purposes of the Medicare program. The definition includes hospitals,
which in turn include State or local government-owned hospitals.
Finally, the definition of ``health plan'' in section 1171(5) includes
State and federal health plans: section 1171(5)(A) includes a group
health plan ``as defined in section 2791(a) of the Public Health
Service Act,'' and this definition includes State and local
governmental group health plans; section 1171(5)(E) includes ``the
medicaid program under title XIX,'' which is a State program; and other
provisions of section 1171(5) explicitly include as health plans
various federal health plans, such as Medicare, the Federal Employee
Benefit Health Plan, CHAMPUS, and the program of benefits for veterans.
Section 1176, by its terms,
[[Page 20228]]
applies to ``any person who violates a provision of this part.''
Nothing in this language suggests that Congress intended to exempt any
class of covered entities from liability for a civil money penalty
under this section.
Thus, to effectuate Congress's purpose in enacting the HIPAA
provisions, it is necessary to define ``person'' sufficiently broadly
to encompass the entities to which the HIPAA rules apply. The Supreme
Court has recognized that this is a valid approach in appropriate
instances. See, e.g., Lawson v. Suwanee S.S. Co., 336 U.S. 198 (1949).
This proposed approach is also consistent with that taken by the OIG
regulations, the preamble to which explained that it was necessary to
expand the definition of ``person'' in the context of section 1128A of
the Act to include States because of clear Congressional intent to
include them in the class of entities subject to civil money penalties.
48 FR 38837, 38828 (August 26, 1983).
Accordingly, the proposed rule generally tracks the definition of
``person'' in the OIG regulations. In particular, by defining the term
as ``a natural person, trust or estate, partnership, corporation,
professional association or corporation, or other entity, public or
private,'' the proposed rule clarifies, consistent with the HIPAA
provisions, that the term includes States and other public entities.
However, we propose to adapt the language used in the OIG regulations
by substituting the term ``natural person'' for the term ``individual''
in the definition of ``person'' in the OIG regulations. The term
``individual'' is defined in Sec. 160.103 as ``the person who is the
subject of protected health information.'' Since the term
``individual'' has a defined, and narrower, meaning in the HIPAA rules
than it does in the OIG regulations, the proposed rule uses the term
``natural person'' to make the definition of ``person'' have the same
scope as in the OIG regulations.
B. Subpart C--Compliance and Investigations
We propose to amend subpart C to make the compliance and
investigation provisions of the subpart--which at present apply only to
the Privacy Rule--applicable to all of the HIPAA rules. In addition, we
propose to include in subpart C the definitions that apply to subparts
C, D, and E. In accordance with the organizational scheme described
above, we also propose to move to subpart C from subpart E the
provision relating to investigational subpoenas, which is currently
codified at Sec. 160.504. The title of this subpart has also been
changed (from ``Compliance and Enforcement'') to reflect the focus of
this subpart within the larger Enforcement Rule. Finally, we propose to
add to subpart C provisions prohibiting intimidation or retaliation
that are currently found in the Privacy Rule but not in the other HIPAA
rules. Aside from making conforming changes to Sec. 160.312, discussed
at section IV.B.3 below, we propose to leave the substance of the
existing provisions of subpart C unchanged. We solicit comment as to
whether these provisions should be revised and, if so, in what manner.
1. Application of Subpart C to the Non-Privacy HIPAA Rules
Subpart C is intended to provide a cooperative approach to
obtaining compliance, including use of technical assistance and
informal means to resolve disputes, and currently provides as follows.
Section 160.304 provides that the Secretary will, to the extent
practicable, seek the cooperation of covered entities in obtaining
compliance and may provide technical assistance to this end. Section
160.306 provides for the investigation of complaints by the Secretary
and provides requirements relating to the filing of such complaints.
Section 160.308 provides for the conduct of compliance reviews by the
Secretary. Section 160.310 requires covered entities to keep and submit
such records as the Secretary determines are necessary to determine
compliance and cooperate with the Secretary in an investigation or
compliance review. A covered entity must provide access during normal
business hours to their books and records pertinent to ascertaining
compliance; while we think such circumstances are very unlikely ever to
arise, a covered entity is also required, where exigent circumstances
exist, to permit such access at any time and without notice. This
section also provides that the Secretary may disclose protected health
information obtained in the course of an investigation or compliance
review only if necessary for ascertaining or enforcing compliance with
the applicable requirements of the Privacy Rule or if otherwise
required by law. Section 160.312 addresses Secretarial action regarding
complaints and compliance reviews. It provides that where noncompliance
is indicated, the Secretary will attempt to resolve the matter by
informal means wherever possible and provides for certain notifications
to the covered entity (and the complainant, if the matter arose from a
complaint).
At present, subpart C applies only to the Privacy Rule. However, to
simplify, clarify, and reduce the burden of the compliance process for
covered entities, the proposed rule would make this subpart applicable
to the other HIPAA rules as well. A uniform regulatory scheme would
simplify the compliance and enforcement process in the event that a
covered entity violates provisions of more than one HIPAA rule (for
example, where violations of both the Privacy Rule and the Security
Rule are at issue) and is also consistent with the Secretary's ``One
HHS'' policy.
Accordingly, we propose to amend the following sections of subpart
C to make them applicable to all of the HIPAA rules: Sec. 160.300--
Applicability; Sec. 160.304--Principles for achieving compliance;
Sec. 160.306--Complaints to the Secretary; Sec. 160.308--Compliance
reviews; and Sec. 160.310--Responsibilities of covered entities. This
would be accomplished by changing the present references in these
sections from ``subpart E of part 164'' to the more inclusive, defined
term, ``administrative simplification provision'' or ``administrative
simplification provisions,'' as appropriate.
2. Section 160.302--Definitions
Section 160.302 presently states that the terms used in subpart C
that are defined in Sec. 164.501 have the same meaning as defined in
that section. The terms that were initially defined in Sec. 164.501
that would continue to be used in this subpart ( ``individual,''
``disclose,'' ``protected health information,'' ``use'') have
subsequently been moved to Sec. 160.103. The term ``payment'' is used
in this subpart, but not as defined in Sec. 164.501. Thus, we propose
to delete this text, as it is no longer appropriate.
We propose to move to Sec. 160.302 three definitions that were
adopted in the April 17, 2003 interim final rule at Sec. 160.502:
``ALJ'', ``civil money penalty or penalty'', and ``respondent.'' These
terms are placed at the outset of the provisions that address
compliance and enforcement for clarity, since they are used in more
than one of the subparts that address compliance and enforcement. We do
not discuss these terms, as we do not propose to change them. We
discuss below two new terms which we propose to add to Sec. 160.302
and which are likewise used throughout subparts C, D, and E:
``administrative simplification provision'' and ``violation or
violate.''
[[Page 20229]]
a. ``Administrative Simplification Provision''
Section 1176(a)(1) provides that, except as provided in section
1176(b), the Secretary shall impose ``on any person who violates a
provision of this part a penalty of not more than $100 for each such
violation, except that the total amount imposed on the person for all
violations of an identical requirement or prohibition during a calendar
year may not exceed $25,000.'' (Emphasis added.) Based on this
statutory language, and also taking into account the structures of each
of the HIPAA rules, HHS considered a number of different options for
defining the term ``provision of this part'' in section 1176(a)(1) as
it applies to the HIPAA rules.
The HIPAA rules generally are comprised of standards,
implementation specifications, and requirements and prohibitions.
However, the structure and composition of the HIPAA rules with respect
to these elements vary. The Privacy Rule is generally comprised of
standards that contain implementation specifications and other
requirements or prohibitions. The identifier rules (the EIN Rule and
the NPI Rule) contain standards and implementation specifications, and
all requirements that apply to covered entities are in a standard or an
implementation specification. In the Security Rule, most requirements
are in standards or their related implementation specifications, but
some requirements are freestanding. The Transactions Rule contains
requirements and prohibitions, not all of which are contained in
standards and implementation specifications, and adopts standards that
are also implementation specifications. The provisions of subpart C of
part 160 that apply to covered entities are framed as requirements. The
HIPAA rules are silent as to which of these elements is a ``provision
of this part'' that may be violated and for which civil money penalties
may be assessed.
We propose to define a new term--``administrative simplification
provision''--to express the scope and application of the compliance and
investigation provisions, as well as the enforcement and penalty
provisions. This proposed provision interprets ``provision of this
part'' in section 1176 to refer to any requirement or prohibition
established by the statute or any of the HIPAA rules that are adopted
under the statute.
In determining how to define a ``provision of this part'' that
could be violated, we considered options in light of our goal of
implementing a unified approach with respect to all of the HIPAA rules.
Given the variation in structure of the HIPAA rules, we sought an
approach which would be flexible enough to apply to all the rules but
which would not be too complex. Accordingly, we decided against an
approach that would define the ``provision of this part'' that could be
violated as either any ``standard,'' or any ``implementation
specification,'' or both. These approaches would not have captured
stand-alone requirements or prohibitions--i.e., those requirements and
prohibitions in the HIPAA rules that fall outside of the structure of a
standard or implementation specification. For example, in the
Transactions Rule, the prohibition on a health plan delaying or
rejecting a transaction that is a standard transaction (Sec.
162.925(a)(2)), which implements the statutory prohibition at section
1175(a)(1)(B), is a stand-alone requirement. It would be anomalous to
create an enforcement scheme that, in effect, insulated this provision
from enforcement. These options would also have resulted in complexity
and inconsistency in the application of the Enforcement Rule to each of
the HIPAA rules, given their varied structures with respect to
standards and implementation specifications.
Instead, we propose to define a ``provision of this part'' that can
be violated as any ``requirement or prohibition'' found within the
rules, regardless of whether the requirement or prohibition falls
within a standard, implementation specification, or elsewhere in the
rules. This definition flows directly from the statutory language in
section 1176(a)(1) of the Act, which refers to ``violations of an
identical requirement or prohibition.'' It is also a definition that
can be applied consistently across the HIPAA rules, regardless of how
they are structured or titled. Accordingly, we propose to define the
term ``administrative simplification provision'' in Sec. 160.302 to
mean any requirement or prohibition established by the HIPAA provisions
or HIPAA rules: ``* * * any requirement or prohibition established by:
(1) 42 U.S.C. 1320d-1320d4, 1320d-7, and 1320d-8; (2) Section 264 of
Pub. L. 104-191; or (3) This subchapter.'' This definition would
include those provisions in subpart C which apply to covered entities.
b. ``Violation'' or ``Violate''
Building on this proposed definition of ``administrative
simplification provision,'' we propose to define a ``violation'' (or
``to violate'') to mean a ``failure to comply with an administrative
simplification provision.'' Like the proposed definition of
``administrative simplification provision,'' the proposed definition of
``violation'' flows directly from the statutory language: subsections
(b)(3) and (b)(4) of section 1176 equate a ``violation'' with a
``failure to comply.'' The proposed definition is likewise one that can
be applied consistently across the HIPAA rules. This proposed
definition would make no distinction between commissions and
omissions--that is, a violation occurs when a covered entity fails to
take an action required by a HIPAA rule, as well as when a covered
entity takes an action prohibited by a HIPAA rule.
3. Section 160.312--Secretarial Action Regarding Complaints and
Compliance Reviews
Section 160.312(a) currently provides that the Secretary will
inform the covered entity and the complainant, if applicable, if an
investigation or compliance review indicates a failure to comply and
attempt to resolve the matter by informal means whenever possible. If
the Secretary determines that the matter cannot be resolved by informal
means, the Secretary may issue findings to the covered entity and, if
applicable, the complainant.
Like the current Sec. 160.312(a), proposed Sec. 160.312(a)(1)
provides that, where noncompliance is indicated, the Secretary would
seek to reach a resolution of the matter satisfactory to the Secretary
by informal means. Informal means would include demonstrated
compliance, or a completed corrective action plan or other agreement.
Under this provision, entering into a corrective action plan or other
agreement would not, in and of itself, resolve the noncompliance;
rather, the full performance by the covered entity of its obligations
under the corrective action plan or other agreement would be necessary
to resolve the noncompliance.
Proposed Sec. Sec. 160.312(a)(2) and (3) address what
notifications will be provided by the Secretary where noncompliance is
indicated, based on an investigation or compliance review. Notification
under this paragraph would not be required where the only contacts made
were with the complainant, to determine whether the complaint warrants
investigation. Paragraph (a)(2) provides for written notice to the
covered entity and, if the matter arose from a complaint, the
complainant, where the matter is resolved by informal means. If the
matter is not resolved by informal means, paragraph (a)(3)(i) requires
the Secretary to so inform the covered entity and provide the covered
[[Page 20230]]
entity an opportunity to submit written evidence of any mitigating
factors or affirmative defenses for consideration under Sec. Sec.
160.408 and 160.410; the covered entity must submit any such evidence
to the Secretary within 30 days of receipt of such notification.
Paragraph (a)(3)(ii) would revise the current Sec. 160.312(a)(2) to
avoid confusion with the notice of proposed determination process
provided for at proposed Sec. 160.420. Where a matter is not resolved
by informal means and the Secretary finds that imposition of a civil
money penalty is warranted, the formal finding would be contained in
the notice of proposed determination issued under proposed Sec.
160.420. See also the discussion at section V.J below.
Paragraph (b) of the current Sec. 160.312 provides that if the
Secretary finds after an investigation or compliance review that no
further action is warranted, the Secretary will so inform the covered
entity and, if the matter arose from a complaint, the complainant. This
section does not apply where no investigation or compliance review has
been initiated, such as where a complaint has been dismissed due to
lack of jurisdiction. Paragraph (b) would remain largely unchanged.
4. Section 160.314--Investigational Subpoenas and Inquiries
The text of Sec. 160.314 was adopted by the April 17, 2003 interim
final rule as Sec. 160.504. We propose to move this section to subpart
C, consistent with our overall approach of organizing subparts C, D,
and E to reflect the stages of the enforcement process. Since the
investigational subpoenas and inquiries occur prior to the imposition
of a civil money penalty, we propose to move the rules relating to them
to subpart C, where other rules related to this stage of the process
are located. This organizational arrangement should facilitate use of
the Rule by covered entities and others.
One substantive change is proposed to paragraph (a). We would add
to the introductory language of this paragraph a sentence which states
that, for the purposes of paragraph (a), a person other than a natural
person is termed an ``entity.'' This permits us to avoid creating a
definition of the term ``entity'' that would have a broader application
and might be incorrect in other contexts, but preserves the utility of
the definition in this specific context. The term ``entity'' would no
longer be a defined term for the rest of the Rule, unlike the approach
taken in Sec. 160.502 of the April 17, 2003 interim final rule.
Proposed paragraphs (b)(1), (2) and (8) are unchanged from the
current paragraphs (b)(1)--(3) of Sec. 160.504. We propose to add new
paragraphs (3) through (7) and (9) to Sec. 160.314(b) and also to add
a new paragraph (c). Together, these additions would clarify the manner
in which investigational inquiries will be conducted, and how testimony
given, and evidence obtained, during such an investigation may be used.
The new paragraphs are based upon similar provisions in 42 CFR
1006.4. Proposed Sec. Sec. 160.314(b)(3)--(7) describe the rights of
the Secretary and the witness in the inquiry process: representatives
of the Secretary are entitled to attend and ask questions, a witness
may clarify his or her answers on the record following questioning by
the Secretary, the witness must place any claim of privilege on the
record, what requirements apply to the assertion of objections, and
under what circumstances and how the Secretary may seek enforcement of
the subpoena. Proposed Sec. 160.314(b)(8) (currently Sec.
160.504(b)(3) and which, as noted above, has not changed) recognizes
that investigational inquiries are non-public proceedings. Accordingly,
a witness's right to retain a copy of the transcript of his or her
testimony may be limited for good cause (5 U.S.C. 555(c)). Proposed
Sec. 160.314(b)(9) explains what would happen in such a case: The
witness would nonetheless be entitled to inspect the transcript and to
propose any corrections. If the witness is provided a copy of the
transcript, paragraph (b)(9)(i) would provide for the opportunity to
review the transcript and offer proposed corrections. This provision is
consistent with the practice under Rule 30(e) of the Federal Rules of
Civil Procedure (F.R.C.P.). Paragraph (b)(9)(ii) would allow the
Secretary to attach corrections to the transcript of a witness's
testimonial interview if the record transcribing the interview is
incorrect. Consistent with the practice under the OIG regulations, this
provision would not permit the Secretary to propose substantive changes
to the witness's testimony.
Proposed Sec. 160.314(c) provides that, consistent with Sec.
160.310, testimony and other evidence obtained in an investigational
inquiry may be used by HHS in any of its activities and may be used or
offered into evidence in any administrative or judicial proceeding.
This provision follows Sec. 1006.4(h) of the OIG regulations, but is
tailored to be consistent with the existing Sec. 160.310(c)(3). Under
this provision, evidence obtained in an investigational inquiry could
be used in any of HHS's activities and could be used or offered into
evidence in any administrative or judicial proceeding, except to the
extent it consists of protected health information. Evidence that is
protected health information may be disclosed only ``if necessary for
ascertaining or enforcing compliance with the applicable administrative
simplification provisions, or if otherwise required by law,'' as
provided at Sec. 160.310(c).
5. Section 160.316--Refraining From Intimidation or Retaliation
Proposed Sec. 160.316 would prohibit covered entities from
threatening, intimidating, coercing, discriminating against, or taking
any other retaliatory action against individuals or other persons
(including other covered entities) who complain to HHS or otherwise
assist or cooperate in the enforcement processes created by this rule.
This provision is taken from Sec. 164.530(g)(2) of the Privacy Rule,
with only minor changes designed to adapt the provision to the new
subparts which this rule would add. The intent of this addition to
subpart C is to make these non-retaliation provisions applicable to all
of the HIPAA rules, not just the Privacy Rule. The placement of these
provisions in subpart C accomplishes this.
Section 164.530(g) would retain existing provisions which provide
that a covered entity may not intimidate, threaten, coerce,
discriminate against, or take other retaliatory action against an
individual for exercising his or her rights or for participating in any
process established by the Privacy Rule, including filing a complaint
with a covered entity. A conforming change to Sec. 164.530(g) of the
Privacy Rule is proposed, to cross-reference proposed Sec. 160.316.
As with other provisions of subpart C that impose requirements or
prohibitions on covered entities, the provisions of Sec. 160.316 are
``administrative simplification provisions.'' Thus, a violation of a
requirement or prohibition of this section would be a basis for
imposition of a civil money penalty.
C. Subpart D--Imposition of Civil Money Penalties
Proposed subpart D addresses the issuance of a notice of proposed
determination to impose a civil money penalty and other events that
would be relevant thereafter, whether or not a hearing follows the
issuance of the notice of proposed determination. This subpart also
would contain provisions on identifying violations, determining the
number of violations, calculating civil money penalties for such
violations, and establishing affirmative
[[Page 20231]]
defenses to the imposition of civil money penalties. It would, thus,
implement the provisions of section 1176, as well as related provisions
of section 1128A. As noted above, many provisions of the Rule are based
in large part upon the OIG regulations, but, as with subpart E, we
propose to adapt the OIG language to reflect issues presented by, or
the authority underlying, the HIPAA rules.
1. Section 160.402--Basis for a Civil Money Penalty
Proposed Sec. 160.402(a) would require the Secretary to impose a
civil money penalty on any covered entity which the Secretary
determines has violated an administrative simplification provision,
unless the covered entity establishes that an affirmative defense, as
provided for by Sec. 160.410, exists. See the discussion at section
IV.C.3 below. This provision is based on the language in section
1176(a) that ``* * * the Secretary shall impose on any person who
violates a provision of this part a penalty * * *''. This proposed
provision interprets ``provision of this part'' in section 1176(a)(1)
to refer to any requirement or prohibition established by the statute
or any of the HIPAA rules that are adopted under the statute. See the
discussion of the definitions of ``administrative simplification
provision'' and ``violation'' in section IV.B.2 above.
The use of the term ``shall impose'' in section 1176(a) is more
than a mere conveyance of authority to the Secretary to impose a
penalty for a violation of an administrative simplification provision.
If the Secretary finds in a notice of proposed determination that a
covered entity has violated an administrative simplification provision,
he is required to impose a penalty unless a basis for not imposing the
penalty under section 1176 exists. Section 1176(a) does not limit the
Secretary's discretion to encourage a covered entity to come into
compliance voluntarily, to close a case without issuing a notice of
proposed determination if voluntary compliance is obtained, or to set
the amount of the penalty below the statutory caps. Nor does section
1176(a) limit the Secretary's discretion to settle any matter,
including cases in which a civil money penalty has been proposed or
which are in hearing. The first sentence of section 1128A(f) of the
Act, which is incorporated by reference in section 1176, states, in
part, ``Civil money penalties * * * imposed under this section may be
compromised by the Secretary * * *''. Therefore, the Secretary may
settle a case even after a civil money penalty has been proposed.
a. Section 160.402(b)--Violations by More than One Covered Entity
The proposed rule includes a provision, at Sec. 160.402(b), that
addresses what would happen if multiple covered entities were
responsible for violating a HIPAA provision. Proposed Sec.
160.402(b)(1) provides that, except with respect to covered entities
that are members of an affiliated covered entity, if the Secretary
determines that more than one covered entity was responsible for
violating an administrative simplification provision, the Secretary
will impose a civil money penalty against each such covered entity.
Proposed Sec. 160.402(b)(2) provides that each covered entity that is
a member of an affiliated covered entity would be jointly and severally
liable for a civil money penalty for a violation by the affiliated
covered entity.
Proposed Sec. 160.402(b)(1) is based on a similar provision in the
OIG regulations at 42 CFR 1003.102(d). It differs from the OIG
provision in that this proposed provision requires the imposition of a
penalty on each covered entity that the Secretary determines has
violated an administrative simplification provision, rather than giving
the Secretary discretion to determine whether to impose a civil money
penalty on one or all. This is based on the statutory language in
section 1176(a) which states that the Secretary ``* * * shall impose a
penalty * * *'' when there is a determination that an entity has
violated a HIPAA provision. As discussed above, the language in the
statute mandates the imposition of a penalty in appropriate situations
where there has been a finding of a violation. However, nothing in this
section would limit the Secretary's ability to exercise enforcement
discretion to investigate only one covered entity, to encourage one or
more covered entities to come into compliance, to close a case against
one or more covered entities without issuing a notice of proposed
determination if voluntary compliance is obtained, or to set the amount
of the penalty differently for each covered entity when multiple
covered entities are responsible for violating an administrative
simplification provision, to the extent section 1176 and this Rule
would allow.
With the exception of affiliated covered entity arrangements, this
provision may apply to any two covered entities, including, but not
limited to, those that are part of a joint arrangement, such as an
organized health care arrangement. The determination of whether or not
an entity is responsible for the violation would be based on the facts.
Simply being part of a joint arrangement would not, in and of itself,
make a covered entity responsible for a violation by another entity in
the joint arrangement, although it may be a factor considered in the
analysis.
Proposed Sec. 160.402(b)(2) provides that each covered entity that
is a member of an affiliated covered entity would be jointly and
severally liable for a civil money penalty for a violation by the
affiliated covered entity. An affiliated covered entity is a group of
covered entities under common ownership or control, which have elected
to be treated as if they were one covered entity for purposes of
compliance with the Security and Privacy Rules. See 45 CFR 164.105(b).
Electing to become an affiliated covered entity may reduce the
administrative burden and create certain efficiencies with respect to
compliance. There is no requirement to form an affiliated covered
entity; the entities that choose to form an affiliated covered entity
must designate themselves as such and must document the designation in
writing.
The December 2000 Privacy Rule stated as follows with respect to
the liability of the component covered entities of an affiliated
covered entity: ``The covered entities that together make up the
affiliated covered entity are separately subject to liability under
this rule.'' 65 FR 82503. We clarify this language in the proposed
rule. Under proposed Sec. 160.402(b)(2), each covered entity that is a
member of an affiliated covered entity would be jointly and severally
liable for a civil money penalty for a violation by the affiliated
covered entity. This means that we could enforce a violation of the
Security Rule or Privacy Rule by an affiliated covered entity against
any covered entity member of the affiliated covered entity separately
or against all of the covered entity members of the affiliated covered
entity jointly. The reason for joint and several liability is that the
affiliated covered entity is treated, under the Security and Privacy
Rules, as one entity. Thus, it may be impossible to know or prove which
covered entity within an affiliated covered entity is responsible for a
violation, particularly in the case of a failure to act. For example,
if an affiliated covered entity fails to appoint a privacy official as
required by Sec. 164.530(a)(1)(i), it may be impossible to identify
one entity as responsible for the omission.
Proposed Sec. 160.402(b)(2) differs from proposed Sec.
160.402(b)(1) in two ways. First, no covered entity in an affiliated
covered entity could avoid a civil money penalty by demonstrating that
it
[[Page 20232]]
was not responsible for the act or omission constituting the violation
or that another covered entity member of the affiliated covered entity
was the culpable entity. Second, the maximum penalty that could be
imposed on all members of the affiliated covered entity for identical
violations in a calendar year would be the maximum allowed for one
covered entity--$25,000. By contrast, under Sec. 160.402(b)(1), if
more than one covered entity were responsible for a violation of an
administrative simplification provision, each covered entity would be
treated as separately violating the provision, and each could be
assessed the maximum penalty of $25,000 in a calendar year for
sufficient identical violations.
b. Section 160.402(c)--Violations Attributed to a Covered Entity
Under section 1176(a)(2), ``the provisions of section 1128A * * *
shall apply to the imposition of a civil money penalty under [HIPAA] in
the same manner as such provisions apply to the imposition of a penalty
under such section 1128A.'' Section 1128A(l) of the Act addresses the
liability of a covered entity for violations committed by an agent. It
states that ``a principal is liable for penalties * * * under this
section for the actions of the principal's agents acting within the
scope of the agency.'' This is similar to the traditional rule of
agency in which principals are vicariously liable for the acts of their
agents acting within the scope of their authority. See Meyer v. Holley,
537 U.S. 280 (2003). The preamble to the December 2000 Privacy Rule
discussed the applicability of section 1128A(l) as follows:
we note that section 1128A(l) of the Social Security Act, which
applies to the imposition of civil monetary penalties under HIPAA,
provides that a principal is liable for penalties for the actions of
its agent acting within the scope of the agency. Therefore, a
covered entity will generally be responsible for the actions of its
employees such as where the employee discloses protected health
information in violation of the regulation.
65 FR 82603.
We clarify in proposed Sec. 160.402(c) that, in the context of the
HIPAA rules, this means that a covered entity generally can be held
liable for a civil money penalty based on the actions of any agent,
including an employee or other workforce member, acting within the
scope of the agency or employment. A business associate will often be
an agent of a covered entity, but, as discussed below, a covered entity
that complies with the HIPAA rules governing business associates will
not be held liable for a business associate's actions that violate the
rules.
i. Federal Common Law of Agency
A principal's liability for the actions of its agents is generally
governed by State law. However, the Supreme Court has provided that the
federal common law of agency may be applied where there is a strong
governmental interest in nationwide uniformity and a predictable
standard and when the federal rule in question is interpreting a
federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998).
Here, there is a strong interest in nationwide uniformity. The
fundamental goal of the HIPAA provisions is to achieve standardization
of certain health care transactions, to standardize certain security
practices, and to set a federal floor of privacy practices, in order to
increase the efficiency and effectiveness of the health care system.
Therefore, it is essential for HHS to apply one consistent body of law
regardless of where an action is brought. The same considerations
support a strong federal interest in the predictable operation of the
standards, to ensure that the various covered entities operating
thereunder can do so consistently so as to facilitate the legitimate
exchange of information. Finally, the HIPAA rules interpret a federal
statute, the HIPAA provisions. Thus, the tests for application of the
federal common law of agency are met here. Accordingly, proposed Sec.
160.402(c) contains specific language to make clear that the federal
law of agency applies.
Where the federal common law of agency applies, the courts often
look to the Restatement (Second) of Agency (1958) (Restatement) as a
basis for explaining the common law's application. While the
determination of whether an agent is acting within the scope of its
authority must be decided on a case-by-case basis, the Restatement
provides guidelines for this determination. Section 229 of the
Restatement provides:
(1) To be within the scope of the employment, conduct must be of
the same general nature as that authorized, or incidental to the
conduct authorized.
(2) In determining whether or not the conduct, although not
authorized, is nevertheless so similar to or incidental to the
conduct authorized as to be within the scope of employment, the
following matters of fact are to be considered;
(a) Whether or not the act is one commonly done by such
servants;
(b) The time, place and purpose of the act;
(c) The previous relations between the master and the servant;
(d) The extent to which the business of the master is
apportioned between different servants;
(e) Whether or not the act is outside the enterprise of the
master or, if within the enterprise, has not been entrusted to any
servant;
(f) Whether or not the master has reason to expect that such an
act will be done;
(g) The similarity in quality of the act done to the act
authorized;
(h) Whether or not the instrumentality by which the harm is done
has been furnished by the master to the servant;
(i) The extent of departure from the normal method of
accomplishing an authorized result; and
(j) Whether or not the act is seriously criminal.
In some cases, under federal agency law, a principal may be liable
for an agent's acts even if the agent acts outside the scope of its
authority. Rest. 2nd Agency Sec. 219(2). However, proposed Sec.
160.402(c) would follow section 1128A(l), which limits liability for
the actions of an agent to those actions that are within the scope of
the agency.
ii. Agents
Various categories of persons may be agents of a covered entity.
These are workforce members, business associates, and others.
``Workforce'' is defined as ``employees, volunteers, trainees, and
other persons whose conduct, in the performance of work for a covered
entity, is under the direct control of such entity, whether or not they
are paid by the covered entity.'' 45 CFR 160.103. Because of the
``direct control'' language of the rule, we believe that all workforce
members, including those who are not employees, are agents of a covered
entity. This conclusion is consistent with the requirements at
Sec. Sec. 164.308(a)(5) and 164.530(b) for a covered entity to train
all workforce members and with the requirement at Sec. 164.514(d)(2)
for a covered entity to adopt minimum necessary policies and procedures
for use of protected health information by all workforce members. The
workforce may include an independent contractor; as explained in the
preamble to the Privacy Rule, independent contractors ``may or may not
be workforce members.'' 65 FR 82480. Under the proposed rule, a covered
entity could be liable for a civil money penalty for a violation by any
workforce member, whether an employee, contractor, volunteer, trainee,
etc., acting within the scope of his or her employment or agency. We
specifically request comment on whether there are categories of
workforce members whom it would be
[[Page 20233]]
inappropriate to treat as agents under Sec. 160.402(c).
The definition of the term ``business associate,'' set forth at
Sec. 160.103, includes any agents of a covered entity, other than
members of its workforce, that perform on its behalf any function or
activity regulated by the HIPAA rules or perform certain specified
services for the covered entity that involve the use or disclosure of
protected health information. Under the Security and Privacy Rules, the
covered entity may disclose protected health information to the
business associate, and allow the business associate to create or
receive protected health information on its behalf, if the covered
entity complies with relevant requirements to obtain satisfactory
assurances that the business associate will appropriately safeguard the
information. In particular, Sec. Sec. 164.308(b) and 164.502(e) of the
HIPAA rules require covered entities using the services of business
associates to obtain satisfactory assurances, by a written contract or
other arrangement, that the business associate will safeguard the
protected health information. If the covered entity complies with these
requirements, then it can protect itself from what could otherwise be
liability for actions of its agent business associates that violate the
HIPAA rules. As specified in Sec. Sec. 164.314(a)(1)(ii) and
164.504(e)(1)(ii), even if a covered entity knows of a pattern of
activity or practice by the business associate that constitutes a
material breach or violation of the business associate's obligations
under the contract, the covered entity will not be considered to be in
violation of the regulations if it takes certain actions. If the
covered entity fails to take these steps, however, it is outside the
safe harbor provided by the Security and Privacy Rules and may be
subject to penalty.
Some business associates are also covered entities. Health care
clearinghouses are one example of this situation, but a covered health
care provider or a health plan may also act as a business associate of
another covered entity. The business associate provisions of the
Security and Privacy Rules provide that where one covered entity acts
as the business associate of another covered entity and violates the
satisfactory assurances it provided as a business associate, it is
separately liable for violation of the business associate provisions of
the Security and Privacy Rules. See Sec. Sec. 164.308(b)(3) and
164.502(e)(1)(iii). If the act or omission that resulted in a breach of
the business associate contract by the covered entity business
associate would also constitute a violation of an underlying provision
of the Security or Privacy Rule by that covered entity business
associate, it would be in violation of the underlying provision as
well.
To make this proposed rule consistent with the business associate
provisions of the HIPAA rules, the proposed rule would carve out from
the provision for vicarious liability those actions by a business
associate that would be shielded by the business associate provisions
of the Security and Privacy Rules. Thus, a covered entity that is in
compliance with the business associate provisions of the Security and
Privacy Rules would not be liable for a violation of those rules by the
business associate, even though the business associate is the covered
entity's agent and was acting within the scope of its agency when it
violated the rule. We recognize that in many cases, a business
associate contract may establish an agency relationship. However, there
may also be situations in which the business associate may not be an
agent. For example, the Privacy Rule permits a covered entity to rely,
if such reliance is reasonable, on the request of a professional who is
a business associate as the minimum necessary. This suggests that a
business associate may not always be sufficiently under the direct
control of the covered entity to qualify as an agent.
HHS has issued guidance stating that a covered entity is not
required to monitor the activities of its business associate:
The HIPAA Privacy Rule requires covered entities to enter into
written contracts or other arrangements with business associates
which protect the privacy of protected health information; but
covered entities are not required to monitor or oversee the means by
which their business associate carry out privacy safeguards or the
extent to which the business associate abides by the privacy
requirements of the contract. Nor is the covered entity responsible
or liable for the actions of its business associates. However, if a
covered entity finds out about a material breach or violation of the
contract by the business associate, it must take reasonable steps to
cure the breach or end the violation, and, if unsuccessful,
terminate the contract with the business associate. If termination
is not feasible (e.g., where there are no other viable business
alternatives for the covered entity), the covered entity must report
the problem to the Department of Health and Human Services Office
for Civil Rights.
FAQ Answer ID 236 at www.hhs.gov/ocr/hipaa, entitled ``Is a
covered entity liable for, or required to monitor, the actions of its
business associates?'' (Click on the link for Answers to Your
Frequently Asked Questions, and then select and search on the
subcategory for Business Associates.) Proposed Sec. 160.402(c) is
consistent with this guidance. If the covered entity complies with the
applicable business associate provisions, the covered entity will not
be held liable for the actions of its business associate.
Concomitantly, if the covered entity fails to comply with those
provisions, such as by not entering into the requisite arrangements or
contracts, or by not taking reasonable steps to cure the breach or end
the violation, it could be held liable under proposed Sec. 160.402(c)
for the actions of its business associate agent.
2. Sections 160.404, 160.406, 160.408--Calculation of Penalties
a. Section 160.404--Amount of a Civil Money Penalty
Section 1176(a)(1) establishes maximum penalty amounts for
violations. The statute provides a maximum penalty of ``not more than
$100'' for each violation (see section IV.B.2 above for the discussion
of ``violation''), and the penalty imposed on a covered entity ``for
all violations of an identical requirement or prohibition during a
calendar year may not exceed $25,000.''
The statute establishes only maximum penalty amounts, so the
Secretary has the discretion to impose penalties that are less than the
statutory maximum. This proposed regulation would not establish minimum
penalties. Under proposed Sec. 160.404(a), the penalty amount would be
determined through the method provided for in proposed Sec. 160.406,
using the factors set forth in proposed Sec. 160.408, and subject to
the statutory caps reflected in proposed Sec. 160.404(b) and any
reduction under proposed Sec. 160.412.
Proposed Sec. 160.404 would follow the language of the statute and
establish the maximum penalties for a violation and for identical
violations during a calendar year, as set forth in the statute--up to
$100 per violation and up to $25,000 for identical violations in a
calendar year. Proposed Sec. 160.404(b) makes clear that the term
``calendar year'' means the period from January 1 through the following
December 31.
An identical violation is a violation of the same requirement or
prohibition in one of the HIPAA rules or in the statute. It is based on
the provision of the regulation or statute that has been violated and
not on whether the violations relate to the same individual's protected
health information, the same transaction, or are with the same trading
partner. For example, assume that a health plan includes in its trading
partner
[[Page 20234]]
agreements a provision that requires the submission of a data element
that is not included in the implementation guides for transactions
covered by the agreement and requires 7,500 different trading partners
to sign such agreements in a calendar year. Inclusion of the provision
violates Sec. 162.915(b), which prohibits covered entities from
entering into a trading partner agreement which adds any data element
or segments to the maximum defined data set. If the penalty is assessed
at $100/violation, the total penalty for all such violations would
amount to $750,000 ($100 x 7500). However, the maximum penalty that may
be assessed for the calendar year for those violations is $25,000,
because they all relate to the same prohibition. This is the case even
though the violations involve 7,500 different trading partners.
b. Section 160.404(b)(2)--Violations of Repeated or Overlapping
Provisions in a HIPAA Rule
Some requirements or prohibitions in the provisions of a HIPAA rule
may be repeated in, or may overlap, other provisions in the same rule.
We propose Sec. 160.404(b)(2) to make clear that a violation of a more
specific requirement or prohibition, such as one contained within an
implementation specification, is not also counted, for purposes of
determining civil money penalties, as an automatic violation of a
broader requirement or prohibition that entirely encompasses the more
specific one, in that such duplicative requirements generally reflect
considerations of drafting and not of substance. Under this proposal,
the Secretary could impose a civil money penalty for violation of
either the general or the specific requirement, but not both.
For example, if, after the applicable compliance date for the
Security Rule, a covered entity violates the requirement to implement
policies and procedures for facility access controls at Sec.
164.310(a)(1), the covered entity will also have violated the Security
Rule's provision at Sec. 164.316(a), which is the general standard
requiring the implementation of policies and procedures. Similarly, if
a covered entity fails to implement minimum necessary policies and
procedures for uses of protected health information as required by the
implementation specification at Sec. 164.514(d)(2) of the Privacy
Rule, the covered entity also has violated the minimum necessary
standard at Sec. 164.514(d)(1), which requires compliance with the
implementation specification. In these two examples, the proposed
provision would treat the act or omission as a violation of only one of
the identified administrative simplification provisions, not both, for
purposes of imposing civil money penalties.
Proposed Sec. 160.404(b)(2) would not apply where a covered
entity's action results in violations of multiple, differing
requirements or prohibitions within the same HIPAA rule, however. The
following is an example: due to inadequate safeguards, a covered entity
uses protected health information in a manner prohibited by the Privacy
Rule. Civil money penalties may be imposed on the covered entity for
its violation of the use provision in Sec. 164.502(a), as well as for
its violation of the safeguards requirement in Sec. 164.530(c).
Proposed Sec. 160.404(b)(2) would also not apply where a covered
entity's action may result in a violation of more than one HIPAA rule;
for example, failure to adopt administrative safeguards may violate
both the Privacy Rule (Sec. 164.530(c)) and the Security Rule (Sec.
164.308). In such a case, more than one regulatory standard has been
violated, and the Secretary may assess a penalty under both HIPAA
rules. The proposed provision is limited to duplicate provisions in the
same subpart, or HIPAA rule, and would not apply to limit civil money
penalties for violations of more than one HIPAA rule.
Proposed Sec. 160.404(b)(2) would also not preclude assessing
civil money penalties for multiple violations of an identical
requirement or prohibition.
c. Section 160.406--Number of Violations
As stated above, section 1176(a) provides a maximum penalty for
identical violations by a covered entity in a calendar year. However,
in many cases, it may not be clear exactly how to quantify the number
of violations. Furthermore, the types of requirements and prohibitions
vary among and within the HIPAA rules--for example, requirements to
adopt policies and procedures versus requirements to conduct
transactions in standard format.
There are various possible measures, or variables, that can be used
to count violations, and different laws use one or multiple approaches.
See, e.g., 42 CFR part 488, subpart F. In the context of the HIPAA
rules, there are three basic variables that seem reasonable to use in
calculating the number of violations that have occurred--(1) the number
of impermissible actions or failures to take required actions, (2) the
number of persons involved, and (3) the amount of time during which the
violation occurred.
i. Variables
Actions--The number of violations could be based on the number of
times a covered entity takes a prohibited action (commission) or the
number of times a covered entity fails to take a required action
(omission). The ``action'' variable seems likely to be a workable
variable for determining the number of violations where the acts in
question are discrete and/or repetitive, such as could be the case with
the Transactions Rule. However, the ``action'' variable may have a very
different result in other circumstances. For example, if a covered
entity fails to implement a required policy, there is only one failure
to act, and, therefore, using this variable, the number of violations
of the requirement would be one, even though such a failure to act
might have extended over a long period of time, be intentional, and
have serious consequences for other entities or individuals. Thus, the
``action'' variable might not be appropriate in many circumstances.
Persons--The number of violations could be measured in terms of the
number of persons involved or affected. Persons may be natural persons
or entities, and violations could be counted in terms of one of four
categories of persons.
Individuals who are the subject of protected health
information--for example, the number of individuals who did not receive
access to their records.
Employees for whom the covered entity has an obligation--
for example, the number of employees who improperly took one or more
impermissible actions, such as improperly using protected health
information.
Persons who receive information in violation of the
rules--for example, the number of employees who have access to
protected health information but who should not have such access,
either in violation of the covered entity's minimum necessary policies
or in violation of its access control security procedures.
Other persons affected by the violation--for example, the
number of providers affected by an impermissible health plan
requirement that providers use codes not permitted under subpart J of
the Transactions Rule.
Using the ``person'' variable to determine the number of violations
of a HIPAA rule may or may not be an appropriate approach, depending on
the purpose of the regulatory provision. For example, counting by the
``person'' variable may not be appropriate for
[[Page 20235]]
purposes of counting violations of most of the Transactions Rule
requirements.
Time--When violations are continuous, they could be calculated in
terms of a unit of time, such as calendar days. For example, inclusion
of a term in a trading partner agreement that is not permitted by Sec.
162.915 would be one action, if counted as an action, but, if counted
by time, the number of violations would depend on how long the
impermissible agreement was in effect and what unit of time was applied
to count the number of violations. However, using a time variable makes
less sense for violations that are distinct and repetitive, such as
many Transactions Rule violations would be. For example, if a covered
entity conducted 3000 transactions that were not in standard form over
a two-day period and another covered entity conducted two transactions
that were not in standard form over a two-day period, each set of facts
would result in two violations under a ``per day'' approach.
ii. Determining the Number of Violations
Proposed Sec. 160.406 would establish the general rule that the
Secretary will determine the number of violations of an identical
requirement or prohibition by a covered entity by applying any of the
variables of action, person, or time, as follows: (1) The number of
times the covered entity failed to engage in required conduct or
engaged in a prohibited act; (2) the number of persons involved in, or
affected by, the violation; or (3) the duration of the violation,
counted in days (because many of the HIPAA requirements are in terms of
days, this seems to be the most appropriate unit of time to use).
Paragraph (a) of this section would require the Secretary to determine
the appropriate variable or variables for counting the number of
violations based on the specific facts and circumstances related to the
violation, and take into consideration the underlying purpose of the
particular HIPAA rule that is violated. More than one variable could be
used to determine the number of violations (for example, the number of
people affected times the time (number of days) over which the
violation occurred). Because of the range of circumstances that can be
presented in determining the number of violations and the very
different nature of the HIPAA rules that may be implicated by those
violations, the Secretary would have discretion in determining which
variable or variables were appropriate for determining the number of
violations rather than being required to use a rigid formula, which
could produce arbitrary results. Under this proposal, the policy for
determining which variable(s) to use for which type of violation would
be developed in the context of specific cases rather than established
by regulation. Subsequent cases would be decided consistently with
prior similar cases. This option would defer more specific decisions
regarding the appropriate variable(s) for counting penalties to such
time as a case raising the HIPAA provision occurs.
Several approaches were considered in deciding how to determine the
number of violations:
Use one variable for all of the HIPAA rules. While this
approach has greater consistency, the variation among the rules in
terms of their types of requirements and prohibitions makes it
difficult to identify one variable that would work equally well in each
rule.
Use one variable or approach for each individual HIPAA
rule. This approach would also have greater consistency and certainty.
However, it would not address the variations within HIPAA rules and
could be confusing when a covered entity violated more than one rule.
Categorize requirements and prohibitions and assign
variables to each. This approach would increase certainty and
consistency across all of the HIPAA rules but would likely result in a
complex scheme that might operate unfairly.
After weighing the advantages and disadvantages of each approach,
it was determined that it would be preferable to determine the
appropriate variable(s) for particular types of violations based on the
context of a specific case. We welcome comments on this approach, the
options that were considered, and other potential options for
determining the number of violations.
d. Section 160.408--Factors Considered in Determining the Amount of a
Civil Money Penalty
Section 1176(a)(2) states that, with some exceptions, the
provisions of section 1128A of the Act shall apply to the imposition of
a civil money penalty under section 1176 ``in the same manner as'' such
provisions apply to the imposition of a civil money penalty under
section 1128A. Section 1128A(d) requires that--
in determining the amount of * * * any penalty, * * * the Secretary
shall take into account--
(1) The nature of the claims and the circumstances under which
they were presented,
(2) The degree of culpability, history of prior offenses and
financial condition of the person presenting the claims, and
(3) Such other matters as justice may require.
This language establishes factors to be considered in determining
the ultimate amount of a civil money penalty. Because section 1176
requires that civil money penalties be imposed in the same manner as
civil money penalties are imposed under section 1128A, such factors
should be applied to determining the amount of a civil money penalty
for HIPAA violations. This approach is consistent with the approach
taken in other regulations that cross-reference section 1128A, which
rely on these factors for purposes of determining civil money penalty
amounts. See, e.g., 42 CFR 488.438.
The factors listed in section 1128A(d) were drafted to apply to
violations involving claims for payment under federally funded health
programs. Because HIPAA violations will usually not be about specific
claims, HHS proposes to tailor the section 1128A(d) factors to the
HIPAA rules and break them into their component elements for ease of
understanding and application, as follows: (1) The nature of the
violation; (2) the circumstances under which the violation occurred;
(3) degree of culpability; (4) history of prior offenses; (5) financial
condition of the covered entity; and (6) such other matters as justice
may require.
Many regulations that implement section 1128A, such as the OIG
regulations, further particularize the statutory factors by providing
discrete criteria. Consistent with these other regulations, and in
order to provide more guidance to covered entities as to the factors
that would be used in calculating civil money penalties for violations
of the HIPAA rules, we propose a more specific list of circumstances
that would be considered in calculating penalty amounts. Therefore,
proposed Sec. 160.408 provides detailed factors, within the categories
stated above, to consider in determining the amount of a civil money
penalty, as follows:
(1) The nature of the violation, when considered in light of the
purposes of the rule violated.
(2) The circumstances under which the violation occurred and the
consequences, including the time period during which the violation(s)
occurred, whether the violation caused physical harm, whether the
violation hindered or facilitated an individual's ability to obtain
health care, and whether the violation resulted in financial harm.
(3) The degree of culpability of the covered entity, including
whether the violation was intentional, and whether the violation was
beyond the direct control of the covered entity.
[[Page 20236]]
(4) Any history of prior offenses of the covered entity, including
whether the current violation is the same or similar to prior
violation(s), whether and to what extent the covered entity has
attempted to correct previous violations, how the covered entity has
responded to technical assistance from the Secretary provided in the
context of a compliance effort, and how the covered entity has
responded to prior complaints. This could include any violations that
have been brought to the covered entity's attention, including
complaints raised by individuals directly to the covered entity,
violations of which the covered entity became aware on its own, and
violations that have been raised in the context of a complaint to the
Secretary.
(5) The financial condition of the covered entity, including
whether the covered entity had financial difficulties that affected its
ability to comply, whether the imposition of a civil money penalty
would jeopardize the ability of the covered entity to continue to
provide, or to pay for, health care, and the size of the covered
entity.
(6) Such other matters as justice may require.
In many regulations that implement section 1128A, including the OIG
regulations, the statutory factors and/or the discrete criteria are
designated as either aggravating or mitigating. See, e.g., 42 CFR
1003.106(b)-(d). For example, in some of these regulations, history of
prior offenses is listed as an aggravating factor. See, e.g., 42 CFR
1003.106(b)(3). However, because the Enforcement Rule will apply to a
number of rules and an enormous number of entities and circumstances,
factors may be aggravating or mitigating, depending on the context. For
example, the factor ``time period during which the violation(s)
occurred'' could be an aggravating circumstance where the covered
entity decided not to comply at all with a HIPAA provision, but be a
mitigating circumstance where a covered entity quickly found and
corrected repetitive noncompliance. Thus, we do not propose to label
any of these factors as aggravating or mitigating. Rather, proposed
Sec. 160.408 lists factors that may be considered by the Secretary as
aggravating or mitigating in determining the amount of the civil money
penalty to impose. The proposed approach would allow the Secretary to
choose whether to consider a particular factor and how to consider each
factor as appropriate in each situation to avoid unfair or
inappropriate results. It also would keep the rule simple and makes
possible a list of factors to consider in determining penalties that
can work in all cases.
We propose to leave to the Secretary's discretion the decision
regarding when aggravating and mitigating factors will be taken into
account in determining the amount of the civil money penalty. This
approach is consistent with other regulations implementing section
1128A, which do not explain how or at what point in the process these
factors apply. See, e.g., 42 CFR 488.438.
3. Section 160.410--Affirmative Defenses to the Imposition of a Civil
Money Penalty
Proposed Sec. 160.410 implements section 1176(b)(1)--(3) of the
Act, which specify certain limitations with respect to when civil money
penalties may be imposed. Paragraphs (1), (2), and (3) of section
1176(b) each state that, if the conditions described in those
paragraphs are met, ``a penalty may not be imposed under subsection
(a)'' of section 1176. Under section 1176(b)(1), a civil money penalty
may not be imposed with respect to an act that would be punishable by a
criminal penalty under section 1177 of the Act. Under section
1176(b)(2), a civil money penalty may not be imposed if it is
established to the satisfaction of the Secretary that the person who
would be liable for the civil money penalty ``did not know, and by
exercising reasonable diligence would not have known'' that the person
violated the provision. Under section 1176(b)(3), a civil money penalty
may not be imposed if the failure to comply ``was due to reasonable
cause and not to willful neglect'' and is corrected within a certain
period.
Where it is shown that one or more of these grounds exists with
respect to a violation for which a civil money penalty is sought, such
a showing bars the imposition of a civil money penalty for the
violation. The provisions at section 1176(b)(1), (2), and (3), thus,
constitute complete defenses to the imposition of a civil money
penalty. As such, they meet the definition of an affirmative defense:
``A defendant's assertion raising new facts and arguments that, if
true, will defeat the plaintiff's or prosecution's claim, even if all
allegations in the complaint are true.'' Black's Law Dictionary (West,
7th ed. 1999).
Accordingly, proposed Sec. 160.410 would characterize the
limitations under section 1176(b)(1), (2), and (3) as ``affirmative
defenses,'' to make clear that they must be raised in the first
instance by the respondent. See the discussion at section IV.D.10 below
regarding proposed Sec. 160.534, with respect to the burden of proof.
However, characterizing these grounds as affirmative defenses would not
prevent the Secretary from concluding, based on information already in
his possession, that one of these limitations applied. If the Secretary
were to conclude, based on his investigation or on information provided
by the covered entity under proposed Sec. 160.312(a)(3)(i), that one
or more of these limitations applied with respect to a violation, the
Secretary would not pursue the civil money penalty action with respect
to the violation. However, proposed Sec. 160.410 assumes the situation
where the Secretary, through OCR or CMS, has concluded that none of the
statutory limitations at section 1176(b)(1), (2), or (3) applies to a
particular case and has, accordingly, issued a notice of proposed
determination to impose a civil money penalty. The purpose of Sec.
160.410, therefore, is to describe what the respondent must show in
order to establish such a defense in the proceeding that could then
follow.
The grounds stated in sections 1176(b)(2) and (b)(3) are grounds
about which the covered entity would be knowledgeable and could produce
evidence. Treating them as affirmative defenses is consistent with how
similar language in other statutes has been implemented. For example,
similar language in section 102 of HIPAA has been treated as an
affirmative defense: Under the implementing regulations at 45 CFR
150.341(b), the burden of persuasion is on the entity to establish that
no responsible entity knew, or, exercising reasonable diligence, would
have known of the violation. Examples of a similar assignment of burden
in connection with similar statutory language are found elsewhere. See,
e.g., 26 CFR 301.6651-1(c), implementing 26 U.S.C. 6651 (a failure to
timely file a tax return ``is due to reasonable cause and not due to
willful neglect * * * ''), requires ``an affirmative showing of all
facts alleged as a reasonable cause * * * '' by the taxpayer; 8 CFR
280.5, 280.51, implementing 8 U.S.C. 1323 (remission of penalty for
bringing in illegal aliens if the person ``could not have ascertained,
by the exercise of reasonable diligence, that * * * ''), place the
burden on the party seeking remission; 11 U.S.C. 110 (penalties for
persons who fraudulently prepare bankruptcy petitions except where
failure is ``due to reasonable cause'') has been treated as an
affirmative defense, U.S. Trustee v. Womack, 201 B.R. 511, 518 (E.D.
Ark. 1996).
Under section 1176(b)(1), a civil money penalty may not be imposed
if the act in question ``constitutes an offense punishable under
section 1177.'' While it might appear unlikely that a
[[Page 20237]]
covered entity would raise this as an affirmative defense, section
1176(b)(1) parallels sections 1176(b)(2) and (b)(3) in both structure
and function. This construction suggests that Congress intended that it
be treated in a parallel manner. Proposed Sec. 160.410, accordingly,
would do so.
Finally, we recognize that other affirmative defenses might be
available in a particular case. In order not to preclude the raising of
affirmative defenses that could legitimately be raised, the
introductory text of proposed Sec. 160.410 is drafted to permit a
respondent to offer affirmative defenses other than those provided in
section 1176(b).
a. Section 160.410(b)(1)--Affirmative Defense Based on Violation Being
a Criminal Offense
Section 1176(b)(1) provides that the Secretary may not impose a
civil money penalty ``with respect to an act if the act constitutes an
offense punishable under section 1177.'' Section 1177(a) provides as
follows:
A person who knowingly and in violation of this part--
(1) Uses or causes to be used a unique health identifier;
(2) Obtains individually identifiable health information
relating to an individual; or
(3) Discloses individually identifiable health information
relating to another person, shall be punished as provided in
subsection (b).
Subsection (b) of section 1177, in turn, sets out three levels of
penalties. The level of penalty varies depending on the circumstances
under which the offense was committed.
The proposed rule simply refers to the statutory provision. As the
criminal penalty provision that provides the basis for this defense is
administered by the U.S. Department of Justice, we do not propose to
elaborate upon it in this regulation.
b. Section 160.410(b)(2)--Affirmative Defense Based on Lack of
Knowledge
Section 1176(b)(2) provides as follows:
A penalty may not be imposed under subsection (a) with respect
to a provision of this part if it is established to the satisfaction
of the Secretary that the person liable for the penalty did not
know, and by exercising reasonable diligence would not have known,
that such person violated the provision.
For a covered entity to establish an affirmative defense under section
1176(b)(2), it must show that it did not have actual or constructive
knowledge of the violation. What is required for such a showing raises
several issues: (1) What ``knowledge'' will make the ``lack of
knowledge'' defense no longer available; (2) when is the ``knowledge''
of an agent imputed to the covered entity; and (3) what constitutes
``reasonable diligence.''
i. ``Knowledge''
The first question is what must the covered entity ``know'' in
order for the defense of section 1176(b)(2) to be no longer available.
Specifically, if the covered entity knows of the facts that constitute
the violation, but does not know that they constitute a violation, is
the defense under section 1176(b)(2) no longer available?
A civil money penalty may not be imposed for a violation ``if it is
established to the satisfaction of the Secretary that the person liable
for the penalty did not know * * * that such person violated the
provision.'' This language on its face suggests that the knowledge
involved must be knowledge that a ``violation'' has occurred, not just
knowledge of the facts constituting the violation. Section 1176(b)(3)
supports this reading. Under section 1176(b)(3)(A)(i), the cure
period--i.e., the period in which the violation must be corrected if
the covered entity is to avail itself of the defense under section
1176(b)(3)--begins to run ``on the first date the person liable for the
penalty knew, or by exercising reasonable diligence would have known,
that the failure to comply occurred.'' The duty to take corrective
action under section 1176(b)(3), thus, flows from knowledge that ``the
failure to comply occurred.'' We, thus, interpret this knowledge
requirement to mean that the covered entity must have knowledge that a
violation has occurred, not just knowledge of the facts underlying the
violation. We use the statutory language in framing this requirement.
This reading of the statute would not reward ignorance that is
careless or deliberate. The requirement of section 1176(b)(2) that the
covered entity exercise ``reasonable diligence,'' discussed below,
would make a lack of knowledge defense unavailable where a covered
entity's ignorance arises from its failure to inform itself about its
compliance obligations or to investigate complaints or other
information it receives indicating likely noncompliance.
ii. Imputed Knowledge
In order to avail itself of the lack of knowledge defense, a
corporate entity must show that (1) its responsible officers or
managers did not know about the violation, and (2) even if an employee
or other agent had actual knowledge of the violation, why that
knowledge should not be imputed to the managers and, thus, to the
corporate entity itself. Whether knowledge can be imputed to a covered
entity's responsible officers or managers will be determined by
principles of agency. We clarify this by providing in proposed Sec.
160.410(b)(2) that such knowledge will be ``determined by the federal
common law of agency.'' As noted in the discussion in section
IV.C.1.b.i above, we would expect, as a general matter, to follow the
principles set forth in the Restatement (Second) of Agency with respect
to this issue. Under the general rule at section 272 of the
Restatement, an agent's actual or constructive knowledge is imputed to
the principal, subject to certain exceptions. Rest. 2nd of Agency
(1958), comments a and b. Whether any of these exceptions are
applicable would depend on the circumstances of each case. We solicit
comment on this approach and, in particular, illustrations and
explanations of cases where more or less specificity might be helpful.
iii. Reasonable Diligence
The defense under section 1176(b)(2) is available only if the
covered entity ``by exercising reasonable diligence would not have
known ... that the [covered entity] violated the provision.'' The
question this language raises is what action is required in order for a
covered entity to be able to show that it has exercised reasonable
diligence and that its ignorance of the violation is, hence, excused.
The phrase ``reasonable diligence'' has applications in many areas
of the law. ``Reasonable diligence'' is typically defined as ``1. A
fair degree of diligence expected from someone of ordinary prudence
under circumstances like those at issue. 2. See due diligence (1).''
Black's Law Dictionary (West, 7th edition, 1999). ``Due diligence'' is,
in turn, defined as ``1. The diligence reasonably expected from, and
ordinarily exercised by, a person who seeks to satisfy a legal
requirement or to discharge an obligation.--Also termed reasonable
diligence.'' Id. In the context of section 1176(b)(2), these concepts
equate, we believe, to the concept of ``constructive knowledge.'' As
usually defined, ``constructive knowledge'' is the ``knowledge that one
using reasonable care or diligence should have, and therefore that is
attributed by law to a given person.'' Id.
The determination of whether a person acted with reasonable
diligence is generally a factual one, since what is reasonable depends
on the circumstances. Martin v. OSHRC (Milliken & Co.), 947 F.2d 1483
(11th Cir. 1991); Bell Telephone Laboratories,
[[Page 20238]]
Inc. v. Hughes Aircraft Co., 564 F.2d 654 (3rd Cir. 1977). The courts
use a variety of formulations to articulate when a person will be
deemed to have known--i.e., to have constructive knowledge--that a
particular incident occurred. However, the various formulations have
common elements. They identify a ``prudent'' or ``reasonable'' person
and consider whether that person would, under similar circumstances,
have become aware of the information in question. They consider how
``available'' the information is; for example, was the information in
the covered entity's possession (such as in its electronic information
system) or not. They consider whether there was ``some reason to awaken
inquiry and suggest investigation;'' for example, had prior experience
suggested that there could be problems, which a reasonable person would
have investigated.
We considered three options for implementing the provisions at
section 1176(b)(2). One approach would be simply to repeat the
statutory language; a second approach would be to provide a more
detailed statement of criteria for establishing reasonable diligence;
and the third approach would be to provide examples of situations that
would (or would not) constitute reasonable diligence. We selected the
second in order to provide some guidance, but not unduly circumscribe
future decisions. Adapting the Black's definition of due diligence to
the present context, proposed Sec. 160.410(a) would define
``reasonable diligence'' to mean ``the business care and prudence
expected from a person seeking to satisfy a legal requirement under
similar circumstances.'' Factors to be considered in evaluating the
applicability of this affirmative defense would include whether the
covered entity took reasonable steps to learn of such violations and
whether there were indications of possible violations, such as a
complaint or other information made known to the entity, that a person
seeking to satisfy a legal requirement would have investigated under
similar circumstances.
c. Section 160.410(b)(3)--Affirmative Defense Based on Reasonable Cause
Section 1176(b)(3) provides as follows:
(A) In general. Except as provided in subparagraph (B), a
penalty may not be imposed under subsection (a) if--
(i) The failure to comply was due to reasonable cause and not to
willful neglect; and
(ii) The failure to comply is corrected during the 30-day period
beginning on the first date the person liable for the penalty knew,
or by exercising reasonable diligence would have known, that the
failure to comply occurred.
(B) Extension of period.
(i) No penalty. The period referred to in subparagraph (a)(ii)
may be extended as determined appropriate by the Secretary based on
the nature and extent of the failure to comply.
These provisions raise several issues: (1) What is reasonable cause;
(2) what is willful neglect; and (3) how should the cure period be
determined.
i. Reasonable Cause
For the defense under section 1176 (b)(3) to be available, the
failure to comply at issue must be ``due to reasonable cause and not to
willful neglect'' (as well as corrected within the cure period). This
language has a close analog in the Internal Revenue Code (IRC), which
provides for an exemption from penalties for late filing where the late
filing ``is due to reasonable cause and not due to willful neglect.''
26 U.S.C. 6651(a). This IRC language was construed by the United States
Supreme Court in United States v. Boyle, 469 U.S. 241, 245 (1985). The
Internal Revenue Service (IRS) had articulated specific factors that
would constitute reasonable cause for late filing; in discussing these
factors, the Court noted that the underlying principle was whether the
circumstances were beyond the taxpayer's control.
HHS has already adopted criteria interpreting paragraph (b)(3) that
are not unlike those adopted by the IRS in connection with its late
filing penalty statute. In the guidance published on July 24, 2003 (CMS
Guidance), the criteria developed to address the October 16, 2003
compliance deadline problems for the Transactions Rule are similar in
nature to those developed by the IRS. Like the IRS criteria, they
premise the existence of reasonable cause on the existence of
circumstances outside of the covered entity's control which make
compliance with the Transactions Rule unreasonable.
We considered three options for implementing the reasonable cause
language of section 1176(b)(3): repeating the statutory language;
providing a more detailed statement of the criteria for establishing
reasonable cause; or providing examples of situations that would (or
would not) constitute reasonable cause. As with our decision about
reasonable diligence, we took the second approach. Proposed Sec.
160.410(a) would define ``reasonable cause'' as ``circumstances that
make it unreasonable for the covered entity, despite the exercise of
ordinary business care and prudence, to comply with the administrative
simplification provision violated.'' This definition is generally based
on the view of the Supreme Court in Boyle, but it is tailored to the
HIPAA context in which the judgment in question would be made. It
describes with more specificity the test for determining whether
reasonable cause exists, but does not limit this test by specific
examples. Thus, establishing reasonable cause under section 1176(b)(3)
would require demonstrating circumstances that would make it
unreasonable to expect an entity exercising ordinary business care and
prudence to comply with the particular requirement that has been
violated. The determination of whether reasonable cause exists is
generally, and under this definition would be, a factual one, since
what is ``reasonable'' depends on the circumstances.
ii. Willful Neglect
For the defense under section 1176(b)(3) to be available, the
failure of compliance must not be due to ``willful neglect.'' In Boyle,
discussed above, the Supreme Court defined ``willful neglect'' as
``conscious, intentional failure or reckless indifference'' and
indicated that this concept includes carelessness or other types of
fault. 469 U.S. at 245. Since the definition of the term ``willful
neglect'' is well settled, we propose to adapt this definition of the
term in proposed Sec. 160.410(a): ``conscious, intentional failure or
reckless indifference to the obligation to comply with the
administrative simplification provision violated.'' This definition
reflects the concern that underlies the statutory language: where
willful neglect caused the ``failure to comply'' in question, the
penalty should not be excused.
The proposed definition is also consistent with the approach
already taken by HHS in the CMS Guidance. In the CMS Guidance, HHS
stated that, in determining whether noncompliance with the Transactions
Rule would be penalized, it would consider the ``good faith efforts''
of the covered entities deploying contingency measures after October
16, 2003 as they work to come into compliance with the Transactions
Rule. The presence of such ``good faith'' or diligent efforts to comply
evidences the absence of willful neglect, because it demonstrates the
absence of a ``reckless indifference to the obligation to comply with
the administrative simplification provision violated.''
The issue of whether there was willful neglect would be a factual
inquiry separate from the question of whether reasonable cause existed,
because section 1176(b)(3) requires both the presence of reasonable
cause and the
[[Page 20239]]
absence of willful neglect. In the IRC cases discussed above, for
example, proving the lack of willful neglect does not establish the
existence of reasonable cause. However, a finding concerning one
element may obviate the necessity of determining the other element, by
ruling out the existence of a condition precedent for the affirmative
defense. Thus, where it is found that reasonable cause does not exist,
the presence or absence of willful neglect need not be determined;
similarly, if it is found that willful neglect exists, the presence or
absence of reasonable cause need not be determined.
iii. Determination of the Cure Period
The presence of reasonable cause and absence of willful neglect are
not sufficient, in themselves, to establish an affirmative defense
under section 1176(b)(3). The covered entity must also correct the
violation during the 30-day period beginning when the person knew or
should have known that the violation existed. The statute gives the
Secretary the right to extend this period to the extent he determines
appropriate based on the nature and the extent of the failure to
comply. This language presents two issues with respect to the cure
period: (1) When does the cure period begin; and (2) what limitations,
if any, should be placed on the Secretary's ability to extend the cure
period.
Beginning of the Cure Period. Section 1176(b)(3)(A) provides that
the cure period begins ``on the first date the person liable for the
penalty knew, or by exercising reasonable diligence would have known,
that the failure to comply occurred.'' This language is the converse of
section 1176(b)(2). These two provisions, accordingly, dictate a
sequential analysis. The first question is whether the covered entity
knew, or with reasonable diligence would have known, about the
violation. If the covered entity was ignorant of the violation (i.e.,
it did not have actual or constructive knowledge of the violation),
then no civil money penalty may be imposed for the period in which such
ignorance existed. In such a situation, the covered entity's ignorance
of the violation is a complete defense to imposition of the civil money
penalty, so it is not necessary to reach the question of whether the
grounds for a defense under section 1176(b)(3) are also met. However,
as soon as the covered entity knows (or should have known) of the
violation, then the cure period under section 1176(b)(3)(A)(ii) begins;
simultaneously, the defense of ignorance stops being available to the
covered entity. At that point, the question is whether the grounds for
the ``reasonable cause'' defense (the presence of reasonable cause, the
absence of willful neglect, and cure) exist.
We do not propose to elaborate on the statutory language with
regard to when the cure period begins. The text of proposed Sec.
160.410(b)(3), like the statute, uses the defined term ``reasonable
diligence'' and, thus, builds on the analysis conducted under proposed
Sec. 160.410(b)(2).
Extension of the Cure Period. Section 1176(b)(3)(A)(i) provides
that the cure period may be extended ``as determined appropriate by the
Secretary based on the nature and extent of the failure to comply.''
This statutory language is a broad grant of discretion to the Secretary
to determine what is ``appropriate,'' requiring only that the Secretary
base his decision on the ``nature and extent of the failure to
comply.'' The statutory language requires an analysis based on the
specific circumstances of the particular failure to comply at issue.
Given the enormous number of covered entities, the almost infinite
possible combinations of violations and circumstances, the extensive
and varying experiences of covered entities in coming into compliance,
the newness of both their and our experience with respect to compliance
with the HIPAA rules, and the brevity of the 30-day period during which
changes are required, the Secretary should be afforded significant
discretion to decide when it is appropriate to extend the cure period.
Proposed Sec. 160.410(b)(3)(ii)(B) accordingly follows the statutory
language and would permit the Secretary to use the full discretion
provided by the statute.
4. Section 160.412--Waiver
Section 1176(b)(4) of the Act provides for waiver of a civil money
penalty in certain circumstances. Section 1176(b)(4) provides that, if
the failure to comply is ``due to reasonable cause and not to willful
neglect,'' a penalty that has not already been waived under section
1176(b)(3) ``may be waived to the extent that the payment of such
penalty would be excessive relative to the compliance failure
involved.'' If there is reasonable cause and no willful neglect and
violation has been timely cured, the imposition of the civil money
penalty would be precluded under section 1176(b)(3). Therefore, waiver
under this section would be available only where there is reasonable
cause for the violation and no willful neglect, but the violation was
not timely cured.
Section 1176(b)(4) affords a covered entity a statutory right to
request a waiver. However, the Secretary is not required to grant such
a request: the words ``may be waived'' indicate that the decision to
grant the waiver is discretionary. Moreover, the language ``to the
extent that'' and ``excessive relative to'' indicate that the Secretary
must consider the facts of the case to determine whether, and by what
amount, a penalty may be reduced.
While section 1176(b)(4) might appear to be subsumed by certain of
the statutory factors that could be seen as mitigating factors, this
provision duplicates neither those factors nor the affirmative
defenses. In contrast to the statutory factors, which apply to
determining the amount of a civil money penalty, section 1176(b)(4)
comes formally into play once the penalty amount has been determined,
because only after there is a specific proposed penalty amount can it
be determined whether the penalty ``would be excessive relative to the
compliance failure involved.'' Section 1176(b)(4) differs from the
affirmative defenses in that it is not an absolute preclusion of civil
money penalties; rather, waiver or reduction under section 1176(b)(4)
is discretionary. Finally, in contrast to the mitigating factors and
affirmative defenses, section 1176(b)(4) provides a ground on which a
covered entity may request waiver or reduction of a penalty, once the
penalty amount has been determined.
Proposed Sec. 160.412 does not elaborate on the statute in any
material way. This provision would provide the Secretary with the
flexibility to utilize the discretion provided by the statutory
language as necessary. We deem the statutory criterion itself
reasonably capable of application, and, therefore, are not stating
further criteria at this time.
5. Section 160.414--Limitations
Proposed Sec. 160.414 was adopted by the April 17, 2003 interim
final rule as Sec. 160.522. We propose to move this section, which
sets forth the 6-year limitation period provided for in section
1128A(c)(1), from subpart E to subpart D. We propose to do so because
this provision applies generally to the imposition of civil money
penalties and is not dependent on whether a hearing is requested. We
also propose to change the language of this provision so that the date
of the occurrence of the violation is the date from which the
limitation is determined. We propose this change because the term
``violation'' is defined in this proposed rule, whereas it was not
defined in the April 17, 2003
[[Page 20240]]
interim final rule. Thus, the date of the violation can now be
accurately used to calculate when ``the occurrence took place,'' as
referenced in the statute. See also the discussion at section V.G
below.
6. Section 160.416--Authority To Settle
Proposed Sec. 160.416 was adopted by the April 17, 2003 interim
final rule as Sec. 160.510. We propose to move this section, which
addresses the authority of the Secretary to settle any issue or case or
to compromise any penalty imposed on a covered entity, from subpart E
to subpart D. We propose to do so because this provision applies
generally to the imposition of civil money penalties, and is not
dependent on whether a hearing is requested. No change is made to the
text of the provision.
7. Section 160.418--Penalty Not Exclusive
Proposed Sec. 160.418 is new. It is based upon Sec. 1003.109 of
the OIG regulations. We propose to add this section to make clear that
penalties imposed under this part are not intended to be exclusive
where a violation under this part may also be a violation of, and
subject the respondent to penalties under, another federal or a State
law. Proposed Sec. 160.418 would, however, recognize that, under
section 1176(b)(1) of the Act, a penalty may not be imposed under
section 1176(a) if the act constitutes an offense punishable under
section 1177.
8. Section 160.420--Notice of Proposed Determination
The text of proposed Sec. 160.420 was adopted by the April 17,
2003 interim final rule as Sec. 160.514. We propose to move this
section from subpart E, which sets out the procedures and rights of the
parties to a hearing, to subpart D. We propose to do so because the
notice provided for in this section must be given whenever a civil
money penalty is proposed, regardless of whether a hearing is
requested. No changes are proposed to paragraphs (a)(1) and (a)(3),
(4), or to paragraph (b), except conforming changes. Paragraph (a)(2)
would be revised by adding that, in the event the Secretary employs
statistical sampling techniques under Sec. 160.536, the sample relied
upon and the methodology employed must be generally described in the
notice of proposed determination. A new paragraph (a)(5) would require
the notice to describe any circumstances described in Sec. 160.408
that were considered in determining the amount of the proposed penalty;
this provision corresponds to Sec. 1003.109(a)(5) of the OIG
regulations. The present paragraph (a)(5) would be renumbered as
(a)(6). See also the discussion at sections V.H-V.J below.
9. Section 160.422--Failure To Request a Hearing
The text of proposed Sec. 160.422 was adopted by the April 17,
2003 interim final rule as Sec. 160.516. We would add language (``and
the matter is not settled pursuant to Sec. 160.416'') to recognize
that the Secretary and the respondent may agree to a settlement after
the Secretary has issued a notice of proposed determination. We also
provide that the penalty is final upon receipt of the penalty notice,
to make clear when subsequent actions, such as collection, may
commence.
10. Section 160.424--Collection of Penalty
The text of Sec. 160.424 was adopted by the April 17, 2003 interim
final rule as Sec. 160.518. We propose to move this section, which
addresses how a final penalty is collected, from subpart E to subpart
D. We propose to do so because this provision applies generally to the
imposition of civil money penalties and is not dependent upon whether a
hearing is requested.
11. Section 160.426--Notification of the Public and Other Agencies
Proposed Sec. 160.426 would implement section 1128A(h) of the Act.
When a penalty proposed by the Secretary becomes final, section
1128A(h) directs the Secretary to notify certain specified appropriate
State or local agencies, organizations, and associations and to provide
the reasons for the penalty. We propose to add the public generally, in
order to make the information available to anyone who must make
decisions with respect to covered entities. For instance, knowledge of
the imposition of a civil money penalty for violation of the Privacy
Rule could be important to health care consumers, as well as to covered
entities throughout the industry, while information about the
imposition of a civil money penalty for violation of the Transactions
Rule or other HIPAA rules could be of interest to a covered entity's
trading partners.
The regulatory language would provide for notification in such
manner as the Secretary deems appropriate. Posting to an HHS Web site
and/or the periodic publication of a notice in the Federal Register are
among the methods which the Secretary is considering using for the
efficient dissemination of such information. These methods would avoid
the need for the Secretary to determine which entities, among a
potentially large universe, should be notified and would also permit
the general public served by covered entities upon whom civil money
penalties have been imposed to be apprised of this fact, where that
information is of interest to them. While the Secretary could provide
notice to individual agencies where desired, the Secretary could, at
his option, use a single public method of notice, such as posting to an
HHS Web site, to satisfy the obligation to notify the specified
agencies and the public. See also the discussion at V.B below.
D. Subpart E--Procedures for Hearings
As previously explained, the provisions of section 1128A of the Act
apply to the imposition of a civil money penalty under section 1176
``in the same manner as'' they apply to the imposition of civil money
penalties under section 1128A itself. The provisions of subpart E are,
as a consequence, based in large part upon, and are in many respects
the same as, the OIG regulations. We propose to adapt, re-order, or
combine the language of the OIG regulations in a number of places for
clarity of presentation or to reflect concepts unique to the HIPAA
provisions or rules. To avoid confusion, we have also employed certain
language usages in order to make the usage in the rules consistent with
that in the other HIPAA rules (for example, for mandatory duties,
``must'' or ``will'' instead of ``shall'' is used; for discretionary
duties, ``may'' instead of ``has the authority to'' is used). We do not
discuss those nonsubstantive changes below. Where we propose to
materially change the language of the OIG regulations, however, we
discuss our reasons for doing so.
As noted above, we have reorganized subparts C, D, and E so that
there is a logical organization to the three subparts. Subpart E, as we
propose to revise it, will address the pre-hearing and hearing phases
of the enforcement process. We have discussed the sections that we have
moved to subparts C and D in the discussion of those subparts. The
proposed movement of sections out of subpart E and the introduction of
new sections into subpart E, described below, necessitates the
reordering and renumbering of other sections of the existing subpart E,
so that the subpart is organized logically. We do not discuss such
proposed reordering and renumbering, unless we propose to change
substantially the text of the section in question.
In the April 17, 2003 interim final rule, we deferred consideration
of certain provisions so that they could be
[[Page 20241]]
addressed through notice-and-comment rule making. Claims of privilege
and other objections to the taking of testimony at investigational
hearings are addressed in proposed Sec. 160.314. The proposed rules
relating to what constitutes ``a violation of a provision of this
part'' and how the amount of civil money penalties will be determined
are found in Sec. 160.302 of the proposed subpart C and in Sec. Sec.
160.402--160.408, respectively, of the proposed subpart D. We include
in proposed subpart E the proposed rules that relate to the conduct of
a hearing.
1. Section 160.500--Applicability
This section has been revised to reflect the more limited scope
proposed for subpart E, resulting from the movement of many of the
provisions in the April 17, 2003 interim final rule to proposed
subparts C and D.
2. Section 160.502--Definitions
Most of the definitions in this section of the April 17, 2003
interim final rule have been moved either to Sec. 160.103 or to Sec.
160.302, and are discussed in connection with those sections. In
addition, we propose to delete the term ``entity'' from this section.
The term is used in various contexts throughout the HIPAA rules, and we
believe that the definition in the April 17, 2003 interim final rule
may prove confusing with respect to the other HIPAA rules.
A new definition is added to this section--a definition of the term
``Board,'' which stands for the HHS Departmental Appeals Board. The
term ``Board'' is used instead of the term ``DAB'', which is used in
the OIG regulations, to make clear that the reviewing body is the panel
of three judges that conducts appellate review of ALJ decisions for
HHS. This term is defined because it appears in proposed Sec. 160.548,
discussed below.
3. Section 160.504--Hearing before an ALJ
This section, which is Sec. 160.526 of the April 17, 2003 interim
final rule, would be largely unchanged. We note that, for a hearing
request dismissed under this section as failing to raise any issue that
may be properly addressed in a hearing (such as a hearing request that
only raises constitutional claims), this subpart provides the
administrative review channel leading to judicial review of such
claims. Thus, such a dismissal would have to be appealed to the Board,
under proposed Sec. 160.548, as a predicate to appeal to the federal
courts.
The current Sec. 160.526(a)(2) states that the Departmental party
in a hearing is ``the Secretary.'' The term ``Secretary'' is defined at
Sec. 160.103 of the HIPAA rules as ``the Secretary of Health and Human
Services or any other officer or employee of HHS to whom the authority
involved has been delegated.'' The Secretary's authority to interpret
and enforce the HIPAA rules has been delegated to OCR, in the case of
the Privacy Rule, and to CMS, in the case of the non-privacy HIPAA
rules. Thus, the Secretary's investigative authority and authority to
make a proposed determination of liability for a civil money penalty
are exercised by OCR and/or CMS, depending on the HIPAA rule or rules
at issue. However, in proposed subpart E, the Secretary is performing
diverse functions: the adjudicative function is being performed for the
Secretary by the ALJ and the Board, and the decision reached through
this adjudicative process becomes the decision of the Secretary; at the
same time, OCR and/or CMS are acting for the Secretary in defending the
proposed determination in the adjudication. The reference to ``the
Secretary'' may, thus, be confusing, as what part of HHS is being
referred to depends on the context.
Proposed Sec. 160.504(a)(2) would clarify which part of HHS acts
as the ``party'' in the hearing. Because which component of HHS will be
the ``party'' in a particular case will depend on which rule is alleged
to have been violated, and because a particular case could involve more
than one HIPAA rule, we define the Secretarial party generically, by
reference to the component with the delegated enforcement authority. We
adapt the regulatory definition of ``Secretary'' to make it clear that
the Secretarial party could consist of more than one officer or
employee, so that it is possible for both CMS and OCR to be the
Secretarial party in a particular case.
The last sentence of proposed Sec. 160.504(b) (current Sec.
160.526(b)) provides that the date of receipt of the notice of proposed
determination is presumed to be 5 days after the date of the notice
unless the respondent makes a reasonable showing to the contrary. This
showing may be made even where the notice is sent by mail and is not
precluded by the computation of time rule of proposed Sec. 160.526(c)
(current Sec. 160.548(c)) establishing a 5-day allowance for mailing.
See section V.K below for further discussion of this provision.
4. Section 160.506--Rights of the Parties
The text of paragraphs (a) and (b) of proposed Sec. 160.506 was
adopted at Sec. 160.528 of the April 17, 2003 interim final rule, and
no change, other than a conforming change, is proposed to those
paragraphs. We propose to add a new paragraph (c) to address the issue
of legal fees. Proposed subsection (c) adopts the same position taken
in Sec. 1005.3(b) of the OIG regulations, by recognizing that a party
who is accompanied, represented or advised by an attorney is free to
enter into a fee arrangement of that party's choosing. This provision
is included to make clear that the Secretary is not limiting how much
the respondent's attorney may charge in attorneys fees.
5. Section 160.508--Authority of the ALJ
The text of proposed Sec. 160.508 was adopted by the April 17,
2003 interim final rule as Sec. 160.530. No changes to paragraphs (a)
and (b) are proposed. We propose to revise paragraph (c) by adding
paragraphs (c)(1) and (5) to the list of limitations on the authority
of the ALJ. Proposed paragraph (c)(1) would require the ALJ to follow
federal statutes, regulations, and Secretarial delegations of
authority, and to give deference to published guidance to the extent
not inconsistent with statute or regulation. By ``published guidance''
we mean guidance that has been publicly disseminated, including posting
on the CMS or OCR Web site. Although we recognize that such guidance is
not controlling upon the courts, we believe that the ALJ and the Board
(see the discussion below in connection with proposed Sec. 160.548),
as components of HHS, must afford deference to such guidance to ensure
that, to the extent possible, consistent decisions and compliance
guidance are provided by the Secretary to covered entities.
Proposed paragraph (c)(5) clarifies that ALJs may not review the
Secretary's exercise of discretion whether to grant an extension or to
provide technical assistance under section 1176(b)(3)(B) of the Act or
the Secretary's exercise of discretion in the choice of variable(s)
under proposed Sec. 160.406. Proposed paragraphs (c)(1) and (5)
together make clear that the purpose of the hearing, and the authority
of the ALJ in conducting the hearing, would only be to review the
proposed civil money penalty. Thus, the ALJ would not have authority to
refuse to follow, or to find invalid, the authorities cited as the
basis for the proposed civil money penalty. The ALJ also would not have
authority to review the Secretary's exercise of discretion under
section 1176(b)(3)(B) of the Act to grant an extension or to provide
technical assistance, nor would the ALJ have authority to review the
Secretary's choice of variable(s) in
[[Page 20242]]
determining the number of violations of an identical administrative
simplification provision, as that choice is likewise committed to the
Secretary's discretion. The ALJ could, however, review whether the
variable(s), once chosen, were properly applied.
6. Section 160.512--Prehearing Conferences
Proposed Sec. 160.512 would revise paragraph (a) to establish a
minimum amount of notice (not less than 14 business days) that must be
provided to the parties in the scheduling of prehearing conferences. We
propose this limitation to address problems that have been experienced
in the context of administrative hearings in other programs. Proposed
Sec. 160.512 would also revise paragraph (b)(11) to include the issue
of the protection of individually identifiable health information as a
matter that may be discussed at the prehearing conference, if
appropriate. See also the discussion at section V.AA below, with regard
to this provision.
7. Section 160.518--Exchange of Witness Lists, Witness Statements, and
Exhibits
Proposed Sec. 160.518 carries forward Sec. 160.540 of the
existing subpart E with one substantive change. It would revise
paragraph (a) to provide time limits within which the exchange of
witness lists, statements, and exhibits must occur prior to a hearing.
Under proposed Sec. 160.518(a), these items must be exchanged not more
than 60, but not less than 15, days prior to the scheduled hearing. We
are concerned that the information not be exchanged too early, lest the
evidence become stale, and we are also concerned that the time period
not be too short, depriving the parties of adequate time to prepare.
Experience with administrative hearings in other programs suggests the
need for this provision. See also the discussion at section V.R below.
8. Section 160.520--Subpoenas for Attendance at Hearing
Proposed Sec. 160.520 would carry forward Sec. 160.542 of the
existing subpart E mainly unchanged. The current Sec. 160.542(c) would
be revised to clarify that when a subpoena is served on HHS, the
Secretary may comply with the subpoena by designating any knowledgeable
representative to testify. See also the discussion at sections V.W and
V.X below.
9. Section 160.532--Collateral Estoppel
Proposed Sec. 160.532 would adopt the doctrine of collateral
estoppel applied in federal cases that once a court decides an issue of
fact or law necessary to its judgment, the court's decision precludes
the same parties from relitigating the same issue in another suit on a
different cause of action. Allen v. McCurry, 449 U.S. 90 (1980). The
doctrine also applies to a final decision of an administrative agency,
acting in a judicial capacity, that resolves disputed issues before it,
which the parties have had a fair opportunity to fully litigate.
Astoria Federal Savings & Loan Ass'n v. Solimino, 501 U.S. 104, 107-108
(1991). The proposed rule is modeled on Sec. 1003.114(a) of the OIG
regulations. Section 1003.114(b), relating to the issue preclusion
arising out of a conviction or plea in a federal criminal case based
upon fraud or false statements, appears inapplicable to enforcement of
the HIPAA rules, and, hence, no comparable provision is proposed for
inclusion in this Rule.
10. Section 160.534--The Hearing
The text of proposed Sec. 160.534 was adopted by the April 17,
2003 interim final rule as Sec. 160.554. No changes to paragraphs (a)
and (c) are proposed. However, HHS proposes to add a new paragraph (b)
allocating the burden of proof at the hearing.
Under the Administrative Procedure Act (APA), 5 U.S.C. 556(d), the
burden of proof in ALJ hearings has two components--the burden of going
forward and the burden of persuasion. The burden of going forward
relates to the obligation to go forward initially with evidence that
supports a prima facie case. The burden of going forward then shifts to
the other party. The burden of persuasion relates to the obligation
ultimately to convince the trier of fact that it is more likely than
not that the advocated position is true. The party with the burden of
persuasion loses in the situation where the evidence is in perfect
balance.
Proposed Sec. 160.534 would adopt the allocation of the burden of
proof found in the OIG regulations and in administrative hearings
generally, which is consistent with the APA. The respondent would bear
the burden of proof with respect to (1) any affirmative defense,
including those set out in section 1176(b) of the Act, as implemented
by proposed Sec. 160.410, (2) any challenge to the amount or scope of
a proposed penalty under section 1128A(d), as implemented by proposed
Sec. Sec. 160.404--160.408, including mitigating factors, or (3) any
contention that a proposed penalty should be reduced or waived under
section 1176(b)(4), as implemented by Sec. 160.412. The Secretary
would have the burden of proof with respect to all other issues,
including issues of liability and the factors considered as aggravating
factors under proposed Sec. 160.408 in determining the amount of
penalties to be imposed. The burden of persuasion would be judged by a
preponderance of the evidence (i.e., it is more likely than not that
the position advocated is true).
It is also proposed to revise the current Sec. 160.554(c) by
adding a new paragraph (1) at proposed Sec. 160.534(d). Proposed Sec.
160.534(d)(1) would provide that, at a hearing under this part, any
party may present items or information, during its case in chief, that
were discovered after the date of the notice of proposed determination
or request for a hearing, as applicable. The admissibility of such
proffered evidence would be governed generally by the provisions of
proposed Sec. 160.540, and be subject to the 15-day rule for the
exchange of trial exhibits, witness lists and statements set out at
proposed Sec. 160.518(a). Any such evidence would not be admissible,
if offered by the Secretary, unless it is relevant and material to the
findings of fact set forth in the notice of proposed determination,
including circumstances that may increase such penalty. If any such
evidence is offered by the respondent, it would not be admissible
unless it is relevant and material to a specific admission, denial or
explanation of a finding of fact, or to a specific circumstance or
argument expressly stated in the respondent's request for hearing that
are alleged to constitute grounds for any defense or the factual and
legal basis for opposing or reducing the penalty. Proposed Sec.
160.534(d) would allow the parties the opportunity to present items and
information that are relevant and material exclusively to the issues
actually in dispute as expressly set forth in the notice of proposed
determination and request for hearing. Items and information that would
be relevant and material evidence of other violations, and support the
imposition of other or additional penalties would be inadmissible.
Likewise, items or information that support defenses, arguments, legal
theories, or contentions other than those expressly set forth in the
notice of hearing, or which are not relevant and material to the
admissions, denials or explanations therein made, would not be
admissible. Proposed Sec. 160.534(d)(2) would republish paragraph (c)
of the present Sec. 160.554.
11. Section 160.536--Statistical Sampling
Proposed Sec. 160.536, on statistical sampling, is new. A similar
provision appears at Sec. 1003.133 of the OIG
[[Page 20243]]
regulations, and the use of sampling and statistical methods is
recognized under Rule 702 of the Federal Rules of Evidence. Proposed
Sec. 160.536 would permit the Secretary to introduce the results of a
statistical sampling study as evidence of any variable under Sec.
160.406(b) used to determine the number of violations of a particular
administrative simplification provision, or, where appropriate, any
factor considered in determining the amount of the civil money penalty
under proposed Sec. 160.408. If the estimation is based upon an
appropriate sampling and employs valid statistical methods, it would
constitute prima facie evidence of the number of violations or amount
of the penalty sought that is a part of the Secretary's burden of
proof. Such a showing would cause the burden of going forward to shift
to the respondent, although the burden of persuasion would remain with
the Secretary.
12. Section 160.542--The Record
This section is Sec. 160.560 of the April 17, 2003 interim final
rule. Since the section provides that the record of the proceedings be
transcribed, we propose to add to paragraph (a) of this section a
requirement that the cost of transcription of the record be borne
equally by the parties, in the interest of fairness.
13. Section 160.546--ALJ Decision
Since we are proposing a process for administrative review of ALJ
decisions (see section IV.D.14 below), the ALJ decision would be the
initial decision of the Secretary, rather than the final decision of
the Secretary as set forth in Sec. 160.564(d) of the April 17, 2003
interim final rule. Thus, we propose to revise paragraph (d) to provide
that the decision of the ALJ will be final and binding on the parties
60 days from the date of service of the ALJ decision, unless it is
timely appealed by either party. See also the discussion at section V.U
below, with respect to proposed Sec. 160.546(b).
14. Section 160.548--Appeal of the ALJ Decision
The April 17, 2003 interim final rule, at Sec. 160.564, makes the
decision of the ALJ the final decision of the Secretary, thus
permitting a respondent to file a petition for judicial review. In the
preamble to the interim final rule, we noted that a second level of
administrative review is generally available in Departmental hearings
and that, while we had not provided for a second level of
administrative review in the interim final rule, we intended to address
the issue of further administrative review in this proposed rule. We do
so now.
Proposed Sec. 160.548 is modeled on the provisions that apply to
appellate review under the OIG regulations. It provides that any party
may appeal the initial decision of the ALJ to the HHS Departmental
Appeals Board (Board) within 30 days of the date of service of the ALJ
initial decision, unless extended for good cause. The appealing party
must file a written brief specifying its exceptions to the initial
decision. The opposing party may file an opposition brief, which is
limited to the exceptions raised in the brief accompanying notice of
appeal and any relevant issues not addressed in said exceptions and
must be filed within 30 days of receiving the appealing party's notice
of appeal and brief. The appealing party may, if permitted by the
Board, file a reply brief. These briefs may be the only means that the
parties will have to present their case to the Board, since there is no
right to appear personally before the Board. The proposed rule provides
that if a party demonstrates that additional evidence is material and
relevant and there are reasonable grounds why such evidence was not
introduced at the ALJ hearing, the Board may remand the case to the ALJ
for consideration of the additional evidence.
In an appeal to the Board, the standard of review on a disputed
issue of fact is whether the ALJ's initial decision is supported by
substantial evidence on the record as a whole; on a disputed issue of
law, the standard of review is whether the ALJ's initial decision is
erroneous. The Board may decline to review the case; may affirm,
increase (subject to the statutory caps), reduce, or reverse any
penalty; or may remand a penalty determination to the ALJ.
We propose this process for administrative review of initial ALJ
decisions to achieve consistency in civil money penalty decisions.
Because hearings could be conducted by different ALJs, it is
conceivable that different ALJs might decide the same or similar issues
differently. Should this occur, it would be problematic for both
covered entities and HHS. Provision for an internal, centralized review
process should reduce the likelihood of inconsistent results. Indeed,
provision for administrative review of ALJ decisions is common in other
federal administrative hearing processes. Because the HIPAA rules
affect such a large part of the health industry and the requirements of
the various HIPAA regulatory schemes are new and interrelated, HHS
considers it crucial that the decisions reached in the adjudicative
process be consistent with other adjudicated decisions as well as with
the policy decisions of the Secretary in the rules and in departmental
guidance. Since only aggrieved respondents can appeal to the U.S. Court
of Appeals under section 1128A(e), administrative review of ALJ
decisions will help to ensure that the final decisions subject to
judicial review represent a consistent interpretation of the HIPAA
rules by the Secretary. While a process for administrative review of
ALJ decisions will add cost and time to the process of imposing a civil
money penalty for both HHS and covered entities, we believe that these
disadvantages are outweighed by the compelling need to ensure
consistency in the decisions of HHS with respect to such civil money
penalties. Consistency will benefit both HHS and covered entities.
Paragraphs (i) and (j) of proposed Sec. 160.548 address the
issuance of the Board's decision on appeal. Under paragraph (i), the
Board must serve its decision on the parties within 60 days after final
briefs are filed. Under paragraph (j), the decision of the Board
constitutes the final decision of the Secretary from which a petition
for judicial review may be filed by a respondent aggrieved by the
Board's decision. This option is the traditional process for
administrative review of ALJ initial decisions regarding civil money
penalties within HHS and is based on the process set forth in the OIG
regulations. The decision of the Board becomes the final decision of
the Secretary 60 days after service of the decision, except where the
decision is to remand to the ALJ or a party requests reconsideration
before the decision becomes final. Paragraph (j) provides that a party
may request reconsideration of the Board's decision, provides a
reconsideration process, and provides that the Board's reconsideration
decision becomes final on service.
Proposed Sec. 160.548(k) provides for a petition for judicial
review of a final decision of the Secretary. Thus, we propose to remove
Sec. 160.568 of the April 17, 2003 interim final rule as duplicative.
The right to petition for judicial review is not altered under this
proposal, although an ALJ decision must be reviewed by the Board before
a petition for judicial review can be filed by a respondent.
15. Section 160.552--Harmless Error
Proposed Sec. 160.552 is new. It would adopt the ``harmless
error'' rule that applies generally to civil litigation in federal
courts. The provision provides,
[[Page 20244]]
in general, that the ALJ and the Board at every stage of the proceeding
will disregard any error or defect in the proceeding that does not
affect the substantial rights of the parties. It is modeled on Rule 61,
F.R.C.P., and on Sec. 1005.23 of the OIG regulations. In its
application, it would further promote the efficient resolution of cases
where the proposed imposition of a civil money penalty is challenged.
V. Response to Public Comments
HHS requested comment on the April 17, 2003 interim final rule and
received timely and substantive comments from 19 persons or
organizations. We summarize those comments, and our responses to the
comments, below.
A. Comment: Two comments disagreed with HHS's approach of
encouraging voluntary compliance. One argued that such an approach is
tantamount to no enforcement; the other argued that since the Secretary
already has the authority to conduct compliance reviews, a complaint-
driven approach fails to reflect the agency's statutory obligation to
enforce the law and the mandate under section 1176 to impose civil
money penalties for violations. It was also stated that while HHS's
intention to resolve potential violations by informal means might be
appropriate for minor violations, it is inappropriate for more serious
violations or for covered entities that demonstrate repeated resistance
to compliance.
Most persons who commented on the voluntary compliance approach
supported it, however. Several of these comments urged HHS to focus on
resolving issues quickly and informally, particularly with respect to
alleged violations of the Transactions Rule. One comment asked for
assurance that covered entities will face only one set of enforcement
rules and procedures, given that two different components of HHS have
enforcement responsibilities. Several organizations asked HHS to
provide more guidance with respect to how covered entities can comply,
and can demonstrate compliance, with the HIPAA rules.
Response: We do not agree that emphasizing voluntary compliance
amounts to a policy of nonenforcement. To the contrary, our experience
to date has been that covered entities are generally responsive to our
investigative inquiries and act promptly to remedy deficiencies that
are brought to their attention. The overarching goal of our enforcement
program is to bring covered entities into compliance, so that the
benefits of the HIPAA rules are fully realized. Securing voluntary
compliance achieves this goal much more quickly and efficiently than
would a process that was formal and adversarial from the start. This
approach is consistent with the statute. As discussed above, one of the
statutory defenses to a civil money penalty is the covered entity's
taking corrective action on a timely basis, where reasonable cause for
the noncompliance exists. See section 1176(b)(3)(A). As stated above,
however, should informal, cooperative efforts fail, HHS would move
forward with the civil money penalty remedy the statute provides.
The Enforcement Rule addresses the concern that covered entities
not face multiple sets of enforcement rules and procedures, as it
provides for uniform procedures that will apply to all of the HIPAA
rules. With respect to the concerns about guidance, HHS agrees that the
provision of guidance on an ongoing basis is vitally important. As
noted above, HHS is continuing to develop guidance on the various HIPAA
rules, and will be publishing such guidance on an ongoing basis on the
following HHS Web sites: http://www.hhs.gov/ocr/hipaa/ for the Privacy
Rule and http://www.cms.gov/hipaa/hipaa2/ for the other HIPAA rules.
B. Comment: Several comments suggested that information about
complaints and other noncompliance issues should be made public to
assist other covered entities in coming into compliance. One
organization stated that the Enforcement Rule should include a
requirement that the Secretary should annually report to Congress and
the public on the number of complaints filed and their disposition.
Response: The statute provides for formal notification of a number
of entities when a penalty is final. Proposed Sec. 160.426 reflects
this requirement and would provide for notification of the public in
such circumstances. As previously noted, however, we expect most
complaints to be resolved informally, and informal resolutions would
not come within the process provided for by proposed Sec. 160.426. OCR
and CMS will consider whether compilation and release of analyses of
complaint dispositions would be an appropriate use of limited
resources; however, we do not propose to mandate such action by this
rule.
C. Comment: One comment asked whether HHS anticipated developing a
separate complaint mechanism for security complaints.
Response: CMS has developed complaint procedures for the complaints
regarding the Transactions Rule and a complaint tool for making such
complaints is on the Web at http://www.cms.hhs.gov/hipaa/hipaa2. As the
compliance dates of the HIPAA rules other than the Privacy and the
Transactions Rules arrive, it is expected that the complaint tool will
be modified to permit the filing of complaints relating to compliance
with those other rules.
D. Comment: One comment stated that additional protections are
needed for investigational inquiries. The comment suggested that the
rule should include the procedural protections of the OIG regulations,
such as permission for witnesses to object to answering questions on
the basis of privilege and to clarify their answers for the record.
Response: Proposed Sec. 160.314(b) would revise Sec. 160.504(b)
to include such procedural protections.
E. Comment: One comment suggested that the rule contain a provision
establishing the bases under which a complaint will be dismissed prior
to a request for a hearing. Bases suggested were that the complaint has
been litigated in another forum, the opportunity to contest the matter
was available but not used in another forum, and another statutory
remedy exists.
Response: Consistent with the practice under the OIG regulations,
the rules provide for general settlement authority, rather than
specific grounds for dismissal. See proposed Sec. 160.416. In
addition, the bases suggested in the comment would not be grounds, per
se, for dismissal.
F. Comment: One comment asked HHS to clarify the circumstances
under which it would investigate a covered entity that was not the
subject of a complaint.
Response: We cannot project the variety of circumstances under
which compliance reviews might be undertaken. Therefore, we do not
propose to limit the situations in which this authority could be
exercised.
G. Comment: Several comments objected to Sec. 160.522. One argued
that running the 6-year limitations period from the ``latest act or
omission'' is a problem with respect to the 6-year record retention
period provided for by the Privacy Rule, as covered entities might
believe that they could destroy records that they would later need for
defense purposes. It was also argued that the rule should clarify that
actions may only be taken for violations which occur on or after the
compliance date of the rule in question and that the date of the civil
money penalty action is the date of the notice of proposed
determination.
Response: We agree. Proposed Sec. 160.414 would revise Sec.
160.522 to provide that the period of limitations runs ``from the date
of the occurrence of
[[Page 20245]]
the violation'' and that the Secretary commences the action ``in
accordance with Sec. 160.420, `` meaning that the action is considered
to be commenced by (and, therefore, on) the date of the notice of
proposed determination. The definition of the term ``violation'' at
proposed Sec. 160.302 builds in the concept of a duty to comply, since
it defines that term as a ``failure to comply with an administrative
simplification provision;'' the definition of the term ``administrative
simplification provision'' in turn references the underlying HIPAA
rules, which each explicitly state when the duty to comply begins.
With respect to the 6-year document retention requirement of Sec.
164.530(j)(2), insofar as compliance issues arise out of complaints, it
is unlikely that a covered entity would be required to defend itself
against a stale complaint, in view of the requirement at proposed Sec.
160.306(b)(3) that complaints be filed within 180 days of when the
complainant knew or should have known of the occurrence of the
violation. In any event, nothing in the Privacy Rule precludes covered
entities from retaining documents for a longer period than Sec.
164.530(j)(2) requires, if they wish to do so.
H. Comment: Nine comments expressed concern that Sec. 160.514 does
not specify to whom the notice of proposed determination must be
addressed. The concern was that, because receipt is presumed 5 days
after mailing, a notice of proposed determination which was sent to a
large organization might not get to the proper official on a timely
basis, thereby wasting some of the covered entity's time for response.
Several comments suggested that the rule require delivery to the chief
executive officer and, as appropriate, to the company's privacy
officer, security officer, or chief information officer. A couple of
comments suggested that the rule incorporate the service standards of
Rule 4, F.R.C.P., and require service upon ``an officer, a managing or
general agent, or to any other agent authorized by statute to receive
service.'' Several comments expressed support for the use of certified
mail.
Response: Like Sec. 160.514, proposed Sec. 160.420 does not
identify the person(s) to whom the notice of proposed determination
should be addressed, nor do we think it is necessary or feasible to do
so. Rule 4, which applies under section 1128A(c), establishes who may
be served and applies without need for further regulatory action.
Because the size and other organizational circumstances of covered
entities vary greatly, a rule that further limited or defined who must
be served would most likely be inappropriate for some covered entities.
Further, it is likely that a notice of proposed determination would be
issued after significant prior contact with the covered entity, and we
anticipate that our investigators would in any case be able to
ascertain which officer would be the appropriate recipient of the
notice.
I. Comment: Several comments also argued that Sec. 160.514 should,
like the analogous OIG regulations, require the notice of proposed
determination to state the basis for the penalty calculation. Such
information would help the covered entity understand the charges
against it and prepare its defense. These comments recommended that the
language in Sec. 1003.109(a)(5) of the OIG regulations be used.
Response: We agree. A provision comparable to that in Sec.
1003.109(a)(5) was omitted from Sec. 160.514 because the interim final
rule did not provide for the aggravating and mitigating factors
referenced in this provision of the OIG regulations. The proposed rule,
however, contains the factors that may be considered in determining the
amount of the penalty. Accordingly, proposed Sec. 160.420 follows the
OIG regulations in this respect.
J. Comment: One comment stated that it was not clear how the notice
of proposed determination would interface with Sec. 160.312 and
whether the written findings there end the informal resolution phase.
The comment advocated that notice be provided before the notice of
proposed determination.
Response: We agree that it is not clear how Sec. 160.514
interfaces with the notice process described at Sec. 160.312. At
present, Sec. 160.312(a)(2) provides that the Secretary may issue
written findings documenting noncompliance, if noncompliance is found
and not informally resolved. Thus, we propose to revise Sec. 160.312
to make the interface between that section and proposed Sec. 160.420
(currently Sec. 160.514) seamless. Specifically, proposed Sec.
160.312(a)(3)(ii) would provide that if the Secretary finds that a
covered entity is not in compliance, the matter is not settled by
informal means, and imposition of a civil money penalty is warranted,
the Secretary will so inform the covered entity in a notice of proposed
determination in accordance with Sec. 160.420. The notice of proposed
determination would constitute the formal notice that the matter had
not been informally resolved and that HHS had decided to seek civil
money penalties. Further, with respect to notice prior to the notice of
proposed determination, proposed Sec. 160.312(a)(3)(i) would provide
that where noncompliance is indicated and the matter is not resolved by
informal means, HHS would so inform the covered entity and give the
covered entity an opportunity to submit written evidence of any
affirmative defenses or mitigating factors, prior to issuing a notice
of proposed determination.
K. Comment: Several comments objected to the presumption in Sec.
160.526(b) that the date of receipt of the notice of proposed
determination is 5 days after the date of the notice. They argued that
this presumption could work a hardship, in combination with the 60-day
time limit for requesting a hearing, if the notice went to the wrong
person in the organization or otherwise went astray.
Response: Proposed Sec. 160.504(b) retains the language of the
interim final rule. We believe the concerns about hardship are
misplaced. The requirement permits the ALJ to grant an extension of the
5-day time period if the respondent demonstrates that the presumption
should not apply: ``For purposes of this section, the respondent's date
of receipt of the notice of proposed determination is presumed to be 5
days after the date of the notice unless the respondent makes a
reasonable showing to the contrary to the ALJ.'' This language tracks
the comparable provision at Sec. 1005.2(c) of the OIG regulations and
has worked well.
L. Comment: A number of comments objected to the 60-day time limit
in Sec. 160.526(b) for a respondent to file its request for hearing,
in combination with the specific detail required by that section. They
objected to the time limit and the related requirement for specific
response on several grounds: the level of specificity demanded requires
the respondent to devise its entire defense, and, because the notice of
proposed determination is the first notice the respondent has of the
charges, 60 days is too short a time period in which to do this; the
requirement requires more specificity of the respondent than of the
Secretary, which is unfair; and the requirements, together with the 5-
day presumption of receipt and the failure to specify who receives the
notice of proposed determination, are unfair and a violation of a
respondent's right to due process. It was generally recommended that
the request for hearing requirement parallel Sec. 1005.2 of the OIG
regulations, which requires the request to be made within 60 days of
receipt of the notice, but requires that the request for hearing state
which findings of fact and
[[Page 20246]]
conclusions of law are disputed and the basis for the dispute.
Response: The comments on this issue assume that a notice of
proposed determination will be served on a respondent with no warning.
This assumption is not reasonable under the procedures the proposed
rule would establish, however. Proposed Sec. 160.304 would require the
Secretary to seek the cooperation of the covered entity in obtaining
compliance to the extent practicable, which will necessitate
communication about the noncompliance at issue. The investigation or
compliance review process itself will necessarily disclose much about
the noncompliance at issue to the facility, since the covered entity
will typically be the primary source of information relevant to the
investigation. If an investigation or compliance review indicates
noncompliance, proposed Sec. 160.312(a)(1) provides that the Secretary
will attempt to reach a resolution of the matter satisfactory to the
Secretary by informal means. Further, where noncompliance is indicated
and the matter is not resolved by informal means, HHS will so inform
the covered entity and give it the opportunity to submit written
evidence of any affirmative defenses or mitigating factors, prior to
issuing a notice of proposed determination. See proposed Sec.
160.312(a)(3)(i). Thus, the covered entity necessarily will be made
aware of, and have the opportunity to address, HHS's compliance
concerns throughout the investigative period preceding the notice of
proposed determination and should not be surprised by the matters
described in the notice. For these reasons, we do not believe that the
60-day response time is inadequate.
M. Comment: One comment stated that settlements should be approved
by the ALJ. Another asked whether settlements will be a viable path to
resolution of disputes.
Response: Consistent with our commitment to obtaining voluntary
compliance and the regulatory policies discussed in the preceding
response, we expect that settlement of compliance issues will be
frequent. We do not propose to have the ALJ approve such settlements,
to preserve our ability to resolve compliance issues and achieve
voluntary compliance through informal means. See proposed Sec.
160.514.
N. Comment: Several comments queried whether covered entities would
be held liable under the Enforcement Rule for violations by their
business associates. Of particular concern were violations committed by
health care clearinghouses.
Response: Under Sec. 160.402 of the proposed rule, a covered
entity would not be liable for the actions of its business associates
where the covered entity has complied with the appropriate business
associate provisions. See section IV.C.1.b. above for further
discussion.
O. Comment: Several comments stated that the rule needs to state
what a violation is, what the aggravating and mitigating circumstances
are, how the total fine for violations is calculated, and what would
constitute an acceptable defense and indicate an appropriate level of
``due diligence.'' One comment suggested that evidence of willingness
to enter into a corrective action plan should be a mitigating factor.
One comment noted that the full Enforcement Rule was needed before the
April 17, 2003 interim final rule expires.
Response: We generally agree. The proposed rule addresses the
violation and affirmative defense issues at Sec. Sec. 160.402-160.410.
Also, the April 17, 2003 interim final rule has been extended by
separate regulatory action to permit ongoing enforcement while this
rulemaking proceeds. Proposed Sec. 160.408(d)(3) provides that the
Secretary may consider, as an aggravating or mitigating factor, how the
covered entity has responded to technical assistance from the Secretary
provided in the context of a compliance effort, with respect to prior
offenses.
P. Comment: One comment asked that the Enforcement Rule describe
the procedures for referral to the Department of Justice of suspected
criminal violations. Another comment asked that HHS attempt to ensure
that the application of the criminal provisions by the Department of
Justice was the same as the application of the civil provisions by HHS.
Response: The procedures for referral of criminal matters to the
Department of Justice lie outside the scope of the Enforcement Rule,
which implements only HHS's authority under section 1176 of the Act.
Q. Comment: One comment requested clarification of the statutory
basis for imposing penalties for violations of the Privacy Rule, since
section 264 is a footnote in the U.S. Code.
Response: Section 264 of the Act is codified as a note to 42 U.S.C.
1320d-2. We have always read section 264 as functionally a part of Part
C. Section 264 and Part C cross-reference each other, and the
terminology of section 264 is also the terminology of Part C
(``standard'', ``individually identifiable health information'',
``implementation specification''). Further, the criminal penalty
provisions of section 1177 would not make sense if they did not apply
to the privacy standards, and section 1176 is, as discussed at IV.C.3
above, closely related to section 1177. The legislative history
confirms this common-sense reading. See H. Rep. No. 496, 104th Cong.,
2d Sess., 1996 U.S. Code Cong. & Admin. News, p. 1865.
This reading of the statute accords with that of Congress. Section
1860D-31(h)(6)(A) of the Act, adopted by MMA, states that an endorsed
discount drug card sponsor--
is a covered entity for purposes of applying part C of title XI and
all regulatory provisions promulgated thereunder, including
regulations (relating to privacy) adopted pursuant to the authority
of the Secretary under section 264(c) of the Health Insurance
Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
R. Comment: With respect to prehearing proceedings, two comments
stated that permitting the ALJ to require exchange of witness lists
more than 15 days prior to the hearing could seriously infringe on the
amount of time the covered entity has to prepare its case. It was also
argued that 60 days is too short a period to prepare for the hearing.
One comment stated that interrogatories should be allowed, because
records may be incomplete or contain mistakes. One comment supported
the requirement of Sec. 160.540(b)(3) (proposed Sec. 160.518(b)(3)),
requiring the ALJ to recess the hearing for a reasonable time for an
objecting party to prepare a response to witnesses or exhibits that
were not exchanged prior to the hearing.
Response: The scheduling of a hearing will depend on the schedule
of the ALJ to whom the case is assigned, among other factors. There is
nothing in the Enforcement Rule that requires the scheduling of the
hearing within a certain period of time following the request for
hearing. Thus, we do not think that the provision for exchange of
information earlier than 15 days prior to hearing should work a
hardship on either side, and the ALJ should be able to establish a
schedule that takes into consideration the needs of the parties.
Indeed, we believe that this requirement will assist each party in
presenting a well-prepared case that will result in an efficient and
effective hearing. As the prehearing procedures permit both documentary
and testimonial discovery, we do not permit interrogatories, which we
believe would add extra time and burden to the preparation process
without commensurate benefit.
S. Comment: Several comments urged that the rule should contain a
procedure to permit the parties to waive the prehearing conference and
the formal
[[Page 20247]]
hearing and request that the case be submitted on documentary evidence
and written argument, to make the process more efficient and less
expensive.
Response: Proposed Sec. Sec. 160.508(b)(13) and 160.512(b)(4), (5)
would permit this.
T. Comment: One comment stated that the covered entity should have
the burdens of going forward and persuasion on affirmative defenses and
mitigating circumstances, while HHS should have the burdens of going
forward and persuasion on allegations of violation.
Response: We agree. Proposed Sec. 160.534(b) so provides.
U. Comment: Several comments stated that the ``affirm, increase, or
reduce the penalties imposed by the Secretary'' language of Sec.
160.564(b) would not permit the ALJ to decide that no violation
occurred.
Response: The language of Sec. 160.564 of the April 17, 2003
interim final rule, which is now found at proposed Sec. 160.546, will
permit the ALJ to decide that no violation occurred. Proposed Sec.
160.546(a) requires the ALJ to make findings of fact and conclusions of
law. If these findings and conclusions support a determination that the
respondent did not violate an administrative simplification provision,
then no penalty may be imposed. The language in proposed Sec.
160.546(b) permits an ALJ who determines that a respondent has violated
an administrative simplification provision to act in regard to the
penalty amount set forth in the notice of proposed determination, that
is, to affirm, increase, or reduce the amount of the proposed penalty
in accordance with the other applicable provisions of the regulations.
V. Comment: Several comments argued that statistical sampling would
be inappropriate to establish the number of violations. It was argued
that statistical sampling, as used in the OIG hearings, had been used
improperly, in studies that had basic weaknesses, such as a too small
sample size.
Response: Proposed Sec. 160.536 provides for the use of
statistical sampling, as a well-established evidentiary tool. Proposed
Sec. 160.536(b), which affords the opposing side the opportunity to
rebut the statistical proof offered, provides a procedural safeguard to
permit a respondent to challenge the reliability of any statistical
proof offered.
W. Comment: Two comments suggested that respondents should be able
to subpoena HHS witnesses with direct knowledge of the investigation or
other matters at issue.
Response: Proposed Sec. 160.520(c) provides that the Secretary
must designate a representative who is ``knowledgeable'' to testify. It
would disrupt the agency's operations if a respondent could subpoena
any HHS official by name. The requirement that the HHS representative
be knowledgeable should permit the presentation of informed testimony,
while permitting the orderly conduct of government business to
continue.
X. Comment: One comment stated that the rule should permit
acceptance of testimony or a written statement from individuals whose
privacy was violated, permit such individuals to testify, and require
that such individuals be given 30 days notice of the hearing.
Response: The proposed rule would not preclude us from offering the
testimony of such individuals, but the decision to do so is a
litigation decision that must be reserved to the agency. We do not
require that notice of the hearing be provided to the individuals whose
privacy was violated, but such information is publicly available.
Y. Comment: A number of comments stated that agency review of the
ALJ decision was needed or questioned why it was not provided. A few
comments supported having the ALJ decision be the final agency action
as resulting in a more efficient and expeditious process.
Response: We have proposed a second level of agency review, for the
reasons set out at section IV.D.14 above.
Z. Comment: Two comments questioned the provision for set-off at
Sec. 160.518(c). One asked whether set-off would occur without state-
level due process. The other was concerned about provision of notice.
Both were concerned that set-off could have a devastating impact on
those to whom it was applied.
Response: The right of set-off is provided for by section 1128A(f).
Proposed Sec. 160.424(c) accordingly retains it. We intend to follow
applicable procedures in pursuing set-off.
AA. Comment: A couple of comments objected to Sec. 160.560. It was
stated that the rule should incorporate additional procedures to ensure
that protected health information introduced into evidence is protected
from review by outside parties, redactions should be made available to
the parties for review, and OCR should be required to pay for the court
reporter.
Response: The protection of protected health information, including
by redaction of the record, is a matter than can be addressed in the
prehearing conference. See proposed Sec. 160.512(b)(11). We believe
that the ALJ will be in the best position to determine what specific
steps should be taken in a particular case to protect the privacy of
any protected health information introduced into evidence. In the
interest of fairness, proposed Sec. 160.542(a) would apportion the
cost of transcription of the record equally between the parties.
BB. Comment: One comment stated that Sec. 160.558(g) should be
revised to require the Secretary to include notice to the respondent
where HHS intends to present in its case in chief evidence of past
crimes or similar evidence to show motive, opportunity, intent, etc.
Response: Proposed Sec. 160.540(g) would retain this provision.
This provision tracks Sec. 1005.17(g) of the OIG regulations, and we
see no basis to depart from our practice in this regard.
VI. Impact Statement and Other Required Analyses
A. Paperwork Reduction Act
We reviewed this proposed rule to determine whether it raises
issues that would subject it to the Paperwork Reduction Act (PRA).
While the PRA applies to agencies and collections of information
conducted or sponsored by those agencies, 5 CFR 1320.4(a) exempts
collections of information that occur ``during the conduct of * * * an
administrative action, investigation, or audit involving an agency
against specific individuals or entities,'' except for investigations
or audits ``undertaken with reference to a category of individual or
entities such as a class of licensees or an entire industry.'' The
proposed rule comes within this exemption, as it deals entirely with
administrative investigations and actions against specific individuals
or entities. Consequently, it need not be reviewed by the Office of
Management and Budget under the authority of the PRA.
B. Executive Order 12866; Regulatory Flexibility Act; Section 1102,
Social Security Act; Unfunded Mandates Reform Act of 1995; Small
Business Regulatory Enforcement Fairness Act of 1996; Executive Order
13132
We have examined the impacts of this proposed rule as required by
Executive Order 12866 (September 1993, Regulatory Planning and Review),
the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-
354), section 1102(b) of the Social Security Act, the Unfunded Mandates
Reform Act of 1995 (Pub. L. 104-4), the Small Business Regulatory
Enforcement and Fairness Act, 5 U.S.C. 801 et seq., and Executive Order
13132.
[[Page 20248]]
1. Executive Order 12866
Executive Order 12866 (as amended by Executive Order 13258, which
merely reassigns responsibility of duties) directs agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). Executive
Order 12866 defines, at section 3(f), several categories of
``significant regulatory actions.'' One category is ``economically
significant'' rules, which are defined in section 3(f)(1) of the Order
as rules that may ``have an annual effect on the economy of $100
million or more, or adversely affect in a material way the economy,
productivity, competition, jobs, the environment, public health or
safety, or State, local, or tribal governments or communities.''
Another category, under section 3(f)(4) of the Order, consists of rules
that are ``significant regulatory actions'' because they ``raise novel
legal or policy issues arising out of legal mandates, the President's
priorities, or the principles set forth in this Executive Order.''
Executive Order 12866 requires a full economic impact analysis only for
``economically significant'' rules under section 3(f)(1).
We have concluded that this rule should be treated as a
``significant regulatory action'' within the meaning of section 3(f)(4)
of Executive Order 12866, because the HIPAA provisions to be enforced
have extremely broad implications for the Nation's health care system,
and because of the novel issues presented by, and the uncertainties
surrounding, compliance among covered entities. However, we have
determined that the impact of this rule is not such that it reaches the
economically significant threshold under section 3(f)(1) of the Order.
Estimating the impacts of this rule presents unique challenges. On
its face, the rule simply describes how HHS plans to enforce the HIPAA
provisions, and can be considered a procedural rule without any
intrinsic impact. However, health care providers, insurers, and health
care clearinghouses that are covered by the HIPAA provisions represent
a large proportion of their respective economic sectors. Further, all
are within the jurisdiction of the Enforcement Rule (which is a
``significant regulatory action,'' as noted above).
The actual economic impacts of implementing the HIPAA provisions
are subsumed in each of the applicable substantive regulations (Privacy
Rule, Security Rule, Transactions Rule, et cetera). The economic
impacts properly attributable to this rule, however, are those stemming
from changes to current practice as a result of the Enforcement Rule
and the cost of new and additional responsibilities that are required
to conform to the Rule. In general, these costs are limited to costs
related to conducting and responding to the investigation of complaints
concerning the alleged HIPAA violations over which HHS has jurisdiction
and compliance reviews, conducting hearings, and levying and collecting
civil money penalties. The cost of conducting and responding to
investigations of privacy complaints and compliance reviews with
respect to the Privacy Rule has already been covered by the impact
analysis of the Privacy Rule. Here we extend these processes to the
other HIPAA rules. For reasons outlined in the following narrative, we
anticipate the impacts of the additional activities covered by this
rule to fall below the $100 million annual threshold that would raise
this rule to the definition of ``economically significant,'' but
acknowledge there is much that is unknown underlying the assumptions
that have led us to this conclusion. We discuss these assumptions
below.
Affected Entities and Projected Costs. Because of its scope,
purview, and potential application, the Enforcement Rule is a
significant regulatory action within the meaning of section 3(f)(4) of
Executive Order 12866. We believe that over 2.5 million health care
providers, health plans, and health care clearinghouses will meet the
definition of a covered entity.
It is difficult for us to determine or estimate the impact of the
Enforcement Rule on covered entities. All covered entities are expected
to comply with the HIPAA rules. Enhancing the likelihood of compliance
is the fact that each substantive HIPAA rule (e.g., the Privacy Rule,
the Security Rule, the Transactions Rule) has at least a twenty-six
month period between publication of the final rule and the compliance
date (60 days for APA Congressional review, plus 24 months for covered
entities or 36 months for small health plans). Thus, covered entities
have at least 26 months to prepare for implementation, and HHS has
provided, and will continue to provide, ample educational opportunities
for covered entities during these periods. We also note that, as
evidenced by the CMS Guidance, discussed above, where HHS became aware
of potential noncompliance problems with the Transactions Rule, it
acted proactively to outline an approach to enforcement that would
permit flexibility under certain circumstances and which would not
penalize good faith efforts to come into compliance. Accordingly,
noncompliance that would be pursued under the provisions of the
proposed Enforcement Rule should be considered to be the exception,
rather than the norm.
Further minimizing the impact of the Enforcement Rule is the fact
that most compliance efforts undertaken under the provisions of the
rule are expected to result from complaints, rather than compliance
reviews. To date, complaints have involved only an infinitesimal
percentage of the universe of covered entities. As of the end of July
2004, OCR has received over 7,500 complaints related to the Privacy
Rule since the compliance date of April 14, 2003, and CMS has received
145 complaints related to the Transactions Rule since the compliance
date of October 16, 2003.
The most expensive impacts of this rule will derive from those
cases in which the covered entities exercise their rights of appeal
under subpart E of part 160. Based on our experience with other civil
money penalty cases, the costs of such cases can be expected to dwarf
the costs of cases that are resolved prior to the hearing stage.
However, again based on our experience in other civil money penalty
cases, very few of the cases opened will proceed through that stage.
That other Departmental experience is borne out by our experience with
respect to the HIPAA complaints received to date. Of the privacy
complaints received and processed by the end of July 2004,
approximately 57% were resolved immediately due to lack of jurisdiction
(e.g, the complaint pertained to events that occurred before the
implementation date of the relevant HIPAA regulation, the complaint did
not relate to a covered entity, et cetera) or because of action taken
by the covered entity to resolve the complaint voluntarily; similarly,
of the 145 transactions complaints received from October 2003 through
July 2004, 60% were closed in that period. Thus, it seems reasonable to
assume that the costs attributable to the provisions of this rule will,
in most cases that are opened, be low.
We recognize that our experience to date reflects slightly over one
year of experience under the Privacy Rule, and less than one year under
the Transactions Rule. Data generated on cases that might lead to the
imposition of a civil money penalty during this time frame may not be
typical of what we will see over time. For example, the
[[Page 20249]]
number of complaints that may be dismissed because they involve
situations that occurred before the relevant compliance date should
decrease with the passage of time. Similarly, we would expect the
instances of noncompliance to decrease as covered entities gain
experience in complying with the HIPAA rules; on the other hand, the
number of complaints could increase as individuals and entities become
more aware of the rules' requirements. As we acquire experience under
the rules, we will have a more extensive database for evaluating the
impacts of enforcement activities.
Benefits of the Enforcement Rule. We believe that the value of the
benefits brought by the HIPAA provisions are sufficient to warrant
appropriate enforcement efforts. The benefits of the underlying HIPAA
rules have been previously estimated in connection with the Privacy and
the Transactions Rules, and are significant. The Enforcement Rule will
encourage voluntary compliance, and provide a means for enforcing
compliance where it is not forthcoming voluntarily, thereby
facilitating the achievement of the benefits of the other HIPAA rules.
See, 65 FR 50350-50351; 65 FR 82760, 82776-82779; 68 FR 8370-8371. The
benefits of these protections far outweigh the costs of this
enforcement regulation.
Summary. In most cases, if covered entities comply with the various
HIPAA rules, they should not incur any significant additional costs as
a result of the Enforcement Rule. This is based on the fact the costs
intrinsic to most of the HIPAA rules and operating directions against
which compliance is evaluated have been scored independently of this
rule and the requirements have not changed. We recognize that the
specific requirements against which compliance is evaluated are not yet
well known and may evolve with experience under HIPAA, but we expect
that covered entities have both the ability and expectation to maintain
compliance, especially given our commitment to encouraging and
facilitating voluntary compliance. While not straightforward to
project, it seems likely that the number of times in which the full
civil money penalty enforcement process will be invoked will be
extremely small, based on the evidence to date.
2. Other Analyses
We also examined the impact of the proposed Rule as required by the
Regulatory Flexibility Act (RFA). The RFA requires agencies to
determine whether a rule will have a significant economic impact on a
substantial number of small entities. For purposes of the RFA, small
entities include small businesses, nonprofit organizations, and
government jurisdictions; for health care entities, the size standard
for a ``small'' entity ranges from $6 million to $29 million in
revenues in any one year. Most hospitals and most other providers and
suppliers are small entities, either by nonprofit status or by having
revenues less than the applicable size standard in any one year. As
discussed above, the incidence of noncompliance is expected to be low,
and, as also discussed above, it is expected that most issues of
noncompliance will be resolved with minimal enforcement action. Even
though the burden of regulatory compliance often falls
disproportionately on small entities, there is no evidence to suggest
that small entities have a higher rate of noncompliance than large
entities. The Secretary therefore certifies that this rule will not
have a significant economic impact on a substantial number of small
entities.
Section 1102(b) of the Act requires agencies to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to the provisions of section 603 (proposed
documents)/604 (final documents) of the RFA. For purposes of section
1102(b) of the Act, we define a small rural hospital as a hospital that
is located outside of a Metropolitan Statistical Area and has fewer
than 100 beds. This proposed rule would not have a significant impact
on small rural hospitals. The rule would implement procedures necessary
for the Secretary to enforce subtitle F of Title II of HIPAA. As noted
earlier, we do not expect that covered entities will willfully be out
of compliance in such a way that would result in an enforcement action
proceeding through the hearing stage.
Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C.
1531 et seq., also requires that agencies assess anticipated costs and
benefits before issuing any rule that may result in expenditure in any
one year by State, local, or tribal governments, in the aggregate, or
by the private sector, of $100 million. The Small Business Regulatory
Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 801 et seq.,
requires that rules that will have an impact on the economy of $100
million or more per annum be submitted for Congressional review. For
the reasons discussed above, this proposed rule would not impose a
burden large enough to require a section 202 statement under the
Unfunded Mandates Reform Act of 1995 or Congressional review under
SBREFA.
Executive Order 13132 establishes certain requirements that an
agency must meet when it adopts a proposed rule (and subsequent final
rule) that imposes substantial direct requirement costs on State and
local governments, preempts State law, or otherwise has Federalism
implications. This proposed rule does not have ``Federalism
implications.'' The rule would not have ``substantial direct effects on
the States, on the relationship between the national government and the
States, or on the distribution of power and responsibilities among the
various levels of government.'' As the Enforcement Rule is procedural
in nature, its economic effects would not be substantial, as explained
previously. Any preemption of State law that could occur would be a
function of the underlying HIPAA rules, not the Enforcement Rule, which
principally establishes the means by which the statutory civil money
penalty provisions will be implemented. Therefore, the Enforcement Rule
is not subject to Executive Order 13132 (Federalism).
Dated: April 8, 2005.
Michael O. Leavitt,
Secretary.
List of Subjects
45 CFR Part 160
Administrative practice and procedure, Computer technology,
Electronic transactions, Employer benefit plan, Health, Health care,
Health facilities, Health insurance, Health records, Hospitals,
Investigations, Medicaid, Medical research, Medicare, Penalties,
Privacy, Reporting and record keeping requirements, Security.
45 CFR Part 164
Administrative practice and procedure, Electronic information
system, Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health Insurance, Health records, Hospitals,
Medicaid, Medical research, Medicare, Privacy, Reporting and record
keeping requirements, Security.
For the reasons set forth in the preamble, the Department of Health
and Human Services proposes to amend 45 CFR subtitle A, subchapter C,
parts 160 and 164, as set forth below.
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 is revised to read as
follows:
[[Page 20250]]
Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, and sec.
264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2
(note)).
2. Section Sec. 160.103 is amended by adding the definition
``Person'' in alphabetical order to read as follows:
Sec. 160.103 Definitions.
* * * * *
Person means a natural person, trust or estate, partnership,
corporation, professional association or corporation, or other entity,
public or private.
* * * * *
3. Revise subpart C of this part to read as follows:
Subpart C--Compliance and Investigations
Sec.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance
reviews.
160.314 Investigational subpoenas and inquiries.
160.316 Refraining from intimidation or retaliation.
Subpart C--Compliance and Investigations
Sec. 160.300 Applicability.
This subpart applies to actions by the Secretary, covered entities,
and others with respect to ascertaining the compliance by covered
entities with, and the enforcement of, the applicable requirements of
this part 160 and the applicable standards, requirements, and
implementation specifications of parts 162 and 164 of this subchapter.
Sec. 160.302 Definitions.
As used in this subpart and subparts D and E of this part, the
following terms have the following meanings:
Administrative simplification provision means any requirement or
prohibition established by:
(1) 42 U.S.C. 1320d-1320d-4, 1320d-7, and 1320d-8;
(2) Section 264 of Pub. L. 104-191; or
(3) This subchapter.
ALJ means Administrative Law Judge.
Civil money penalty or penalty means the amount determined under
Sec. 160.404 of this part and includes the plural of these terms.
Respondent means a covered entity upon which the Secretary has
imposed, or proposes to impose, a civil money penalty.
Violation or violate means, as the context may require, failure to
comply with an administrative simplification provision.
Sec. 160.304 Principles for achieving compliance.
(a) Cooperation. The Secretary will, to the extent practicable,
seek the cooperation of covered entities in obtaining compliance with
the applicable administrative simplification provisions.
(b) Assistance. The Secretary may provide technical assistance to
covered entities to help them comply voluntarily with the applicable
administrative simplification provisions.
Sec. 160.306 Complaints to the Secretary.
(a) Right to file a complaint. A person who believes a covered
entity is not complying with the administrative simplification
provisions may file a complaint with the Secretary.
(b) Requirements for filing complaints. Complaints under this
section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or
electronically.
(2) A complaint must name the person that is the subject of the
complaint and describe the acts or omissions believed to be in
violation of the applicable administrative simplification provision(s).
(3) A complaint must be filed within 180 days of when the
complainant knew or should have known that the act or omission
complained of occurred, unless this time limit is waived by the
Secretary for good cause shown.
(4) The Secretary may prescribe additional procedures for the
filing of complaints, as well as the place and manner of filing, by
notice in the Federal Register.
(c) Investigation. The Secretary may investigate complaints filed
under this section. Such investigation may include a review of the
pertinent policies, procedures, or practices of the covered entity and
of the circumstances regarding any alleged violation.
Sec. 160.308 Compliance reviews.
The Secretary may conduct compliance reviews to determine whether
covered entities are complying with the applicable administrative
simplification provisions.
Sec. 160.310 Responsibilities of covered entities.
(a) Provide records and compliance reports. A covered entity must
keep such records and submit such compliance reports, in such time and
manner and containing such information, as the Secretary may determine
to be necessary to enable the Secretary to ascertain whether the
covered entity has complied or is complying with the applicable
administrative simplification provisions.
(b) Cooperate with complaint investigations and compliance reviews.
A covered entity must cooperate with the Secretary, if the Secretary
undertakes an investigation or compliance review of the policies,
procedures, or practices of the covered entity to determine whether it
is complying with the applicable administrative simplification
provisions.
(c) Permit access to information. (1) A covered entity must permit
access by the Secretary during normal business hours to its facilities,
books, records, accounts, and other sources of information, including
protected health information, that are pertinent to ascertaining
compliance with the applicable administrative simplification
provisions. If the Secretary determines that exigent circumstances
exist, such as when documents may be hidden or destroyed, a covered
entity must permit access by the Secretary at any time and without
notice.
(2) If any information required of a covered entity under this
section is in the exclusive possession of any other agency,
institution, or person and the other agency, institution, or person
fails or refuses to furnish the information, the covered entity must so
certify and set forth what efforts it has made to obtain the
information.
(3) Protected health information obtained by the Secretary in
connection with an investigation or compliance review under this
subpart will not be disclosed by the Secretary, except if necessary for
ascertaining or enforcing compliance with the applicable administrative
simplification provisions, or if otherwise required by law.
Sec. 160.312 Secretarial action regarding complaints and compliance
reviews.
(a) Resolution when noncompliance is indicated. (1) If an
investigation of a complaint pursuant to Sec. 160.306 or a compliance
review pursuant to Sec. 160.308 indicates noncompliance, the Secretary
will attempt to reach a resolution of the matter satisfactory to the
Secretary by informal means. Informal means may include demonstrated
compliance or a completed corrective action plan or other agreement.
(2) If the matter is resolved by informal means, the Secretary will
so inform the covered entity and, if the
[[Page 20251]]
matter arose from a complaint, the complainant, in writing.
(3) If the matter is not resolved by informal means, the Secretary
will--
(i) So inform the covered entity and provide the covered entity an
opportunity to submit written evidence of any mitigating factors or
affirmative defenses for consideration under Sec. Sec. 160.408 and
160.410. The covered entity must submit any such evidence to the
Secretary within 30 days (computed in the same manner as prescribed
under Sec. 160.526) of receipt of such notification; and
(ii) If, following action pursuant to paragraph (a)(3)(i) of this
section, the Secretary finds that a civil money penalty should be
imposed, inform the covered entity of such finding in a notice of
proposed determination in accordance with Sec. 160.420.
(b) Resolution when no violation is found. If, after an
investigation pursuant to Sec. 160.306 or a compliance review pursuant
to Sec. 160.308, the Secretary determines that further action is not
warranted, the Secretary will so inform the covered entity and, if the
matter arose from a complaint, the complainant, in writing.
Sec. 160.314 Investigational subpoenas and inquiries.
(a) The Secretary may issue subpoenas in accordance with 42 U.S.C.
405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and
testimony of witnesses and the production of any other evidence during
an investigation pursuant to this part. For purposes of this paragraph,
a person other than a natural person is termed an ``entity.''
(1) A subpoena issued under this paragraph must--
(i) State the name of the person (including the entity, if
applicable) to whom the subpoena is addressed;
(ii) State the statutory authority for the subpoena;
(iii) Indicate the date, time, and place that the testimony will
take place;
(iv) Include a reasonably specific description of any documents or
items required to be produced; and
(v) If the subpoena is addressed to an entity, describe with
reasonable particularity the subject matter on which testimony is
required. In that event, the entity must designate one or more natural
persons who will testify on its behalf, and must state as to each such
person that person's name and address and the matters on which he or
she will testify. The designated person must testify as to matters
known or reasonably available to the entity.
(2) A subpoena under this section must be served by--
(i) Delivering a copy to the natural person named in the subpoena
or to the entity named in the subpoena at its last principal place of
business; or
(ii) Registered or certified mail addressed to the natural person
at his or her last known dwelling place or to the entity at its last
known principal place of business.
(3) A verified return by the natural person serving the subpoena
setting forth the manner of service or, in the case of service by
registered or certified mail, the signed return post office receipt,
constitutes proof of service.
(4) Witnesses are entitled to the same fees and mileage as
witnesses in the district courts of the United States (28 U.S.C. 1821
and 1825). Fees need not be paid at the time the subpoena is served.
(5) A subpoena under this section is enforceable through the
district court of the United States for the district where the
subpoenaed natural person resides or is found or where the entity
transacts business.
(b) Investigational inquiries are non-public investigational
proceedings conducted by the Secretary.
(1) Testimony at investigational inquiries will be taken under oath
or affirmation.
(2) Attendance of non-witnesses is discretionary with the
Secretary, except that a witness is entitled to be accompanied,
represented, and advised by an attorney.
(3) Representatives of the Secretary are entitled to attend and ask
questions.
(4) A witness will have the opportunity to clarify his or her
answers on the record following questioning by the Secretary.
(5) Any claim of privilege must be asserted by the witness on the
record.
(6) Objections must be asserted on the record. Errors of any kind
that might be corrected if promptly presented will be deemed to be
waived unless reasonable objection is made at the investigational
inquiry. Except where the objection is on the grounds of privilege, the
question will be answered on the record, subject to objection.
(7) If a witness refuses to answer any question not privileged or
to produce requested documents or items, or engages in conduct likely
to delay or obstruct the investigational inquiry, the Secretary may
seek enforcement of the subpoena under paragraph (a)(5) of this
section.
(8) The proceedings will be recorded and transcribed. The witness
is entitled to a copy of the transcript, upon payment of prescribed
costs, except that, for good cause, the witness may be limited to
inspection of the official transcript of his or her testimony.
(9)(i) The transcript will be submitted to the witness for
signature.
(A) Where the witness will be provided a copy of the transcript,
the transcript will be submitted to the witness for signature. The
witness may submit to the Secretary written proposed corrections to the
transcript, with such corrections attached to the transcript. If the
witness does not return a signed copy of the transcript or proposed
corrections within 30 days (computed in the same manner as prescribed
under Sec. 160.526) of its being submitted to him or her for
signature, the witness will be deemed to have agreed that the
transcript is true and accurate.
(B) Where, as provided in paragraph (b)(8) of this section, the
witness is limited to inspecting the transcript, the witness will have
the opportunity at the time of inspection to propose corrections to the
transcript, with corrections attached to the transcript. The witness
will also have the opportunity to sign the transcript. If the witness
does not sign the transcript or offer corrections within 30 days
(computed in the same manner as prescribed under Sec. 160.526 of this
part) of receipt of notice of the opportunity to inspect the
transcript, the witness will be deemed to have agreed that the
transcript is true and accurate.
(ii) The Secretary's proposed corrections to the record of
transcript will be attached to the transcript.
(c) Consistent with Sec. 160.310(c)(3), testimony and other
evidence obtained in an investigational inquiry may be used by HHS in
any of its activities and may be used or offered into evidence in any
administrative or judicial proceeding.
Sec. 160.316 Refraining from intimidation or retaliation.
A covered entity may not threaten, intimidate, coerce, discriminate
against, or take any other retaliatory action against any individual or
other person for--
(a) Filing of a complaint under Sec. 160.306;
(b) Testifying, assisting, or participating in an investigation,
compliance review, proceeding, or hearing under this part; or
(c) Opposing any act or practice made unlawful by this subchapter,
provided the individual or person has a good faith belief that the
practice opposed is unlawful, and the manner of opposition is
reasonable and does not involve a disclosure of protected health
information in violation of subpart E of part 164 of this subchapter.
[[Page 20252]]
4. Amend 45 CFR part 160 by adding a new subpart D to read as
follows:
Subpart D--Imposition of Civil Money Penalties
Sec.
160.400 Applicability.
160.402 Basis for a civil money penalty.
160.404 Amount of a civil money penalty.
160.406 Number of violations.
160.408 Factors considered in determining the amount of a civil
money penalty.
160.410 Affirmative defenses.
160.412 Waiver.
160.414 Limitations.
160.416 Authority to settle.
160.418 Penalty not exclusive.
160.420 Notice of proposed determination.
160.422 Failure to request a hearing.
160.424 Collection of penalty.
160.426 Notification of the public and other agencies.
Subpart D--Imposition of Civil Money Penalties
Sec. 160.400 Applicability.
This subpart applies to the imposition of a civil money penalty by
the Secretary under 42 U.S.C. 1320d-5.
Sec. 160.402 Basis for a civil money penalty.
(a) General rule. Subject to Sec. 160.410, the Secretary will
impose a civil money penalty upon a covered entity if the Secretary
determines that the covered entity has violated an administrative
simplification provision.
(b) Violation by more than one covered entity. (1) Except as
provided in paragraph (b)(2) of this section, if the Secretary
determines that more than one covered entity was responsible for a
violation, the Secretary will impose a civil money penalty against each
such covered entity.
(2) Each covered entity that is a member of an affiliated covered
entity, in accordance with Sec. 164.105(b) of this subchapter, is
jointly and severally liable for a civil money penalty for a violation
of part 164 of this subchapter based on an act or omission of the
affiliated covered entity.
(c) Violation attributed to a covered entity. A covered entity is
liable, in accordance with the federal common law of agency, for a
civil money penalty for a violation based on the act or omission of any
agent of the covered entity, including a workforce member, acting
within the scope of the agency, unless--
(1) The agent is a business associate of the covered entity;
(2) The covered entity has complied, with respect to such business
associate, with the applicable requirements of Sec. Sec. 164.308(b)
and 164.502(e) of this subchapter; and
(3) The covered entity did not--
(i) Know of a pattern of activity or practice of the business
associate, and
(ii) Fail to act as required by Sec. Sec. 164.314(a)(1)(ii) and
164.504(e)(1)(ii) of this subchapter, as applicable.
Sec. 160.404 Amount of a civil money penalty.
(a) The amount of a civil money penalty will be determined in
accordance with paragraph (b) of this section and Sec. Sec. 160.406,
160.408, and 160.412.
(b) The amount of a civil money penalty that may be imposed is
subject to the following limitations:
(1) The Secretary may not impose a civil money penalty--
(i) In the amount of more than $100 for each violation; or
(ii) In excess of $25,000 for identical violations during a
calendar year (January 1 through the following December 31).
(2) If a requirement or prohibition in one administrative
simplification provision is repeated in a more general form in another
administrative simplification provision in the same subpart, a civil
money penalty may be imposed for a violation of only one of these
administrative simplification provisions.
Sec. 160.406 Number of violations.
(a) General rule. To determine the number of violations of an
identical administrative simplification provision by a covered entity,
the Secretary will apply, as he deems appropriate, any variables
identified at paragraph (b) of this section, based upon:
(1) The facts and circumstances of the violation; and
(2) The underlying purpose of the subpart of this subchapter that
is violated.
(b) Variables. (1) The number of times the covered entity failed to
engage in required conduct or engaged in a prohibited act;
(2) The number of persons involved in, or affected by, the
violation; or
(3) The duration of the violation counted in days.
Sec. 160.408 Factors considered in determining the amount of a civil
money penalty.
In determining the amount of any civil money penalty, the Secretary
may consider as aggravating or mitigating factors, as appropriate, any
of the following:
(a) The nature of the violation, in light of the purpose of the
rule violated.
(b) The circumstances, including the consequences, of the
violation, including but not limited to:
(1) The time period during which the violation(s) occurred;
(2) Whether the violation caused physical harm;
(3) Whether the violation hindered or facilitated an individual's
ability to obtain health care; and
(4) Whether the violation resulted in financial harm.
(c) The degree of culpability of the covered entity, including but
not limited to:
(1) Whether the violation was intentional; and
(2) Whether the violation was beyond the direct control of the
covered entity.
(d) Any history of prior offenses of the covered entity, including
but not limited to:
(1) Whether the current violation is the same or similar to prior
violation(s);
(2) Whether and to what extent the covered entity has attempted to
correct previous violations;
(3) How the covered entity has responded to technical assistance
from the Secretary provided in the context of a compliance effort; and
(4) How the covered entity has responded to prior complaints.
(e) The financial condition of the covered entity, including but
not limited to:
(1) Whether the covered entity had financial difficulties that
affected its ability to comply;
(2) Whether the imposition of a civil money penalty would
jeopardize the ability of the covered entity to continue to provide, or
to pay for, health care; and
(3) The size of the covered entity.
(f) Such other matters as justice may require.
Sec. 160.410 Affirmative defenses.
(a) As used in this section, the following terms have the following
meanings:
Reasonable cause means circumstances that would make it
unreasonable for the covered entity, despite the exercise of ordinary
business care and prudence, to comply with the administrative
simplification provision violated.
Reasonable diligence means the business care and prudence expected
from a person seeking to satisfy a legal requirement under similar
circumstances.
Willful neglect means conscious, intentional failure or reckless
indifference to the obligation to comply with the administrative
simplification provision violated.
(b) The Secretary may not impose a civil money penalty on a covered
entity for a violation if the covered entity establishes that an
affirmative defense exists with respect to the violation, including the
following:
[[Page 20253]]
(1) The violation is an act punishable under 42 U.S.C. 1320d-6;
(2) The covered entity establishes, to the satisfaction of the
Secretary, that it did not have knowledge of the violation, determined
in accordance with the federal common law of agency, and, by exercising
reasonable diligence, would not have known that the violation occurred;
or
(3) The violation is--
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity
liable for the penalty knew, or by exercising reasonable diligence
would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be
appropriate based on the nature and extent of the failure to comply.
Sec. 160.412 Waiver.
For violations described in Sec. 160.410(b)(3)(i) that are not
corrected within the period described in Sec. 160.410(b)(3)(ii), the
Secretary may waive the civil money penalty, in whole or in part, to
the extent that payment of the penalty would be excessive relative to
the violation.
Sec. 160.414 Limitations.
No action under this subpart may be entertained unless commenced by
the Secretary, in accordance with Sec. 160.420, within 6 years from
the date of the occurrence of the violation.
Sec. 160.416 Authority to settle.
Nothing in this subpart limits the authority of the Secretary to
settle any issue or case or to compromise any penalty.
Sec. 160.418 Penalty not exclusive.
Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1), a penalty
imposed under this part is in addition to any other penalty prescribed
by law.
Sec. 160.420 Notice of proposed determination.
(a) If a penalty is proposed in accordance with this part, the
Secretary must deliver, or send by certified mail with return receipt
requested, to the respondent, written notice of the Secretary's intent
to impose a penalty. This notice of proposed determination must
include--
(1) Reference to the statutory basis for the penalty;
(2) A description of the findings of fact regarding the violations
with respect to which the penalty is proposed (except in cases where
the Secretary is relying upon a statistical sampling study in
accordance with Sec. 160.536, in which case the notice must describe
the study relied upon and briefly describe the statistical sampling
technique used by the Secretary);
(3) The reason(s) why the violation(s) subject(s) the respondent to
a penalty;
(4) The amount of the proposed penalty;
(5) Any circumstances described in Sec. 160.408 that were
considered in determining the amount of the proposed penalty; and
(6) Instructions for responding to the notice, including a
statement of the respondent's right to a hearing, a statement that
failure to request a hearing within 60 days permits the imposition of
the proposed penalty without the right to a hearing under Sec. 160.504
or a right of appeal under Sec. 160.548, and the address to which the
hearing request must be sent.
(b) The respondent may request a hearing before an ALJ on the
proposed penalty by filing a request in accordance with Sec. 160.504.
Sec. 160.422 Failure to request a hearing.
If the respondent does not request a hearing within the time
prescribed by Sec. 160.504 and the matter is not settled pursuant to
Sec. 160.416, the Secretary will impose the proposed penalty or any
lesser penalty permitted by 42 U.S.C. 1320d-5. The Secretary will
notify the respondent by certified mail, return receipt requested, of
any penalty that has been imposed and of the means by which the
respondent may satisfy the penalty, and the penalty is final on receipt
of the notice. The respondent has no right to appeal a penalty under
Sec. 160.548 with respect to which the respondent has not timely
requested a hearing.
Sec. 160.424 Collection of penalty.
(a) Once a determination of the Secretary to impose a penalty has
become final, the penalty will be collected by the Secretary, subject
to the first sentence of 42 U.S.C. 1320a-7a(f).
(b) The penalty may be recovered in a civil action brought in the
United States district court for the district where the respondent
resides, is found, or is located.
(c) The amount of a penalty, when finally determined, or the amount
agreed upon in compromise, may be deducted from any sum then or later
owing by the United States, or by a State agency, to the respondent.
(d) Matters that were raised or that could have been raised in a
hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may
not be raised as a defense in a civil action by the United States to
collect a penalty under this part.
Sec. 160.426 Notification of the public and other agencies.
Whenever a proposed penalty becomes final, the Secretary will
notify, in such manner as the Secretary deems appropriate, the public
and the following organizations and entities thereof and the reason it
was imposed: The appropriate State or local medical or professional
organization, the appropriate State agency or agencies administering or
supervising the administration of State health care programs (as
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and
quality control peer review organization, and the appropriate State or
local licensing agency or organization (including the agency specified
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).
5. Revise subpart E to read as follows:
Subpart E--Procedures for Hearings
Sec.
160.500 Applicability.
160.502 Definitions.
160.504 Hearing before an ALJ.
160.506 Rights of the parties.
160.508 Authority of the ALJ.
160.510 Ex parte contacts.
160.512 Prehearing conferences.
160.514 Authority to settle.
160.516 Discovery.
160.518 Exchange of witness lists, witness statements, and exhibits.
160.520 Subpoenas for attendance at hearing.
160.522 Fees.
160.524 Form, filing, and service of papers.
160.526 Computation of time.
160.528 Motions.
160.530 Sanctions.
160.532 Collateral estoppel.
160.534 The hearing.
160.536 Statistical sampling.
160.538 Witnesses.
160.540 Evidence.
160.542 The record.
160.544 Post hearing briefs.
160.546 ALJ decision.
160.548 Appeal of the ALJ decision.
160.550 Stay of the Secretary's decision.
160.552 Harmless error.
Subpart E--Procedures for Hearings
Sec. 160.500 Applicability.
This subpart applies to hearings conducted relating to the
imposition of a civil money penalty by the Secretary under 42 U.S.C.
1320d-5.
Sec. 160.502 Definitions.
As used in this subpart, the following term has the following
meaning:
Board means the members of the HHS Departmental Appeals Board, in
the Office of the Secretary, who issue decisions in panels of three.
[[Page 20254]]
Sec. 160.504 Hearing before an ALJ.
(a) A respondent may request a hearing before an ALJ. The parties
to the hearing proceeding consist of--
(1) The respondent; and
(2) The officer(s) or employee(s) of HHS to whom the enforcement
authority involved has been delegated.
(b) The request for a hearing must be made in writing signed by the
respondent or by the respondent's attorney and sent by certified mail,
return receipt requested, to the address specified in the notice of
proposed determination. The request for a hearing must be mailed within
60 days after notice of the proposed determination is received by the
respondent. For purposes of this section, the respondent's date of
receipt of the notice of proposed determination is presumed to be 5
days after the date of the notice unless the respondent makes a
reasonable showing to the contrary to the ALJ.
(c) The request for a hearing must clearly and directly admit,
deny, or explain each of the findings of fact contained in the notice
of proposed determination with regard to which the respondent has any
knowledge. If the respondent has no knowledge of a particular finding
of fact and so states, the finding shall be deemed denied. The request
for a hearing must also state the circumstances or arguments that the
respondent alleges constitute the grounds for any defense and the
factual and legal basis for opposing the penalty.
(d) The ALJ must dismiss a hearing request where--
(1) The respondent's hearing request is not filed as required by
paragraphs (b) and (c) of this section;
(2) The respondent withdraws the request for a hearing;
(3) The respondent abandons the request for a hearing; or
(4) The respondent's hearing request fails to raise any issue that
may properly be addressed in a hearing.
Sec. 160.506 Rights of the parties.
(a) Except as otherwise limited by this subpart, each party may--
(1) Be accompanied, represented, and advised by an attorney;
(2) Participate in any conference held by the ALJ;
3) Conduct discovery of documents as permitted by this subpart;
(4) Agree to stipulations of fact or law that will be made part of
the record;
(5) Present evidence relevant to the issues at the hearing;
(6) Present and cross-examine witnesses;
(7) Present oral arguments at the hearing as permitted by the ALJ;
and
(8) Submit written briefs and proposed findings of fact and
conclusions of law after the hearing.
(b) A party may appear in person or by a representative. Natural
persons who appear as an attorney or other representative must conform
to the standards of conduct and ethics required of practitioners before
the courts of the United States.
(c) Fees for any services performed on behalf of a party by an
attorney are not subject to the provisions of 42 U.S.C. 406, which
authorizes the Secretary to specify or limit their fees.
Sec. 160.508 Authority of the ALJ.
(a) The ALJ must conduct a fair and impartial hearing, avoid delay,
maintain order, and ensure that a record of the proceeding is made.
(b) The ALJ may--
(1) Set and change the date, time and place of the hearing upon
reasonable notice to the parties;
(2) Continue or recess the hearing in whole or in part for a
reasonable period of time;
(3) Hold conferences to identify or simplify the issues, or to
consider other matters that may aid in the expeditious disposition of
the proceeding;
(4) Administer oaths and affirmations;
(5) Issue subpoenas requiring the attendance of witnesses at
hearings and the production of documents at or in relation to hearings;
(6) Rule on motions and other procedural matters;
(7) Regulate the scope and timing of documentary discovery as
permitted by this subpart;
(8) Regulate the course of the hearing and the conduct of
representatives, parties, and witnesses;
(9) Examine witnesses;
(10) Receive, rule on, exclude, or limit evidence;
(11) Upon motion of a party, take official notice of facts;
(12) Conduct any conference, argument or hearing in person or, upon
agreement of the parties, by telephone; and
(13) Upon motion of a party, decide cases, in whole or in part, by
summary judgment where there is no disputed issue of material fact. A
summary judgment decision constitutes a hearing on the record for the
purposes of this subpart.
(c) The ALJ--
(1) May not find invalid or refuse to follow Federal statutes,
regulations, or Secretarial delegations of authority and must give
deference to published guidance to the extent not inconsistent with
statute or regulation;
(2) May not enter an order in the nature of a directed verdict;
(3) May not compel settlement negotiations;
(4) May not enjoin any act of the Secretary; or
(5) May not review the exercise of discretion by the Secretary with
respect to--
(i) Whether to grant an extension under Sec. 160.410(b)(3)(ii)(B)
or to provide technical assistance under 42 U.S.C. 1320d-5(b)(3)(B);
and
(ii) Selection of variable(s) under Sec. 160.406.
Sec. 160.510 Ex parte contacts.
No party or person (except employees of the ALJ's office) may
communicate in any way with the ALJ on any matter at issue in a case,
unless on notice and opportunity for both parties to participate. This
provision does not prohibit a party or person from inquiring about the
status of a case or asking routine questions concerning administrative
functions or procedures.
Sec. 160.512 Prehearing conferences.
(a) The ALJ must schedule at least one prehearing conference, and
may schedule additional prehearing conferences as appropriate, upon
reasonable notice, which may not be less than 14 business days, to the
parties.
(b) The ALJ may use prehearing conferences to discuss the
following--
(1) Simplification of the issues;
(2) The necessity or desirability of amendments to the pleadings,
including the need for a more definite statement;
(3) Stipulations and admissions of fact or as to the contents and
authenticity of documents;
(4) Whether the parties can agree to submission of the case on a
stipulated record;
(5) Whether a party chooses to waive appearance at an oral hearing
and to submit only documentary evidence (subject to the objection of
the other party) and written argument;
(6) Limitation of the number of witnesses;
(7) Scheduling dates for the exchange of witness lists and of
proposed exhibits;
(8) Discovery of documents as permitted by this subpart;
(9) The time and place for the hearing;
(10) The potential for the settlement of the case by the parties;
and
(11) Other matters as may tend to encourage the fair, just and
expeditious disposition of the proceedings, including the protection of
privacy of individually identifiable health information that may be
submitted into evidence or otherwise used in the proceeding, if
appropriate.
[[Page 20255]]
(c) The ALJ must issue an order containing the matters agreed upon
by the parties or ordered by the ALJ at a prehearing conference.
Sec. 160.514 Authority to settle.
The Secretary has exclusive authority to settle any issue or case
without the consent of the ALJ.
Sec. 160.516 Discovery.
(a) A party may make a request to another party for production of
documents for inspection and copying that are relevant and material to
the issues before the ALJ.
(b) For the purpose of this section, the term ``documents''
includes information, reports, answers, records, accounts, papers and
other data and documentary evidence. Nothing contained in this section
may be interpreted to require the creation of a document, except that
requested data stored in an electronic data storage system must be
produced in a form accessible to the requesting party.
(c) Requests for documents, requests for admissions, written
interrogatories, depositions and any forms of discovery, other than
those permitted under paragraph (a) of this section, are not
authorized.
(d) This section may not be construed to require the disclosure of
interview reports or statements obtained by any party, or on behalf of
any party, of persons who will not be called as witnesses by that
party, or analyses and summaries prepared in conjunction with the
investigation or litigation of the case, or any otherwise privileged
documents.
(e)(1) When a request for production of documents has been
received, within 30 days the party receiving that request must either
fully respond to the request, or state that the request is being
objected to and the reasons for that objection. If objection is made to
part of an item or category, the part must be specified. Upon receiving
any objections, the party seeking production may then, within 30 days
or any other time frame set by the ALJ, file a motion for an order
compelling discovery. The party receiving a request for production may
also file a motion for protective order any time before the date the
production is due.
(2) The ALJ may grant a motion for protective order or deny a
motion for an order compelling discovery if the ALJ finds that the
discovery sought--
(i) Is irrelevant;
(ii) Is unduly costly or burdensome;
(iii) Will unduly delay the proceeding; or
(iv) Seeks privileged information.
(3) The ALJ may extend any of the time frames set forth in
paragraph (e)(1) of this section.
(4) The burden of showing that discovery should be allowed is on
the party seeking discovery.
Sec. 160.518 Exchange of witness lists, witness statements, and
exhibits.
(a) The parties must exchange witness lists, copies of prior
written statements of proposed witnesses, and copies of proposed
hearing exhibits, including copies of any written statements that the
party intends to offer in lieu of live testimony in accordance with
Sec. 160.538, not more than 60, and not less than 15, days before the
scheduled hearing.
(b)(1) If, at any time, a party objects to the proposed admission
of evidence not exchanged in accordance with paragraph (a) of this
section, the ALJ must determine whether the failure to comply with
paragraph (a) of this section should result in the exclusion of that
evidence.
(2) Unless the ALJ finds that extraordinary circumstances justified
the failure timely to exchange the information listed under paragraph
(a) of this section, the ALJ must exclude from the party's case-in-
chief--
(i) The testimony of any witness whose name does not appear on the
witness list; and
(ii) Any exhibit not provided to the opposing party as specified in
paragraph (a) of this section.
(3) If the ALJ finds that extraordinary circumstances existed, the
ALJ must then determine whether the admission of that evidence would
cause substantial prejudice to the objecting party.
(i) If the ALJ finds that there is no substantial prejudice, the
evidence may be admitted.
(ii) If the ALJ finds that there is substantial prejudice, the ALJ
may exclude the evidence, or, if he or she does not exclude the
evidence, must postpone the hearing for such time as is necessary for
the objecting party to prepare and respond to the evidence, unless the
objecting party waives postponement.
(c) Unless the other party objects within a reasonable period of
time before the hearing, documents exchanged in accordance with
paragraph (a) of this section will be deemed to be authentic for the
purpose of admissibility at the hearing.
Sec. 160.520 Subpoenas for attendance at hearing.
(a) A party wishing to procure the appearance and testimony of any
person at the hearing may make a motion requesting the ALJ to issue a
subpoena if the appearance and testimony are reasonably necessary for
the presentation of a party's case.
(b) A subpoena requiring the attendance of a person in accordance
with paragraph (a) of this section may also require the person (whether
or not the person is a party) to produce relevant and material evidence
at or before the hearing.
(c) When a subpoena is served by a respondent on a particular
employee or official or particular office of HHS, the Secretary may
comply by designating any knowledgeable HHS representative to appear
and testify.
(d) A party seeking a subpoena must file a written motion not less
than 30 days before the date fixed for the hearing, unless otherwise
allowed by the ALJ for good cause shown. That motion must--
(1) Specify any evidence to be produced;
(2) Designate the witnesses; and
(3) Describe the address and location with sufficient particularity
to permit those witnesses to be found.
(e) The subpoena must specify the time and place at which the
witness is to appear and any evidence the witness is to produce.
(f) Within 15 days after the written motion requesting issuance of
a subpoena is served, any party may file an opposition or other
response.
(g) If the motion requesting issuance of a subpoena is granted, the
party seeking the subpoena must serve it by delivery to the person
named, or by certified mail addressed to that person at the person's
last dwelling place or principal place of business.
(h) The person to whom the subpoena is directed may file with the
ALJ a motion to quash the subpoena within 10 days after service.
(i) The exclusive remedy for contumacy by, or refusal to obey a
subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).
Sec. 160.522 Fees.
The party requesting a subpoena must pay the cost of the fees and
mileage of any witness subpoenaed in the amounts that would be payable
to a witness in a proceeding in United States District Court. A check
for witness fees and mileage must accompany the subpoena when served,
except that, when a subpoena is issued on behalf of the Secretary, a
check for witness fees and mileage need not accompany the subpoena.
Sec. 160.524 Form, filing, and service of papers.
(a) Forms. (1) Unless the ALJ directs the parties to do otherwise,
documents
[[Page 20256]]
filed with the ALJ must include an original and two copies.
(2) Every pleading and paper filed in the proceeding must contain a
caption setting forth the title of the action, the case number, and a
designation of the paper, such as motion to quash subpoena.
(3) Every pleading and paper must be signed by and must contain the
address and telephone number of the party or the person on whose behalf
the paper was filed, or his or her representative.
(4) Papers are considered filed when they are mailed.
(b) Service. A party filing a document with the ALJ or the Board
must, at the time of filing, serve a copy of the document on the other
party. Service upon any party of any document must be made by
delivering a copy, or placing a copy of the document in the United
States mail, postage prepaid and addressed, or with a private delivery
service, to the party's last known address. When a party is represented
by an attorney, service must be made upon the attorney in lieu of the
party.
(c) Proof of service. A certificate of the natural person serving
the document by personal delivery or by mail, setting forth the manner
of service, constitutes proof of service.
Sec. 160.526 Computation of time.
(a) In computing any period of time under this subpart or in an
order issued thereunder, the time begins with the day following the
act, event or default, and includes the last day of the period unless
it is a Saturday, Sunday, or legal holiday observed by the Federal
Government, in which event it includes the next business day.
(b) When the period of time allowed is less than 7 days,
intermediate Saturdays, Sundays, and legal holidays observed by the
Federal Government must be excluded from the computation.
(c) Where a document has been served or issued by placing it in the
mail, an additional 5 days must be added to the time permitted for any
response. This paragraph does not apply to requests for hearing under
Sec. 160.504.
Sec. 160.528 Motions.
(a) An application to the ALJ for an order or ruling must be by
motion. Motions must state the relief sought, the authority relied upon
and the facts alleged, and must be filed with the ALJ and served on all
other parties.
(b) Except for motions made during a prehearing conference or at
the hearing, all motions must be in writing. The ALJ may require that
oral motions be reduced to writing.
(c) Within 10 days after a written motion is served, or such other
time as may be fixed by the ALJ, any party may file a response to the
motion.
(d) The ALJ may not grant a written motion before the time for
filing responses has expired, except upon consent of the parties or
following a hearing on the motion, but may overrule or deny the motion
without awaiting a response.
(e) The ALJ must make a reasonable effort to dispose of all
outstanding motions before the beginning of the hearing.
Sec. 160.530 Sanctions.
The ALJ may sanction a person, including any party or attorney, for
failing to comply with an order or procedure, for failing to defend an
action or for other misconduct that interferes with the speedy, orderly
or fair conduct of the hearing. The sanctions must reasonably relate to
the severity and nature of the failure or misconduct. The sanctions may
include--
(a) In the case of refusal to provide or permit discovery under the
terms of this part, drawing negative factual inferences or treating the
refusal as an admission by deeming the matter, or certain facts, to be
established;
(b) Prohibiting a party from introducing certain evidence or
otherwise supporting a particular claim or defense;
(c) Striking pleadings, in whole or in part;
(d) Staying the proceedings;
(e) Dismissal of the action;
(f) Entering a decision by default;
(g) Ordering the party or attorney to pay the attorney's fees and
other costs caused by the failure or misconduct; and
(h) Refusing to consider any motion or other action that is not
filed in a timely manner.
Sec. 160.532 Collateral estoppel.
When a final determination that the respondent violated an
administrative simplification provision has been rendered in any
proceeding in which the respondent was a party and had an opportunity
to be heard, the respondent is bound by that determination in any
proceeding under this part.
Sec. 160.534 The hearing.
(a) The ALJ must conduct a hearing on the record in order to
determine whether the respondent should be found liable under this
part.
(b)(1) The respondent has the burden of going forward and the
burden of persuasion with respect to any:
(i) Affirmative defense pursuant to Sec. 160.410;
(ii) Challenge to the amount of a proposed penalty pursuant to
Sec. Sec. 160.404-160.408, including any factors raised as mitigating
factors; or
(iii) Claim that a proposed penalty should be reduced or waived
pursuant to Sec. 160.412.
(2) The Secretary has the burden of going forward and the burden of
persuasion with respect to all other issues, including issues of
liability and the existence of any factors considered as aggravating
factors in determining the amount of the proposed penalty.
(3) The burden of persuasion will be judged by a preponderance of
the evidence.
(c) The hearing must be open to the public unless otherwise ordered
by the ALJ for good cause shown.
(d)(1) Subject to the 15-day rule under Sec. 160.518(a) and the
admissibility of evidence under Sec. 160.540, either party may
introduce, during its case in chief, items or information that arose or
became known after the date of the issuance of the notice of proposed
determination or the request for hearing, as applicable. Such items and
information may not be admitted into evidence, if introduced--
(i) By the Secretary, unless they are material and relevant to the
acts or omissions with respect to which the penalty is proposed in the
notice of proposed determination pursuant to Sec. 160.420, including
circumstances that may increase penalties; or
(ii) By the respondent, unless they are material and relevant to an
admission, denial or explanation of a finding of fact in the notice of
proposed determination under Sec. 160.420, or to a specific
circumstance or argument expressly stated in the request for hearing
under Sec. 160.504, including circumstances that may reduce penalties.
(2) After both parties have presented their cases, evidence may be
admitted in rebuttal even if not previously exchanged in accordance
with Sec. 160.518.
Sec. 160.536 Statistical sampling.
(a) In meeting the burden of proof set forth in Sec. 160.534, the
Secretary may introduce the results of a statistical sampling study as
evidence of the number of violations under Sec. 160.406, or the
factors considered in determining the amount of the civil money penalty
under Sec. 160.408. Such statistical sampling study, if based upon an
appropriate sampling and computed by valid statistical methods,
constitutes prima facie evidence of the number of violations and the
existence of factors material to the proposed civil money
[[Page 20257]]
penalty as described in Sec. Sec. 160.406 and 160.408.
(b) Once the Secretary has made a prima facie case, as described in
paragraph (a) of this section, the burden of going forward shifts to
the respondent to produce evidence reasonably calculated to rebut the
findings of the statistical sampling study. The Secretary will then be
given the opportunity to rebut this evidence.
Sec. 160.538 Witnesses.
(a) Except as provided in paragraph (b) of this section, testimony
at the hearing must be given orally by witnesses under oath or
affirmation.
(b) At the discretion of the ALJ, testimony of witnesses other than
the testimony of expert witnesses may be admitted in the form of a
written statement. Any such written statement must be provided to the
other party, along with the last known address of the witness, in a
manner that allows sufficient time for the other party to subpoena the
witness for cross-examination at the hearing. Prior written statements
of witnesses proposed to testify at the hearing must be exchanged as
provided in Sec. 160.518. The ALJ may, at his or her discretion, admit
prior sworn testimony of experts that has been subject to adverse
examination, such as a deposition or trial testimony.
(c) The ALJ must exercise reasonable control over the mode and
order of interrogating witnesses and presenting evidence so as to:
(1) Make the interrogation and presentation effective for the
ascertainment of the truth;
(2) Avoid repetition or needless consumption of time; and
(3) Protect witnesses from harassment or undue embarrassment.
(d) The ALJ must permit the parties to conduct cross-examination of
witnesses as may be required for a full and true disclosure of the
facts.
(e) The ALJ may order witnesses excluded so that they cannot hear
the testimony of other witnesses, except that the ALJ may not order to
be excluded--
(1) A party who is a natural person;
(2) In the case of a party that is not a natural person, the
officer or employee of the party appearing for the entity pro se or
designated as the party's representative; or
(3) A natural person whose presence is shown by a party to be
essential to the presentation of its case, including a person engaged
in assisting the attorney for the Secretary.
Sec. 160.540 Evidence.
(a) The ALJ must determine the admissibility of evidence.
(b) Except as provided in this subpart, the ALJ is not bound by the
Federal Rules of Evidence. However, the ALJ may apply the Federal Rules
of Evidence where appropriate, for example, to exclude unreliable
evidence.
(c) The ALJ must exclude irrelevant or immaterial evidence.
(d) Although relevant, evidence may be excluded if its probative
value is substantially outweighed by the danger of unfair prejudice,
confusion of the issues, or by considerations of undue delay or
needless presentation of cumulative evidence.
(e) Although relevant, evidence must be excluded if it is
privileged under Federal law.
(f) Evidence concerning offers of compromise or settlement are
inadmissible to the extent provided in Rule 408 of the Federal Rules of
Evidence.
(g) Evidence of crimes, wrongs, or acts other than those at issue
in the instant case is admissible in order to show motive, opportunity,
intent, knowledge, preparation, identity, lack of mistake, or existence
of a scheme. This evidence is admissible regardless of whether the
crimes, wrongs, or acts occurred during the statute of limitations
period applicable to the acts or omissions that constitute the basis
for liability in the case and regardless of whether they were
referenced in the Secretary's notice of proposed determination under
Sec. 160.420.
(h) The ALJ must permit the parties to introduce rebuttal witnesses
and evidence.
(i) All documents and other evidence offered or taken for the
record must be open to examination by both parties, unless otherwise
ordered by the ALJ for good cause shown.
Sec. 160.542 The record.
(a) The hearing must be recorded and transcribed. Transcripts may
be obtained following the hearing from the ALJ. Cost of transcription
will be borne equally by the parties.
(b) The transcript of the testimony, exhibits, and other evidence
admitted at the hearing, and all papers and requests filed in the
proceeding constitute the record for decision by the ALJ and the
Secretary.
(c) The record may be inspected and copied (upon payment of a
reasonable fee) by any person, unless otherwise ordered by the ALJ for
good cause shown.
(d) For good cause, the ALJ may order appropriate redactions made
to the record.
Sec. 160.544 Post hearing briefs.
The ALJ may require the parties to file post-hearing briefs. In any
event, any party may file a post-hearing brief. The ALJ must fix the
time for filing the briefs. The time for filing may not exceed 60 days
from the date the parties receive the transcript of the hearing or, if
applicable, the stipulated record. The briefs may be accompanied by
proposed findings of fact and conclusions of law. The ALJ may permit
the parties to file reply briefs.
Sec. 160.546 ALJ decision.
(a) The ALJ must issue a decision, based only on the record, which
must contain findings of fact and conclusions of law.
(b) The ALJ may affirm, increase, or reduce the penalties imposed
by the Secretary.
(c) The ALJ must issue the decision to both parties within 60 days
after the time for submission of post-hearing briefs and reply briefs,
if permitted, has expired. If the ALJ fails to meet the deadline
contained in this paragraph, he or she must notify the parties of the
reason for the delay and set a new deadline.
(d) Unless the decision of the ALJ is timely appealed as provided
for in Sec. 160.548, the decision of the ALJ will be final and binding
on the parties 60 days from the date of service of the ALJ's decision.
Sec. 160.548 Appeal of the ALJ decision.
(a) Any party may appeal the decision of the ALJ to the Board by
filing a notice of appeal with the Board within 30 days of the date of
service of the ALJ decision. The Board may extend the initial 30 day
period for a period of time not to exceed 30 days if a party files with
the Board a request for an extension within the initial 30 day period
and shows good cause.
(b) If a party files a timely notice of appeal with the Board, the
ALJ must forward the record of the proceeding to the Board.
(c) A notice of appeal must be accompanied by a written brief
specifying exceptions to the initial decision and reasons supporting
the exceptions. Any party may file a brief in opposition to the
exceptions, which may raise any relevant issue not addressed in the
exceptions, within 30 days of receiving the notice of appeal and the
accompanying brief. The Board may permit the parties to file reply
briefs.
[[Page 20258]]
(d) There is no right to appear personally before the Board or to
appeal to the Board any interlocutory ruling by the ALJ.
(e) The Board may not consider any issue not raised in the parties'
briefs, nor any issue in the briefs that could have been raised before
the ALJ but was not.
(f) If any party demonstrates to the satisfaction of the Board that
additional evidence not presented at such hearing is relevant and
material and that there were reasonable grounds for the failure to
adduce such evidence at the hearing, the Board may remand the matter to
the ALJ for consideration of such additional evidence.
(g) The Board may decline to review the case, or may affirm,
increase, reduce, reverse or remand any penalty determined by the ALJ.
(h) The standard of review on a disputed issue of fact is whether
the initial decision of the ALJ is supported by substantial evidence on
the whole record. The standard of review on a disputed issue of law is
whether the decision is erroneous.
(i) Within 60 days after the time for submission of briefs and
reply briefs, if permitted, has expired, the Board must serve on each
party to the appeal a copy of the Board's decision and a statement
describing the right of any respondent who is penalized to seek
judicial review.
(j)(1) The Board's decision under paragraph (i) of this section,
including a decision to decline review of the initial decision, becomes
the final decision of the Secretary 60 days after the date of service
of the Board's decision, except with respect to a decision to remand to
the ALJ or if reconsideration is requested under this paragraph.
(2) The Board will reconsider its decision only if it determines
that the decision contains a clear error of fact or error of law. New
evidence will not be a basis for reconsideration unless the party
demonstrates that the evidence is newly discovered and was not
previously available.
(3) A party may file a motion for reconsideration with the Board
before the date the decision becomes final under paragraph (j)(1) of
this section. A motion for reconsideration must be accompanied by a
written brief specifying any alleged error of fact or law and, if the
party is relying on additional evidence, explaining why the evidence
was not previously available. Any party may file a brief in opposition
within 15 days of receiving the motion for reconsideration and the
accompanying brief unless this time limit is extended by the Board for
good cause shown. Reply briefs are not permitted.
(4) The Board must rule on the motion for reconsideration not later
than 30 days from the date the opposition brief is due. If the Board
denies the motion, the decision issued under paragraph (i) of this
section becomes the final decision of the Secretary on the date of
service of the ruling. If the Board grants the motion, the Board will
issue a reconsidered decision, after such procedures as the Board
determines necessary to address the effect of any error. The Board's
decision on reconsideration becomes the final decision of the Secretary
on the date of service of the decision, except with respect to a
decision to remand to the ALJ.
(5) If service of a ruling or decision issued under this section is
by mail, the date of service will be deemed to be 5 days from the date
of mailing.
(k)(1) A respondent's petition for judicial review must be filed
within 60 days of the date on which the decision of the Board becomes
the final decision of the Secretary under paragraph (j) of this
section.
(2) In compliance with 28 U.S.C. 2112(a), a copy of any petition
for judicial review filed in any U.S. Court of Appeals challenging the
final decision of the Secretary must be sent by certified mail, return
receipt requested, to the General Counsel of HHS. The petition copy
must be a copy showing that it has been time-stamped by the clerk of
the court when the original was filed with the court.
(3) If the General Counsel of HHS received two or more petitions
within 10 days after the final decision of the Secretary, the General
Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation
of any petitions that were received within the 10 day period.
Sec. 160.550 Stay of the Secretary's decision.
(a) Pending judicial review, the respondent may file a request for
stay of the effective date of any penalty with the ALJ. The request
must be accompanied by a copy of the notice of appeal filed with the
federal court. The filing of the request automatically stays the
effective date of the penalty until such time as the ALJ rules upon the
request.
(b) The ALJ may not grant a respondent's request for stay of any
penalty unless the respondent posts a bond or provides other adequate
security.
(c) The ALJ must rule upon a respondent's request for stay within
10 days of receipt.
Sec. 160.552 Harmless error.
No error in either the admission or the exclusion of evidence, and
no error or defect in any ruling or order or in any act done or omitted
by the ALJ or by any of the parties is ground for vacating, modifying
or otherwise disturbing an otherwise appropriate ruling or order or
act, unless refusal to take such action appears to the ALJ or the Board
inconsistent with substantial justice. The ALJ and the Board at every
stage of the proceeding must disregard any error or defect in the
proceeding that does not affect the substantial rights of the parties.
PART 164--SECURITY AND PRIVACY
1. The authority citation for part 164 is revised to read as
follows:
Authority: 42 U.S.C. 1320d-1320d-8 and sec. 264, Pub. L. 104-
191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).
2. Revise Sec. 164.530(g) to read as follows:
Sec. 164.530 Standard: refraining from intimidating or retaliatory
acts.
* * * * *
(g) A covered entity--
(1) May not intimidate, threaten, coerce, discriminate against, or
take other retaliatory action against any individual for the exercise
by the individual of any right established, or for participation in any
process provided for by this subpart, including the filing of a
complaint under this section; and
(2) Must refrain from intimidation and retaliation as provided in
Sec. 160.316 of this subchapter.
* * * * *
[FR Doc. 05-7512 Filed 4-14-05; 8:45 am]
BILLING CODE 4153-01-P