[Federal Register Volume 71, Number 32 (Thursday, February 16, 2006)]
[Rules and Regulations]
[Pages 8389-8433]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 06-1376]



[[Page 8389]]

-----------------------------------------------------------------------

Part III





Department of Health and Human Services





-----------------------------------------------------------------------



Office of the Secretary



-----------------------------------------------------------------------



45 CFR Parts 160 and 164



HIPAA Administrative Simplification: Enforcement; Final Rule

Federal Register / Vol. 71, No. 32 / Thursday, February 16, 2006 / 
Rules and Regulations

[[Page 8390]]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB29


HIPAA Administrative Simplification: Enforcement

AGENCY: Office of the Secretary, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Health and Human Services is adopting rules 
for the imposition of civil money penalties on entities that violate 
rules adopted by the Secretary to implement the Administrative 
Simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996, Public Law 104-191 (HIPAA). The final rule 
amends the existing rules relating to the investigation of 
noncompliance to make them apply to all of the HIPAA Administrative 
Simplification rules, rather than exclusively to the privacy standards. 
It also amends the existing rules relating to the process for 
imposition of civil money penalties. Among other matters, the final 
rule clarifies and elaborates upon the investigation process, bases for 
liability, determination of the penalty amount, grounds for waiver, 
conduct of the hearing, and the appeal process.

DATES: This final rule is effective on March 16, 2006.

FOR FURTHER INFORMATION CONTACT: Carol C. Conrad, (202) 690-1840.

SUPPLEMENTARY INFORMATION: On April 18, 2005, the Department of Health 
and Human Services (HHS) published a Notice of Proposed Rulemaking 
(proposed rule) proposing to revise the existing rules relating to 
compliance with, and enforcement of, the Administrative Simplification 
regulations (HIPAA rules) adopted by the Secretary of Health and Human 
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA 
provisions). 70 FR 20224. The proposed rule also proposed the adoption 
of new provisions relating to the imposition of civil money penalties 
on covered entities that violate a HIPAA provision or HIPAA rule. The 
comment period on the proposed rule closed on June 17, 2005. Forty-nine 
comments, principally from health care organizations, were received 
during the comment period.
    In this final rule, HHS revises existing rules that relate to 
compliance with, and enforcement of, the HIPAA rules. These rules are 
codified at 45 CFR part 160, subparts C and E. In addition, this final 
rule adds a new subpart D to part 160. The new subpart D contains 
additional rules relating to the imposition by the Secretary of civil 
money penalties on covered entities that violate the HIPAA rules. The 
full set of rules to be codified at subparts C, D, and E of 45 CFR part 
160 is collectively referred to in this final rule as the ``Enforcement 
Rule.'' Finally, HHS makes minor and conforming changes to subpart A of 
part 160 and subpart E of part 164.
    The statutory and regulatory background of the final rule is set 
out below. A description of the provisions of the proposed rule, the 
public comments, and HHS's responses to the comments follows. The 
preamble concludes with HHS's analyses of impact and other issues under 
applicable law.

I. Background

A. Statutory Background

    Subtitle F of Title II of HIPAA, entitled ``Administrative 
Simplification,'' requires the Secretary to adopt national standards 
for certain information-related activities of the health care industry. 
Under section 1173 of the Social Security Act (Act), 42 U.S.C. 1320d-2, 
the Secretary is required to adopt national standards for certain 
financial and administrative transactions, code sets, the security of 
health information, and certain unique health identifiers. In addition, 
section 264 of HIPAA, 42 U.S.C. 1320d-2 note, requires the Secretary to 
promulgate standards to protect the privacy of certain health 
information. Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), 
the provisions of Subtitle F apply only to--

    The following persons:
    (1) A health plan.
    (2) A health care clearinghouse.
    (3) A health care provider who transmits any health information 
in electronic form in connection with a transaction referred to in 
section 1173(a)(1).

    These entities are collectively known as ``covered entities.'' \1\
---------------------------------------------------------------------------

    \1\ An additional category of covered entities was added by the 
Medicare Prescription Drug, Improvement, and Modernization Act of 
2003 (Pub. L. 108-173) (MMA). As added by MMA, section 1860D-
31(h)(6)(A) of the Act, 42 U.S.C. 1395w-141(h)(6)(A), provides that 
a prescription drug card sponsor is a covered entity for purposes of 
applying part C of title XI and all regulatory provisions 
promulgated thereunder, including regulations (relating to privacy) 
adopted pursuant to the authority of the Secretary under section 
264(c) of the Health Insurance Portability and Accountability Act of 
1996 (42 U.S.C. 1320d-2 note).
---------------------------------------------------------------------------

    HIPAA requires certain consultations with industry as a predicate 
to the issuance of the HIPAA standards and provides that most covered 
entities have up to 2 years (small health plans have up to 3 years) to 
come into compliance with the standards, once adopted. Act, sections 
1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42 U.S.C. 1320d-4(b)). The 
statute establishes civil money penalties and criminal penalties for 
violations. Act, sections 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 
1320d-6). HHS enforces the civil money penalties, while the U.S. 
Department of Justice enforces the criminal penalties.
    HIPAA's civil money penalty provision, section 1176(a) of the Act, 
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money 
penalty, as follows:

    (1) IN GENERAL. Except as provided in subsection (b), the 
Secretary shall impose on any person who violates a provision of 
this part [42 U.S.C. 1320d, et seq.] a penalty of not more than $100 
for each such violation, except that the total amount imposed on the 
person for all violations of an identical requirement or prohibition 
during a calendar year may not exceed $25,000.
    (2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 
1320a-7a] (other than subsections (a) and (b) and the second 
sentence of subsection (f)) shall apply to the imposition of a civil 
money penalty under this subsection in the same manner as such 
provisions apply to the imposition of a penalty under such section 
1128A.

For simplicity, we refer throughout this preamble to this provision, 
the related provisions at section 1128A of the Act, and other related 
provisions of the Act, by their Social Security Act citations, rather 
than by their U.S. Code citations.
    Subsection (b) of section 1176 sets out limitations on the 
Secretary's authority to impose civil money penalties and also provides 
authority for waiving such penalties. Under section 1176(b)(1), a civil 
money penalty may not be imposed with respect to an act that 
``constitutes an offense punishable'' under the related criminal 
penalty provision, section 1177 of the Act. Under section 1176(b)(2), a 
civil money penalty may not be imposed ``if it is established to the 
satisfaction of the Secretary that the person liable for the penalty 
did not know, and by exercising reasonable diligence would not have 
known, that such person violated the provision.'' Under section 
1176(b)(3), a civil money penalty may not be imposed if the failure to 
comply was due ``to reasonable cause and not to willful neglect'' and 
is corrected within a certain time. Finally, under section 1176(b)(4), 
a civil money penalty may be reduced or entirely waived ``to the extent 
that the payment of such penalty would be excessive relative to the 
compliance failure involved.''
    As noted above, section 1176(a) incorporates by reference certain

[[Page 8391]]

provisions of section 1128A of the Act. Those provisions, as relevant 
here, establish a number of requirements with respect to the imposition 
of civil money penalties. Under section 1128A(c)(1), the Secretary may 
not initiate a civil money penalty action ``later than six years after 
the date'' of the occurrence that forms the basis for the civil money 
penalty. Under section 1128A(c)(2), a person upon whom the Secretary 
seeks to impose a civil money penalty must be given written notice and 
an opportunity for a determination to be made ``on the record after a 
hearing at which the person is entitled to be represented by counsel, 
to present witnesses, and to cross-examine witnesses against the 
person.'' Section 1128A also provides, at subsections (c), (e), and 
(j), respectively, requirements for: Service of the notice and 
authority for sanctions which the hearing officer may impose for 
misconduct in connection with the civil money penalty proceeding; 
judicial review of the Secretary's determination in the United States 
Court of Appeals for the circuit in which the person resides or 
maintains his/its principal place of business; and the issuance and 
enforcement of subpoenas by the Secretary. In addition, section 1128A 
of the Act contains provisions relating to liability for civil money 
penalties and what measures must be taken once they are imposed. For 
example, section 1128A(d) provides that the Secretary must take into 
account certain factors ``in determining the amount * * * of any 
penalty''; section 1128A(h) requires certain notifications once a civil 
money penalty is imposed; and section 1128A(l) makes a principal liable 
for penalties ``for the actions of the principal's agent acting within 
the scope of the agency.'' These provisions are discussed more fully 
below.

B. Regulatory Background

    As noted above, section 1173 of the Act and section 264 of HIPAA 
require the Secretary to adopt a number of national standards to 
facilitate the exchange, and protect the privacy and security, of 
certain health information. The Secretary has already adopted many of 
these HIPAA standards by regulation. These regulations consist of the 
following: Health Insurance Reform: Standards for Electronic 
Transactions (Transactions Rule); Standards for Privacy of Individually 
Identifiable Health Information (Privacy Rule); Health Insurance 
Reform: Standard Unique Employer Identifier (EIN Rule); Health 
Insurance Reform: Security Standards (Security Rule); and HIPAA 
Administrative Simplification: Standard Unique Health Identifier for 
Health Care Providers (NPI Rule). Proposed standards for certain claims 
attachments were published on September 23, 2005 (70 FR 55990) and 
proposed standards for health plan identifiers are under development. 
The history of these and related rules is described in a proposed rule 
published on April 18, 2005 at 70 FR 20225-20226.
    An interim final rule promulgating procedural requirements for 
imposition of civil money penalties, Civil Money Penalties: Procedures 
for Investigations, Imposition of Penalties, and Hearings (April 17, 
2003 interim final rule), was published on April 17, 2003 (68 FR 
18895), and was effective on May 19, 2003, with a sunset date of 
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The 
April 17, 2003 interim final rule adopted a new subpart E of part 160. 
The sunset date of the April 17, 2003 interim final rule was extended 
to September 16, 2005 on September 15, 2004 (69 FR 55515) and was 
further extended to March 16, 2006 on September 14, 2005 (70 FR 54293).
    The authority for administering and enforcing compliance with the 
Privacy Rule has been delegated to the HHS Office for Civil Rights 
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering 
and enforcing compliance with the non-privacy HIPAA rules has been 
delegated to the HHS Centers for Medicare & Medicaid Services (CMS). 68 
FR 60694 (October 23, 2003).

II. Overview of the Proposed and Final Rules

A. The Proposed Rule

    In the proposed rule, we proposed to bring together and adopt rules 
governing the implementation of the civil money penalty authority of 
section 1176 of the Act for all of the HIPAA rules. As previously 
noted, parts of the Enforcement Rule are already in place: subpart C of 
part 160 establishes certain investigative procedures for the Privacy 
Rule, and subpart E establishes interim procedures for investigations 
and for the imposition, and challenges to the imposition, of civil 
money penalties for all of the HIPAA rules. The proposed rule would 
complete the Enforcement Rule by (1) making subpart C applicable to all 
of the HIPAA rules; (2) adopting on a permanent basis most of the 
provisions of subpart E; and (3) addressing, among other issues, our 
policies for determining violations and calculating civil money 
penalties, how we will address the statutory limitations on the 
imposition of civil money penalties, and various procedural issues, 
such as provisions for appellate review within HHS of a hearing 
decision, burden of proof, and notification of other agencies of the 
imposition of a civil money penalty.
    Several fundamental considerations shaped the proposed rule. First, 
there is one statutory provision for imposing civil money penalties on 
covered entities that violate the HIPAA rules; thus, the proposed rule 
sought to establish a uniform enforcement and compliance policy for all 
of the HIPAA rules to minimize the potential for confusion and burden 
and maximize the potential for fairness and consistency in enforcement. 
Second, the proposed rule sought to facilitate the movement from 
noncompliance to compliance by covered entities by extending to all of 
the HIPAA rules the regulatory commitment to promoting and encouraging 
voluntary compliance with the HIPAA rules that currently applies to the 
Privacy Rule, subpart C of part 160. Third, the proposed rule sought to 
minimize confusion with the procedures for investigations and hearings 
by building upon pre-existing Departmental procedures for 
investigations and hearings under section 1128A of the Act--the civil 
money penalty regulations of the Office of the Inspector General, which 
are codified at 42 CFR parts 1003, 1005, and 1006 (OIG regulations). 
Fourth, the proposed rule was intended to be clear and easy to 
understand. Finally, the proposed rule sought to provide the Secretary 
with reasonable discretion, particularly in areas where the exercise of 
judgment is called for by the statute or rules, and to avoid being 
overly prescriptive in areas where it would be helpful to gain 
experience with the practical impact of the HIPAA rules, to avoid 
unintended adverse effects.
    We proposed to amend subpart A of part 160, which contains general 
provisions, to include a definition of ``person.'' With respect to 
subpart C of part 160, we proposed to incorporate several provisions 
currently found in subpart E and to make subpart C applicable to the 
non-privacy HIPAA rules. We also proposed to add to part 160 a new 
subpart D, which would establish rules relating to the imposition of 
civil money penalties, including those which apply whether or not there 
is a hearing. We also proposed to incorporate into subpart D several 
provisions currently found in subpart E. Proposed subpart E addressed 
the pre-hearing and hearing phases of the enforcement process. Many of 
the provisions of proposed subpart E were adopted by the April 17, 2003 
interim final rule; we did not propose to change them substantively, 
although we

[[Page 8392]]

proposed to renumber them. Finally, a conforming change to the privacy 
standards in subpart E of part 164 was proposed.

B. The Final Rule

    While the final rule adopts most of the provisions of the proposed 
rule without change, several significant changes to certain provisions 
of the proposed rule have been made in response to comments. We do not 
list variables in the final rule, as was proposed, to count the number 
of violations of an identical requirement or prohibition; rather, the 
final rule clarifies that the method for determining the number of such 
violations is grounded in the substantive requirement or prohibition 
violated. In addition, the ALJ will be able to review the number of 
violations determined as part of his or her review of the proposed 
civil money penalty. The provision for joint and several liability of 
the members of an affiliated covered entity is retained, unless it is 
established that another member of the affiliated covered entity was 
responsible for the violation. While we continue to treat section 
1176(b)(1) as an affirmative defense, we provide that it may be raised 
at any time. We retain the provision for statistical sampling, but we 
provide that, where statistical sampling is used, HHS must provide a 
copy of the study on which its statistical findings are based with the 
notice of proposed determination. As a corollary, we provide that a 
respondent who intends to introduce evidence of its statistical expert 
at the hearing must provide the study prepared by its expert to HHS at 
least 30 days prior to the scheduled hearing. We also provide that a 
respondent will have 90, rather than 60, days in which to file its 
request for hearing. Other changes made by the final rule are described 
below.
    The Enforcement Rule does not adopt standards, as that term is 
defined and interpreted under Subtitle F of Title II of HIPAA. Thus, 
the requirement for industry consultations in section 1172(c) of the 
Act does not apply. For the same reason, the statute's time frames for 
compliance, set forth in section 1175 of the Act, do not apply to the 
Enforcement Rule. Accordingly, the Enforcement Rule is effective on 
March 16, 2006.


III. Section-by-Section Description of the Final Rule and Response to 
Comments

    We received 49 comments on the proposed rule. Many of these 
comments were from associations or interest groups involved in the 
health care industry. We also received comments from covered entities, 
a state agency, a law school class, and a number of individuals.
    While the comments addressed most of the provisions of the proposed 
rule, the following 14 sections of the proposed rule received no 
comment: proposed Sec. Sec.  160.400, 160.418, 160.500, 160.502, 
160.506, 160.510, 160.514, 160.524, 160.526, 160.528, 160.530, 160.532, 
160.544, and 160.550. We have, accordingly, not changed these sections 
in the final rule from what was proposed, and we do not discuss them 
below. The basis and purpose of sections that are unchanged from the 
proposed rule and are not discussed below are set out in the proposed 
rule published on April 18, 2005 at 70 FR 20240-20247 and, in certain 
cases, in the interim final rule published on April 17, 2003 at 68 FR 
18895-18901.
    A number of comments also expressed support for particular 
provisions. In most cases, we do not discuss these comments, with which 
we generally agree, below. Finally, certain comments raised issues 
concerning other HIPAA rules, such as allegations that a particular 
entity had violated the Privacy Rule or that particular provisions of a 
HIPAA rule create a hardship. Such issues are outside the scope of this 
rulemaking and, accordingly, are not addressed here.

A. Subpart A

    Subpart A of the final rule adopts a new definition of the term 
``person.'' This definition is placed in Sec.  160.103, which contains 
definitions that apply to all of the HIPAA rules. Thus, the new 
definition of ``person'' applies to all of the HIPAA rules.
    Proposed rule: We proposed to amend Sec.  160.103 to add a 
definition of the term ``person'' to replace the definition of that 
term adopted by the April 17, 2003 interim final rule. We proposed to 
define the term ``person'' as ``a natural person, trust or estate, 
partnership, corporation, professional association or corporation, or 
other entity, public or private.'' As more fully explained at 70 FR 
20227-20228, the proposed definition clarified, consistent with the 
HIPAA provisions, that the term includes States and other public 
entities.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: We received one comment on this section, endorsing its 
application to all of the HIPAA rules.
    Response: The definition of ``person'' in the final rule remains 
the same as proposed.

B. Subpart C--Compliance and Investigations

    We amend subpart C to make the compliance and investigation 
provisions of the subpart--which at present apply only to the Privacy 
Rule--apply to all of the HIPAA rules. In addition, we include in 
subpart C the definitions that apply to subparts C, D, and E. We move 
to subpart C from subpart E the provisions relating to investigational 
subpoenas and inquiries. We also add to subpart C provisions 
prohibiting intimidation or retaliation that are currently found in the 
Privacy Rule but not in the other HIPAA rules. We change the title of 
this subpart to reflect the focus of this subpart within the larger 
Enforcement Rule. Aside from a change to Sec.  160.306 and certain 
minor and conforming changes to Sec. Sec.  160.300, 160.312, 160.314, 
and 160.316, we do not change the substance of the existing provisions 
of subpart C.
1. Section 160.300--Applicability
    Proposed rule: We proposed to amend Sec.  160.300 (along with Sec.  
160.304--Principles for achieving compliance; Sec.  160.306--Complaints 
to the Secretary; Sec.  160.308--Compliance reviews; and Sec.  
160.310--Responsibilities of covered entities) to make the provisions 
of subpart C applicable to all of the HIPAA rules, instead of 
applicable only to the Privacy Rule. The proposed rule would accomplish 
this by changing the present references in these sections from 
``subpart E of part 164'' to the more inclusive, defined term, 
``administrative simplification provision'' or ``administrative 
simplification provisions,'' as appropriate. As explained at 70 FR 
20228, the purpose of this proposed change was to simplify and make 
uniform the compliance and enforcement process for the HIPAA rules.
    Final rule: The final rule streamlines the provisions of the 
proposed rule by substituting the term ``provisions'' for the 
references to standards, requirements, and implementation 
specifications in Sec.  160.300.
    Comment: A number of comments endorsed the approach of having 
uniform compliance and enforcement provisions for the HIPAA rules, and 
no comments disagreed with this approach.
    Response: The final rule retains the policy of the proposed rule, 
consistent with the expression of support for this approach in the 
public comment, but streamlines the language of the section.
    Comment: A couple of comments asked whether ``affiliated entities'' 
were the same as ``hybrid entities,'' in terms of applying the rule.

[[Page 8393]]

    Response: As described at Sec.  164.105(b)(2)(i)(A), an affiliated 
covered entity consists of ``[l]egally separate covered entities [that] 
designate themselves (including any health care component of such 
covered entity) as a single affiliated covered entity * * * [where] all 
of the covered entities designated are under common ownership or 
control.'' Thus, an affiliated covered entity is comprised of more than 
one covered entity. By contrast, a hybrid entity is defined at Sec.  
164.103 as ``a single legal entity: (1) That is a covered entity; (2) 
Whose business activities include both covered and non-covered 
functions; and (3) That designates health care components in accordance 
with [the regulation].'' The Privacy and Security Rules apply to any 
covered entity in either arrangement. The issue of liability for a 
particular violation with respect to covered entities in an affiliated 
covered entity is discussed in connection with Sec.  160.402(b) below.
2. Section 160.302--Definitions
    Proposed rule: We proposed to move to Sec.  160.302 three 
definitions that were adopted in the April 17, 2003 interim final rule 
at Sec.  160.502: ``ALJ'' (Administrative Law Judge), ``civil money 
penalty or penalty'', and ``respondent.'' We also proposed to add to 
Sec.  160.302 two terms which are used throughout subparts C, D, and E: 
``administrative simplification provision'' and ``violation'' or ``to 
violate.'' We proposed to define the term ``administrative 
simplification provision'' in Sec.  160.302 to mean any requirement or 
prohibition established by the HIPAA provisions or HIPAA rules: ``* * * 
any requirement or prohibition established by: (1) 42 U.S.C. 1320d-
1320d-4, 1320d-7, and 1320d-8; (2) Section 264 of Public Law 104-191; 
or (3) This subchapter.'' We proposed to define a ``violation'' (or 
``to violate'') to mean a ``failure to comply with an administrative 
simplification provision.'' As more fully explained at 70 FR 20228-
20229, both definitions derive directly from the statutory language, 
and both definitions function consistently and fairly across the 
various HIPAA rules.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
a. ``Administrative Simplification Provision''
    Comment: One comment expressed general support for the definitions. 
Another comment stated that the definition of ``administrative 
simplification provision'' should be revised to include only standards. 
The comment argued that this approach would be more consistent with the 
statute, which provides that covered entities must comply with 
standards, not requirements, prohibitions, or other restrictions set 
forth in the HIPAA rules.
    Response: No change is made to the definition of ``administrative 
simplification provision.'' With respect to the second comment above, 
we do not agree that the definition of this term should be limited to 
standards. As discussed at 70 FR 20229, limiting the elements of the 
HIPAA rules that could be violated to those designated as standards 
would have the effect of, among other things, insulating from 
enforcement explicit statutory requirements and prohibitions (e.g., the 
prohibitions at section 1175(a) of the Act, which the statute terms 
``requirements'' and which the Transactions Rule treats as requirements 
but not standards). We do not agree that Congress intended such an 
effect. We note, moreover, that the statute explicitly provides for the 
adoption of implementation specifications. See section 1172(d) of the 
Act. Furthermore, we disagree with the contention that the statute does 
not contemplate that violations may be tied to requirements and 
prohibitions: section 1176(a)(1) speaks of ``violations of an identical 
requirement or prohibition.''
    Comment: Several comments argued that this definition could lead to 
multiple violations from a single act and lead to more liability than 
covered entities could reasonably expect. It also was argued that this 
definition would render almost meaningless the statutory $25,000 cap on 
liability for violations of an identical provision in a calendar year.
    Response: No examples were supplied to illustrate the concern as to 
how this definition would increase the anticipated liability of covered 
entities, so we can only respond generally. The prohibition in Sec.  
160.404(b)(2) on counting overlapping requirements twice should 
minimize any such effect. As for violations that might be implicated in 
a single act and not be insulated by Sec.  160.404(b)(2), we see no 
reason why they should not be considered as separate violations, since 
covered entities must comply with all applicable requirements and 
prohibitions of the HIPAA provisions and rules. Also, the definition 
does not render the statutory cap meaningless; rather, the 
``requirement or prohibition'' language of the definition is taken 
directly from the part of section 1176(a) that establishes the $25,000 
statutory cap (``the total amount imposed on the person for all 
violations of an identical requirement or prohibition for a calendar 
year may not exceed $25,000''). Furthermore, for the reasons explained 
in the preamble to the proposed rule, none of the other possible 
formulations of what constitutes a ``provision of this part'' works 
uniformly and fairly across the HIPAA rules. Thus, we retain the 
definition of ``administrative simplification provision'' as proposed.
b. ``Violation'' or ``Violate''
    Comment: One comment asked how the definition of ``violation'' 
would work with the addressable components of the Security Rule.
    Response: With respect to the issue of how this term would apply to 
the addressable implementation specifications of the Security Rule, we 
provide the following guidance. Under Sec.  164.306(d)(3)(ii), a 
covered entity must implement an addressable implementation 
specification if doing so is ``reasonable and appropriate.'' Where that 
condition is met, the addressable implementation specification is a 
requirement, and failure to implement the addressable implementation 
specification would, accordingly, constitute a violation. Where that 
condition is not met, the covered entity must document why it would not 
be reasonable and appropriate to implement the implementation 
specification and implement ``an equivalent alternative measure if 
reasonable and appropriate.'' In this latter situation, creating the 
documentation referred to is a requirement, and implementing an 
alternative measure is also a requirement, if doing so is reasonable 
and appropriate in the covered entity's circumstances; failure to take 
either required action would, accordingly, constitute a violation.
3. Section 160.304--Principles for Achieving Compliance
    Proposed rule: We proposed to amend Sec.  160.304 to make it 
applicable to all of the HIPAA rules; otherwise, we proposed to leave 
the rule substantively unchanged. Section 160.304 provides that the 
Secretary will, to the extent practicable, seek the cooperation of 
covered entities in obtaining compliance. Section 160.304 also provides 
that the Secretary may provide technical assistance to help covered 
entities voluntarily comply with the HIPAA rules.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Many comments supported HHS's approach to voluntary 
compliance and the use of a complaint-based process to identify and 
correct

[[Page 8394]]

noncompliance, on the grounds that it is the most efficient and 
effective way of obtaining compliance and realizing the benefits of the 
HIPAA rules. In addition, some contended that, given the confusion of 
many covered entities with many of the rules' requirements, it is an 
appropriate approach. However, one comment criticized HHS's reliance on 
voluntary compliance and informal resolution of complaints on the 
ground that the statute contemplates that violations of the HIPAA rules 
should be pursued in the same manner as fraud and abuse cases, that is, 
through the formal, adversarial process provided for by section 
1128A(c). Another comment stated that HHS's reliance on voluntary 
compliance has led to lax enforcement and that reliance on a complaint-
based system is a fundamentally flawed approach, particularly with 
respect to enforcement of the Privacy Rule, because HHS has provided 
insufficient education to consumers, and it is impossible for consumers 
to complain about a law about which they know very little. Several 
comments urged that OCR and CMS continue to provide educational 
materials and guidance to help covered entities comply with the HIPAA 
rules and to educate consumers about their rights under the Privacy 
Rule.
    Response: We agree that encouraging voluntary compliance is the 
most effective and quickest way of obtaining compliance in most cases. 
We do not agree that encouraging voluntary compliance and seeking 
informal resolution of complaints in individual cases constitutes lax 
enforcement or that such an approach is inconsistent with our statutory 
obligations. Our experience to date with privacy complaints illustrates 
the effectiveness of our enforcement approach. As of October 31, 2005, 
OCR had received and initiated reviews of over 16,000 privacy 
complaints from health care consumers and others across the country. 
These complaints are widespread and diverse, not only geographically, 
but also with respect to the type of entity complained against, as well 
as the Privacy Rule issues raised by the complaints. Complaints are 
filed against all sizes and types of covered entities, from solo 
practitioners to hospitals and pharmacy chains, and from health 
insurance issuers to group health plans, for example. In addition, the 
complaints implicate a full range of Privacy Rule issues, from uses and 
disclosures of protected health information to individual rights to 
administrative requirements. The variation and expansiveness of the 
complaints provide HHS with a much broader approach to compliance than 
would a compliance review system, which likely would need to be 
targeted to larger institutions and/or a smaller set of concerns. 
Further, our experience with these cases--68 percent have been resolved 
or otherwise closed to date--indicates that generally we are receiving 
good cooperation from covered entities in quickly addressing compliance 
problems. Such resolutions bring the benefits of the HIPAA rules to 
consumers far more quickly than would a formalized, adversarial 
process, which would also be time-consuming and costly for both sides.
    We also do not agree that the statute contemplates only a 
formalized, adversarial process; rather, it only requires such a 
process where a proposed civil money penalty is contested. It is 
important to note, moreover, that section 1176 contemplates that we 
would work with covered entities to help them achieve compliance, even 
when there is an allegation that the covered entity is in violation of 
the rules. Section 1176 provides that a civil money penalty may not be 
imposed if the failure to comply was due to reasonable cause and not 
willful neglect and is corrected within a certain period of time after 
the covered entity knew or should have known of the compliance failure, 
and that the Secretary may, in some circumstances, provide technical 
assistance to the covered entity during that period. Further, an 
approach that is primarily complaint-based does not limit our ability 
to perform compliance reviews when appropriate, and this has, in fact, 
occurred. We will continue to review the effectiveness of our 
enforcement approach and revise it, if needed. Notwithstanding our 
above approach, however, we will resort to civil money penalties, as 
needed, for matters that cannot be resolved by informal means.
    Further, we disagree that persons affected by the Privacy Rule and 
the other HIPAA rules are unaware of their rights, as evidenced by the 
large number of complaints that HHS has received from consumers and 
covered and other entities. HHS has an ongoing program of providing 
information to the public and guidance to covered entities through the 
Internet, public speaking and educational events, and toll-free call-in 
lines. The millions of hits to our Web sites--http://www.hhs.gov/ocr/hipaa for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2 for the 
other HIPAA rules--suggest that covered entities and the public are 
increasingly aware of the application of the HIPAA rules to their 
business activities and lives, respectively, and are able to access the 
information we have made available. In addition, the American Health 
Information Management Association issued the results of their latest 
compliance survey in a report entitled ``The State of HIPAA Privacy and 
Security Compliance, April 2005,'' which indicated, with respect to the 
Privacy Rule, that over two-thirds of all hospital and health system 
patients had some or a complete understanding of their rights and the 
facility's responsibilities. Nonetheless, while such evidence is 
encouraging, we recognize that HHS must remain active in providing 
outreach and public education. We are committed to doing so, and thus, 
continue to develop educational material for consumers and industry 
guidance for covered entities.
    Comment: One comment suggested that the Secretary commit to 
providing technical assistance to covered entities.
    Response: We do not agree that the provision of technical 
assistance should be mandated. The statute (at section 
1176(b)(3)(B)(ii)) makes the provision of technical assistance 
discretionary if the Secretary determines that the compliance failure 
was due to the covered entity's inability to comply. While OCR and CMS 
provide technical assistance in many cases, it is not necessary in all 
instances to provide such assistance in order to obtain compliance. 
Thus, it is inappropriate to mandate the provision of technical 
assistance.
    Comment: One comment suggested amending Sec.  160.304(b) to require 
ongoing reporting of complaints and resolutions to the healthcare 
industry. The goal in requiring reporting would be to educate covered 
entities regarding complaints that are found to be actual violations 
and encourage them to review their compliance. The comment stated that 
the current reports made by OCR to the National Committee on Vital and 
Health Statistics are not helpful since they only report the volume of 
complaints, not the nature of the complaints or whether a violation 
occurred.
    Response: We do not believe mandatory reporting of complaints and 
resolutions is necessary. Both CMS and OCR currently have the ability 
to report to the public, including the healthcare industry, about 
complaints and their resolutions, and do so in summary form. We 
continue to present summaries of actions on complaints in various fora, 
including in public presentations, testimony, and in written documents. 
Our enforcement experience also informs our development of FAQs and 
guidance documents to explain certain

[[Page 8395]]

provisions and how to comply with them. In any event, covered entities 
should use their own internal complaint processes and experience to 
assess and improve their compliance and ability to serve the needs of 
their customers.
    Comment: One comment suggested that the informal resolution process 
should allow HHS to render opinions on a covered entity's 
interpretation of the HIPAA rules. The comment expressed concern that a 
covered entity would not be able to resolve a compliance issue during 
the informal resolution process if it made a good faith, but incorrect, 
interpretation of a HIPAA rule. The comment suggested allowing HHS to 
render an opinion on the entity's interpretation to facilitate the 
informal resolution of compliance problems.
    Response: As a general matter, we do not issue advisory opinions, 
but the informal resolution process will provide covered entities with 
information about HHS's interpretation of the HIPAA rules. Covered 
entities may also find guidance as to the proper interpretation of a 
HIPAA rule in the FAQs posted on the HHS website and technical 
assistance offered to the covered entities by HHS. Covered entities may 
also submit questions to HHS for consideration with respect to future 
FAQs and guidance.
4. Section 160.306--Complaints to the Secretary
    Proposed rule: Section 160.306 provides for investigations of 
covered entities by the Secretary. It also outlines the procedure and 
requirements for filing a complaint against a covered entity. For 
example, it provides that a complaint must name the person that is the 
subject of the complaint and describe the acts or omissions believed to 
be violations. It also requires that complaints be filed within 180 
days of when the complainant knew or should have known that the act or 
omission occurred, unless this time limit is waived for good cause. The 
proposed rule would have amended this section to apply it to all of the 
HIPAA rules, rather than exclusively to the Privacy Rule, but otherwise 
proposed no substantive changes to the section.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except that proposed Sec.  160.306(c) is revised to require the 
Secretary to describe the basis of the complaint in the first written 
communication with the covered entity about the complaint.
    Comment: One comment asked for clarification on when a complaint 
will be considered to have been timely filed in situations when a 
complainant should have known of the violation, thus triggering the 
180-day time period for filing a complaint.
    Response: Deciding whether or not a complaint was properly filed 
within the 180-day period will need to be determined in each case. For 
example, an individual who is informed through an accounting of 
disclosures that his or her health information was impermissibly 
disclosed would be considered to know of the violation at the time the 
individual receives the accounting. In any event, however, the 180-day 
period can be waived for good cause shown.
    Comment: Two comments suggested that HHS be required to inform a 
covered entity of the specific basis for an investigation or compliance 
review. These comments suggested the best way to accomplish this goal 
would be to send a copy of the complaint to the covered entity. The 
comments stated that, without specific information as to the basis of 
the complaint, a covered entity will not be able to properly respond to 
the agency's request for information.
    Response: Both CMS and OCR currently provide the basis for an 
investigation in the first written communication with a covered entity 
about a complaint. This policy will continue to be followed, and the 
final rule is revised to require it. It should be noted that provision 
of a description of the basis for the complaint does not circumscribe 
the investigation, if the investigation subsequently uncovers other 
compliance issues with respect to the covered entity.
    We disagree that sending a copy of the complaint is necessary for a 
covered entity to adequately respond to the Secretary's inquiries. As 
noted above, covered entities receive a description of the basis for 
the complaint. Other information contained in the complaint, such as 
the complainant's identity, is not always relevant to the 
investigation. In some cases, in fact, it may be necessary to withhold 
such information to, for example, protect the complainant's privacy. In 
instances where it is necessary to provide the complainant's identity 
in order for the covered entity to properly respond to the 
investigation, the complainant is so informed before this information 
is released to the covered entity.
    Comment: One comment suggested that the rule be revised to require 
that a complaint include the name of the covered entity that is the 
subject of the complaint.
    Response: The rule, both as proposed and as adopted below, already 
requires that a complaint ``name the person that is the subject of the 
complaint.'' See Sec.  160.306(b)(2).
    Comment: In one comment, a covered entity complained that it had 
expended a great deal of time and money defending itself against what 
turned out to be a false allegation and asked that HHS put more effort 
into gathering detailed information from complainants and helping 
covered entities respond to complaints. Another comment criticized the 
rule for providing no way of sanctioning a person bringing a negligent 
or malicious complaint.
    Response: We understand that it may take time and effort to 
establish that an allegation is unfounded. When complaints are 
received, we make every effort to determine if the complaint is 
legitimate, so as not to place undue burdens on covered entities. 
Further, covered entities are encouraged promptly to contact the OCR or 
CMS investigators handling their complaints to discuss the allegations 
once notice of an investigation is received by the covered entity. 
Doing so should help a covered entity avoid the expenditure of 
unnecessary time and funds on defending itself against baseless 
complaints. The statute provides no basis for our penalizing a person 
for bringing a negligent or malicious complaint, although remedies may 
exist at common law. However, as discussed below in connection with 
Sec.  160.316, lack of good faith would typically be a matter that is 
looked at in the course of investigating a complaint.
    Comment: One comment suggested that only individuals or personal 
representatives should have standing to file a complaint. The comment 
takes the position that one covered entity should not be able to bring 
a complaint against another.
    Response: We disagree. The purpose of the complaint process is to 
bring violations to the attention of HHS, so that any noncompliance 
with the HIPAA rules may be corrected. Particularly with respect to the 
Transactions Rule, the persons or entities that are likely to be 
disadvantaged by the noncompliance of a covered entity are other 
covered entities. It would, accordingly, be inconsistent with the 
purpose of the complaint process to exclude such entities from it.
    Comment: Two comments suggested that HHS be required to notify 
covered entities of a complaint within a specified time-frame.
    Response: OCR and CMS make every effort to notify covered entities 
of complaints on a timely basis. However, we do not include a specific 
deadline for notifying covered entities of

[[Page 8396]]

complaints in the rule. The time needed to determine whether a 
complaint states issues that should be investigated can vary greatly, 
while fluctuations in the volume of complaints and other workload 
demands may also make meeting a specific deadline problematic.
    Comment: One comment suggested that Sec.  160.306(a)(2) should be 
amended to require that ``uses or disclosures'' be described in the 
complaint rather than ``acts or omissions.''
    Response: The suggested change would not be appropriate. The 
provisions of this rule apply to all of the HIPAA rules, not just the 
Privacy Rule; the other HIPAA rules regulate actions other than uses 
and disclosures of protected health information. Moreover, even under 
the Privacy Rule, a violation may occur where no impermissible use or 
disclosure of protected health information has occurred. Failure to 
comply with a notice requirement under Sec.  164.520 is an example of a 
violation that does not involve a use or disclosure of protected health 
information.
    Comment: One comment suggested that the Secretary should be 
required to investigate all complaints and that failure to do so is 
inconsistent with section 1176(a) of the Act, which compels the 
Secretary to impose penalties for violations unless a statutory 
limitation applies. Imposing a deadline for beginning investigations 
was also suggested.
    Response: The decision to investigate a complaint is based on the 
facts presented. Not all complaints need to be investigated. For 
example, in our experience, a substantial percentage of privacy 
complaints allege facts that fall outside of OCR's jurisdiction under 
HIPAA--e.g., an action prior to the compliance date of the Privacy Rule 
or an action by an entity not covered by the Rule. Revising the rule to 
require the Secretary to investigate all complaints would be 
counterproductive and lead to an inefficient allocation of enforcement 
resources. Similarly, imposing a deadline for beginning an 
investigation is unrealistic: Some investigations may turn out to be 
more time-consuming than anticipated, delaying the start of other 
investigations. It is necessary to provide OCR and CMS with the 
flexibility to deal with variations in circumstances and resource 
constraints.
5. Section 160.308--Compliance Reviews
    Proposed rule: The proposed rule provided that the Secretary may 
conduct compliance reviews to determine whether covered entities are 
complying with the applicable administrative simplification provisions.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Several comments asked HHS to outline the circumstances 
under which a compliance review would be undertaken or asked that the 
compliance review provision be eliminated from the rule. One comment 
suggested that compliance reviews be limited to evidence-based reviews. 
These comments expressed concern that the rule does not specifically 
define when a compliance review will be undertaken.
    Response: Compliance reviews are conducted at the discretion of the 
Secretary. Outlining specific instances in which a compliance review 
will be conducted could have the counterproductive effect of skewing 
compliance efforts toward those aspects of compliance that had been 
identified as likely to result in a compliance review. It also does not 
seem advisable to limit, by rule, the circumstances under which such 
reviews may be conducted at this early stage of the enforcement 
program, when our knowledge of the types of violations that may arise 
is necessarily limited. We also do not agree that the provision for 
compliance reviews should be eliminated. There are situations where 
instances of potential noncompliance come to HHS's attention outside of 
the complaint process (e.g., where media reports suggest that a 
violation has occurred), and HHS must have clear authority to 
investigate such situations.
    Comment: A number of comments suggested that HHS detail the 
compliance review process and rules for notification of covered 
entities when they are being reviewed.
    Response: The rule already contains procedures to be followed, and 
requirements to be met, that apply to compliance reviews. See 
Sec. Sec.  160.304, 160.310, 160.312, 160.314, and 160.316. It is 
unnecessary to establish procedures comparable to the complaint filing 
procedures of Sec.  160.306 for compliance reviews, since they are 
initiated by HHS. The concerns expressed by most of the comments on 
this topic--that HHS would undertake a compliance review without notice 
to the covered entity and without specifying the basis for, or the 
focus of, the review--are misplaced. Section 160.312 requires HHS to 
attempt to resolve violations found in a compliance review by informal 
means and to inform the covered entity in writing if a compliance 
review is or is not resolved by informal means. Failing to notify the 
covered entity of a compliance review or the basis for such a review is 
not consistent with our practice generally and would be unlikely to 
yield much information of use, resulting in an ineffective use of the 
covered entity's and the agency's resources.
    Comment: One comment suggests that compliance reviews should be 
mandatory and should be initiated within a specified time period.
    Response: The rule, as proposed and adopted, does not preclude 
establishing a compliance review program or schedule, but it does not 
require it either. One purpose of compliance reviews is to permit 
investigation when allegations or situations warranting investigation 
come to our attention outside of the complaint process. The necessity 
for a compliance review in a particular case or a program of scheduled 
compliance reviews is inherently unpredictable, and it is important to 
retain the administrative flexibility to address such situations. 
Mandating compliance reviews on a fixed basis or schedule would be an 
inefficient allocation of limited enforcement resources and would 
hamper the agency's ability to target resources at actual noncompliance 
problems as they arise.
    Comment: One comment suggested that the rule contain provisions 
outlining the coordination and cooperation between CMS and OCR when a 
compliance review under more than one rule occurs.
    Response: As with complaint-based investigations, CMS and OCR will 
coordinate and allocate responsibility for compliance reviews based 
upon the HIPAA provisions involved and the facts of the case. We do not 
consider it advisable to specify detailed rules in this regard, as the 
allocation of function and responsibility will depend on the facts of 
each case and the resources available at the time.
6. Section 160.310--Responsibilities of Covered Entities
    Proposed rule: Section 160.310 addresses the responsibilities of a 
covered entity, such as providing records and compliance reports to the 
Secretary and cooperating during a compliance review or complaint 
investigation. Section 160.310(c) provides that a covered entity must 
permit HHS to have access during normal business hours to its 
facilities, books, records, and other information necessary to 
determine compliance, but provides that if the Secretary determines 
that ``exigent circumstances exist, such as when documents may be 
hidden or destroyed,'' the covered entity must permit access at any 
time without

[[Page 8397]]

notice. Section 160.310 also requires that the Secretary may not 
disclose protected health information obtained by the Secretary in the 
course of an investigation or compliance review except when necessary 
to ascertaining or enforcing compliance or as otherwise required by 
law. The proposed rule would amend this section to apply it to all of 
the HIPAA rules, rather than exclusively to the Privacy Rule, but 
otherwise proposed no substantive changes to the section.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: A couple of comments asked HHS either to further define 
``exigent circumstances,'' such as by limiting it to situations 
involving national security or by inserting specific examples of 
exigent circumstances in Sec.  160.310(c)(1). One comment suggested 
that the rule be revised to require that the Secretary's determination 
that ``exigent circumstances'' exist be a ``reasonable'' one.
    Response: The determination of what constitutes ``exigent 
circumstances'' will inevitably be fact-dependent. Specific language 
defining ``exigent circumstances'' is unnecessary, as the rule already 
provides a clarifying example and the principle underlying the 
provision is reasonably universal. We note that limiting the provision 
to situations where matters of national security are involved would 
most likely not cover the types of situations the provision is intended 
to cover--situations in which it is likely that the covered entity will 
seek to conceal or destroy evidence of noncompliance that HHS needs to 
carry out its statutory obligation to enforce the HIPAA rules.
    Comment: Two comments asked for further guidance and notice of 
record retention requirements and another comment expressed concerns 
with the record retention requirements of the Privacy Rule.
    Response: Record retention requirements applicable to the Privacy 
and Security Rules are spelled out in those rules; see, Sec.  
164.530(j) and Sec.  164.316(b), respectively. We do not address these 
record retention requirements here, as this topic lies outside the 
scope of this rule.
    The other HIPAA rules do not contain explicit record retention 
requirements, as such. However, it is likely that the documentation 
that would be relevant to showing compliance with those rules--such as 
health plan instructions to providers, software documentation, 
contracts, and systems processes--is kept as part of normal business 
practices. Covered entities should consider any other applicable laws, 
such as state law, in making such decisions.
7. Section 160.312--Secretarial Action Regarding Complaints and 
Compliance Reviews
    Proposed rule: We proposed to revise Sec.  160.312(a) to require 
that, where noncompliance is indicated, the Secretary would seek to 
reach by informal means a resolution of the matter that is satisfactory 
to the Secretary. Informal means could include demonstrated compliance, 
or a completed corrective action plan or other agreement. We proposed 
to revise Sec.  160.312(a)(2) to require, where noncompliance is 
indicated and the matter is resolved by informal means, that HHS notify 
the covered entity in writing and, if the matter arose from a 
complaint, the complainant. Where noncompliance is indicated and the 
matter is not resolved by informal means, proposed Sec.  
160.312(a)(3)(i) would require the Secretary to so inform the covered 
entity and provide the covered entity an opportunity to submit, within 
30 days of receipt of such notification, written evidence of any 
mitigating factors or affirmative defenses. To avoid confusion with the 
notice of proposed determination process provided for at proposed Sec.  
160.420, proposed Sec.  160.312(a)(3)(ii) provided that, where the 
matter is not resolved by informal means and the Secretary finds that 
imposition of a civil money penalty is warranted, the formal finding 
would be contained in the notice of proposed determination issued under 
proposed Sec.  160.420. We proposed to leave Sec.  160.312(b) 
substantively unchanged.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment suggested that covered entities should be able 
to appeal the Secretary's findings during the informal resolution 
process and that the Secretary's decision to resolve a matter 
informally should not preclude the respondent from questioning the 
Secretary's interpretation or application of the rule in question.
    Response: The purpose of the informal resolution process described 
in Sec.  160.312 is to bring closure at an early stage to a matter 
where compliance is in issue and, thus, to obviate the need to issue a 
notice of proposed determination. Section 160.312 recognizes, however, 
that informal resolutions will not always be achieved. Where the agency 
and the covered entity are not able to resolve the matter informally, 
HHS (through OCR and/or CMS) will make a finding of noncompliance 
pursuant to Sec.  160.420, which the covered entity may then challenge 
through the applicable procedures of subparts D and E. Nothing in the 
rule compels the covered entity to challenge the finding of 
noncompliance under Sec.  160.420, but if the covered entity wishes to 
challenge such a finding, including the agency's interpretation or 
application of a rule, it must do so through the procedural avenue 
provided by subparts D and E. These procedures implement the 
requirement of section 1128A(c) of the Act that the Secretary may not 
make an adverse determination against a person until the person has 
been given written notice and an opportunity for a hearing on the 
record on the adverse determination.
    Comment: One comment asked how informal resolution is possible, 
given HHS's position that, where a violation is found, a CMP must be 
imposed. Another comment expressed concern that the informal resolution 
process would allow covered entities to skirt penalties and the 
consequences of noncompliance with the HIPAA rules and suggested that 
the Secretary should not be compelled to reach a resolution through 
informal processes.
    Response: These comments misunderstand our position as to the 
mandatory nature of the statute. The Secretary must impose a civil 
money penalty where a formal determination of a violation is made. 
However, many opportunities exist prior to this determination that 
allow the Secretary to exercise his discretion to not impose a penalty. 
This issue is discussed more fully in connection with Sec.  160.402 
below.
    The second comment above also misconstrues Sec.  160.312. Nothing 
in that section compels OCR or CMS to resolve matters informally. 
Indeed, Sec.  160.312(a)(3) describes the actions to be taken ``[i]f 
the matter is not resolved by informal means * * *''.
    Comment: One comment suggested that HHS and the covered entity 
should be required to put the informal resolution in writing.
    Response: Both Sec.  160.312(a)(2) and Sec.  160.312(b) require 
that the resolutions contemplated in those sections be ``in writing.'' 
CMS and OCR currently document informal resolutions.
    Comment: One comment suggested that the 30-day time period for a 
covered entity to submit to the Secretary evidence of mitigating 
factors or affirmative defenses should be extended.
    Response: Thirty days should be sufficient for a covered entity to 
submit such evidence. The opportunity to provide additional evidence 
comes at

[[Page 8398]]

the end of investigation, and the covered entity should be gathering 
any evidence of mitigating factors or affirmative defenses during the 
investigation. In addition, the covered entity will have the 
opportunity to present such evidence to the ALJ if it chooses to appeal 
the Secretary's findings. Accordingly, we do not change this provision.
    Comment: One comment suggested that a deadline should be imposed 
for HHS to notify the covered entity of its findings after an 
investigation.
    Response: The time needed to finalize the agency's findings will 
depend on the complexity of the case, its outcome, and workload 
considerations. As these factors are inherently variable and 
unpredictable, we do not believe it would be advisable to impose fixed 
deadlines for taking the actions described in Sec.  160.312.
    Comment: One comment requested clarification of proposed Sec.  
160.312(a)(3)(ii), with respect to what action is referred to and the 
associated time frame.
    Response: The action referred to is HHS's notification of the 
covered entity of its finding of noncompliance when it determines that 
the matter cannot be resolved informally. Section 160.312(a)(3)(ii) 
provides that, if HHS decides to impose a civil money penalty, it will 
send a notice of proposed determination to the covered entity pursuant 
to Sec.  160.420. Thus, the intent of this provision is to clarify 
that, once OCR and/or CMS, as applicable, has determined that a 
violation has occurred, the matter cannot be resolved informally in a 
manner that is satisfactory to OCR and/or CMS, and a civil money 
penalty should be imposed, the agency's next step is to provide the 
formal notice required by section 1128A(c)(1), which in this rule is 
the notice of proposed determination under Sec.  160.420. The rule 
imposes no specific deadline on the agency for sending this notice. 
However, it should be noted that if the notice is not sent within six 
years of the violation, pursuit of the civil money penalty would be 
precluded by section 1128A(c)(1), which is implemented in this rule by 
Sec.  160.414.
    Comment: One comment requested that Sec.  160.312(a)(3) be revised 
to afford complainants the opportunity to express, in writing, the 
impact of the violation.
    Response: The suggested change is unnecessary, since nothing in the 
rule precludes a complainant from providing such information to the 
agency at any point in the process. Complainants frequently describe, 
in their complaints or in the course of OCR's or CMS's initial contacts 
with the complainants, the impact of the alleged violation. HHS also 
may request such information from the complainant where, for example, 
it bears on the amount of the penalty to be imposed.
8. Section 160.314--Investigational Subpoenas and Inquiries
    Proposed rule: The text of proposed Sec.  160.314 was adopted by 
the April 17, 2003 interim final rule as Sec.  160.504. We proposed to 
move this section to subpart C, consistent with our overall approach of 
organizing subparts C, D, and E to reflect the stages of the 
enforcement process. We proposed to include in the introductory 
language of proposed Sec.  160.314(a) a sentence which states that, for 
the purposes of paragraph (a), a person other than a natural person is 
termed an ``entity.'' We proposed not to modify Sec.  160.314(b)(1), 
(2) and (8) from the provisions of the April 17, 2003 interim final 
rule at paragraphs (b)(1)-(3) of Sec.  160.504. However, we proposed to 
add new paragraphs (3) through (7) and (9) to Sec.  160.314(b) and also 
to add a new paragraph (c). The proposed new paragraphs at Sec. Sec.  
160.314(b)(3)-(b)(7) would permit representatives of HHS to attend and 
ask questions at the inquiry, give a witness the opportunity to clarify 
his answers on the record after being questioned by HHS, require any 
objections or claims of privilege to be asserted on the record, and 
permit HHS to seek enforcement of the subpoena through the federal 
district court if a witness refuses to answer non-privileged questions 
or produce requested documents or items. Further, proposed Sec.  
160.314(c) provided that, consistent with Sec.  160.310, testimony and 
other evidence obtained in an investigational inquiry may be used by 
HHS in any of its activities and may be used or offered into evidence 
in any administrative or judicial proceeding. Together, these additions 
would clarify the manner in which investigational inquiries will be 
conducted, and how testimony given, and evidence obtained, during such 
an investigation may be used.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except that paragraph (a) is revised to clarify that 
investigational subpoenas may issue when a compliance review is 
conducted.
    Comment: A few comments requested that this section provide for the 
protection of privileged documents when subpoenaed by the Secretary. 
Comments also suggested that covered entities should have the ability 
to challenge a subpoena issued by the Secretary.
    Response: The rule, as proposed and adopted, provides a process for 
a subpoenaed witness to challenge the subpoena and/or assert privilege. 
Under section 205(e) of the Act, made applicable by section 1128A(j)(1) 
of the Act, the federal district court in which a person charged with 
contumacy or refusal to obey a subpoena resides or transacts business 
has jurisdiction upon application of HHS. As provided in Sec.  
160.314(a)(5), HHS may seek to enforce the subpoena in such cases 
through action in the relevant federal district court, which would 
presumably hear the basis for the witness's refusal to obey or claim of 
privilege in connection with a motion to quash under Fed. R. Civ. P. 
45(c)(3). (28 U.S.C. Appendix).
    Comment: Several comments requested that the scope of the subpoenas 
issued by the Secretary be limited to the investigation and that the 
Secretary not be allowed to pursue open-ended inquiries.
    Response: Section 205(d) of the Act, which is made applicable by 
section 1128A(j)(1), provides that a subpoena may issue for ``the 
production of any evidence that relates to any matter under 
investigation or in question before [the Secretary].'' Moreover, the 
federal courts subject the exercise of an agency's administrative 
subpoena authority to a reasonableness analysis. In U.S. v. Powell, 397 
U.S. 481 (1964), the holding of which was extended to all 
administrative subpoena authorities in Securities and Exchange 
Commission v. Jerry T. O'Brien, Inc., 467 U.S. 735, 741-42 (1984), the 
U.S. Supreme Court articulated a standard for the judicial review of 
administrative subpoenas that requires that the investigation be 
conducted pursuant to a legitimate purpose and that the information 
requested under the subpoena is relevant to that purpose. HHS is 
required to comply with this standard in the exercise of the subpoena 
authority under this section.
    Comment: One comment asked that covered entities be given notice of 
investigational inquiries directed at them.
    Response: In general, we would expect that an investigational 
subpoena would be used where a covered entity has failed to respond to 
HHS's requests for information in the course of an investigation 
conducted under Sec.  160.306. In such a case, the covered entity will 
have been previously notified of the investigation pursuant to Sec.  
160.306(c). Similarly, a subpoena would typically be issued in 
connection with a compliance review under Sec.  160.308 where the 
covered entity had

[[Page 8399]]

failed to respond to HHS's prior requests for information. Thus, we do 
not expect the element of surprise to be present, which appears to be 
the concern underlying these comments. We clarify in Sec.  160.314(a) 
that this section also applies to compliance reviews.
    Comment: One comment suggested that Sec.  160.314(a) be revised to 
state that the admissibility of written statements obtained by HHS 
during an investigational inquiry is subject to 45 CFR 160.518 and 
160.538.
    Response: We do not consider the suggested language necessary. 
Sections 160.518 and 160.538 apply to the exchange and admission of 
written statements. Should OCR or CMS seek to have written statements 
obtained during an investigation admitted into evidence, those 
statements would be subject to the requirements of Sec. Sec.  160.518 
and 160.538.
    Comment: One comment asked for clarification as to who may amend a 
transcript and whether the Secretary has the discretion to limit a 
witness's amendment of his or her testimony transcript.
    Response: Under Sec.  160.314(b)(9), both sides may propose 
corrections to the transcript, and any proposed corrections are 
attached to the transcript; the transcript itself is not altered. 
Section 160.314(b)(9)(i) provides that, if a witness is provided with a 
copy of the transcript, the witness may submit written proposed 
corrections to the transcript, or, if the witness is afforded only the 
opportunity to inspect the transcript, the witness may propose 
corrections to the transcript at the time of inspection. In either 
case, the witness's proposed corrections are attached to the 
transcript. Similarly, under Sec.  160.314(b)(9)(ii), the Secretary's 
proposed corrections are attached to the transcript. The purpose of the 
proposed corrections is to make the transcript ``true and accurate.'' 
See Sec.  160.314(b)(9)(i). Under this process, then, HHS would not be 
changing the witness's proposed corrections; HHS would, at most, be 
proposing different corrections.
    Comment: One comment suggested that Sec.  160.314 be revised to 
require HHS to provide for the same protection of protected health 
information that is required of covered entities when HHS receives 
protected health information during an investigation.
    Response: Section 160.310(c)(3) explicitly protects the 
confidentiality of protected health information received by HHS ``in 
connection with an investigation or compliance review under this 
subpart.'' Although these protections are not the same as those 
required of covered entities with respect to protected health 
information, in some respects they are more stringent, given the 
limited circumstances for which the information may be disclosed under 
this provision. Because Sec.  160.314 is now part of the subpart, the 
restriction of Sec.  160.310(c)(3) applies to protected health 
information received during an investigational inquiry. See Sec.  
160.314(c), which provides that testimony and other evidence obtained 
in an investigational inquiry may only be used ``[c]onsistent with 
Sec.  160.310(c)(3) * * *''.
    Comment: One comment asked for clarification of the ``good cause'' 
limitation on a witness's ability to inspect the official transcript of 
their testimony.
    Response: This provision derives from the Administrative Procedure 
Act, which requires, at 5 U.S.C. 555(c), that ``[a] person compelled to 
submit data or evidence is entitled to retain or, on payment of 
lawfully prescribed costs, procure a copy or transcript thereof, except 
that in a nonpublic investigatory proceeding the witness may for good 
cause be limited to inspection of the official transcript of his 
testimony.'' The ``good cause'' language of this provision has been 
explained as follows:

    The * * * grant[] to agencies of the right to inhibit access to 
testimony in nonpublic investigatory proceedings were in recognition 
that such investigations, ``like those of a grand jury, might be 
thwarted in certain cases if not kept secret, and that if witnesses 
were given a copy of their transcript, suspected violators would be 
in a better position to tailor their own testimony to that of the 
previous testimony, and to threaten witness about to testify with 
economic or other reprisals.''

LaMorte v. Mansfield, 438 F.2d 448, 451 (2d Cir. 1971) (quoting 
Commercial Capital Corp. v. S.E.C., 360 F.2d 856, 858 (7th Cir. 1966)).
    Comment: Several comments suggested that evidence obtained during 
an investigation by HHS should be used only within the scope of that 
investigation, not for other matters, as provided for by Sec.  
160.314(c).
    Response: Section 160.314(c) mirrors the OIG rule. The concept that 
HHS may use evidence obtained in an investigation for matters outside 
the scope of the investigation is not novel. While we would expect to 
be careful in using such information for other purposes, we are legally 
obligated to take appropriate action if we obtain clear evidence of 
wrongdoing.
9. Section 160.316--Refraining From Intimidation or Retaliation
    Proposed rule: Proposed Sec.  160.316, which was taken from Sec.  
164.530(g)(2) of the Privacy Rule, would prohibit covered entities from 
threatening, intimidating, coercing, discriminating against, or taking 
any other retaliatory action against individuals or other persons 
(including other covered entities) who complain to HHS or otherwise 
assist or cooperate in the enforcement processes created by this rule. 
The intent of this addition to subpart C was to make these non-
retaliation provisions applicable to all of the HIPAA rules, not just 
the Privacy Rule. A conforming change to Sec.  164.530(g) of the 
Privacy Rule was proposed, to cross-reference proposed Sec.  160.316.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except that the verb ``harass'' is inserted in the introductory 
language of this section. The related revision to Sec.  164.530(g) is 
adopted without change.
    Comment: Two comments asked HHS to strengthen the prohibition on 
retaliation and intimidation. The comments express concern that the 
current provision is not a sufficient deterrence to covered entities, 
particularly payers. One comment suggested that the language be revised 
to read in pertinent part as follows: ``A covered entity may not 
threaten * * * including not threaten to reduce or eliminate payment, 
intimidate, coerce, harass, discriminate against, or take any other 
retaliatory action against any individual or other person * * * 
including suspending or terminating participation in a Medicaid program 
and/or in any other program or network or reducing or eliminating 
payment for * * *''. Another comment suggested that persons who engage 
in prohibited retaliation or intimidation should be considered to have 
``knowingly'' violated the statute and be subject to criminal penalties 
under section 1177 of the Act.
    Response: We agree with the comment that the actions covered in the 
suggested language would constitute intimidation or retaliation under 
the appropriate facts, but we think that such claims may be made under 
the existing language. However, while harassment is encompassed by the 
phrase ``other retaliatory action'' in this section, since harassment 
is a form of pressure that is sufficiently different from, and as 
objectionable as, the other intimidating or retaliatory acts that are 
specifically mentioned, we clarify the section by including it in the 
text of the regulation;

[[Page 8400]]

the text of the final rule is revised accordingly.
    The statute does not make retaliation or intimidation the subject 
of a criminal penalty under section 1177, and we cannot expand the 
scope of the criminal provision by regulation. Accordingly, we do not 
adopt this suggestion.
    Comment: One comment suggested amending the section to require that 
a complaint be filed in good faith under Sec.  160.306 and that the 
same change be made to the remaining language in proposed Sec.  
164.530(g). The comment stated that covered entities should not be 
prohibited from firing employees who file false complaints and that 
covered health care providers should not be prohibited from terminating 
the provider-patient relationship where the patient files a false 
complaint.
    Response: The good faith of a complainant is currently evaluated by 
OCR to the extent it bears upon determining whether a compliance 
failure appears to have occurred and the extent to which the complaint 
should be investigated. We do not read the rule as prohibiting the 
firing of an employee or the termination of a provider-patient 
relationship where other legitimate grounds for such action exist; 
whether such grounds exist would be a matter to be ascertained in the 
course of the investigation.
    Comment: Two comments asked HHS to provide examples of retaliation 
and/or outline procedures or criteria for how the occurrence of 
retaliation will be investigated and determined. One comment asked that 
the rule stipulate that an act be considered to be one of retaliation 
or intimidation only if it occurred after the filing of a complaint.
    Response: Complaints regarding retaliation or intimidation will be 
handled in the same manner as investigations regarding other possible 
violations of the HIPAA rule, as Sec.  160.316 is considered an 
administrative simplification provision for the purposes of imposing a 
civil money penalty. Because such situations are likely to be quite 
varied and factually complex, we are reluctant to preclude 
consideration of events prior to the filing of a complaint that may be 
relevant to a claim of retaliation or intimidation. We, thus, retain 
the language as proposed.

C. Subpart D--Imposition of Civil Money Penalties

    Subpart D of the final rule addresses the issuance of a notice of 
proposed determination to impose a civil money penalty and other 
actions that are relevant thereafter, whether or not a hearing is 
requested following the issuance of the notice of proposed 
determination. It also contains provisions on identifying violations, 
calculating civil money penalties for such violations, and establishing 
affirmative defenses to the imposition of civil money penalties. It, 
thus, implements the provisions of section 1176, as well as related 
provisions of section 1128A. As noted above, many provisions of subpart 
D are based in large part upon the OIG regulations, but we adapt the 
language of the OIG regulations to reflect issues presented by, or the 
authority underlying, the HIPAA rules.
1. Section 160.402--Basis for a Civil Money Penalty
    Section 160.402 sets forth the rules concerning the basis for 
liability for a civil money penalty. It includes the rules for 
determining liability if more than one covered entity is responsible 
for a violation and where an agent of a covered entity is responsible 
for a violation.
a. Section 160.402(a)--General Rule
    Proposed rule: Proposed Sec.  160.402(a) would require the 
Secretary to impose a civil money penalty on any covered entity which 
the Secretary determines has violated an administrative simplification 
provision, unless the covered entity establishes that an affirmative 
defense, as provided for by Sec.  160.410, exists. This provision is 
based on the language in section 1176(a) that ''* * * the Secretary 
shall impose on any person who violates a provision of this part a 
penalty * * * ''. A ``provision of this part'' is considered to be a 
requirement or prohibition of the HIPAA statute or rules. See the 
discussion of ``administrative simplification provision'' under Sec.  
160.302 above.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: A number of comments suggested that the words ``the 
Secretary will impose a civil money penalty * * * '' are too strict. 
Some comments expressed concern that this language could jeopardize 
HHS's ability to resolve a matter informally; other comments questioned 
how this language was consistent with the provisions for voluntary 
compliance (Sec.  160.304), informal resolution (Sec.  160.312), and 
settlement (Sec.  160.416). Most of these comments suggested that the 
rule give the Secretary discretion to impose a civil money penalty 
instead of making it mandatory.
    Response: Section 160.402(a) states the general rule of section 
1176(a): If the Secretary determines that a covered entity has violated 
an administrative simplification provision, he will impose a civil 
money penalty unless a basis for not imposing a penalty under section 
1176(b) exists. The use of the words ``shall impose'' in section 
1176(a) is more than the mere conveyance of authority to the Secretary 
to exercise his discretion where he has made a formal determination 
that a covered entity has violated an administrative simplification 
provision. Under the procedures set forth in this final rule, the 
formal determination is proposed in a notice of proposed determination 
under Sec.  160.420. A covered entity may request administrative review 
by an administrative law judge of this determination. If the covered 
entity does not so request, the proposed determination becomes final.
    Many opportunities will precede a determination of a violation, 
however, that will permit the Secretary to exercise his discretion to 
not impose a penalty. As set forth in Sec.  160.304, the principle for 
achieving compliance is to seek voluntary compliance by covered 
entities. To implement this principle in complaints and compliance 
reviews, Sec.  160.312 provides that the Secretary will attempt to 
reach resolution by informal means prior to proposing a determination 
under Sec.  160.420 that a covered entity has violated an 
administrative simplification provision. If resolution satisfactory to 
the Secretary is reached by informal means, the Secretary may exercise 
his discretion to close the matter without formally proposing a 
determination under Sec.  160.420. The Secretary is also authorized by 
section 1128A(f) of the Act, which is incorporated by reference in 
section 1176, to exercise discretion to settle any matter. Thus, under 
Sec. Sec.  160.416 and 160.514, settlements of civil money penalties 
which have been proposed or are being challenged through the 
administrative hearing process are possible. The Secretary also has 
discretion to waive civil money penalties, in whole or in part, in 
certain cases under Sec.  160.412.
    The general rule stated in Sec.  160.402(a) that the Secretary will 
impose a civil money penalty upon a covered entity if the Secretary 
determines that the covered entity has violated an administrative 
simplification provision is not at odds with the Secretary's authority 
to exercise his discretion pursuant to Sec. Sec.  160.304, 160.312, 
160.412, 160.416, and 160.514. However, these exercises of Secretarial 
discretion require actions by covered entities. When a covered entity 
acts, or fails to act, in ways that do not allow the exercise of 
Secretarial discretion not to

[[Page 8401]]

impose a penalty, the Secretary will impose a civil money penalty upon 
the covered entity if the Secretary determines that the covered entity 
has violated an administrative simplification provision.
    Comment: One comment complained that Sec.  160.402(a) does not 
allow for early termination of frivolous complaints. The comment stated 
that covered entities are locked into paying a civil money penalty or 
initiating an expensive and elaborate defense to the complaint.
    Response: It is our expectation that complaints that are frivolous 
will be resolved at an early stage of the informal resolution process 
under Sec.  160.312. A covered entity can facilitate this process by 
cooperating with the OCR or CMS investigators on a timely basis.
    Comment: One comment suggested that Sec.  160.402(a) be revised to 
require HHS to issue a finding that informal resolution is not 
sufficient and that a civil money penalty is necessary.
    Response: The provision suggested would be redundant. The notice of 
proposed determination under Sec.  160.420 essentially fulfills this 
function, in that it must state the grounds upon which the Secretary 
has decided to impose the penalty.
b. Section 160.402(b)--Violations by More Than One Covered Entity
    Proposed rule: Proposed Sec.  160.402(b) provided that, except with 
respect to covered entities that are members of an affiliated covered 
entity, if the Secretary determines that more than one covered entity 
was responsible for violating an administrative simplification 
provision, the Secretary will impose a civil money penalty against each 
such covered entity. Based on the statutory language in section 
1176(a), which states that the Secretary ``* * * shall impose a penalty 
* * *'' when there is a determination that an entity has violated a 
HIPAA provision, this provision would apply to any two or more covered 
entities (other than members of an affiliated covered entity, discussed 
below), including, but not limited to, those that are part of a joint 
arrangement, such as an organized health care arrangement. The preamble 
to the proposed rule noted that the determination of whether or not an 
entity is responsible for the violation would be based on the facts and 
that, while simply being part of a joint arrangement would not, in and 
of itself, make a covered entity responsible for a violation by another 
entity in the joint arrangement, it could be a factor considered in the 
analysis. See 70 FR 20231.
    Proposed Sec.  160.402(b)(2) provided that each covered entity that 
is a member of an affiliated covered entity would be jointly and 
severally liable for a civil money penalty for a violation by the 
affiliated covered entity. An affiliated covered entity is a group of 
covered entities under common ownership or control, which have elected 
to be treated as if they were one covered entity for purposes of 
compliance with the Security and Privacy Rules. See Sec.  164.105(b).
    Final rule: The final rule provides that a member of an affiliated 
covered entity is jointly and severally liable for a violation by the 
affiliated covered entity, unless it is established that another member 
of the affiliated covered entity was responsible for the violation.
    Comment: Proposed Sec.  160.402(b) was opposed by many on the 
ground that it was unfair to make one covered entity liable for a 
violation committed by another covered entity. A number of comments 
stated that this provision was particularly unfair, when coupled with 
the requirement of proposed Sec.  160.426 that the public be notified 
of civil money penalties imposed, in that a covered entity that was not 
responsible for the violation in question could bear the reputational 
injury associated with such notification, due to the operation of 
proposed Sec.  160.402(b). One comment pointed out that violations may 
not be system-wide, but may be limited to one member of the affiliated 
covered entity; in such a situation, it would not be fair to penalize 
the other members of the affiliated covered entity.
    Response: We agree with these comments to a certain extent and have 
changed the final rule accordingly. We agree that, if responsibility 
for a violation can be shown to lie with one member of an affiliated 
covered entity, that member should be held liable for the violation. 
Thus, we have provided that a covered entity member of an affiliated 
covered entity may avoid liability if it is established that another 
member was responsible for the violation. We suspect that in most 
cases, which member was responsible for the violation will be clear--
for example, if four of five members of a covered entity distributed 
privacy notices but the fifth member did not, the violations of the 
notice distribution requirement of Sec.  164.520 would be attributed to 
the fifth member. In such cases, the objections to publication 
described above are beside the point, because liability follows 
responsibility.
    However, we do not agree that the inability to assign specific 
responsibility for a violation to one or more members of an affiliated 
covered entity should shield all of its members from liability. We 
doubt that such situations will arise often, but they may arise where 
the affiliated covered entity has failed to take a required act--for 
example, where the affiliated covered entity has failed to appoint a 
privacy officer. In such a case, all of the members of the affiliated 
covered entity bear a share of the responsibility for the failure to 
act, since any of them could have presumably taken action to bring the 
group, as a whole, into compliance. It is, thus, not unreasonable that 
all members of the affiliated covered entity should be jointly and 
severally liable for the consequent penalty. Moreover, absent joint and 
several liability, each member of the affiliated covered entity would 
be separately liable for the penalty for the violation, e.g., the 
failure to appoint a privacy officer. Thus, the removal of joint and 
several liability may result in greater liability for the members of an 
affiliated covered entity in some cases.
    Comment: Several comments argued that there is no statutory 
authority for holding the members of an affiliated covered entity 
jointly and severally liable, in that the statute requires that the 
penalty ``shall be imposed on any person who violates a provision * * 
*'' and, thus, does not authorize imposition of a penalty on a person 
who has not violated a provision of the statute or rules. One comment 
argued that proposed Sec.  160.402(b) would violate the due process 
clause by imposing liability on entities not responsible for a 
violation.
    Response: These objections are misplaced. Where, as will usually be 
the case, responsibility for the violation is evident and the 
responsible party is charged with the violation, they are obviously not 
relevant. In the case of other violations, where the responsibility for 
the violation is shared by the members of the affiliated covered 
entity, as in where the affiliated covered entity fails to take 
required actions, they are likewise not relevant. Since each covered 
entity member of the affiliated covered entity is responsible for 
complying with the rule in question, responsibility for the failure to 
act may be properly imputed to each member. Moreover, since an 
affiliated covered entity is a type of joint undertaking, it is 
reasonable to impute responsibility to the members of the affiliated 
covered entity, as is typically done with joint ventures.
    Comment: Several comments argued that proposed Sec.  160.402(b) 
uses a legal fiction of the Privacy and Security Rules to create 
liability where liability would not otherwise exist and substitutes 
this fiction for the corporate form and structure that establish the 
basis for enterprise liability under U.S. law.

[[Page 8402]]

Another comment stated that this section is inconsistent with the 
provision of the HIPAA rules (Sec.  160.105(b)) that defines an 
affiliated covered entity as an entity comprised of ``legally 
separate'' entities.
    Response: We disagree. The affiliated covered entity concept is 
more than a legal fiction. It is an operational approach to discharging 
certain compliance responsibilities. When covered entities create an 
affiliated covered entity, they mutually agree to conduct their 
business in a certain manner and hold themselves out to the world as a 
joint undertaking. While the Privacy and Security Rules do not 
prescribe detailed requirements for how an affiliated covered entity 
must be organized, the level of cooperation such an undertaking 
necessitates, the requirement for designation, and the requirement of 
common ownership or control mean that the participating members will 
have entered into an agreement of some sort, whether formal or 
informal. We, thus, think that it is properly viewed as a joint 
venture.
    The fact that an affiliated covered entity is composed of ``legally 
separate'' entities is beside the point. Joint and several liability, 
as a concept, is imposed on legally separate entities. See, e.g., 
Black's Law Dictionary (8th ed. 2004), liability.
    Comment: A number of comments argued that the provision for joint 
and several liability would discourage covered entities from setting up 
affiliated covered entities. One comment stated that proposed Sec.  
160.402(b) represents a change in position by HHS, in that the preamble 
to the Privacy Rule, on which many covered entities relied, stated that 
covered entities that formed an affiliated covered entity are 
``separately subject to liability under this rule.''
    Response: Section 160.402(b), as adopted, should allay the concerns 
expressed by these comments with respect to the potential exposure to 
liability for the members of affiliated covered entities. We think 
that, in most cases, which member of an affiliated covered entity is 
responsible for a violation will be obvious; where this is the case, 
HHS would seek to impose the civil money penalties on that member. Even 
if it is not obvious from the violation itself who the responsible 
party is, a covered entity may adduce evidence to establish that 
responsibility for the violation lies elsewhere, and, if this is shown, 
avoid liability. In any event, the establishment of an affiliated 
covered entity is not mandated by either the Privacy Rule or the 
Security Rule. Rather, establishing an affiliated covered entity is a 
business decision to be made by the covered entities involved. The 
affiliated covered entity arrangement carries with it certain benefits 
for the member entities; any increased exposure to potential liability 
under this rule, assuming there is one, should be part of the business 
calculus.
    In addition, we do not agree that Sec.  160.402(b) is inconsistent 
with the position taken in the preamble to the Privacy Rule. Our prior 
statement was intended to provide notice that liability for violations 
by an affiliated covered entity would devolve onto the member covered 
entities of an affiliated covered entity, rather than being attributed 
to the affiliated covered entity itself, so that member covered 
entities could not avoid liability by arguing that the affiliated 
covered entity had committed the violation in question. It was not 
intended to indicate the bases upon which that liability would be 
determined, which is the purpose of Sec.  160.402(b).
    Comment: A couple of comments supported the policy of holding the 
members of an affiliated covered entity jointly and severally liable. 
One comment supported holding all covered entities in an affiliated 
covered entity liable for the violations of one as an efficient 
mechanism for highlighting the seriousness of violations of the HIPAA 
rules.
    Response: For the reasons set forth above, we have not adopted this 
policy in the final rule, insofar as responsibility for a violation can 
be determined.
    Comment: Two comments requested clarification of the maximum amount 
of the penalty that will be assessed against an affiliated covered 
entity when one of its members has been found noncompliant.
    Response: Where responsibility for a violation is allocated to 
individual covered entities, each covered entity determined to be 
responsible for the violation would be liable for violations of an 
identical requirement or prohibition in a calendar year up to the 
statutory maximum of $25,000. If responsibility for particular 
violations cannot be determined, so that the members of the affiliated 
covered entity are jointly and severally liable for the violation, the 
maximum that would be imposed for violations of an identical 
requirement or prohibition in a calendar year would be $25,000.
    Comment: Several comments requested clarification of the statement 
in the preamble to the proposed rule that membership in an organized 
health care arrangement ``could be a factor considered in the 
analysis'' in determining the liability of a member of such arrangement 
for a violation. Of particular concern was the potential liability of a 
hospital for the actions of physicians with privileges; one comment 
noted that the hospital exercises little control over medical staff in 
such situations. One comment requested that the final rule clarify that 
membership in an organized health care arrangement would not increase a 
covered entity's exposure to liability.
    Response: As we noted in the preamble to the proposed rule, the 
members of an organized health care arrangement would be individually--
not jointly and severally--liable for any violation of the HIPAA rules. 
What our preamble statement intended to indicate was that HHS might 
have to look carefully at how the organized health care arrangement 
operated in determining which member(s) of the organized health care 
arrangement was responsible for a particular violation, if that was not 
clear at the outset.
c. Section 160.402(c)--Violations Attributed to a Covered Entity
    Proposed rule: Proposed Sec.  160.402(c) provided that a covered 
entity can be held liable for a civil money penalty based on the 
actions of any agent, including a workforce member, acting within the 
scope of the agency. This provision derives from section 1128A(l) of 
the Act, which is made applicable to HIPAA by section 1176(a)(2) of the 
Act. Section 1128A(l) states that ``a principal is liable for penalties 
* * * under this section for the actions of the principal's agents 
acting within the scope of the agency.'' Under the proposed rule, a 
covered entity could be liable for a civil money penalty for a 
violation by any agent acting within the scope of the agency, including 
a workforce member. (``Workforce'' is defined at Sec.  160.103 as 
``employees, volunteers, trainees, or other persons whose conduct in 
the performance of work for a covered entity is under the direct 
control of such entity, whether or not they are paid by the covered 
entity.'') The proposed rule excepted covered entities from liability 
for actions of a business associate agent that violate the HIPAA rules, 
if the covered entity was in compliance with the HIPAA rules governing 
business associates at Sec. Sec.  164.308(b) and 164.502(e). Proposed 
Sec.  160.402(c) also provided that the Federal common law of agency 
would apply to determine agency issues under this provision.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: A number of comments supported the provision of proposed 
Sec.  160.402(c) relating to business

[[Page 8403]]

associates and requested that it be retained in the final rule.
    Response: We agree and have done so.
    Comment: One comment requested clarification of the liability of a 
covered entity for a violation committed by a non-covered entity who is 
not a business associate or workforce member, such as researchers, 
medical device vendors, and non-covered providers who have treatment 
privileges and access to protected health information at a covered 
entity's facility. The comment argued that, depending on the 
circumstances, such persons may or may not be considered agents.
    Response: In general, a ``violation'' cannot occur, if the act in 
question is not done by a covered entity or its agent, because only 
covered entities are subject to the HIPAA rules. For example, if a 
permitted or required disclosure of protected health information is 
made by a covered entity to a person or entity that is not a workforce 
member or business associate, the covered entity would not generally be 
responsible for that person's or entity's subsequent use or disclosure 
of the information. Thus, if a hospital that is a covered entity 
discloses protected health information to a non-covered health care 
provider with privileges for treatment of a patient, the hospital would 
not be liable for a subsequent use or disclosure by that provider, as 
long as the hospital is not also involved in that use or disclosure. If 
the provider is an agent of the hospital, however, the hospital's 
liability will be determined in accordance with Sec.  160.402(c).
    Comment: We requested comment in the proposed rule on whether there 
are categories of workforce members whom it would be inappropriate to 
treat as agents under Sec.  160.402(c). A number of comments suggested 
that independent contractors, volunteers, and students under the 
supervision of an academic institution be excluded from the definition 
of an agent for whose acts the covered entity could be liable, provided 
that the covered entity has given the requisite training to such 
persons. The comments indicated that generally covered entities have 
less control over such persons than they have over employees.
    Response: Whether a person is sufficiently under the control of a 
covered entity and acting within the scope of the agency has to be 
determined on the facts of each situation, but Sec.  160.402(c) creates 
a presumption that a workforce member is an agent of the covered entity 
for the member's conduct under the HIPAA rules, such as using and 
disclosing protected health information. With regard to whether an 
independent contractor is a member of the covered entity's workforce, 
the question would be whether the covered entity had direct control 
over the independent contractor in the performance of its work for the 
covered entity. See Sec.  160.103 (definition of ``workforce''). If the 
covered entity does not have direct control over such persons, they do 
not fall within the definition of ``workforce.'' Where persons, such as 
independent contractors, who are not under the direct control of the 
covered entity perform a function or activity that involves the use or 
disclosure of individually identifiable health information or a 
function or activity regulated by this subchapter on behalf of a 
covered entity, such persons would fall within the definition of 
``business associate,'' and the covered entity would be required to 
comply with the business associate provisions of the Privacy and 
Security Rules with regard to such persons. Because of the direct 
control requirement in the definition of workforce, we think it is 
appropriate for a covered entity to be liable for a violative act of an 
independent contractor who is a member of the workforce, that is, who 
is under the direct control of the covered entity.
    With respect to volunteers and trainees, we note that, while 
covered entities may have less control over these persons, they do 
control their performance of activities that are governed by the HIPAA 
rules, such as access to protected health information. In regard to 
privacy, a covered entity is required to train these categories of 
workforce members as necessary and appropriate for these volunteers and 
trainees to carry out their functions within the covered entity. 45 CFR 
164.530(b). This requirement allows a covered entity to adapt its 
training to a volunteer's or trainee's scope of duties. For example, a 
volunteer who files laboratory results in a medical record will require 
training that is different and more extensive than the training given 
to a volunteer in the lobby gift shop of a hospital. Section 160.402(c) 
is consistent with these distinctions. The acts of volunteers and 
trainees will be examined on a case-by-case basis to determine if they 
are acting as agents within the scope of their agency. Thus, we think 
that it is appropriate to treat volunteers and trainees as persons for 
whose acts a covered entity may be liable, if they act as agents for 
the covered entity and violate the HIPAA rules within the scope of 
their agency.
    Comment: One comment recommended that the rule be revised to make 
covered entities liable for violations committed by business 
associates. The comment suggested that, if a covered entity is not 
liable for the actions of its business associates, covered entities 
will outsource the handling of protected health information to avoid 
liability.
    Response: We included the business associate exception in proposed 
Sec.  160.402(c)(1)-(3) to make this rule consistent with the business 
associate provisions in the Privacy and Security Rules. Changing the 
business associate provisions in the Privacy and Security Rules is 
outside the scope of this rulemaking. (See the extensive discussion 
about business associates in the Privacy Rule and Security Rule 
preambles at 65 FR 82503-82507 and 82640-82645, 67 FR 53251-53253, and 
68 FR 8358-8361). The satisfactory assurances that are required in 
written contracts or arrangements between covered entities and their 
business associates are intended to protect the confidentiality of 
protected health information handled by business associates. If a 
covered entity fails to comply with the business associate provisions 
in the Privacy and Security Rules, such as by not entering into the 
requisite contracts or arrangements, or by not taking reasonable steps 
to cure a breach or end a violation that is known to the covered 
entity, the covered entity may be liable for the actions of a business 
associate agent. We, therefore, decline to follow the recommendation.
    Comment: Two comments suggested that HHS limit its use of the 
Federal common law of agency because its application may make a covered 
entity liable for the actions of a person, such as an independent 
contractor, for whom the covered entity is not liable under state law.
    Response: As we stated above, covered entities must comply with the 
business associate provisions of the Privacy and Security Rules for 
independent contractors who are not under the direct control of the 
covered entity and who perform a function or activity that involves the 
use or disclosure of individually identifiable health information or a 
function or activity regulated by ``this subchapter'' (i.e., the HIPAA 
rules) on behalf of a covered entity. If a covered entity complies with 
the business associate provisions, the exception from liability in 
Sec.  160.402(c) will be applicable. The purpose of establishing the 
Federal common law of agency to determine when a covered entity is 
vicariously liable for the acts of its agents is to achieve nationwide 
uniformity in the implementation of the HIPAA rules by covered entities 
and nationwide

[[Page 8404]]

consistency in the enforcement of these rules by HHS. The comments 
reinforced our conclusion that reliance on state law could introduce 
inconsistency in the implementation of the HIPAA rules by covered 
entities in different states. Thus, we retain the Federal common law of 
agency as the standard by which agency questions in specific cases will 
be determined.
    Comment: Two comments requested clarification of how this section 
will apply to insurance agents, brokers, and consultants.
    Response: Insurance agents, brokers, and consultants who are not 
members of the covered entity's workforce but with whom the covered 
entity shares protected health information will generally fall within 
the definition of ``business associate'' at Sec.  160.103. A covered 
entity that complies with the business associate provisions of the 
Privacy and Security Rules would not be liable for a violation of those 
rules by the business associate pursuant to the liability exception in 
Sec.  160.402(c). It is also possible that the insurance agent, broker, 
or consultant may be the covered entity's agent in some, but not all, 
of his or her activities. An agent or broker may be working on behalf 
of an employer to arrange insurance coverage for its employees and not 
on behalf of the health insurance issuer that is a covered entity. In 
cases where the liability exception for business associates is not 
available or not met, the determination of whether an insurance agent, 
broker, or consultant is an agent of a covered entity and was acting 
within the scope of the agency will be made based on the facts of each 
situation.
    Comment: One comment argued that covered entities should not be 
liable for acts of employees outside the scope of their employment. 
Another comment suggested that covered entities should not be liable 
for the actions of agents who have been informed of the covered 
entity's HIPAA compliance policies, yet act contrary to them. Another 
suggested that a covered entity should not be liable for the acts of 
agents who, although authorized to disclose protected health 
information, disclose it for purposes of sale or with intent to do 
harm.
    Response: Section 160.402(c), as proposed and adopted, provides 
that a covered entity is liable for the acts of an agent acting 
``within the scope of the agency.'' This provision necessarily implies 
that a covered entity is not liable for its agent's acts outside the 
scope of the agency (as determined under the federal common law of 
agency). With regard to the comments that suggest that unauthorized 
conduct by an agent is outside the scope of the agency, the Federal 
common law of agency will be applied to the facts of each case to 
determine whether the covered entity is liable for the conduct, even 
though it was unauthorized.
    Comment: Two comments expressed concern with the role of a Privacy 
Officer and his or her liability under this part and the covered 
entity's liability for the actions of a Privacy Officer who is a 
business associate. One comment suggested that the Privacy Officer 
should not incur any additional liability merely by being designated 
the Privacy Officer. The other comment requested clarification as to a 
covered entity's liability when the covered entity directly controls a 
Privacy Officer, if the Privacy Officer is a business associate.
    Response: As stated above, the facts of each case will determine 
the liability of covered entities for wrongful conduct of its agents 
under the HIPAA rules. As a general matter, we think that a Privacy 
Officer is an officer of a covered entity for the purposes of the 
Privacy Rule and, thus, will likely be the covered entity's agent. As 
stated in Sec.  160.402, a covered entity is liable for the acts of its 
agent acting within the scope of its agency and, thus, is liable for 
any penalties that result from those acts. However, if a Privacy 
Officer is a business associate of the covered entity, the liability 
exception in Sec.  160.402(c) may apply. A covered entity that is in 
compliance with the business associate provisions of the Privacy and 
Security Rules will not be liable for a violation of those rules by the 
business associate.
2. Section 160.404--Amount of a Civil Money Penalty
    Proposed rule: Under proposed Sec.  160.404(a), the penalty amount 
would be determined through the method provided for in proposed Sec.  
160.406, using the factors set forth in proposed Sec.  160.408, and 
subject to the statutory caps reflected in proposed Sec.  160.404(b) 
and any reduction under proposed Sec.  160.412. The proposed regulation 
would not establish minimum penalties. Proposed Sec.  160.404 would 
follow the language of the statute and establish the maximum penalties 
for a violation and for violations of an identical requirement or 
prohibition during a calendar year, as set forth in the statute--up to 
$100 per violation and up to $25,000 for violations of an identical 
requirement or prohibition in a calendar year. Proposed Sec.  
160.404(b) provided that the term ``calendar year'' means the period 
from January 1 through the following December 31.
    Under proposed Sec.  160.404(b)(2), a violation of a more specific 
requirement or prohibition, such as one contained within an 
implementation specification, could not also be counted, for purposes 
of determining civil money penalties, as an automatic violation of a 
broader requirement or prohibition that entirely encompasses the more 
specific one. That is, the Secretary could impose a civil money penalty 
for violation of either the general or the specific requirement, but 
not both. Proposed Sec.  160.404(b)(2) would not apply where a covered 
entity's action results in violations of multiple, differing 
requirements or prohibitions within the same HIPAA rule or in 
violations of more than one HIPAA rule. Proposed Sec.  160.404(b)(2) 
also would not preclude assessing civil money penalties for multiple 
violations of an identical requirement or prohibition, up to the 
statutory cap.
    Final rule: The final rule adopts the provisions of the proposed 
rule. Changes to the provisions referenced in this section are 
discussed in connection with those provisions.
    Comment: While most comments that addressed proposed Sec.  
160.404(b)(2) supported it, several comments suggested that a single 
set of facts or single activity should not result in the finding of 
more than one violation, even of different subparts. According to the 
comments, covered entities should not be assessed penalties for 
violating more than one provision if all violations arise out of the 
same facts or incident. One comment suggested that penalties should not 
be doubly assessed for overlapping provisions in other subparts unless 
gross misconduct or willful negligence was involved.
    Response: We do not count an act that violates overlapping 
provisions of a subpart as more than one violation because provisions 
that are duplicative in a subpart were written that way as a drafting 
convenience and were not intended to establish separate legal 
obligations. This rationale, however, does not apply where the legal 
obligations are found in different subparts. Further, the different 
subparts implement different statutory standards and, thus, impose 
separate legal obligations. For example, where a covered entity re-
sells its used computers without scrubbing the hard drives that contain 
protected health information, this act may violate several separate 
legal obligations under the Security and Privacy Rules: (1) The media 
re-use requirement of Sec.  164.310(d)(2)(ii); (2) the safeguards 
requirement of Sec.  164.530(c); and (3) to the extent that the 
protected health

[[Page 8405]]

information on the drives is accessible by persons to whom it could not 
permissibly be disclosed, Sec. Sec.  164.308(a)(4)(i) and 164.502(a). 
In such a situation, the act has violated requirements or prohibitions 
of different rules promulgated pursuant to different provisions of the 
statute, and it is appropriate that such violations be treated 
separately. Thus, we decline to extend Sec.  160.404(b)(2) as 
suggested.
    Further, the same facts may evidence noncompliance with more than 
one non-overlapping provision of a subpart and, thus, may result in 
multiple violations for which a penalty may be assessed. For example, a 
covered entity that makes an impermissible use of protected health 
information may also, by virtue of the impermissible use, have violated 
the Privacy Rule's minimum necessary and/or reasonable safeguard 
provisions.
    We also note that, in some cases, a violation of one requirement or 
prohibition may produce consequential violations, and such cases would 
not come within Sec.  160.404(b)(2). For example, Sec.  164.308(a) 
requires covered entities to conduct security risk analyses. The 
security risk analysis is the foundation of the covered entity's 
security risk management plan and is one of the bases which it must 
take into account in deciding not to implement addressable 
implementation specifications under the Security Rule. If a covered 
entity does not do a security risk analysis, it has no basis for not 
implementing the addressable implementation specifications under the 
Security Rule, and any failure to implement such specifications could, 
thus, be considered a violation. Thus, while the failure to conduct the 
security risk analysis would be a violation, albeit a continuing one, 
of just one provision, it would necessarily result in other violations, 
to the extent the covered entity failed to implement the addressable 
implementation specifications of the Security Rule.
    Comment: One comment suggested that the costs incurred by the 
covered entity as a result of the violation should be considered in 
calculating the amount of the penalty.
    Response: We do not adopt this suggestion for several reasons. 
First, we are not certain what costs the comment is suggesting be 
considered--the costs associated with committing the violation, the 
costs associated with correcting the violation, or both. Second, the 
factors to be considered in determining the amount of the penalty for a 
violation are set out at section 1128A(d) and are implemented in this 
rule by Sec.  160.408. ``Costs incurred by the covered entity as a 
result of the violation'' is not a concept that fits squarely within 
any of the statutory factors. Third, to the extent consideration of 
such costs is reasonable, it would seem to be relevant only to the 
criterion for waiver under Sec.  160.412 (``the extent that payment of 
the penalty would be excessive relative to the violation''); insofar as 
that criterion weighs the seriousness of the effect of the violation, 
costs associated with correcting the violation might in certain 
circumstances be a relevant factor to be considered.
3. Section 160.406--Number of Violations
    Proposed rule: Proposed Sec.  160.406 would establish the general 
rule that the Secretary will determine the number of violations of an 
identical requirement or prohibition by a covered entity by applying 
any of the variables of action, person, or time, as follows: (1) The 
number of times the covered entity failed to engage in required conduct 
or engaged in a prohibited act; (2) the number of persons involved in, 
or affected by, the violation; or (3) the duration of the violation, 
counted in days. Paragraph (a) of this section would require the 
Secretary to determine the appropriate variable or variables for 
counting the number of violations based on the specific facts and 
circumstances related to the violation, and take into consideration the 
underlying purpose of the particular HIPAA rule that is violated. More 
than one variable could be used to determine the number of violations 
(for example, the number of people affected multiplied by the time 
(number of days) over which the violation occurred). The Secretary 
would have discretion in determining which variable or variables were 
appropriate for determining the number of violations. The preamble to 
the proposed rule noted that, under this proposal, the policy for 
determining which variable(s) to use for which type of violation would 
be developed in the context of specific cases rather than established 
by regulation and that subsequent cases would be decided consistently 
with prior similar cases.
    Final rule: The final rule eliminates the provision for variables 
and provides that the number of violations of an identical requirement 
or prohibition (termed ``identical violations'') will be determined 
based on the nature of the covered entity's obligation to act or not 
act under the provision violated, such as its obligation to act in a 
certain manner, or within a certain time, or with respect to certain 
persons. With respect to continuing violations, a separate violation 
will be deemed to occur on each day such a violation continues.
    Comment: While two comments supported the proposal, many comments 
challenged the variable approach of proposed Sec.  160.406 to 
determining the number of violations. In particular, several comments 
expressed concern over the broad discretion provided to the Secretary 
to determine the number of violations, particularly in light of the 
fact that the proposed rule would have prohibited the ALJ from 
reviewing the Secretary's choice of variable(s). Further, some comments 
were concerned that the Secretary could use multiple variables to 
determine the number of violations. It was argued that the proposed 
approach was unfair in that it (1) did not allow covered entities to 
predict the amount of a civil money penalty that would result from a 
violation, and (2) could maximize the penalty to the statutory cap in 
virtually any case, which could result in very harsh penalties for 
relatively minor offenses. Other comments argued that the variable 
approach was inconsistent with the policy of proposed Sec.  
160.404(b)(2), prohibiting the double counting of overlapping 
regulatory requirements, or was inconsistent with HHS's general 
approach to voluntary compliance. It was suggested, for example, that 
HHS instead could establish one particular calculation method for each 
HIPAA rule or specify the types of violations for which HHS would use a 
particular method.
    Comments also criticized the variable approach as inconsistent with 
the definition of ``violation,'' arguing that the person and time 
variables have no logical relationship to a failure to comply, and 
thus, would not be appropriate for counting violations. Specifically, 
it was argued that since a ``violation'' is defined as a failure to 
comply with a requirement or prohibition, by definition a violation is 
a failure to take a required action or a failure to refrain from doing 
a prohibited act, and, thus, is not defined by the period of time 
during which such action or inaction occurs or by the number of people 
who may be affected by it. Further, several comments argued that the 
action/inaction variable was the only one that was consistent with the 
statute, so that penalizing covered entities by using other variables 
would be penalizing them for violations that, by definition, do not 
exist, which would be inconsistent with Congressional intent, as 
expressed in section 1176(a), and inappropriate as a matter of public 
policy. It was also argued that the time and person variables look at 
qualitative issues and attempt to measure the

[[Page 8406]]

importance of an act or omission; they do not measure where an act is 
quantitatively extensive--i.e., repeated or prolonged. It was argued 
that qualitative considerations are treated, under the statute, as 
aggravating or mitigating factors, not as questions of the quantity of 
violations, as is done under the variable approach.
    Response: It was not our intent to suggest that the variables we 
proposed would be employed in a manner unrelated to the nature of the 
underlying violation, as assumed by many of the comments. However, 
since we agree that the manner in which the number of identical 
violations should be determined will depend on the nature of the 
provision violated, and the provision for variables was confusing and 
susceptible to misinterpretation, we have eliminated the explicit 
requirement to use the person, time, and action variables. The final 
rule instead makes clear that the Secretary will determine the number 
of identical violations based on the nature of the obligation of the 
covered entity to act (or not act) under the provision violated. While 
we agree, in principle, that the definition of ``violation'' looks to 
an action or a failure to act as the essence of a violation, defining 
what particular act or failure to act constitutes the specific 
violation in question will necessarily require looking at the 
substantive provision involved and determining what the covered entity 
was legally obligated to do. We do not agree, in this regard, that the 
elements of ``people'' and ``time'' are always irrelevant to a failure 
to comply or that consideration of these elements would result in 
double counting of violations. Rather, the precise nature of the 
covered entity's obligation will, as discussed below, in many cases be 
a function of to whom the obligation is owed or the manner in which it 
must be performed or other elements. Thus, we include in the regulation 
examples of elements that should be considered, as appropriate, in 
construing a provision to determine a covered entity's obligation 
thereunder. We believe that this approach, under which the number of 
violations is grounded in the language of the provision violated, is 
wholly consistent with the statutory scheme.
    In many cases, applying this principle should not be difficult. For 
example, the Privacy Rule requires that covered entities have contracts 
or other arrangements in place with its business associates to assure 
the privacy of protected health information, and specifies what must 
(and may not) be included in the contract or other arrangement to do 
so. See Sec.  164.504(e). Two such provisions are that the contract may 
not authorize the business associate to use or further disclose the 
information in a manner that would violate the Privacy Rule, if done by 
the covered entity, and that the contract must provide that the 
business associate will use appropriate safeguards to prevent use or 
disclosure of the information other than as provided for by the 
contract. See Sec.  164.504(e)(2)(i) and 164.504(e)(2)(ii)(B). If a 
covered entity enters into five contracts with business associates that 
authorize the business associates to use protected health information 
in a manner not permitted by the Privacy Rule and that do not require 
the business associates to use appropriate safeguards to protect the 
information, the covered entity will have committed five violations of 
each of the two separate requirements. Similarly, the Transactions Rule 
prohibits covered entities from entering into trading partner 
agreements that would change the use of a data element in a standard or 
add data elements not contained in the standard. See Sec.  162.915(a), 
(b). If a health plan were, by trading partner agreement, to require 
200 providers to use a data element in a given transaction in a manner 
that was inconsistent with the standard, and also required the use of 
another data element that was not part of the standard, we would view 
each inconsistent requirement in the trading partner agreement as a 
separate violation. The regulation prohibits the adoption of certain 
terms in trading partner agreements, so each noncompliant term in each 
agreement would constitute a separate violation, resulting in 200 
violations of each of these requirements.
    With respect to the transactions standards themselves, however, we 
anticipate defining the requirement violated to be the requirement to 
conduct a standard transaction. While one could view each required data 
element in a transaction as a separate requirement, because the 
Implementation Guide for each transaction is incorporated by reference 
into the regulation, one could also view the underlying Implementation 
Guides as functioning simply to describe what constitutes compliance in 
a particular case, rather than establishing separate compliance 
requirements. While we believe that either interpretation of the 
Transactions Rule is permissible, we expect to take the latter view of 
the Rule, to facilitate the predictability of determining violations 
under that Rule. Thus, we would count each noncompliant transaction as 
a single violation, regardless of the number of missing data elements. 
For example, if a health plan is found to have conducted 200 
eligibility transactions which are missing several required data 
elements, the health plan would have committed 200 violations of one 
identical requirement (i.e., the requirement at Sec.  162.923(a) to 
conduct a covered transaction as a standard (i.e., compliant) 
transaction).
    In some cases, determining how many times a provision has been 
violated will be a function of the number of individuals or other 
entities affected, because the covered entity's obligation is to act in 
a certain manner with respect to certain persons. We include the term 
``persons'' in the list of examples in Sec.  160.406 to make clear that 
such consideration may be appropriate. It may include not only 
individuals, but also other covered entities, their workforce members, 
or trading partners, where the obligation in question relates to such 
types of persons. For example, assume that a covered entity 
impermissibly allows a workforce member to access the protected health 
information of 20 patients whose information is stored on a computer 
file. The question is whether this set of facts constitutes one 
violation or 20 violations of Sec.  164.502(a), which prohibits 
impermissible uses or disclosures of protected health information. 
Since the covered entity has an obligation with respect to each patient 
to protect his or her protected health information, the sharing of the 
20 patients' protected health information with the employee constitutes 
a separate impermissible use, or violation, of Sec.  164.502(a) with 
respect to each patient.
    Some provisions embody a requirement or prohibition that is of an 
ongoing nature or for which timeliness is an element of compliance. We 
characterize violations of such a requirement or prohibition as 
continuing violations. In such cases, the covered entity's obligation 
to act continues over time, and, if it fails to take the required 
action, that failure to comply also continues over time. Thus, there 
needs to be a way of determining how such compliance failures are 
measured. We have decided to count such failures in days, as each day 
represents a new opportunity to correct the compliance failure. 
Accordingly, we have included, in the second sentence of Sec.  160.406, 
language that establishes that continuing violations will be counted by 
days for purposes of determining how many violations of an identical 
requirement or prohibition occurred.

[[Page 8407]]

    For example, the Security Rule requires covered entities to 
implement many types of policies and procedures. Under Sec.  
164.308(a)(4)(i), for example, a covered entity is required to 
implement policies and procedures for authorizing access to electronic 
protected health information that are consistent with the applicable 
requirements of the Privacy Rule. The implementation of such policies 
and procedures is an ongoing obligation and, thus, any failure to adopt 
them is a continuing violation. As another example, a covered entity 
generally is required by Sec.  164.524 to act on a request by an 
individual for access to his or her protected health information no 
later than 30 days after the request is received. Thus, each day beyond 
the 30-day period a covered entity fails to provide such access would 
be a separate violation.
    In contrast, situations in which the violation is a discrete act 
would not be continuing violations. The transaction example above 
illustrates violations that are discrete acts. Similarly, where a 
health plan violates Sec.  162.925(a)(2) by rejecting transactions 
because they are standard transactions, each rejection would constitute 
a discrete act. The example above of the workforce member who 
impermissibly accesses protected health information likewise is an 
example of violations that are discrete acts.
    As explained above, determining the number of violations in a 
particular case will depend, necessarily, on the precise provision 
violated and a covered entity's obligations thereunder. The examples 
above should assist covered entities in understanding their potential 
liability. These examples also illustrate that determining the number 
of violations may implicate a number of elements depending on the 
underlying provision violated, such as whether a covered entity had an 
obligation with respect to each person, or the amount of time that had 
elapsed with respect to a continuing violation, or a combination of 
these or other elements. While the final rule does not adopt the 
variable approach of the proposed rule, it does not preclude 
consideration of multiple elements in determining what constitutes the 
violation and, thus, the number of violations.
    Comment: Several comments challenged the preamble statement that 
future cases would be decided consistently with prior similar cases. 
One comment suggested that giving HHS discretion to determine the 
variables used in counting violations, yet saying that future cases 
will be consistent with past use of variable in similar violations, 
creates conflict. Other comments asked whether and how a covered entity 
would be able to challenge the selection of variable(s) based on the 
variables used in similar cases, if the facts of prior cases were not 
publicized, so that covered entities could determine how prior 
violations had been counted. Thus, comments requested that tracking of 
decided cases and the use of variables for each provision be assigned 
to a central entity within HHS, or that this information be made 
available to covered entities via the HHS Web sites.
    Response: With respect to the comments regarding the preamble 
statement in the proposed rule that future cases would be decided 
consistently with prior similar cases, we clarify that the number of 
violations of a particular provision will be determined in a similar 
manner each time a case presents a violation of that particular 
provision, with due regard to the individual facts and circumstances of 
the case. In addition, as discussed below, the final rule eliminates 
the prohibition on ALJ review of the Secretary's choice of variable. 
Thus, under the final rule, the ALJ may review the Secretary's method 
of determining the number of violations for consistency or other 
purposes. With respect to a covered entity's ability to challenge the 
Secretary's method of determining the number of violations, HHS will 
make available for public inspection and copying final decisions 
imposing civil money penalties and may publish such decisions on its 
HIPAA Web sites. (This is discussed below in connection with Sec.  
160.426.) Thus, covered entities will be able to ascertain the 
application of the penalty provisions where penalties are imposed.
    Comment: One comment suggested that there be a limit on the number 
of violations determined based upon the monetary impact the fine will 
have on the covered entity.
    Response: A change is not necessary, as the statute and regulation 
already provide two points at which the financial impact of a civil 
money penalty on a covered entity may be considered--in connection with 
(1) the statutory factors (section 1128A(d), implemented in this rule 
by Sec.  160.408) and (2) waiver (section 1176(b)(4), implemented in 
this rule by Sec.  160.412).
    Comment: Two comments suggested that the Secretary should consider 
whether or not the covered entity has enacted and completed a 
corrective action plan when determining the number of violations.
    Response: Completion of a corrective action plan does not relate to 
determining the number of occurrences of a violation, so we do not 
include it as part of Sec.  160.406. However, HHS would consider any 
such action prior to imposition of a civil money penalty for purposes 
of determining whether there is a basis for informal resolution of the 
complaint. In addition, this fact is taken into account in determining 
whether the penalty should be imposed at all, insofar as it pertains to 
the ``reasonable cause'' defense under section 1176(b)(3) and Sec.  
160.410(b)(3), since an element of that defense is whether the 
``failure to comply'' has been corrected.
4. Section 160.408--Factors Considered in Determining the Amount of a 
Civil Money Penalty
    Proposed rule: Section 1176(a)(2) states that, with some 
exceptions, the provisions of section 1128A of the Act shall apply to 
the imposition of a civil money penalty under section 1176 ``in the 
same manner as'' such provisions apply to the imposition of a civil 
money penalty under section 1128A. Section 1128A(d) requires that--

    In determining the amount of * * * any penalty, * * * the 
Secretary shall take into account--
    (1) The nature of the claims and the circumstances under which 
they were presented,
    (2) The degree of culpability, history of prior offenses and 
financial condition of the person presenting the claims, and
    (3) Such other matters as justice may require.

    While the factors listed in section 1128A(d) were drafted to apply 
to violations involving claims for payment under federally funded 
health programs, HIPAA violations usually will not concern claims. 
Thus, we proposed to tailor the section 1128A(d) factors to the HIPAA 
rules and break them into their component elements for ease of 
understanding and application, as follows: (1) The nature of the 
violation; (2) the circumstances under which the violation occurred; 
(3) degree of culpability; (4) history of prior offenses; (5) financial 
condition of the covered entity; and (6) such other matters as justice 
may require. Proposed Sec.  160.408 provided detailed factors, within 
the categories stated above, to consider in determining the amount of a 
civil money penalty. However, the proposed rule would not label any of 
these factors as aggravating or mitigating. Rather, proposed Sec.  
160.408 listed factors that could be considered either as aggravating 
or mitigating in determining the amount of the civil money penalty. The 
proposed approach would allow the Secretary to choose whether to 
consider a particular factor and how to consider each factor as 
appropriate in each

[[Page 8408]]

situation to avoid unfair or inappropriate results. It also would leave 
to the Secretary's discretion the decision regarding when aggravating 
and mitigating factors will be taken into account in determining the 
amount of the civil money penalty.
    Final rule: The final rule adopts the provisions of the proposed 
rule, with a minor clarification. Section 160.408(d) is revised to 
clarify that the prior history to be considered relates to prior 
compliance with, and violations of, the administrative simplification 
provisions.
    Comment: A number of comments supported the provision for 
mitigating factors and urged that it be retained in the final rule.
    Response: We agree and have done so. See Sec.  160.408 below.
    Comment: A number of comments raised concerns or recommendations 
related to a covered entity's history of compliance. For example, 
several urged that HHS consider as a factor whether the covered entity 
has initiated correction action, and whether such action was performed 
independently and prior to contact from HHS. Some comments also 
requested that HHS consider any evidence of a covered entity's good 
faith attempts to comply with the administrative simplification 
requirements or that HHS take into consideration a history of prior 
controls. One comment stated that the phrase ``history of prior 
offenses'' in proposed Sec.  160.408(d) was vague and requested that 
HHS revise the provision to clarify that it refers only to prior 
violations by a covered entity of the HIPAA rules, and not to prior 
offenses unrelated to the HIPAA rules. Another comment expressed 
concern with the provision at proposed Sec.  160.408(d)(4), which would 
allow HHS to consider as a factor in determining the amount of a civil 
money penalty how the covered entity has responded to prior complaints, 
as well as the preamble statement that such factor could include 
complaints raised by individuals directly to the covered entity. The 
comment argued that the manner in which a covered entity responded to 
previous complaints about matters unrelated to the violation at issue, 
or to complaints raised by individuals, may be irrelevant and unfairly 
prejudicial.
    Response: With respect to corrective action by a covered entity, 
HHS would consider any such action prior to imposition of a civil money 
penalty for purposes of determining whether there is a basis for 
informal resolution of a complaint. In addition, corrective actions of 
the covered entity are taken into account in determining whether the 
covered entity has established an affirmative defense to the violation 
as provided for under Sec.  160.410(b)(3). Nonetheless, where the 
corrective action is taken in response to a complaint from an 
individual, the final rule at Sec.  160.408(d)(4) provides the 
Secretary with authority to consider such corrective action as a factor 
in determining a civil money penalty.
    With respect to a covered entity's good faith attempt to comply 
with the HIPAA provisions and rules, we agree that such actions could 
be mitigating factors depending on the circumstances and, thus, have 
revised the rule to clarify that a covered entity's history of prior 
compliance generally may be considered, which could include, as 
appropriate, prior violations, as well as prior compliance efforts. In 
addition, we agree that Sec.  160.408(d) should apply only to 
violations of the HIPAA rules, and not to offenses of other provisions 
of law. Accordingly, we have revised the language of Sec.  160.408(d) 
to substitute the term ``violations''--which is defined at Sec.  
160.302 as a failure to comply with an administrative simplification 
provision--for the term ``offenses'' in the proposed rule.
    Finally, we disagree that only those prior violations that are 
relevant to the issue at hand should be considered. While greater 
attention may be given to those violations that are similar in nature 
to the violation at issue, a covered entity's history of HIPAA 
compliance generally is relevant to determining whether the amount of a 
civil money penalty should be increased or decreased.
    Comment: One comment urged that the size of the covered entity not 
be used as a factor in determining the amount of a civil money penalty, 
arguing that larger covered entities should not be subject to greater 
penalties for violations identical to those of smaller entities. The 
comment stated that, depending on the way the number of violations is 
calculated, larger covered entities are already subject to greater risk 
since more patients potentially could be affected by one act or 
omission. Another comment asked what financial information would be 
required of a respondent to make a showing of its financial condition 
and whether, given that section 1128A provides that the Secretary shall 
take into account financial condition, the burden is on HHS to do so 
even if the respondent does not. Another comment asked how the 
financial condition of a covered entity is to be assessed.
    Response: With respect to the first comment, no change is made in 
the final rule. The size of the covered entity is relevant in 
considering, under Sec.  160.408(e)(1), whether a covered entity 
experienced financial difficulties affecting its ability to comply, and 
under Sec.  160.408(e)(2), whether the imposition of a civil money 
penalty would jeopardize a covered entity's ability to provide or pay 
for health care. In response to the second comment, the showing that a 
covered entity must make of its financial condition will vary depending 
on the circumstances. However, a respondent may provide whatever 
information it believes relevant to such a determination should it 
desire that HHS consider the entity's financial condition as a 
mitigating factor. Should a respondent fail to raise financial 
condition as a mitigating factor (or any other mitigating factor), 
however, HHS is under no obligation to raise the issue. See Sec.  
160.534(b)(1)(ii).
    With respect to how financial condition is assessed, the 
Departmental Appeals Board (Board) has considered this issue in other 
cases litigated under section 1128A. The Board has said that an inquiry 
into a provider's financial condition should be focused on whether the 
provider can pay the civil money penalty without being put out of 
business. See Milpitas Care Center, DAB No. 1864 (2003). In Capitol 
Hill Community Rehabilitation and Specialty Care Center, DAB CR 469 
(1997), aff'd, DAB No. 1629 (1997), the Board construed a regulation 
(42 CFR 488.438(f)(2)) that lists a facility's ``financial condition'' 
as one of the factors that must be considered in deciding the amounts 
of civil money penalties. The Board stated that, while the term 
``financial condition'' is not defined in the regulations, the plain 
meaning of the term is that a facility's ``financial condition'' is its 
overall financial health. Thus, the relevant question to be considered 
in deciding whether a facility's financial condition would permit it to 
pay civil money penalties is whether the penalty amounts would 
jeopardize the facility's ability to survive as a business entity.
    Comment: One comment argued that proposed Sec.  160.408 should 
establish that HHS can only consider mitigating factors to determine 
the amount of the civil money penalty and not as a basis for waiving 
the penalty altogether. The comment stated that proposed Sec.  160.410 
already establishes circumstances under which HHS may not impose a 
fine, and it would be unreasonable to extend those circumstances.
    Response: The final rule does not expand the circumstances under 
which the Secretary is prohibited from imposing, or may waive, a civil 
money penalty under Sec. Sec.  160.410 and 160.412,

[[Page 8409]]

respectively. The factors in Sec.  160.408 may be applied to determine, 
as appropriate, whether to increase or decrease the amount of a civil 
money penalty.
    Comment: One comment expressed concern that the overlap of certain 
variables in proposed Sec.  160.406 with factors in proposed Sec.  
160.408 (e.g., the variable for the duration of the violation counted 
in days versus the factor for the time period during which the 
violation occurred) could result in compounding the penalty.
    Response: We disagree that providing for both counting continuing 
violations in days and taking time into account under Sec.  160.408 is 
inappropriate. The provision for counting continuing violations in days 
relates to determining how many times violation of an identical 
provision occurred; the provision for considering the time period of 
the violation is one element, among others, that may constitute a 
mitigating or aggravating factor in determining the amount of a civil 
money penalty. While it is true that length of time will tend to 
operate in the same direction (i.e., to reduce or enlarge the penalty) 
with respect to each of these elements of the penalty calculation, 
these two elements are different in nature, and time is relevant to 
both.
    Comment: One comment that supported the list of factors in proposed 
Sec.  160.408 nonetheless recommended that we better describe the 
factors in the preamble. Another comment requested examples of what may 
be included in the factor of ``[s]uch other matters as justice may 
require'' proposed at Sec.  160.408(f).
    Response: With respect to the first comment, the factors themselves 
are particularized and, thus, are fairly self-explanatory. However, 
where questions about the factors were raised in the public comments, 
we have provided further guidance in our responses in this preamble. 
With respect to the ``such matters as justice may require'' factor, 
many different circumstances have been cited for consideration in prior 
cases in other areas in which this factor applies. For example, ALJs 
have been asked to consider the following types of circumstances under 
this factor: the respondent's trustworthiness, the respondent's lack of 
veracity and remorse, measurable damages to the government, indirect or 
intangible damages to the government, the effect of the penalty on 
respondent's rehabilitation, and unprompted diligence in correcting 
violations.
5. Section 160.410--Affirmative Defenses to the Imposition of a Civil 
Money Penalty
    Section 160.410 implements sections 1176(b)(1)-(3) of the Act. 
These sections specify certain limitations on when civil money 
penalties may be imposed. Paragraphs (1), (2), and (3) of section 
1176(b) each state that, if the conditions described in those 
paragraphs are met, a penalty may not be imposed under subsection (a) 
of section 1176. Under section 1176(b)(1), a civil money penalty may 
not be imposed with respect to an act if the act constitutes a criminal 
offense punishable under section 1177 of the Act. Under section 
1176(b)(2), a civil money penalty may not be imposed if it is 
established to the satisfaction of the Secretary that the person who 
would be liable for the penalty did not know, and by exercising 
reasonable diligence would not have known, that such person violated 
the provision. Under section 1176(b)(3), a civil money penalty may not 
be imposed if the failure to comply was due to reasonable cause and not 
to willful neglect and is corrected within a certain period. The period 
of time to correct a failure to comply may be extended as determined 
appropriate by the Secretary based on the nature and extent of the 
failure to comply.
    Proposed rule: Proposed Sec.  160.410 would characterize the 
limitations under section 1176(b)(1), (2), and (3) as ``affirmative 
defenses,'' to make clear that they must be raised in the first 
instance by the respondent. In order not to preclude the raising of 
affirmative defenses that could legitimately be raised, the 
introductory text of proposed Sec.  160.410 would permit a respondent 
to offer affirmative defenses other than those provided in section 
1176(b).
    Under proposed Sec.  160.410(a), several terms relevant to the 
affirmative defenses would be defined: ``Reasonable cause,'' 
``reasonable diligence,'' and ``willful neglect.'' ``Reasonable cause'' 
would be defined as ``circumstances that make it unreasonable for the 
covered entity, despite the exercise of ordinary business care and 
prudence, to comply with the administrative simplification provision 
violated.'' ``Reasonable diligence'' would be defined as ``the business 
care and prudence expected from a person seeking to satisfy a legal 
requirement under similar circumstances.'' ``Willful neglect'' would be 
defined as ``conscious, intentional failure or reckless indifference to 
the obligation to comply with the administrative simplification 
provision violated.''
    Proposed Sec.  160.410(b)(1) simply referred to section 1177.\2\ 
Proposed Sec.  160.410(b)(2) generally tracked the statutory language, 
but also provided that whether or not a covered entity possesses the 
requisite knowledge to make this affirmative defense inapplicable would 
be ``determined by the federal common law of agency.'' The text of 
proposed Sec.  160.410(b)(3) used the defined term ``reasonable 
diligence'' and, thus, would build on the analysis conducted under 
proposed Sec.  160.410(b)(2). Proposed Sec.  160.410(b)(3)(ii)(B) would 
follow the statutory language and would permit the Secretary to use the 
full discretion provided by the statute in extending the statutory cure 
period.
---------------------------------------------------------------------------

    \2\ Section 1177(a) provides that a person who knowingly and in 
violation of this part uses or causes to be used a unique health 
identifier, obtains individually identifiable health information 
relating to an individual, or discloses individually identifiable 
health information relating to another person shall be punished as 
provided in subsection (b). Section 1177(b) sets out three levels of 
penalties that vary depending on the circumstances under which the 
offense was committed.
---------------------------------------------------------------------------

    Final rule: The final rule adopts the provisions of the proposed 
rule. A related change is made to Sec.  160.504(c), as discussed below.
a. Section 160.410(b)--General Rule
    Comment: One comment asked whether a covered entity could challenge 
in a hearing the reasonableness of the Secretary's finding that an 
affirmative defense has not been sufficiently established.
    Response: A respondent may challenge in a hearing the finding in a 
notice of proposed determination that an affirmative defense has not 
been established. See Sec.  160.534(b)(1)(i), which provides that the 
respondent bears the burden of proof with respect to affirmative 
defenses.
    Comment: Two comments noted that the preamble to the proposed rule 
(70 FR 20237) would allow a covered entity to raise affirmative 
defenses in addition to those listed under Sec.  160.410(b), but that 
the text of the proposed rule would not allow for additional defenses. 
They asked that the final rule be revised to allow a covered entity to 
present affirmative defenses not expressly listed in Sec.  160.410(b). 
One comment contended, however, that Sec.  160.410 would allow covered 
entities too many opportunities to avoid a penalty.
    Response: The introductory text of Sec.  160.410(b) permits other 
affirmative defenses to be raised by using the phrase ``including the 
following.'' While we do not delineate what additional affirmative 
defenses might be raised, the ``[e]xcept as provided in subsection 
(b)''

[[Page 8410]]

language of section 1176(a)(1) suggests that they are limited. 
Nonetheless, the statute clearly contemplates at least one defense 
other than the limitations set out at section 1176(b)--the statute of 
limitations provision at section 1128A(h). Statutes of limitations 
defenses are typically treated as affirmative defenses, see Fed. R. 
Civ. P. 8(c). (28 U.S.C. Appendix). Thus, we believe that provision for 
other affirmative defenses that may be fairly implied from the HIPAA 
provisions or section 1128A must be made and, accordingly, have done 
so.
    We do not eliminate the affirmative defenses that may be raised and 
that are provided for by Sec.  160.410, as suggested by the final 
comment above. We have no authority to eliminate a limitation that the 
statute imposes on our authority to impose civil money penalties, 
whether or not it has the effect complained of.
    Comment: One comment suggested that Sec.  160.410(b) should be 
revised to state that the Secretary ``shall not'' impose a civil money 
penalty. The comment stated that if a covered entity establishes an 
affirmative defense, the Secretary should not have discretion to impose 
a penalty as indicated by the current wording ``may not impose.''
    Response: We do not make the suggested change, because the present 
wording accomplishes what the comment urges. The phrase ``may not 
impose'' means, in this context, ``is not permitted to impose.'' We do 
not change the language here, as it is consistent with the usage in the 
HIPAA rules generally, and we do not wish to suggest an inconsistency 
or a different meaning for similar prohibitions in other HIPAA rules.
b. Section 160.410(b)(1)--``Criminal Offense'' Affirmative Defense
    Comment: Several comments expressed concern that covered entities 
are being forced to incriminate themselves if they raise the 
affirmative defense under Sec.  160.410(b)(1) in the request for 
hearing under Sec.  160.504. These comments stated that covered 
entities should be able to raise this defense after a case has been 
referred to the Department of Justice, on the theory that section 
1176(b)(1) operates as a jurisdictional bar to the imposition of a 
civil money penalty. One comment cited the Memorandum for Alex M. Azar 
II and Timothy J. Coleman from Stephen G. Bradbury, Re: Scope of 
Criminal Enforcement Under 42 U.S.C. 1320d-6 (June 1, 2005) (Justice 
Memorandum). The Justice Memorandum is available at http://www.usdoj.gov/olc/hipaa_final.htm. The comment cited the Justice 
Memorandum for the proposition that this section of the statute 
operates as an absolute bar to imposition of a civil money penalty, 
rather than as an affirmative defense. Several comments argued that the 
burden of establishing that the limitation of section 1176(b)(1) 
applied should be on HHS, not on the respondent, as a matter of 
fairness.
    Response: We continue to be of the view that the statute is 
structured to make the limitation of section 1176(b)(1) a defense that 
must be raised by the respondent. The fact that meeting the condition 
described in this subsection operates to bar the imposition of a civil 
money penalty does not distinguish it from the limitations provided for 
by sections 1176(b)(2) and 1176(b)(3), and those sections of the 
statute clearly are defenses which the respondent should raise. 
Moreover, the burden of establishing that section 1176(b)(1) applied 
could never be on HHS, as that would require HHS to carry the burden of 
proving a fact that would defeat its claim; it is the respondent, not 
HHS, who, in the context of the hearing, will be the proponent of the 
claim that the act for which a civil money penalty is sought is a 
criminal offense.
    However, we recognize that section 1176(b)(1) could potentially 
present a situation of some difficulty for a respondent, where the 
Department of Justice is considering a referral related to the 
violations on which the civil money penalty action has been brought. 
While the requirement that civil money penalties be authorized by the 
Department of Justice before they are brought should prevent such 
situations from arising, we cannot assume that they will never arise. 
Accordingly, we provide that, unlike the other affirmative defenses, 
which are waived if not raised in the request for hearing, this 
affirmative defense may be raised at any time during the administrative 
proceedings, to permit respondents to better manage such legal risks, 
should they ever arise. Provision for this is made in Sec.  160.504(c), 
and a conforming change is made to Sec.  160.548(e).
    Comment: One comment stated that the fact of referral to the 
Department of Justice should constitute conclusive evidence that the 
act is one ``punishable'' under section 1177, even if the Department of 
Justice declines to prosecute (so that the act is not ``punished'' 
under section 1177).
    Response: We do not agree. Referral to the Department of Justice 
constitutes, at most, our preliminary assessment that the act in 
question may be subject to criminal prosecution. The Department of 
Justice may not agree with our preliminary assessment and may return 
the case to us for administrative action.
    Comment: One comment requested that knowledge under section 1177 be 
defined.
    Response: ``Knowingly'' is the term used in section 1177 of the Act 
(``A person who knowingly and in violation of this part * * * ''). 
According to the Office of Legal Counsel of the United States 
Department of Justice, `` `the term `knowingly' merely requires proof 
of knowledge of the facts that constitute the offense.' '' Justice 
Memorandum, at 11, quoting U.S. v. Bryan, 524 U.S. 184, 193 (1998).
c. Section 160.410(b)(2)--``Lack of Knowledge'' Affirmative Defense
    Comment: One comment asks HHS to clarify the definition of 
knowledge required for a civil money penalty to be imposed.
    Response: Under section 1176(b)(2), a civil money penalty may not 
be imposed for a violation ``if it is established to the satisfaction 
of the Secretary that the person liable for the penalty did not know * 
* * that such person violated the provision.'' As we observed at 70 FR 
20237--

    This language on its face suggests that the knowledge involved 
must be knowledge that a ``violation'' has occurred, not just 
knowledge of the facts constituting the violation. * * * We, thus, 
interpret this knowledge requirement to mean that the covered entity 
must have knowledge that a violation has occurred, not just 
knowledge of the facts underlying the violation.

    Comment: One comment asked whether, if a covered entity were found 
not to be liable because the knowledge of an agent could not be imputed 
to it, the individual committing the violation would be held liable for 
the penalty.
    Response: The Enforcement Rule provides that only a covered entity 
is liable for a civil money penalty under section 1176. See Sec.  
160.402(a) and the definition of ``respondent'' at Sec.  160.302.
    Comment: One comment contended that the phrase ``to the 
satisfaction of the Secretary'' should be stricken from proposed Sec.  
160.410(b)(2). The comment stated that this phrase would preclude the 
covered entity from raising an argument before the ALJ that the 
Secretary did not properly consider their affirmative defenses before 
imposing a penalty. Another comment asked whether this phrase makes the 
finding totally discretionary and, thus, unreviewable by the ALJ.
    Response: This language is statutory, as may be seen at section 
1176(b)(2), set out above. Further, as discussed above, a respondent 
may raise affirmative defenses in a hearing. Where so raised,

[[Page 8411]]

the ALJ's decision as to whether the covered entity lacked knowledge 
would become the decision of the Secretary, unless reversed on 
subsequent appeal.
    Comment: One comment asked, with respect to imputing knowledge to 
the covered entity, who would be considered to be a ``responsible 
officer or manager'' and whether a Privacy Officer is considered a 
``responsible officer or manager.''
    Response: With respect to who would be considered to be a 
responsible officer or manager and whether a Privacy Officer would be 
considered a responsible officer or manager, see the discussion above 
under Sec.  160.402(c).
    Comment: One comment asked whether, if a Privacy Officer mitigates 
or corrects a violation, that action would satisfy the requirement that 
a responsible officer or manager be made aware of the violation.
    Response: We are unsure what the precise concern of this comment 
is, as the issue of knowledge typically would arise in the context of 
the ``lack of knowledge'' affirmative defense. That defense requires, 
for its application, that the covered entity not have actual or 
constructive knowledge of the violation. If the violation has been 
corrected, as the comment suggests, one would normally presume that the 
covered entity knew of the violation, making the lack of knowledge 
defense unavailable. Under the scenario posed by the comment, as we 
understand it, the issue would be whether the elements of the 
``reasonable cause'' affirmative defense were present.
d. Section 160.410(b)(3)--``Reasonable Cause'' Affirmative Defense
    Comment: One comment asked that the word ``corrected'' in Sec.  
160.410(b)(3)(ii) be changed to ``mitigated,'' because not all 
violations can be fully corrected.
    Response: We agree with the comment that not all violations of the 
HIPAA rules can be fully corrected, in the sense of being undone or 
fully remediated. However, we do not agree that the term ``corrected,'' 
which is the term used by the statute, need be read so narrowly. 
Rather, the statute speaks of the ``failure to comply'' being 
corrected. Thus, the term ``corrected,'' as used in the statute, could 
include correction of a covered entity's noncompliant procedure by 
making the procedure compliant. In any event, since the term 
``corrected'' is the term used in the statute, we employ it in the rule 
below.
    Comment: One comment requested clarification as to how a covered 
entity could ask for an extension of time to cure a violation under 
Sec.  160.410(b)(3)(ii)(B).
    Response: The covered entity should make this request in writing 
to, as applicable, CMS or OCR. The request should state when the 
violation will be corrected and the reasons that support the need for 
additional time.
    Comment: One comment asked that the 30-day cure period be extended 
by an additional 30 days.
    Response: The initial cure period is, by statute, 30 days. However, 
section 1176(b)(3)(B)(i) permits the Secretary to extend the initial 
cure period ``as determined appropriate by the Secretary based on the 
nature and extent of the failure to comply.'' Section 
160.410(b)(3)(ii)(B) adopts, and does not expand upon, this statutory 
language. Thus, HHS could extend the cure period for an additional 30 
days (or some greater or lesser period), if it were determined 
appropriate to do so.
6. Section 160.412--Waiver
    Section 1176(b)(4) of the Act provides for waiver of a civil money 
penalty in certain circumstances. Section 1176(b)(4) provides that, if 
the failure to comply is ``due to reasonable cause and not to willful 
neglect,'' a penalty that has not already been waived under section 
1176(b)(3) ``may be waived to the extent that the payment of such 
penalty would be excessive relative to the compliance failure 
involved.'' If there is reasonable cause and no willful neglect and the 
violation has been timely corrected, the imposition of the civil money 
penalty would be precluded by section 1176(b)(3). Therefore, waiver 
under this section would be available only where there was reasonable 
cause for the violation and no willful neglect, but the violation was 
not timely corrected.
    Proposed rule: Proposed Sec.  160.412 did not propose to elaborate 
on the statute in any material way. This provision would provide the 
Secretary with the flexibility to utilize the discretion provided by 
the statutory language as necessary.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment suggested that this section be removed 
entirely. The comment stated that section 1176(b)(4) authorizes, but 
does not compel, the Secretary to allow for waiver of civil money 
penalties. The comment argued that waiver is an unnecessary avenue for 
covered entities to avoid penalties, as the statute and the proposed 
rule would provide so many other avenues by which a covered entity 
could avoid being penalized for violations.
    Response: As was more fully discussed at 70 FR 20239, the statute, 
in our view, creates a statutory right for covered entities to request 
a waiver, where a violation is due to reasonable cause and not willful 
neglect, but has not been corrected within the statutory cure period 
(including any extensions thereof). While the grant of a waiver is 
within the agency's discretion, the statute clearly contemplates that 
covered entities may request a waiver in such circumstances and that 
HHS must consider the request. Accordingly, we do not make the change 
suggested.
7. Section 160.414--Limitations
    Proposed rule: Proposed Sec.  160.414 was adopted by the April 17, 
2003 interim final rule as Sec.  160.522. We proposed to move this 
section, which sets forth the six-year limitation period provided for 
in section 1128A(c)(1), from subpart E to subpart D, because this 
provision applies generally to the imposition of civil money penalties 
and is not dependent on whether a hearing is requested. We also 
proposed to change the language of this provision so that the date of 
the occurrence of the violation is the date from which the limitation 
is determined.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment requested clarification of record retention 
requirements and their interaction with the time limitation on bringing 
an enforcement action.
    Response: The issue raised by this comment is discussed in 
connection with Sec.  160.310 above.
    Comment: One comment suggested shortening the time period to two 
years in the interest of accomplishing compliance faster and making 
record-keeping less burdensome for covered entities.
    Response: The six-year limitations period of Sec.  160.414 is 
provided for by statute (section 1128A(c)(1) of the Act), and, thus, is 
not within our power to change by regulation. Insofar as this comment 
suggests changing the record retention requirements of the Privacy and 
Security Rules, the requested change is outside the scope of this 
rulemaking.
8. Section 160.416--Authority To Settle
    Proposed rule: Proposed Sec.  160.416 was adopted by the April 17, 
2003 interim final rule as Sec.  160.510. We proposed to move this 
section, which addresses the authority of the Secretary to settle any 
issue or case or to compromise any penalty imposed on a covered entity, 
from subpart E to subpart D, because this provision

[[Page 8412]]

applies generally to the imposition of civil money penalties, and is 
not dependent on whether a hearing is requested. No change was proposed 
to the text of the provision.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment expressed concern that this provision does not 
provide for alternative dispute resolution. The comment urged HHS to 
remain committed to the informal resolution process.
    Response: We provide in the rule that HHS will attempt to resolve 
compliance issues informally, for the reasons discussed above and in 
the preamble to the proposed rule. Where this process is insufficient 
to resolve the matter, the statute requires provision of a formal 
hearing process, if a hearing is requested. We note that under their 
current procedures, the ALJ and/or the Departmental Appeals Board 
routinely afford parties the opportunity to engage in alternative 
dispute resolution.
    Comment: Two comments suggested removing Sec.  160.416 from the 
final rule, on the ground that it is inappropriate to give the 
Secretary this authority without oversight.
    Response: We do not adopt this suggestion. The statute explicitly 
gives the Secretary the authority to compromise penalties, which would 
typically be done through settlement of the case. See section 1128A(f).
9. Section 160.420--Notice of Proposed Determination
    Proposed rule: The text of proposed Sec.  160.420 was adopted by 
the April 17, 2003 interim final rule as Sec.  160.514. We proposed to 
move this section from subpart E, which sets out the procedures and 
rights of the parties to a hearing, to subpart D, because the notice 
provided for in this section must be given whenever a civil money 
penalty is proposed, regardless of whether a hearing is requested. No 
changes, other than conforming changes, were proposed to paragraphs 
(a)(1) and (a)(3), (a)(4), or to paragraph (b). We proposed to revise 
paragraph (a)(2) by adding that, in the event the Secretary employs 
statistical sampling techniques under Sec.  160.536, the sample relied 
upon and the methodology employed must be generally described in the 
notice of proposed determination. A new paragraph (a)(5) would require 
the notice to describe any circumstances described in Sec.  160.408 
that were considered in determining the amount of the proposed penalty; 
this provision would correspond to Sec.  1003.109(a)(5) of the OIG 
regulations. Paragraph (a)(5) of Sec.  160.514 of the April 17, 2003 
interim final rule would be renumbered as Sec.  160.420(a)(6).
    Final rule: We adopt the section as proposed, except that, where 
HHS bases the proposed penalty in part on statistical sampling, a copy 
of the report of the agency's statistical expert, rather than just a 
description of the study and the sampling technique used, must be 
provided with the notice of proposed determination.
    Comment: One comment requested clarification as to whether the 
notice of proposed determination serves as the notice required by the 
statute.
    Response: Yes, the notice provided for by Sec.  160.420--the notice 
of proposed determination--implements the requirement for notice of 
section 1128A(c)(1).
    Comment: One comment recommended that the final rule retain Sec.  
160.420(a)(5) to ensure that covered entities have sufficient 
information as to why the penalty was imposed.
    Response: This has been done. See Sec.  160.420(a)(5) below.
    Comment: Several comments requested that the rule specify that the 
notice of proposed determination will be sent to the covered entity's 
Privacy Officer or another designated officer.
    Response: This issue is discussed below in connection with Sec.  
160.504.
    Comment: Several comments stated that, if HHS bases its proposed 
penalty on statistical sampling, the notice of proposed determination 
should include a copy of the study relied upon, so that a covered 
entity has adequate notice and time to prepare its defense.
    Response: We agree and have made the requested change.
10. Section 160.422--Failure To Request a Hearing
    Proposed rule: The text of proposed Sec.  160.422 was adopted by 
the April 17, 2003 interim final rule as Sec.  160.516. We proposed to 
add language (``and the matter is not settled pursuant to Sec.  
160.416'') to recognize that the Secretary and the respondent may agree 
to a settlement after the Secretary has issued a notice of proposed 
determination. We also proposed that the penalty be final upon receipt 
of the penalty notice, to make clear when subsequent actions, such as 
collection, may commence.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Several comments suggested that a provision should be 
added allowing the time frame to request a hearing to be extended when 
the notice of proposed determination is not received by the appropriate 
person within the covered entity.
    Response: This issue is discussed in connection with Sec.  160.504 
below.
11. Section 160.424--Collection of Penalty
    Proposed rule: The text of Sec.  160.424 was adopted by the April 
17, 2003 interim final rule as Sec.  160.518. We proposed to move this 
section, which addresses how a final penalty is collected, from subpart 
E to subpart D, because this provision applies generally to the 
imposition of civil money penalties and is not dependent upon whether a 
hearing is requested. The rule provides that once a proposed penalty 
becomes final, it will be collected by the Secretary, unless 
compromised. The Secretary may bring a collection action in the Federal 
district court for the district in which the respondent resides, is 
found, or is located. The penalty amount, as finally determined, may be 
collected by means of offset from Federal funds or state funds owing to 
the respondent. Matters that were, or could have been, raised in a 
hearing or in an appeal to the U.S. Circuit Court of Appeals may not be 
raised as a defense to the collection action.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment asked what interest rate will accrue, if a 
penalty is not paid promptly by the covered entity.
    Response: Under the Federal Claims Collection rules, interest is 
calculated as provided by 31 U.S.C. 3717. See 31 CFR 901.9.
    Comment: One comment asked whether, if a penalty is assessed 
against a hybrid entity, the part of the entity responsible for the 
violation would pay the penalty or the entire hybrid entity would pay 
the penalty.
    Response: As noted above, a hybrid entity is, by definition, a 
single legal entity. Where a penalty is assessed against a covered 
entity that has designated itself as a hybrid entity, the legal entity 
that is the covered entity is responsible for payment of the penalty. 
How the covered entity allocates the penalty payment as a matter of 
internal accounting is a business decision of the covered entity.
    Comment: One comment asked whether, if an agency with the same 
structure as a Medicaid agency is assessed a penalty, federal dollars 
can be withheld in lieu of payment of the penalty.
    Response: Yes. Section 1128A(f) provides for setoff of penalty 
amounts against Federal or state agency funds then or later owing to 
the person penalized.
    Comment: One comment suggests that the Secretary does not have the

[[Page 8413]]

authority to preclude issues from being raised in a civil action in 
federal court. The comment suggests removing Sec.  160.424(d) from the 
final rule.
    Response: Section 160.424(d) merely states the well-recognized 
principle that, where an administrative remedy exists, a plaintiff must 
exhaust that remedy as a precondition to raising the issue in question 
in court.
12. Section 160.426--Notification of the Public and Other Agencies
    Proposed rule: We proposed to require notification of the public 
generally whenever a proposed penalty became final, in order to make 
the information available to anyone who must make decisions with 
respect to covered entities. The regulatory language would provide for 
notification in such manner as the Secretary deems appropriate, which 
would include posting to an HHS Web site and/or the periodic 
publication of a notice in the Federal Register.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Several comments argued that the provision for 
notification of the public in proposed Sec.  160.426 would extend 
beyond the scope of the Secretary's statutory authority under section 
1128A(h), since section 1128A(h) specifies only that certain types of 
organizations and agencies to be notified. They urged that the 
requirement be eliminated.
    Response: We disagree that the requirement for public notification 
is unauthorized. It is true that Sec.  160.426 establishes the means by 
which HHS may carry out its obligation to notify various agencies and 
organizations under section 1128A(h). However, the basis for the public 
notice portion of Sec.  160.426 lies not in section 1128A(h), as the 
comments assumed, but in the Freedom of Information Act (FOIA), 5 
U.S.C. 552.
    FOIA requires final opinions and orders made in adjudication cases 
to be made available for public inspection and copying. See 5 U.S.C. 
552(a)(2)(A). The adjudicatory process \3\ set forth in the Enforcement 
Rule begins with the service upon the respondent of a notice of 
proposed determination under Sec.  160.420. This proposed penalty 
becomes final if the respondent fails to contest it in the time and 
manner provided in Sec.  160.504(b). If the respondent does contest the 
proposed penalty, the final agency order is the decision of the ALJ, or 
the Board, as the case may be. While it is true that section 1128A(h) 
does not require that such notice be given to the public, neither does 
it prohibit such wider dissemination of that information, and nothing 
in section 1128A(h) suggests that it modifies the Secretary's 
obligations under FOIA. FOIA requires making final orders or opinions 
available for public inspection and copying by ``computer 
telecommunication * * * or other electronic means,'' which would 
encompass putting them up on the Department's Web site, and further 
provides that, absent actual and timely notice, in order for the 
Department to rely upon final opinions that affect a member of the 
public or to cite them as precedent against a party, the opinions or 
orders must be indexed and made available electronically. See 5 U.S.C. 
552(a)(2).
---------------------------------------------------------------------------

    \3\ Under the Administrative Procedure Act, ``adjudication means 
agency process for the formulation of an order.'' 5 U.S.C. 551(7). 
An ``order means the whole or part of a final disposition * * * of 
an agency in a matter other than rule making * * *''. 5 U.S.C. 
551(6).
---------------------------------------------------------------------------

    Comment: Many comments objected to the requirement for public 
notice. Comments argued that since final decisions of the Departmental 
Appeals Board are available under FOIA, there is no need for further 
notice to the public. Further, it was stated that many HIPAA 
violations, particularly of the Transactions Rule, are very technical 
in nature and the public may be unable to understand the nature of such 
violations. Accordingly, public notification may injure the reputation 
of covered entities and cause them to lose business, while the 
reputational injury attendant on public notification may be wholly 
disproportionate to the violations involved. Also, comments argued that 
entities that are members of an affiliated covered entity and that are 
held liable for the actions of others under Sec.  160.402(b) may be 
unfairly labeled as noncompliant. Finally, comments stated that covered 
entities may have to expend additional resources to fight complaints, 
because the public notification provision would give competitors an 
incentive to use the complaint process to gain an unfair business 
advantage.
    Response: Final decisions of the ALJs and the Departmental Appeals 
Board are made public via the Board's Web site. See http://www.hhs.gov/dab/search.html. Such postings, however, would not include penalties 
that become final because a request for hearing was not filed under 
Sec.  160.422. Notices of proposed determination under Sec.  160.420 
that become final because a hearing has not been timely requested, 
would likewise be made available for such public inspection and copying 
as final orders. By making the entire final opinion or order available 
to the public, the facts underlying the penalty determination and the 
law applied to those facts will be apparent. Given that information, 
the public may discern the nature and extent of the violation as well 
as the basis for imposition of the civil money penalty on the covered 
entity. Finally, the process established for the review and 
investigation of complaints should identify those without merit, or 
over which HHS has no jurisdiction under the HIPAA provisions, but, in 
any event, we doubt that the notification provisions of this section 
will increase the likelihood that complaints will be filed.
    Comment: One comment suggested that, rather than mandating the 
provision of notice to the public, the rule should give the Secretary 
discretion to determine when public notification is prudent, as doing 
so may not be appropriate in all instances--for example, where there is 
an ongoing investigation or a technical failure is involved. A number 
of comments urged HHS to publish violations of HIPAA without the name 
of the covered entity. They argued that this approach would enable 
covered entities to understand how OCR and CMS apply the HIPAA rules in 
particular circumstances and would, thus, encourage voluntary 
compliance.
    Response: As noted, under FOIA, we must make final orders and 
opinions available for public inspection and copying. FOIA permits the 
Secretary to withhold information whose release could, for instance, 
reasonably be expected to interfere with prospective or ongoing law 
enforcement proceedings, but such exemption does not apply where, as in 
the case of such final opinions and orders, they are made after the 
conclusion of such proceedings. See 5 U.S.C. 552(b)(7)(A). While FOIA 
permits the deletion of identifying details to prevent a clearly 
unwarranted invasion of personal privacy, identifying the name(s) of 
the covered entities against whom penalties are imposed would not be 
such an invasion of personal privacy.
    Comment: One comment suggested that the rule be revised to require 
covered entities to notify the Secretary and potentially affected 
individuals when there is a suspected breach of the Privacy Rule. The 
comment also suggested that HHS make available a list of violations 
organized by entity, including the number of persons affected by each 
violation. One comment asked that all final decisions of the ALJ or the 
Board, including those to not assess a penalty, be made public,

[[Page 8414]]

so that covered entities could present a better defense in the future 
based on past decisions to not impose a penalty in a similar situation. 
Another comment supported the proposal to notify the public of final 
penalties, on the ground that the public should be aware of violations, 
particularly of the Privacy Rule. Another comment suggested that 
complainants should be notified when a penalty is imposed.
    Response: As noted, final opinions or orders imposing penalties 
will be made available to the public for inspection and copying. Given 
that this information will be public, we do not accept the other 
comments above.
    Comment: One comment stated that the public notification rule 
should not apply to, or include, matters referred to the Department of 
Justice. Another comment asked that HHS confirm that the public 
notification provision would not apply to informal resolutions.
    Response: In neither of the above situations has a final order on a 
penalty proposed under Sec.  160.420 been entered. Consequently, 
neither situation would come within the public notification requirement 
of Sec.  160.426.
    Comment: Several comments expressed concern that publication of a 
penalty could occur prematurely, before all of the covered entity's 
appeals had been exhausted. They requested clarification as to when a 
penalty is considered final for purposes of notification. A couple of 
comments stated that the penalty should be considered to be final, for 
purposes of the public notification, when all court appeals have been 
exhausted.
    Response: A civil money penalty is considered to be final, for 
purposes of notification, when it is a final agency action--i.e., the 
time for administrative appeal has run or the adverse administrative 
finding has otherwise become final. The final opinion or order that is 
subject to the notification provisions of this section is the notice of 
proposed determination, if a request for hearing is not timely filed, 
the decision of the ALJ, if that is not appealed, or the final decision 
of the Board.

D. Subpart E--Procedures for Hearings

    As previously explained, the provisions of section 1128A of the Act 
apply to the imposition of a civil money penalty under section 1176 
``in the same manner as'' they apply to the imposition of civil money 
penalties under section 1128A itself. The provisions of subpart E are, 
as a consequence, based in large part upon, and are in many respects 
the same as, the OIG regulations implementing section 1128A. We adapt, 
re-order, or combine the language of the OIG regulations in a number of 
places for clarity of presentation or to reflect concepts unique to the 
HIPAA provisions or rules. To avoid confusion, we also employ certain 
language usages in order to be consistent with the usages in the other 
HIPAA rules (for example, for mandatory duties, ``must'' or ``will'' 
instead of ``shall'' is used; for discretionary duties, ``may'' instead 
of ``has the authority to'' is used).
    Subpart E, as adopted by the April 17, 2003 interim final rule, 
adopted provisions relating to investigational inquiries and subpoenas 
and certain definitions that have now been moved to subpart C. It also 
adopted a number of provisions that relate to all civil money penalties 
that have now been moved to subpart D. Subpart E, as revised below, 
addresses only the administrative hearing phase of the enforcement 
process.
    General comment: Several comments argued that the proposed 
Enforcement Rule, as a whole, would give the government an unfair 
advantage and seriously compromise the ability of covered entities to 
defend themselves before an ALJ and on an appeal to the Board. It was 
argued that the following provisions, in combination, would ``stack the 
deck'' in the government's favor:

    (1) The severely restricted ability of covered entities to rebut 
the statistical sampling report; (2) the ``extraordinary 
circumstances'' standard for failure to timely exchange exhibits and 
witness statements; (3) the inability to depose prior to the hearing 
or question at the hearing the government's statistical sampling 
expert; (4) the ability of the * * * ALJ * * * to admit prior 
evidence of witnesses which were not subject to cross examination by 
the covered entity; (5) the requirements regarding hearing requests; 
(6) the limited nature of discovery and the lack of obligation to 
share exculpatory evidence; (7) the ALJ's discretion about applying 
the Federal Rules of Evidence; (8) the very broad harmless error 
rule which significantly restricts a covered entity's appeal rights; 
and (9) the limited authority of the ALJ and correspondingly broad 
discretion provided to the Secretary.

    Response: While we also discuss the above provisions individually, 
we provide the following general response. We do not agree that the 
proposed rule would have given HHS an unfair advantage or compromised 
the ability of covered entities to defend themselves. Most of the 
provisions cited should operate even-handedly, providing no greater 
advantage to the government than to the respondent. For example, the 
limitation on depositions will also mean that the governmental party 
cannot depose any statistical expert of the respondent; similarly, the 
other limitations on discovery should operate similarly for both 
parties, as should the ALJ's discretion with respect to the application 
of the Federal Rules of Evidence and the application of the harmless 
error rule.
    In any event, we have changed several of the provisions cited. We 
have required the government's statistical study to be provided with 
the notice of proposed determination, we have clarified the conditions 
for the admission of written statements, and we have eliminated the 
restriction on the ALJ's authority to review the method by which the 
number of violations is determined. We believe that the final rule 
strikes an appropriate balance and should ensure that neither party has 
a procedural advantage.
1. Section 160.504--Hearing Before an ALJ
    Proposed rule: The proposed rule proposed few changes to this 
section, which was Sec.  160.526 of the April 17, 2003 interim final 
rule. Section 160.526(a)(2) of the April 17, 2003 interim final rule 
stated that the Departmental party in a hearing is ``the Secretary.'' 
The term ``Secretary'' is defined at Sec.  160.103 of the HIPAA rules 
as ``the Secretary of Health and Human Services or any other officer or 
employee of HHS to whom the authority involved has been delegated.'' 
However, in light of the multiple roles of the Secretary in the context 
of a hearing (OCR and/or CMS would be a party, while the ALJ or the 
Board would be the adjudicator), we proposed to clarify in Sec.  
160.504(a)(2) which part of HHS acts as the ``party'' in the hearing. 
Because which component of HHS will be the ``party'' in a particular 
case will depend on which rule is alleged to have been violated, and 
because a particular case could involve more than one HIPAA rule, we 
proposed to define the Secretarial party generically, by reference to 
the component with the delegated enforcement authority. Under the 
proposed provision, the Secretarial party could consist of more than 
one officer or employee, so that it is possible for both CMS and OCR to 
be the Secretarial party in a particular case.
    Proposed Sec.  160.504(b) provided that the request for a hearing 
must be mailed within 60 days, via certified mail, return receipt 
requested, to the address specified in the notice of proposed 
determination. The last sentence of proposed Sec.  160.504(b) provided 
that the date of receipt of the notice of proposed determination is 
presumed to be five days after the date of the notice unless the 
respondent makes a reasonable

[[Page 8415]]

showing to the contrary. This showing may be made even where the notice 
is sent by mail and is not precluded by the computation of time rule of 
proposed Sec.  160.526(c), establishing a five-day allowance for 
mailing.
    Proposed Sec.  160.504(c) would require that the request for 
hearing clearly and directly admit, deny, or explain each of the 
findings of fact contained in the notice of proposed determination with 
respect to which the respondent has knowledge and must also state the 
circumstances or arguments that the respondent alleges constitute the 
grounds for any defense and the factual and legal basis for opposing 
the penalty. Proposed Sec.  160.504(d)(1) would require the ALJ to 
dismiss a hearing request where ``[t]he respondent's hearing request is 
not filed as required by paragraphs (b) and (c) of this section.'' 
Proposed Sec. Sec.  160.504(d)(2)-(4) would require dismissal where the 
hearing request was, respectively, withdrawn, abandoned, or raised no 
issue that could properly be addressed in a hearing.
    Final rule: Section 160.504 below revises the proposed rule in 
several respects. The proposed 60-day time limit for filing a request 
for hearing is extended to 90 days. See Sec.  160.504(b). Section 
160.504(c) provides that an affirmative defense under Sec.  
160.410(b)(1) may be raised at any time. Section 160.504(d)(1) provides 
that a dismissal on the grounds stated in that paragraph may only be 
made on motion of the Secretary, and the ground for dismissal under 
paragraph (b) is limited to the respondent's failure to comply with the 
timely filing requirement of paragraph (b).
    Comment: A number of comments objected to the 60-day time limit of 
proposed Sec.  160.504(b) as unreasonably short and unfair, given the 
detailed showing the covered entity is required to provide in its 
request for hearing and the severe consequences, under proposed Sec.  
160.504(d)(1), of failing to meet this requirement. A couple of 
comments also objected that this provision is not necessary and does 
not follow the OIG regulation in this respect. Comments suggested 
several changes: (1) That the required specificity of the request for 
hearing be eliminated, (2) that the time for response be lengthened, 
and/or (3) that there be a provision to excuse an untimely request for 
hearing based on good cause.
    Response: We accommodate the concerns raised in the public comment 
by extending the period for filing a request for hearing from 60 to 90 
days. We note that, as so revised, the rule does not parallel the 
analogous provision of the OIG regulations (42 CFR 1005.2(c)) in two 
respects: (1) It requires more specificity in the hearing request; and 
(2) it provides the respondent more time in which to file the hearing 
request. We are of the view, however, that the compromise in Sec.  
160.504(b), as revised, will promote the conduct of the hearing in an 
efficient manner by clarifying at an early stage of the process the 
issues in dispute and the basis for those disputes. We retain the 
requirement of proposed Sec.  160.504(c) that the request for hearing 
clearly and directly admit, deny, or explain each of the findings of 
fact and state the circumstances or arguments that the respondent 
alleges constitute the grounds for any defense and the factual and 
legal basis for opposing the penalty. (However, the respondent need not 
provide its statistical study, assuming it has one, until 30 days 
before the scheduled hearing. See Sec.  160.518.) This requirement will 
facilitate narrowing and refining the issues in dispute, thereby 
expediting the conduct of the hearing.
    Comment: One comment suggested that, if the 60-day time period for 
response were retained, HHS be required to send a reminder to the 
covered entity on the 45th day.
    Response: We do not adopt this suggestion. The need for the 
suggested change is obviated by our decision to extend the 60-day 
period.
    Comment: Several comments suggested that the rule does not properly 
take into account the possibility of notices being delivered to the 
wrong official in a covered entity or getting lost in a covered 
entity's internal mail system. They recommended that the rule specify 
the official(s) in the covered entity to whom the notice of proposed 
determination must be sent, so that the covered entity does not lose 
time needed to prepare its defense. A few comments suggested that the 
notice of proposed determination be sent to the Privacy Officer. It was 
suggested that the covered entity be able to show good cause for 
failing to respond in a timely manner in such cases, or that the 60-day 
time period be tolled.
    Response: We do not think it is necessary or feasible to identify 
the person(s) to whom the notice of proposed determination should be 
addressed. Fed. R. Civ. P. 4 (28 U.S.C. Appendix), which applies under 
section 1128A(c), establishes who may be served and applies without 
need for further regulatory action. Because the size and other 
organizational circumstances of covered entities vary greatly, a rule 
that further limited or defined who must be served would most likely be 
inappropriate for some covered entities. Further, it is likely that a 
notice of proposed determination would be issued after significant 
prior contact with the covered entity, so we anticipate that our 
investigators would be able to ascertain which officer would be the 
appropriate recipient of the notice.
    In any event, a respondent can raise the issues of concern raised 
by the comments--e.g., failure to reach the appropriate official or the 
official to whom the notice of proposed determination was addressed due 
to problems in the entity's mail system--under Sec.  160.504(b). Under 
that section, if the respondent makes ``a reasonable showing'' to the 
ALJ that the mailed notice of proposed determination was not properly 
received by the covered entity or by a proper official within the 
covered entity, the ALJ can extend the 90-day period to the extent he 
or she considers appropriate.
    Comment: One comment asked whether findings of fact that are not 
contested or about which the claim is made of insufficient knowledge to 
respond in the hearing request are deemed admitted.
    Response: Section 160.504(c) provides respondents with two choices 
with respect to denying findings of fact: (1) The respondent may deny 
them; or (2) the respondent may claim a lack of knowledge, in which 
case the finding in question is ``deemed denied.'' Since the regulation 
deems a finding of fact denied only where lack of knowledge is claimed, 
if the respondent has neither denied nor asserted lack of knowledge 
with respect to the finding, the finding must be deemed admitted.
    Comment: One comment stated that dismissal of a hearing request on 
the grounds described in proposed Sec.  160.504(d)(1)-(3) should be 
made permissive, not mandatory, and Sec.  160.504(d)(4) (dismissal 
where the respondent fails to state an issue that may properly be 
addressed in a hearing) should be eliminated, to ensure that covered 
entities are provided a fair opportunity to request a hearing and 
develop an appropriate defense.
    Response: We revise proposed Sec.  160.504(d)(1) to require 
dismissal on the ground of failure to comply with paragraph (b) to be 
limited to failure to comply with the requirement of the paragraph for 
timely filing of the request for hearing. We revise proposed Sec.  
160.504(d)(1) to provide that dismissal on this ground may occur only 
if the Secretary moves for dismissal on this ground. If the Secretarial 
party--OCR, CMS, or both--does not believe that the hearing should be 
dismissed due to the insufficiency of the respondent's request

[[Page 8416]]

for hearing, and so does not challenge the timeliness or sufficiency of 
the request for hearing under paragraph (b) or (c), respectively, the 
hearing should go forward. The revision to paragraph (d)(1) would 
permit this to occur.
    Like its counterparts in other rules issued pursuant to section 
1128A, Sec.  160.504(d)(1)-(3) mandates dismissal so that the limited 
resources of the government and of respondents are not expended on 
hearing requests that fail to comply with the straightforward 
requirements of this section or that have been withdrawn or abandoned 
by the respondent. We believe that considerations of economy and 
efficiency require the dismissal of cases that fall within the 
descriptions of these subsections. However, in response to the 
comments, we have added a requirement to Sec.  160.504(d)(1) that the 
Secretary must file a motion for dismissal of a hearing request rather 
than permit an automatic dismissal by the ALJ. The filing of such a 
motion will require the Secretary to enunciate the reasons a hearing 
request is deficient under paragraphs (b) and (c) of this section and 
allow the respondent the opportunity to answer those charges. We do not 
add such a requirement to Sec.  160.504(d)(2)-(3), because we think 
that the ALJ should have authority to dismiss such cases for reasons of 
withdrawal or abandonment by the respondent without being requested to 
do so by the Secretary.
    Section 160.504(d)(4) provides the administrative review channel 
leading to judicial review of claims that may not be reviewed 
administratively, such as constitutional claims. This subsection is 
necessary so that there is no confusion about how respondents can 
efficiently exhaust the administrative process for such claims. We, 
thus, decline to eliminate this subsection.
2. Section 160.508--Authority of the ALJ
    Proposed rule: The text of proposed Sec.  160.508 was adopted by 
the April 17, 2003 interim final rule as Sec.  160.530. No changes to 
paragraphs (a) and (b) were proposed. We proposed to revise paragraph 
(c) by adding paragraphs (c)(1) and (c)(5) to the list of limitations 
on the authority of the ALJ. Proposed paragraph (c)(1) would require 
the ALJ to follow Federal statutes, regulations, and Secretarial 
delegations of authority, and to give deference to published guidance 
to the extent not inconsistent with statute or regulation; the preamble 
to the proposed rule indicated that by ``published guidance'' we meant 
guidance that has been publicly disseminated, including posting on the 
CMS or OCR Web site. Proposed paragraph (c)(5) would clarify that ALJs 
may not review the Secretary's exercise of discretion whether to grant 
an extension or to provide technical assistance under section 
1176(b)(3)(B) of the Act or the Secretary's exercise of discretion in 
the choice of variable(s) under proposed Sec.  160.406.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except for proposed Sec.  160.508(c)(5)(ii), which is eliminated. 
A conforming change is made to Sec.  160.508(c)(5).
a. Section 160.508(b)
    Comment: One comment stated that this provision should be amended 
to add a provision requiring that a requested hearing be conducted 
within a time certain, not to exceed 90 days from receipt of the 
request for a hearing. Another comment suggested that the ALJ should 
notify a respondent of the date and time for the hearing no later than 
90 days after the request for hearing is filed.
    Response: It would not be reasonable or appropriate to impose a 
fixed deadline by which hearings must be scheduled, and we decline to 
do so. In a complicated case, the time for discovery and pre-hearing 
motions may take more than 90 days, and, thus, imposing such a deadline 
may circumscribe the parties' ability to prepare their cases. Moreover, 
the ALJs have other cases on their dockets, and we cannot assume that 
they will in all cases be able to begin a hearing on a civil money 
penalty within 90 days. The scheduling of the hearing is best left to 
the ALJs, in consultation with the parties.
b. Section 160.508(c)
    Comment: A number of comments opposed proposed Sec.  160.508(c), on 
the ground that it would significantly limit the ALJ's authority to 
rule on pertinent issues. They stated that it was questionable under 
this section whether the ALJ would have the authority to review the 
determination of the number of violations, or imposition of joint and 
several liability, since they may be addressed in published guidance to 
which the ALJ must give deference. It was suggested that this 
limitation would be a problem under proposed Sec.  160.424(d), since 
those are issues that a respondent would be unable to raise at the 
administrative level.
    Response: We do not agree. We believe that it is of importance to 
covered entities that ALJ and Board decisions, as components of HHS, be 
consistent with one another and with the published compliance guidance 
HHS provides to covered entities. Accordingly, we require ALJs and the 
Board to follow guidance which has been publicly disseminated, unless 
the ALJ or Board finds the guidance to be inconsistent with statute or 
regulation. In the examples cited, any published guidance related to 
the determination of the number of violations, or when joint and 
several liability is appropriate must be consistent with applicable 
statute and regulation, matters upon which the ALJ may rule. See 
section 1176 and Sec. Sec.  160.402(b)(2), 160.406, and 160.508. While 
deference to such published guidance is required of the ALJs and DAB, 
as components of HHS, similar deference is not necessarily afforded 
such guidance in any judicial review of an adverse final agency 
determination sought by a respondent. Section 160.424(d) should not 
present a problem, since challenges related to published guidance may 
be raised during administrative and judicial reviews of the proposed 
penalty.
    Comment: One comment stated that ALJs should be allowed to consider 
affirmative defenses during a hearing, even if they relate to issues 
committed to the Secretary's discretion. The comment argued that an 
inability to raise affirmative defenses before the ALJ might impact a 
covered entity's ability to subsequently pursue legal remedies under 
Sec.  160.424(d).
    Response: We agree that the ALJ is allowed to consider affirmative 
defenses during a hearing. See the discussion of Sec.  160.410 above.
    Comment: A couple of comments agreed that ALJs should have the 
authority to evaluate whether there was a violation in the first place 
and asked that this provision be retained in the final rule.
    Response: We agree and have done so.
c. Section 160.508(c)(1)
    Comment: One comment asked, if a guidance in effect at the time a 
violation occurred were changed before the date of the hearing, which 
version of the guidance the ALJ would have to follow.
    Response: The guidance in effect at the time the violation occurred 
would govern.
    Comment: One comment expressed concern with Sec.  160.508(c)(1), 
insofar as it would include in ``published guidance'' FAQs published on 
the CMS and OCR Web sites. According to the comment, FAQs have never 
been designated in the HIPAA regulations as having the force of 
regulations themselves. According to the comment, many covered entities 
are not aware of these postings and the industry is unaware that they 
will have the same

[[Page 8417]]

force and effect as regulations. The comment further stated that if 
FAQs are to have the force of regulation, then the questions and 
responses should be organized for such use, and the HIPAA regulation 
should specifically designate that covered entities will be held 
accountable for compliance with these responses or ``published 
guidance.'' Another comment suggested that proposed Sec.  160.508(c)(1) 
should be revised to require the ALJ to give consideration to published 
guidance and consider whether the covered entity reasonably relied on 
such guidance, as is done in the regulations relating to hearings by 
the Provider Reimbursement Review Board (PRRB), citing to 42 CFR 
405.1867.
    Response: The ``published guidances'', including FAQs, inform 
covered entities of the approach HHS is taking in the enforcement of 
the HIPAA rules. The guidances do not have the force and effect of a 
regulation, as the comment suggests, and are not controlling upon the 
courts, as would be the case with a regulation. As previously 
explained, HHS seeks to provide consistent compliance guidance to 
covered entities and, to the extent possible, to render decisions in 
the adjudicative process that are both consistent with other 
adjudicated cases and with the policy decisions of the Secretary 
expressed in HHS rules and guidances. The consistency sought within HHS 
is achieved by requiring the ALJ and the Board, which are components of 
HHS, to defer to such published guidances, if they are consistent with 
statute and regulation. This is consistent with, and recognizes the 
effect of, the existing delegations of authority by the Secretary, 
which delegate to the programs the Secretary's authority to establish 
policy. Requiring that only consideration be given to such published 
guidances, as in PRRB hearings, rather than deference, would not 
achieve the desired result.
    Comment: One comment argued that proposed Sec.  160.508(c)(1) 
should be changed to add ``and does not establish requirements in 
addition to those specified in the applicable statute or regulation,'' 
on the ground that covered entities should not be penalized for not 
complying with requirements that exceed the plain language of the 
statute.
    Response: It is not clear what the comment is suggesting, but if 
the comment is suggesting that guidance merely parrot what is in the 
statute and regulations, guidance would be both unnecessary and 
unhelpful. If, however, the comment is suggesting that guidance not 
exceed any explicit limits imposed by the statute or regulations, the 
language is likewise unnecessary, as the current language would permit 
the ALJ or the Board to disregard guidance that was not consistent with 
statute or regulations.
d. Section 160.508(c)(5)
    Comment: Proposed Sec.  160.508(c)(5)(ii) would have made the 
Secretary's selection of the variable under Sec.  160.406 unreviewable 
by the ALJ. It was criticized by several commenters as unfair and 
inconsistent with the statute on the grounds that the whole purpose of 
the hearing before an ALJ is to review the Secretary's assessment of a 
penalty. It was argued that, if a covered entity has a reasonable 
argument as to why the use of variables or a particular variable was 
not appropriate, it should be allowed to present the argument during 
the ALJ hearing to which it is entitled by statute. It was also argued 
that, since proposed Sec.  160.406 would include a factual 
determination of the number of times a covered entity may have failed 
to engage in required conduct, or may have engaged in a prohibited act, 
each of the parties should be authorized to address, and the ALJ to 
consider at a hearing, that factual determination. One comment asked 
whether, even if the ALJ lacks authority to directly question the 
variable(s) selected, a challenge to the variable could be made through 
a claim that ``justice required'' selection of a different variable.
    Response: Section 1128A(c)(2) establishes the right to a hearing on 
the record for any person who has been given an adverse determination 
by the Secretary. In a proceeding under section 1176, the adverse 
determination by the Secretary is the civil money penalty proposed in 
the notice of proposed determination under Sec.  160.420. Upon review 
of the comments regarding proposed Sec.  160.508(c)(5)(ii), we agree 
that the count of violations is an integral part of a civil money 
penalty and should be reviewable by the ALJ. Thus, we have deleted 
proposed subparagraph (ii) from Sec.  160.508(c)(5) in the final rule. 
As a conforming change, we have integrated subparagraph (i) into the 
text of Sec.  160.508(c)(5).
3. Section 160.512--Prehearing Conferences
    Proposed rule: Proposed Sec.  160.512 would adopt Sec.  160.534, as 
added by the April 17, 2003 interim final rule, with two changes. 
Proposed Sec.  160.512 would revise paragraph (a) to establish a 
minimum amount of notice (not less than 14 business days) that must be 
provided to the parties in the scheduling of prehearing conferences. 
Proposed Sec.  160.512 would also revise paragraph (b)(11) to include 
the issue of the protection of individually identifiable health 
information as a matter that may be discussed at the prehearing 
conference, if appropriate.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment recommended that a provision be added to Sec.  
160.512 to require the ALJ to schedule a prehearing conference within 
30 days of a request for a hearing, unless both parties agree to a 
later date.
    Response: The scheduling of a prehearing conference will depend, in 
part, on the scheduling of the hearing. For the reasons discussed under 
Sec.  160.508(b) above, we do not agree that it is advisable to so 
circumscribe the ALJ's flexibility to set the hearing calendar.
    Comment: A couple of comments objected that the time frame for 
notice of a pre-hearing conference provided for by proposed Sec.  
160.512 is inadequate to permit all necessary parties involved to 
prepare a response. One comment stated that the rule should extend the 
time frame to 25 business days, while the other suggested that the rule 
should require at least a 30-day notice of a pre-hearing conference.
    Response: Section 160.512 does not prescribe 14 days as the amount 
of notice of a pre-hearing conference that must be given; rather, it 
simply establishes 14 days as the minimum amount of notice that is 
``reasonable.'' In our experience, 14 days should in most cases be 
sufficient for the parties to prepare for the conference adequately; 
however, nothing in the rule prohibits a party from requesting a longer 
period of time to prepare for a pre-hearing conference or the ALJ from 
granting such a request.
4. Section 160.516--Discovery
    Proposed rule: Proposed Sec.  160.516 would adopt Sec.  160.538 of 
the April 17, 2003 interim final rule. As relevant here, proposed Sec.  
160.516 would permit requests for production of documents, but would 
not permit other forms of discovery, such as interrogatories, requests 
for admission, and depositions. Proposed paragraph (d) states that this 
section ``may not be construed to require the disclosure of interview 
reports or statements obtained by any party, or on behalf of any party, 
of persons who will not be called as witnesses by that party, or 
analyses and summaries prepared in conjunction with the investigation 
or litigation of the case, or any otherwise privileged documents.''

[[Page 8418]]

    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Several comments recommended that proposed Sec.  160.516 
should be revised to allow requests for admissions, depositions, and 
written interrogatories in the discovery process. It was argued that 
permitting these forms of discovery would ensure that covered entities 
are able to mount a proper defense. It also was asserted that expert 
testimony will be necessary to establish both the alleged violation(s) 
and any affirmative defenses. Allowing such discovery would, it was 
asserted, help to produce a record, make appeals less likely, and 
potentially decrease the length of administrative hearings.
    Response: We believe that the level of detail provided to a covered 
entity in the notice of proposed determination (including, where 
applicable, a copy of HHS's statistical expert's study), coupled with a 
right to request the production of documents for copying and 
inspection, provides the covered entity with the information reasonably 
required to mount its challenge to the proposed civil money penalty or 
to determine whether an affirmative defense applies. The additional 
discovery mentioned in the comments would result in delays and costs. 
Experience with the OIG regulation at 42 CFR 1005.7, which likewise 
does not authorize other types of discovery, has demonstrated that the 
discovery provided for is appropriate and sufficient.
    Comment: Several comments argued that, at a minimum, depositions 
should be permitted at least with regard to expert witnesses, including 
the government's statistical expert. They asserted that, because 
depositions would not be permitted, covered entities would lose another 
potential opportunity to question the government's statistician in an 
effort to understand and defend against the conclusion and assumptions 
made in establishing the proposed civil money penalty, which would be 
prejudicial to the covered entity.
    Response: We do not agree that depositions are necessary. Under 
Sec.  160.420(a)(2), as adopted in this final rule, the study of HHS's 
statistical expert must be provided to the respondent with the notice 
of proposed determination.
    Comment: A couple of comments criticized the proposed rule for not 
requiring that OCR and/or CMS hand over potentially exculpatory 
information to the entity being investigated. The obligation to provide 
exculpatory evidence should include handing over exculpatory interview 
reports or statements obtained by the government of persons who will 
not be called as witnesses by that party. It was recommended that this 
obligation be added to the final rule.
    Response: The obligation to provide exculpatory evidence to an 
accused, which applies in criminal proceedings, is inapplicable in a 
HIPAA administrative simplification enforcement case.
    Comment: One comment contended that Sec.  160.516 should be revised 
to treat personal health information as privileged information not 
subject to discovery, since hearings are open to the public under 
proposed Sec.  160.534.
    Response: A covered entity concerned with potential public access 
to protected health information may raise the issue before the ALJ and 
seek a protective order under Sec.  160.512(b)(11). Depending on the 
circumstances, an ALJ may require the information to be de-identified 
or direct identifiers to be stripped to protect the privacy of 
individuals or order other protections routinely afforded to similarly 
confidential information within the litigation forum, such as 
protective orders on the use of the information in public portions of 
the proceedings. In addition, the ALJ may, for good cause shown, order 
appropriate redactions made to the record after hearing. See Sec.  
160.542(d).
5. Section 160.518--Exchange of Witness Lists, Witness Statements, and 
Exhibits
    Proposed rule: Proposed Sec.  160.518 would carry forward Sec.  
160.540, as adopted by the April 17, 2003 interim final rule, with one 
substantive change. It would revise paragraph (a) to provide time 
limits within which the exchange of witness lists, statements, and 
exhibits must occur prior to a hearing. Under proposed Sec.  
160.518(a), these items must be exchanged not more than 60, but not 
less than 15, days prior to the scheduled hearing.
    Final rule: The final rule revises this provision to require that, 
where a respondent retains a statistical expert for the purpose of 
challenging the Secretary's statistical sampling, a report by the 
respondent's expert be provided to the Secretarial party not less than 
30 days prior to the hearing.
    Comment: Several comments criticized the time frames of proposed 
Sec.  160.518 as problematic in light of the anticipated use of 
statistical sampling. They argued that, if HHS uses statistical 
sampling to determine the number of violations and to establish its 
prima facie case against a covered entity, the covered entity must have 
a fair opportunity to rebut this evidence. That fair opportunity should 
permit the addition of rebuttal witnesses, statements and exhibits 
after the 15-day period and/or requiring the government to provide more 
detailed information to the covered entity regarding its statistical 
sampling calculations, methodology and assumptions at a time that is 
sufficiently prior to the 15-day deadline. The comments requested that 
the time frames listed in the regulation be increased to allow a 
covered entity adequate time to prepare for a hearing. Specifically, 
the comments urged that witness lists, statements, and exhibits for a 
hearing be exchanged by the parties not more than 60 days and not less 
than 30 days before a scheduled hearing date.
    Response: We have accommodated the concern that the details of 
HHS's statistical study will not be made available early enough in the 
proceeding to allow a fair opportunity for rebuttal by requiring in 
Sec.  160.420(a)(2) that a copy of the study be given to the respondent 
with the notice of proposed determination. Accordingly, under such 
circumstances, there should not be a problem identifying who respondent 
should call as a rebuttal witness within the time frames set out in 
this section.
    We revise Sec.  160.518(a) to require the respondent to provide to 
HHS a copy of the report of its statistical expert not less than 30 
days before the scheduled hearing. This will give the Secretarial party 
adequate time to prepare the statistical part of its case and is 
reasonable in light of the fact that the respondent is given HHS's 
statistical study at the commencement of the proceeding.
    Comment: With respect to proposed Sec.  160.518(b)(2), one comment 
asked what would constitute extraordinary circumstances. The comment 
stated that this standard seems unnecessarily high and that ``good 
cause'' would be a more reasonable and fairer standard, given the need 
for covered entities to rebut the evidence of a statistical expert 
whose information they will not receive until the exchange of witnesses 
and exhibits.
    Response: The decision concerning what is sufficient to convince 
the ALJ that extraordinary circumstances exist will be case-specific. 
The justification for lowering the standard no longer applies, given 
our change to Sec.  160.420. Accordingly, we retain the ``extraordinary 
circumstances'' standard to emphasize the importance of observing the 
time frame for the exchange of such information.

[[Page 8419]]

6. Section 160.520--Subpoenas for Attendance at Hearing
    Proposed rule: Proposed Sec.  160.520 would carry forward Sec.  
160.542, as adopted by the April 17, 2003 interim final rule, mainly 
unchanged. Proposed Sec.  160.520 would clarify that when a subpoena is 
served on HHS, the Secretary may comply with the subpoena by 
designating any knowledgeable representative to testify. Proposed Sec.  
160.520(d) would require a party seeking a subpoena to file a written 
motion not less than 30 days before the scheduled hearing, unless 
otherwise allowed by the ALJ for good cause shown; the paragraph 
specified what such a motion must contain.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment asked that the language in proposed Sec.  
160.520(c) be modified to provide that, if a respondent subpoenas a 
particular employee or official with specific knowledge of the case at 
hand, the identified employee or official would be required to testify. 
While acknowledging that it was reasonable for HHS to be able to 
substitute a witness if a respondent subpoenas an employee or official 
with no knowledge of the case (such as the Secretary), the comment 
argued that HHS should not have such discretion if the employee or 
official who is subpoenaed has specific knowledge of the case.
    Response: We retain the provision as proposed, because it is 
necessary to permit the smooth conduct of government business. We do 
not agree that the provision will damage a respondent's ability to 
litigate his case, as the provision requires that, although the 
Secretary may designate an HHS representative, the person so designated 
must be ``knowledgeable.'' That person may be the employee or official 
upon whom the subpoena was first served, if the Secretary determines 
that such person is the appropriate witness, possessed of the requisite 
knowledge to testify upon the issues which are the subject of the 
subpoena.
    Comment: One comment stated concerns with the interplay of proposed 
Sec.  160.538 with proposed Sec.  160.520(d). Under proposed Sec.  
160.538(b), if a party seeks to admit the testimony of a witness in the 
form of a written statement, that statement must be provided to the 
other party ``in a manner that allows sufficient time for the other 
party to subpoena the witness for cross-examination at the hearing.'' 
Under proposed Sec.  160.520(d), ``a party seeking a subpoena must file 
a written motion not less than 30 days before the date fixed for the 
hearing, unless otherwise allowed by the ALJ for good cause shown.'' 
The comment argued that a party that wanted to subpoena a person whose 
written statement was being offered by the opposing party should not 
have the burden of showing good cause for moving for a subpoena less 
than 30 days before the hearing date. Instead, the party seeking to 
admit the written statement should be required to provide that 
statement to the other party more than 30 days before the hearing, so 
that the other party will have an opportunity to subpoena that witness 
under the procedures established by these regulations.
    Response: We believe that the rules adequately provide for such a 
contingency, and so do not revise Sec.  160.520 as requested. The party 
that seeks to introduce testimony, other than expert testimony, in the 
form of a written statement must provide the other party with a copy of 
the statement and the address of the witness in sufficient time to 
allow that other party to subpoena that witness for cross examination. 
Since Sec.  160.520(d) requires that motions seeking a subpoena be 
filed not less than 30 days before the hearing, the witness statement 
and address should be provided in sufficient time to allow a timely 
motion to be made. In the event that such statement and/or address is 
not provided in sufficient time to allow for a timely motion, good 
cause for permitting the motion for subpoena to be made on fewer than 
30 days notice would exist.
7. Section 160.522--Fees
    Proposed rule: The proposed rule proposed in Sec.  160.522 to carry 
forward unchanged Sec.  160.544 of the April 17, 2003 interim final 
rule. The provision requires the party subpoenaing a witness to pay the 
cost of fees and mileage. Where the respondent is the party subpoenaing 
the witness, the check for such fees and mileage must accompany the 
subpoena when served, but the check is not required to accompany the 
subpoena where the party subpoenaing the witness is the Secretary.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment requested clarification of this provision. 
Observing that proposed Sec.  160.522 would require a check for 
specific fees to accompany the subpoena except when HHS issues such a 
subpoena, the comment questioned whether this meant that HHS would be 
required to reimburse someone they subpoenaed or whether the HHS 
reimbursement would come at a later date. Further, if it was the case 
that HHS was not required to reimburse such fees, the comment asked why 
this is the case, since any other party would be required to reimburse 
those fees.
    Response: HHS is required to, and will, pay to a subpoenaed witness 
the fees provided for in this section. The payment, however, need not 
accompany the subpoena. This policy is consistent with the usual 
procedure when the federal government is a party. See, e.g., Fed. R. 
Civ. P. 45(b)(1). (28 U.S.C. Appendix).
8. Section 160.534--The Hearing
    Proposed rule: The text of proposed Sec.  160.534 was adopted by 
the April 17, 2003 interim final rule as Sec.  160.554. No changes to 
paragraphs (a) and (c) were proposed. However, it was proposed to add a 
new paragraph (b) allocating the burden of proof at the hearing. Under 
proposed Sec.  160.534(b), the respondent would bear the burden of 
proof with respect to: (1) Any affirmative defense, including those set 
out in section 1176(b) of the Act, as implemented by proposed Sec.  
160.410; (2) any challenge to the amount or scope of a proposed penalty 
under section 1128A(d), as implemented by proposed Sec. Sec.  160.404-
160.408, including mitigating factors; and (3) any contention that a 
proposed penalty should be reduced or waived under section 1176(b)(4), 
as implemented by Sec.  160.412. The Secretary would have the burden of 
proof with respect to all other issues, including issues of liability 
and the factors considered as aggravating factors under proposed Sec.  
160.408 in determining the amount of penalties to be imposed. The 
burden of persuasion would be judged by a preponderance of the evidence 
(i.e., it is more likely than not that the position advocated is true).
    We also proposed a new Sec.  160.534(d), which would provide that 
any party may present items or information, during its case in chief, 
that were discovered after the date of the notice of proposed 
determination or request for a hearing, as applicable. The 
admissibility of such proffered evidence would be governed generally by 
the provisions of proposed Sec.  160.540, and be subject to the 15-day 
rule for the exchange of trial exhibits, witness lists and statements 
set out at proposed Sec.  160.518(a). If any such evidence is offered 
by the Secretary, it would not be admissible, unless relevant and 
material to the findings of fact set forth in the notice of proposed 
determination, including circumstances that may increase such penalty. 
If any such evidence is offered by the respondent, it would not be 
admissible unless relevant and material to a

[[Page 8420]]

specific admission, denial, or explanation of a finding of fact, or to 
a specific circumstance or argument expressly stated in the 
respondent's request for hearing that are alleged to constitute grounds 
for any defense or the factual and legal basis for opposing or reducing 
the penalty.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment recommended that proposed Sec.  
160.534(b)(1)(ii) (placing the burden of proof on the respondent with 
respect to any challenge to the amount of a proposed penalty pursuant 
to Sec.  160.404-160.408, including mitigating factors) be deleted. It 
was argued that due process requires that HHS sustain the burden of 
going forward with evidence proving the amount of a proposed penalty 
and the burden of persuasion. It was also noted that this section would 
place on the respondent the burden of proof with respect to an issue 
that is unreviewable under proposed Sec.  160.508(c)(5)--the selection 
of variables under Sec.  160.406.
    Response: We disagree that Sec.  160.534(b)(1)(ii) violates the due 
process clause. Rather, it is consistent with the normal allocation of 
the burden of proof, in which the proponent of a fact or argument has 
the burden of proving it. Our change to Sec.  160.508(c)(5) renders the 
remainder of the comment moot.
    Comment: One comment suggested that Sec.  160.534(c) be revised to 
require the ALJ, upon the request of either party, to close a public 
hearing that could result in disclosure of privacy or security 
information that should not be made public and seal the records.
    Response: We agree that protecting protected health information is 
important and is an issue about which all parties and the ALJ should be 
concerned. However, administrative hearings are, in general, required 
to be open to the public. See, e.g., Detroit Free Press v. Ashcroft, 
303 F.3d 681, 700 (6th Cir. 2002) (stating that INS deportation 
hearings and similar administrative proceedings are traditionally open 
to the public). An ALJ has means by which he can protect the privacy of 
protected health information to be introduced into evidence, if he 
determines that this should be done, including requiring redaction of 
identifying information and closing part of the hearing. In our view, 
the ALJ will be in the best position to balance the competing interests 
of the public's right to information and the privacy interests 
associated with any protected health information. Accordingly, we do 
not mandate closure of the hearing on request.
9. Section 160.536--Statistical Sampling
    Proposed rule: Proposed Sec.  160.536 would permit the Secretary to 
introduce the results of a statistical sampling study as evidence of 
the number of violations under proposed Sec.  160.406(b), or, where 
appropriate, any factor considered in determining the amount of the 
civil money penalty under proposed Sec.  160.408. If the estimation is 
based upon an appropriate sampling and employs valid statistical 
methods, it would constitute prima facie evidence of the number of 
violations or amount of the penalty sought that is a part of the 
Secretary's burden of proof. Such a showing would cause the burden of 
going forward to shift to the respondent, although the burden of 
persuasion would remain with the Secretary.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: Several comments argued that the proposed rule would 
significantly limit a covered entity's ability to challenge HHS's 
statistical evidence. Although proposed Sec.  160.420(a)(2) would 
require HHS, in the notice of proposed determination, to describe the 
sampling technique used by the Secretary, it is unclear what 
constitutes a ``brief'' description, and a brief description will most 
likely be insufficient to provide the covered entity with enough 
information to mount an adequate challenge. Because the covered entity 
may not receive a copy of the actual statistical study until 15 days 
before the hearing, it would have a very short period of time in which 
to review, investigate, critique, and/or rebut the statistical study. 
Because proposed Sec.  160.516 would prohibit the taking of 
depositions, there would be no way to subject the HHS's statistical 
expert to adverse examination until the hearing, if then. The comments 
requested that proposed Sec.  160.536 be deleted or, alternatively, the 
rule be revised to permit depositions of HHS's statistical expert and 
require HHS to give covered entities more detail of the technique 
utilized in sufficient time to allow entities to provide a meaningful 
defense and rebuttal.
    Response: We recognize the concern that to make an effective 
challenge to the Secretary's introduction of the results of a 
statistical study, a covered entity should be provided with the details 
of that study early in the proceeding. Accordingly, we have revised 
proposed Sec.  160.420(a)(2) to require HHS to provide a copy of the 
study relied upon to the respondent with the notice of proposed 
determination. Further, we have revised proposed Sec.  160.504(b) to 
enlarge the time within which a respondent seeking a hearing before an 
ALJ must mail its request for hearing from 60 to 90 days. We do not 
agree that depositions, which are expensive and time consuming, are 
required; the statistical study relied upon will be given to respondent 
with the notice of proposed determination, allowing an adequate amount 
of time to prepare any opposition thereto.
    Comment: Several comments contended that permitting proof of 
violations by statistical sampling violates basic notions of due 
process and fundamental fairness, in that either a violation is 
provable or it is not. The comments raised the following specific 
objections on this ground. Statistical sampling merely estimates the 
number of violations that could have occurred and should not be used as 
a ``short cut'' for appropriate investigation and review. The 
determination of any variable used to calculate the number of 
violations should be based on an objective standard. The proposed 
approach would not treat all covered entities the same. The following 
example was provided to illustrate this latter concern. Suppose that a 
dentist had 3,000 patients of record, and that seven percent of those 
patients, or 210, did not receive a Notice of Privacy Practices. 
Suppose that a sample of 100 of the 3,000 patients was examined by HHS, 
and it was determined that 15 did not receive a notice. A statistical 
inference from this sample would estimate that 600, or 15 percent of 
all patients of record, did not receive a notice, even though in fact 
only 210 had not received a notice. Under Sec.  160.536, the provider 
could be charged for 600 violations. While, on average, the sampling 
approach would yield the correct estimate of all providers, it would 
not necessarily be correct for any specific provider, which would be 
unfair to the individual providers involved.
    Response: The use of sampling and statistical methods is recognized 
under Fed. R. Evid. 702 and under 42 CFR 1003.133 of the OIG rules, 
upon which the language of this section is based. The respondent may 
challenge whether the estimation offered by the Secretary is based upon 
a valid sample and employs valid statistical methods or may otherwise 
rebut the statistical evidence submitted. In the example cited by the 
comment, the respondent also could rebut the results with evidence that 
the actual number of violations is less than the estimate derived from 
the statistical sample.
    With respect to the concerns regarding the fairness and 
appropriateness of using statistical

[[Page 8421]]

sampling to determine the number of violations, HHS will use sampling 
methods which follow recognized scientific guidelines for statistical 
validity and precision. These methods would be applicable to all types 
of covered entities and will objectively measure the number of 
violations by a covered entity or the number of occurrences of a 
particular aggravating circumstance. Because of the wide range of 
possible violations, however, we cannot at this time present specific 
sampling designs or levels of acceptable precision. However, the 
methodology employed will be documented and made available in the 
statistical sampling study provided with the notice of proposed 
determination.
    Comment: Several comments argued that the use of statistical 
sampling is inappropriate to determine violations of the HIPAA rules. A 
couple of comments argued that, because of the many variables and 
discretionary considerations that can go into determining that a 
violation has occurred, and because many complaints or investigations 
will relate to individual circumstances, using statistical sampling to 
determine the number of violations is not appropriate. Another comment 
gave as an example of this problem Privacy Rule violations involving 
disclosure of protected health information beyond the ``minimum 
necessary;'' it asserted that the number of such violations cannot be 
adequately assessed through a statistical sample. Use of statistical 
sampling in such a case could preclude a covered entity from asserting 
its fact-based affirmative defenses. It was argued that statistical 
sampling is appropriate for use in estimating averages, but is not 
appropriate for determining the number of violations by a specific 
covered entity.
    Response: As noted above, statistical sampling is recognized under 
the Federal Rules of Evidence and other HHS regulations. See, e.g., 42 
CFR 1003.133. The results, if based upon an appropriate sampling and 
computed by valid statistical methods, are only prima facie evidence of 
the number of violations or the existence of factors material to the 
proposed civil money penalty. The respondent may challenge the adequacy 
or size of the sample or the statistical methods employed, and may 
offer other evidence to rebut the results derived through the 
statistical methodology.
    We do not agree that statistical methods are, per se, inappropriate 
for determining the number of violations that have occurred. For 
example, suppose that a health plan with a large volume of electronic 
claims is found to have required providers to include on such claims a 
data element which is not part of the standard. A sample of the claims 
would be selected, and the percentage of claims found to be in 
violation of the standard would be computed from the sample and 
projected to the universe of claims for the year to establish the total 
number of violations of the standard in the calendar year. Of course, 
HHS's statistical methods would have to pass muster, and a respondent 
could challenge the statistical results, on normal statistical grounds, 
e.g., that the sample size was insufficient, that the sample was not 
representative, and so on.
    Comment: Several comments contended that, by allowing statistical 
sampling to be introduced at a hearing, proposed Sec.  160.536 directly 
contradicts the language of Sec.  160.508, which does not allow an ALJ 
to review issues under the Secretary's discretion, which includes 
calculating the number of violations. Other comments stated that, in 
the event that statistical sampling is used by HHS to determine the 
number of violations, it should be subject to ALJ review and that 
insulating it from review would increase the potential for abuse 
exponentially.
    Response: Proposed Sec.  160.508(c) has been revised to permit the 
ALJ to review the Secretary's calculation of the number of violations 
of an identical administrative simplification provision under Sec.  
160.406. If statistical sampling is employed to determine the number of 
violations, the results are subject to challenge before the ALJ.
    Comment: The provision of proposed Sec.  160.536 limiting 
statistical studies to those ``based upon an appropriate sampling and 
computed by valid statistical methods'' was criticized. It was noted 
that no criteria for validity are given, even though the comments by 
the agency specifically acknowledge the danger of extrapolating from 
small sample sizes. It also was argued that the appropriateness and 
validity of such sampling techniques are left to the discretion of the 
Secretary, who will employ criteria known only to the Secretary. It was 
recommended that statistical sampling not be permitted without clearer 
guidelines or more flexibility to challenge the study at an early 
stage, before significant investment of resources.
    Response: By requiring that appropriate sampling and valid 
statistical methods be employed, HHS is mirroring the standard by which 
the reliability of such expert testimony is assessed under Fed. R. 
Evid. 702. If statistical sampling is employed to determine the number 
of violations of an administrative simplification provision in a 
calendar year, such determination is subject to review by the ALJ. With 
respect to a respondent's ability to challenge the study at an earlier 
stage, under Sec.  160.420(a)(2), a copy of the study relied upon will 
be provided to the respondent with the notice of proposed 
determination.
10. Section 160.538--Witnesses
    Proposed rule: Proposed Sec.  160.538 would carry forward unchanged 
Sec.  160.556, as adopted by the April 17, 2003 interim final rule. As 
relevant here, paragraph (b) provides that, at the discretion of the 
ALJ and subject to certain conditions, testimony of witnesses other 
than the testimony of expert witnesses may be admitted in the form of a 
written statement and the ALJ may, at his discretion, admit prior sworn 
testimony of experts that has been subject to adverse examination.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except that the fourth sentence of proposed Sec.  160.538(b) is 
placed before the second sentence of proposed Sec.  160.538(b).
    Comment: One comment stated that it was unclear whether the 
government's statistician could even be required to testify; rather, it 
appeared that the government could rely solely on the expert's prior 
testimony in other cases and/or the expert's report. Because 
depositions are not allowed, this provision must mean that testimony 
from experts in other cases may be used. It was argued that this would 
be prejudicial, because the covered entity will not have had an 
opportunity to subject the testimony to adverse examination and the 
facts of different cases would likely not be identical. Therefore, the 
expert testimony in one case may not be appropriate for use in a 
different case. It was recommended that this section be revised to 
require, at the covered entity's request, the testimony at the hearing 
of the government's statistical expert and prohibit the use of prior 
sworn testimony of experts unless from the specific case at issue.
    Response: HHS expects that its statistical expert will testify at 
the hearing. Moreover, the respondent may move the ALJ to subpoena 
HHS's statistical expert to appear and testify at the hearing. See 
Sec.  160.520.
    Comment: One comment stated that, when Sec. Sec.  160.538 and 
160.516(b) are read together, they would permit an expert's testimony, 
taken under oath in a different case, to be admitted into

[[Page 8422]]

evidence, leaving the respondent with no chance to question the expert.
    Response: We recognize the concern raised, which we believe arises 
out of an inadvertent transposition of a sentence in the text of 
proposed Sec.  160.538(b). We intended that the subsection's text 
mirror that of the OIG regulation at 45 CFR 1005.16(b) by ending with 
the following: ``Any such written statement must be provided to the 
other party, along with the last known address of the witness, in a 
manner that allows sufficient time for the other party to subpoena the 
witness for cross-examination at the hearing. Prior written statements 
of witnesses proposed to testify at the hearing must be exchanged as 
provided in Sec.  160.518.'' We have corrected this error. As the rule 
now reads, the prior sworn testimony of an expert will be treated like 
any other witness's statement that a party proposes to offer in lieu of 
testimony at the hearing: a copy must be provided to the other party 
along with the witness's address in sufficient time to permit such 
other party to subpoena and question that witness at the hearing.
11. Section 160.540--Evidence
    Proposed rule: Proposed Sec.  160.540 would carry forward unchanged 
Sec.  160.558, which was adopted by the April 17, 2003 interim final 
rule. Paragraph (b) of this section provides that the ALJ is not bound 
by the Federal Rules of Evidence, except as provided in the subpart.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment argued that proposed Sec.  160.540(b) should 
be revised. The comment stated that the optional use of the Federal 
Rules of Evidence is insufficient and would not allow entities to know 
what evidence will be admissible at the hearing or what rules of 
evidence will apply. At a minimum, it was argued, the use of hearsay 
should be prohibited except pursuant to the hearsay exceptions of the 
Federal Rules of Evidence.
    Response: The Administrative Procedure Act does not require HHS to 
apply the Federal Rules of Evidence to limit the discretion of ALJs to 
admit evidence at hearings. See 5 U.S.C. 556(d). To be admissible, 
evidence need only be relevant, material, reliable, and probative. 
However, the ALJ may apply the Federal Rules of Evidence, where 
appropriate. Examples of situations where use of the Federal Rules of 
Evidence might be appropriate would include to exclude unreliable 
evidence, to weigh the probative value of evidence against the risks 
attending its admission, to determine whether a Federal privilege 
exists, or to determine whether the evidence relates to an offered 
compromise and settlement, which would be inadmissible under Fed. R. 
Evid. 408.
    Comment: One comment argued that proposed Sec.  160.540(g) should 
be deleted. It was argued that this provision is inconsistent with the 
six-year time limit in Sec.  160.414, in that it permits admission at 
the hearing of ``crimes, wrongs or acts'' without limit as to when they 
may have occurred. The comment stated that acts or other behaviors that 
are not the subject of civil money penalties are not relevant factors 
in determining the penalties that should be imposed, nor are they proof 
that the prohibited activity occurred. The Secretary is not required in 
a civil administrative proceeding to prove intent or mens rea.
    Response: We believe that evidence of prior bad acts, admitted for 
the purposes listed (which are consistent with Fed. R. Evid. 404(b)) 
may be relevant and material in particular cases and, thus, should not 
be categorically excluded, as suggested. For instance, such evidence 
may be relevant and material to proving a covered entity's knowledge of 
the violation or aggravating circumstances affecting the amount of the 
civil money penalty imposed. In the latter case, for example, the 
evidence would be admitted to prove the aggravating circumstances and 
not the actual violations at issue; thus, the statute of limitations 
would not apply with respect to the bad acts. (We note, however, that 
prior bad acts unrelated to the covered entity's compliance with the 
HIPAA provisions or rules would not be admissible to prove aggravating 
circumstances under Sec.  160.408(d).) Comment: Another comment argued 
that proposed Sec.  160.540(g) should be deleted, but if retained, such 
evidence should be reviewable under the other criteria for 
admissibility of proposed Sec.  160.540, and HHS should be required to 
provide advance notice of its intent to present such evidence.
    Response: Evidence of prior bad acts would be subject to the same 
criteria for admissibility as other evidence offered at the hearing--
for instance, whether the probative value of such evidence is 
substantially outweighed by its potential for prejudice. Such evidence 
is also subject to the rules regarding notice that apply to other 
evidence; see, e.g., Sec. Sec.  160.420(a)(5), 160.516, and 160.518.
12. Section 160.542--The Record
    Proposed rule: This section would carry forward unchanged Sec.  
160.560, adopted by the April 17, 2003 interim final rule. Since the 
section provides that the record of the proceedings be transcribed, we 
proposed to add to paragraph (a) of this section a requirement that the 
cost of transcription of the record be borne equally by the parties, in 
the interest of fairness.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except that paragraph (a) is revised to clarify that if a party 
requests a copy of the transcript of the hearing proceedings it must 
pay the cost of such transcript, unless such payment is waived by the 
ALJ or the Board for good cause shown.
    Comment: One comment recommended that this fee be assessed at the 
end of the investigation and assumed by the responsible party based on 
the outcome of the investigation. Another comment requested that HHS 
bear the cost of the court reporter's appearance (as opposed to the 
cost of copies).
    Response: We acknowledge that the language of proposed paragraph 
(a) suggested that there is a fee or cost for a court reporter's 
appearance, in addition to the cost of obtaining a copy of the 
transcript of the hearing proceedings. As there is no such additional 
cost, we have revised paragraph (a) to state that a party that requests 
a copy of the transcript of hearing is required to pay the cost of 
preparing such transcript. We have also added a provision that will 
permit the ALJ or the Board, for good cause shown, to waive the cost of 
obtaining the transcript.
13. Section 160.546--ALJ Decision
    Proposed rule: The proposed rule proposed that the ALJ decision 
would be the initial decision of the Secretary, rather than the final 
decision of the Secretary as set forth in Sec.  160.564(d) of the April 
17, 2003 interim final rule. Thus, we proposed to revise paragraph (d) 
to provide that the decision of the ALJ will be final and binding on 
the parties 60 days from the date of service of the ALJ decision, 
unless it is timely appealed by either party.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment requested that the section be revised to 
provide that the ALJ could not increase a penalty beyond the statutory 
cap of section 1176(a)(1).
    Response: The ALJ is bound by both the statute and the regulations, 
which both explicitly address this issue. Section 1176(a)(1) states 
that ``the total amount imposed on the person for all violations of an 
identical requirement or prohibition during a calendar year may not 
exceed $25,000.'' Section

[[Page 8423]]

160.404(b)(1)(ii) states that the Secretary may not impose a civil 
money penalty in excess of $25,000 for identical violations during a 
calendar year.
    In light of these explicit provisions, we do not agree that the 
suggested change is necessary.
14. Section 160.548--Appeal of the ALJ Decision
    Proposed rule: Proposed Sec.  160.548 would provide that any party 
may appeal the initial decision of the ALJ to the Board within 30 days 
of the date of service of the ALJ initial decision, unless extended for 
good cause. The appealing party must file a written brief specifying 
its exceptions to the initial decision. The opposing party may file an 
opposition brief, which is limited to the exceptions raised in the 
brief accompanying notice of appeal and any relevant issues not 
addressed in said exceptions and must be filed within 30 days of 
receiving the appealing party's notice of appeal and brief. The 
appealing party may, if permitted by the Board, file a reply brief. 
These briefs may be the only means that the parties will have to 
present their case to the Board, since there is no right to appear 
personally before the Board. The proposed rule provided that if a party 
demonstrates that additional evidence is material and relevant and 
there are reasonable grounds why such evidence was not introduced at 
the ALJ hearing, the Board may remand the case to the ALJ for 
consideration of the additional evidence. In an appeal to the Board, 
the standard of review on a disputed issue of fact would be whether the 
ALJ's initial decision is supported by substantial evidence on the 
record as a whole; on a disputed issue of law, the standard of review 
is whether the ALJ's initial decision is erroneous. The Board could 
decline review, affirm, increase, reduce, or reverse any penalty, or 
remand a penalty determination to the ALJ.
    Under proposed Sec.  160.548(i), the Board must serve its decision 
on the parties within 60 days after final briefs are filed. The 
decision of the Board becomes the final decision of the Secretary 60 
days after service of the decision, except where the decision is to 
remand to the ALJ or a party requests reconsideration before the 
decision becomes final. Proposed Sec.  160.548(j) provides that a party 
may request reconsideration of the Board's decision, provides a 
reconsideration process, and provides that the Board's reconsideration 
decision becomes final on service. The decision of the Board 
constitutes the final decision of the Secretary from which a petition 
for judicial review may be filed by a respondent aggrieved by the 
Board's decision. Proposed Sec.  160.548(k) provides for a petition for 
judicial review of a final decision of the Secretary.
    Final rule: The final rule adopts the provisions of the proposed 
rule, except that paragraph (e) is revised to make it consistent with 
the revision to Sec.  160.504(c). The revision would permit the Board 
to consider an affirmative defense under Sec.  160.410(b)(1) that is 
raised for the first time before the Board. Thus, under paragraph (f) 
of this section, the Board could, but would not be required to, remand 
the case to the ALJ for consideration of any evidence adduced with 
respect to such defense.
    Comment: One comment was received on this section. It requested 
that the section be revised to provide that the Board could not 
increase a penalty beyond the statutory cap of section 1176(a)(1).
    Response: We do not agree that such a provision is necessary, for 
the reasons discussed in the preceding section.
15. Section 160.552--Harmless Error
    Proposed rule: Proposed Sec.  160.552 proposed to adopt the 
``harmless error'' rule that applies to civil litigation in Federal 
courts. The provision would provide, in general, that the ALJ and the 
Board at every stage of the proceeding will disregard any error or 
defect in the proceeding that does not affect the substantial rights of 
the parties.
    Final rule: The final rule adopts the provisions of the proposed 
rule.
    Comment: One comment asked for further guidance on, and 
clarification of, this provision. Another comment stated that the 
provision was far too broad, particularly given the limited discovery 
available to covered entities. Concern was expressed that the rule 
would severely limit a covered entity's ability to appeal an adverse 
ruling.
    Response: The proposed rule was modeled after Fed. R. Civ. P. 61 
and 42 CFR 1005.23 of the OIG regulations. It is a common provision in 
procedural rules that govern civil and administrative adjudications and 
is intended to promote efficiency in the resolution of disputes. If a 
respondent seeks an appeal because of an error that affects the party's 
substantive rights or the case's outcome, this section would not be 
applicable. Thus, we do not agree that it would severely limit a 
covered entity's ability to appeal an adverse ruling, and we adopt the 
section as proposed.

IV. Impact Statement and Other Required Analyses

    Comment: Only one comment was received on the impact and other 
required analyses of the proposed rule (see 70 FR 20247-49). The 
comment asserted that HHS was declaring itself exempt from complying 
with the Paperwork Reduction Act, the Regulatory Flexibility Act, the 
Unfunded Mandates Reform Act of 1995, the Small Business Regulatory 
Enforcement and Fairness Act, and Executive Order 13132, and that an 
effort to compute vigorously the range of potential effects is needed 
to assure agency accountability.
    Response: The comment misstates the position HHS took in the 
proposed rules concerning these laws. HHS does not consider itself, or 
the Enforcement Rule, exempt from these laws. However, each of these 
laws covers only certain types of rules and agency actions. For the 
reasons stated in the proposed rule and summarized below, those laws do 
not apply to the particular actions taken with respect to this rule. 
The comment provides no substantive grounds for altering our prior 
conclusions with respect to these laws.

A. Paperwork Reduction Act

    We reviewed this final rule to determine whether it raises issues 
that would subject it to the Paperwork Reduction Act (PRA). Since the 
final rule comes within the exemption of 5 CFR 1320.4(a), as it deals 
entirely with administrative investigations and actions against 
specific individuals or entities, it need not be reviewed by the Office 
of Management and Budget under the authority of the PRA.

B. Executive Order 12866; Regulatory Flexibility Act; Unfunded Mandates 
Reform Act of 1995; Small Business Regulatory Enforcement Fairness Act 
of 1996; Executive Order 13132

    We have examined the impacts of this final rule as required by 
Executive Order 12866 (September 1993, Regulatory Planning and Review), 
the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-
354), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), the 
Small Business Regulatory Enforcement and Fairness Act, 5 U.S.C. 801, 
et seq., and Executive Order 13132.
1. Executive Order 12866
    Executive Order 12866 (as amended by Executive Order 13258, which 
merely reassigns responsibility of duties) directs agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is

[[Page 8424]]

necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects, distributive impacts, and equity). Executive Order 12866 
defines, at section 3(f), several categories of ``significant 
regulatory actions.'' One category is ``economically significant'' 
rules, which are defined in section 3(f)(1) of the Order as rules that 
may ``have an annual effect on the economy of $100 million or more, or 
adversely affect in a material way the economy, productivity, 
competition, jobs, the environment, public health or safety, or State, 
local, or tribal governments or communities.'' Another category, under 
section 3(f)(4) of the Order, consists of rules that are ``significant 
regulatory actions'' because they ``raise novel legal or policy issues 
arising out of legal mandates, the President's priorities, or the 
principles set forth in this Executive Order.'' Executive Order 12866 
requires a full economic impact analysis only for ``economically 
significant'' rules under section 3(f)(1). For the reasons stated at 70 
FR 20248-49, we have concluded that this rule should be treated as a 
``significant regulatory action'' within the meaning of section 3(f)(4) 
of Executive Order 12866, but that the impact of this rule is not such 
that it reaches the economically significant threshold under section 
3(f)(1) of the Order.
    We note, with regard to our prior analysis, that our ongoing 
experiences with HIPAA complaints bears out our experience to July 
2004, which was discussed at 70 FR 20248. As of October 31, 2005, OCR 
had received and initiated review of over 16,000 complaints and had 
closed 68 percent of the complaints; at the same time, CMS had received 
and initiated review of 413 complaints and closed 67 percent of the 
complaints. Thus, we continue to be of the view that the costs 
attributable to the provisions of this rule will, in most cases that 
are opened, be low. We likewise continue to believe, for the reasons 
stated at 70 FR 20249, that the value of the benefits brought by the 
HIPAA provisions are sufficient to warrant appropriate enforcement 
efforts and that the benefits of these protections far outweigh the 
costs of this enforcement regulation.
    Thus, in most cases, if covered entities comply with the various 
HIPAA rules, they should not incur any significant additional costs as 
a result of the Enforcement Rule. This is based on the fact the costs 
intrinsic to most of the HIPAA rules and operating directions against 
which compliance is evaluated have been scored independently of this 
rule, and those requirements are not changed by this rule. We recognize 
that the specific requirements against which compliance is evaluated 
are not yet well known and may evolve with experience under HIPAA, but 
we expect that covered entities have both the ability and expectation 
to maintain compliance, especially given our commitment to encouraging 
and facilitating voluntary compliance. While not straightforward to 
project, it seems likely that the number of times in which the full 
civil money penalty enforcement process will be invoked will be 
extremely small, based on the evidence to date.
2. Other Analyses
    We also examined the impact of this rule as required by the 
Regulatory Flexibility Act (RFA). The RFA requires agencies to 
determine whether a rule will have a significant economic impact on a 
substantial number of small entities. For purposes of the RFA, small 
entities include small businesses, nonprofit organizations, and 
government jurisdictions; for health care entities, the size standard 
for a ``small'' entity ranges from $6 million to $29 million in 
revenues in any one year. For the reasons discussed at 70 FR 20249, the 
Secretary certifies that this rule will not have a significant economic 
impact on a substantial number of small entities.
    Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 
1531 et seq., also requires that agencies assess anticipated costs and 
benefits before issuing any rule that may result in expenditure in any 
one year by State, local, or tribal governments, in the aggregate, or 
by the private sector, of $100 million, adjusted for inflation. The 
Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 
U.S.C. 801, et seq., requires that rules that will have an impact on 
the economy of $100 million or more per annum be submitted for 
Congressional review. For the reasons discussed above and at 70 FR 
20248-49, this rule will not impose a burden large enough to require a 
section 202 statement under the Unfunded Mandates Reform Act of 1995 or 
Congressional review under SBREFA.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it adopts a final rule that imposes substantial 
direct requirement costs on State and local governments, preempts State 
law, or otherwise has Federalism implications. This final rule does not 
have ``Federalism implications, `` as it will not have ``substantial 
direct effects on the States, on the relationship between the national 
government and the States, or on the distribution of power and 
responsibilities among the various levels of government,'' nor, for the 
reasons previously explained, will it have substantial economic effects 
would not be substantial, while any preemption of State law that could 
occur would be a function of the underlying HIPAA rules, not this rule. 
Therefore, the Enforcement Rule is not subject to Executive Order 13132 
(Federalism).

    Dated: December 20, 2005.
Michael O. Leavitt,
Secretary.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic transactions, Employer benefit plan, Health, Health care, 
Health facilities, Health insurance, Health records, Hospitals, 
Investigations, Medicaid, Medical research, Medicare, Penalties, 
Privacy, Reporting and record keeping requirements, Security.

45 CFR Part 164

    Administrative practice and procedure, Electronic information 
system, Electronic transactions, Employer benefit plan, Health, Health 
care, Health facilities, Health Insurance, Health records, Hospitals, 
Medicaid, Medical research, Medicare, Privacy, Reporting and record 
keeping requirements, Security.

0
For the reasons set forth in the preamble, the Department of Health and 
Human Services amends 45 CFR subtitle A, subchapter C, parts 160 and 
164, as set forth below.

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

0
1. The authority citation for part 160 is revised to read as follows:

    Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d--1320d-8, sec. 264 
of Pub. L.104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)), 
and 5 U.S.C. 552.


0
2. Add to Sec.  160.103 in alphabetical order the definition of 
``Person'' to read as follows:


Sec.  160.103  Definitions.

* * * * *
    ``Person'' means a natural person, trust or estate, partnership, 
corporation, professional association or corporation, or other entity, 
public or private.
* * * * *

0
3. Revise subpart C to read as follows:

[[Page 8425]]

Subpart C--Compliance and Investigations

Sec.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance 
reviews.
160.314 Investigational subpoenas and inquiries.
160.316 Refraining from intimidation or retaliation.


Sec.  160.300  Applicability.

    This subpart applies to actions by the Secretary, covered entities, 
and others with respect to ascertaining the compliance by covered 
entities with, and the enforcement of, the applicable provisions of 
this part 160 and parts 162 and 164 of this subchapter.


Sec.  160.302  Definitions.

    As used in this subpart and subparts D and E of this part, the 
following terms have the following meanings:
    Administrative simplification provision means any requirement or 
prohibition established by:
    (1) 42 U.S.C. 1320d--1320d-4, 1320d-7, and 1320d-8;
    (2) Section 264 of Pub. L. 104-191; or
    (3) This subchapter.
    ALJ means Administrative Law Judge.
    Civil money penalty or penalty means the amount determined under 
Sec.  160.404 of this part and includes the plural of these terms.
    Respondent means a covered entity upon which the Secretary has 
imposed, or proposes to impose, a civil money penalty.
    Violation or violate means, as the context may require, failure to 
comply with an administrative simplification provision.


Sec.  160.304  Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable, 
seek the cooperation of covered entities in obtaining compliance with 
the applicable administrative simplification provisions.
    (b) Assistance. The Secretary may provide technical assistance to 
covered entities to help them comply voluntarily with the applicable 
administrative simplification provisions.


Sec.  160.306  Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes a covered 
entity is not complying with the administrative simplification 
provisions may file a complaint with the Secretary.
    (b) Requirements for filing complaints. Complaints under this 
section must meet the following requirements:
    (1) A complaint must be filed in writing, either on paper or 
electronically.
    (2) A complaint must name the person that is the subject of the 
complaint and describe the acts or omissions believed to be in 
violation of the applicable administrative simplification provision(s).
    (3) A complaint must be filed within 180 days of when the 
complainant knew or should have known that the act or omission 
complained of occurred, unless this time limit is waived by the 
Secretary for good cause shown.
    (4) The Secretary may prescribe additional procedures for the 
filing of complaints, as well as the place and manner of filing, by 
notice in the Federal Register.
    (c) Investigation. The Secretary may investigate complaints filed 
under this section. Such investigation may include a review of the 
pertinent policies, procedures, or practices of the covered entity and 
of the circumstances regarding any alleged violation. At the time of 
initial written communication with the covered entity about the 
complaint, the Secretary will describe the act(s) and/or omission(s) 
that are the basis of the complaint.


Sec.  160.308  Compliance reviews.

    The Secretary may conduct compliance reviews to determine whether 
covered entities are complying with the applicable administrative 
simplification provisions.


Sec.  160.310  Responsibilities of covered entities.

    (a) Provide records and compliance reports. A covered entity must 
keep such records and submit such compliance reports, in such time and 
manner and containing such information, as the Secretary may determine 
to be necessary to enable the Secretary to ascertain whether the 
covered entity has complied or is complying with the applicable 
administrative simplification provisions.
    (b) Cooperate with complaint investigations and compliance reviews. 
A covered entity must cooperate with the Secretary, if the Secretary 
undertakes an investigation or compliance review of the policies, 
procedures, or practices of the covered entity to determine whether it 
is complying with the applicable administrative simplification 
provisions.
    (c) Permit access to information. (1) A covered entity must permit 
access by the Secretary during normal business hours to its facilities, 
books, records, accounts, and other sources of information, including 
protected health information, that are pertinent to ascertaining 
compliance with the applicable administrative simplification 
provisions. If the Secretary determines that exigent circumstances 
exist, such as when documents may be hidden or destroyed, a covered 
entity must permit access by the Secretary at any time and without 
notice.
    (2) If any information required of a covered entity under this 
section is in the exclusive possession of any other agency, 
institution, or person and the other agency, institution, or person 
fails or refuses to furnish the information, the covered entity must so 
certify and set forth what efforts it has made to obtain the 
information.
    (3) Protected health information obtained by the Secretary in 
connection with an investigation or compliance review under this 
subpart will not be disclosed by the Secretary, except if necessary for 
ascertaining or enforcing compliance with the applicable administrative 
simplification provisions, or if otherwise required by law.


Sec.  160.312  Secretarial action regarding complaints and compliance 
reviews.

    (a) Resolution when noncompliance is indicated. (1) If an 
investigation of a complaint pursuant to Sec.  160.306 or a compliance 
review pursuant to Sec.  160.308 indicates noncompliance, the Secretary 
will attempt to reach a resolution of the matter satisfactory to the 
Secretary by informal means. Informal means may include demonstrated 
compliance or a completed corrective action plan or other agreement.
    (2) If the matter is resolved by informal means, the Secretary will 
so inform the covered entity and, if the matter arose from a complaint, 
the complainant, in writing.
    (3) If the matter is not resolved by informal means, the Secretary 
will--
    (i) So inform the covered entity and provide the covered entity an 
opportunity to submit written evidence of any mitigating factors or 
affirmative defenses for consideration under Sec. Sec.  160.408 and 
160.410 of this part. The covered entity must submit any such evidence 
to the Secretary within 30 days (computed in the same manner as 
prescribed under Sec.  160.526 of this part) of receipt of such 
notification; and
    (ii) If, following action pursuant to paragraph (a)(3)(i) of this 
section, the

[[Page 8426]]

Secretary finds that a civil money penalty should be imposed, inform 
the covered entity of such finding in a notice of proposed 
determination in accordance with Sec.  160.420 of this part.
    (b) Resolution when no violation is found. If, after an 
investigation pursuant to Sec.  160.306 or a compliance review pursuant 
to Sec.  160.308, the Secretary determines that further action is not 
warranted, the Secretary will so inform the covered entity and, if the 
matter arose from a complaint, the complainant, in writing.


Sec.  160.314  Investigational subpoenas and inquiries.

    (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 
405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and 
testimony of witnesses and the production of any other evidence during 
an investigation or compliance review pursuant to this part. For 
purposes of this paragraph, a person other than a natural person is 
termed an ``entity.''
    (1) A subpoena issued under this paragraph must--
    (i) State the name of the person (including the entity, if 
applicable) to whom the subpoena is addressed;
    (ii) State the statutory authority for the subpoena;
    (iii) Indicate the date, time, and place that the testimony will 
take place;
    (iv) Include a reasonably specific description of any documents or 
items required to be produced; and
    (v) If the subpoena is addressed to an entity, describe with 
reasonable particularity the subject matter on which testimony is 
required. In that event, the entity must designate one or more natural 
persons who will testify on its behalf, and must state as to each such 
person that person's name and address and the matters on which he or 
she will testify. The designated person must testify as to matters 
known or reasonably available to the entity.
    (2) A subpoena under this section must be served by--
    (i) Delivering a copy to the natural person named in the subpoena 
or to the entity named in the subpoena at its last principal place of 
business; or
    (ii) Registered or certified mail addressed to the natural person 
at his or her last known dwelling place or to the entity at its last 
known principal place of business.
    (3) A verified return by the natural person serving the subpoena 
setting forth the manner of service or, in the case of service by 
registered or certified mail, the signed return post office receipt, 
constitutes proof of service.
    (4) Witnesses are entitled to the same fees and mileage as 
witnesses in the district courts of the United States (28 U.S.C. 1821 
and 1825). Fees need not be paid at the time the subpoena is served.
    (5) A subpoena under this section is enforceable through the 
district court of the United States for the district where the 
subpoenaed natural person resides or is found or where the entity 
transacts business.
    (b) Investigational inquiries are non-public investigational 
proceedings conducted by the Secretary.
    (1) Testimony at investigational inquiries will be taken under oath 
or affirmation.
    (2) Attendance of non-witnesses is discretionary with the 
Secretary, except that a witness is entitled to be accompanied, 
represented, and advised by an attorney.
    (3) Representatives of the Secretary are entitled to attend and ask 
questions.
    (4) A witness will have the opportunity to clarify his or her 
answers on the record following questioning by the Secretary.
    (5) Any claim of privilege must be asserted by the witness on the 
record.
    (6) Objections must be asserted on the record. Errors of any kind 
that might be corrected if promptly presented will be deemed to be 
waived unless reasonable objection is made at the investigational 
inquiry. Except where the objection is on the grounds of privilege, the 
question will be answered on the record, subject to objection.
    (7) If a witness refuses to answer any question not privileged or 
to produce requested documents or items, or engages in conduct likely 
to delay or obstruct the investigational inquiry, the Secretary may 
seek enforcement of the subpoena under paragraph (a)(5) of this 
section.
    (8) The proceedings will be recorded and transcribed. The witness 
is entitled to a copy of the transcript, upon payment of prescribed 
costs, except that, for good cause, the witness may be limited to 
inspection of the official transcript of his or her testimony.
    (9)(i) The transcript will be submitted to the witness for 
signature.
    (A) Where the witness will be provided a copy of the transcript, 
the transcript will be submitted to the witness for signature. The 
witness may submit to the Secretary written proposed corrections to the 
transcript, with such corrections attached to the transcript. If the 
witness does not return a signed copy of the transcript or proposed 
corrections within 30 days (computed in the same manner as prescribed 
under Sec.  160.526 of this part) of its being submitted to him or her 
for signature, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (B) Where, as provided in paragraph (b)(8) of this section, the 
witness is limited to inspecting the transcript, the witness will have 
the opportunity at the time of inspection to propose corrections to the 
transcript, with corrections attached to the transcript. The witness 
will also have the opportunity to sign the transcript. If the witness 
does not sign the transcript or offer corrections within 30 days 
(computed in the same manner as prescribed under Sec.  160.526 of this 
part) of receipt of notice of the opportunity to inspect the 
transcript, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (ii) The Secretary's proposed corrections to the record of 
transcript will be attached to the transcript.
    (c) Consistent with Sec.  160.310(c)(3), testimony and other 
evidence obtained in an investigational inquiry may be used by HHS in 
any of its activities and may be used or offered into evidence in any 
administrative or judicial proceeding.


Sec.  160.316  Refraining from intimidation or retaliation.

    A covered entity may not threaten, intimidate, coerce, harass, 
discriminate against, or take any other retaliatory action against any 
individual or other person for--
    (a) Filing of a complaint under Sec.  160.306;
    (b) Testifying, assisting, or participating in an investigation, 
compliance review, proceeding, or hearing under this part; or
    (c) Opposing any act or practice made unlawful by this subchapter, 
provided the individual or person has a good faith belief that the 
practice opposed is unlawful, and the manner of opposition is 
reasonable and does not involve a disclosure of protected health 
information in violation of subpart E of part 164 of this subchapter.

0
4. Add a new subpart D to read as follows:

Subpart D--Imposition of Civil Money Penalties

160.400 Applicability.
160.402 Basis for a civil money penalty.
160.404 Amount of a civil money penalty.
160.406 Violations of an identical requirement or prohibition.
160.408 Factors considered in determining the amount of a civil 
money penalty.
160.410 Affirmative defenses.
160.412 Waiver.
160.414 Limitations.
160.416 Authority to settle.
160.418 Penalty not exclusive.

[[Page 8427]]

160.420 Notice of proposed determination.
160.422 Failure to request a hearing.
160.424 Collection of penalty.
160.426 Notification of the public and other agencies.


Sec.  160.400  Applicability.

    This subpart applies to the imposition of a civil money penalty by 
the Secretary under 42 U.S.C. 1320d-5.


Sec.  160.402  Basis for a civil money penalty.

    (a) General rule. Subject to Sec.  160.410, the Secretary will 
impose a civil money penalty upon a covered entity if the Secretary 
determines that the covered entity has violated an administrative 
simplification provision.
    (b) Violation by more than one covered entity. (1) Except as 
provided in paragraph (b)(2) of this section, if the Secretary 
determines that more than one covered entity was responsible for a 
violation, the Secretary will impose a civil money penalty against each 
such covered entity.
    (2) A covered entity that is a member of an affiliated covered 
entity, in accordance with Sec.  164.105(b) of this subchapter, is 
jointly and severally liable for a civil money penalty for a violation 
of part 164 of this subchapter based on an act or omission of the 
affiliated covered entity, unless it is established that another member 
of the affiliated covered entity was responsible for the violation.
    (c) Violation attributed to a covered entity. A covered entity is 
liable, in accordance with the federal common law of agency, for a 
civil money penalty for a violation based on the act or omission of any 
agent of the covered entity, including a workforce member, acting 
within the scope of the agency, unless--
    (1) The agent is a business associate of the covered entity;
    (2) The covered entity has complied, with respect to such business 
associate, with the applicable requirements of Sec. Sec.  164.308(b) 
and 164.502(e) of this subchapter; and
    (3) The covered entity did not--
    (i) Know of a pattern of activity or practice of the business 
associate, and
    (ii) Fail to act as required by Sec. Sec.  164.314(a)(1)(ii) and 
164.504(e)(1)(ii) of this subchapter, as applicable.


Sec.  160.404  Amount of a civil money penalty.

    (a) The amount of a civil money penalty will be determined in 
accordance with paragraph (b) of this section and Sec. Sec.  160.406, 
160.408, and 160.412.
    (b) The amount of a civil money penalty that may be imposed is 
subject to the following limitations:
    (1) The Secretary may not impose a civil money penalty--
    (i) In the amount of more than $100 for each violation; or
    (ii) In excess of $25,000 for identical violations during a 
calendar year (January 1 through the following December 31).
    (2) If a requirement or prohibition in one administrative 
simplification provision is repeated in a more general form in another 
administrative simplification provision in the same subpart, a civil 
money penalty may be imposed for a violation of only one of these 
administrative simplification provisions.


Sec.  160.406  Violations of an identical requirement or prohibition.

    The Secretary will determine the number of violations of an 
administrative simplification provision based on the nature of the 
covered entity's obligation to act or not act under the provision that 
is violated, such as its obligation to act in a certain manner, or 
within a certain time, or to act or not act with respect to certain 
persons. In the case of continuing violation of a provision, a separate 
violation occurs each day the covered entity is in violation of the 
provision.


Sec.  160.408  Factors considered in determining the amount of a civil 
money penalty.

    In determining the amount of any civil money penalty, the Secretary 
may consider as aggravating or mitigating factors, as appropriate, any 
of the following:
    (a) The nature of the violation, in light of the purpose of the 
rule violated.
    (b) The circumstances, including the consequences, of the 
violation, including but not limited to:
    (1) The time period during which the violation(s) occurred;
    (2) Whether the violation caused physical harm;
    (3) Whether the violation hindered or facilitated an individual's 
ability to obtain health care; and
    (4) Whether the violation resulted in financial harm.
    (c) The degree of culpability of the covered entity, including but 
not limited to:
    (1) Whether the violation was intentional; and
    (2) Whether the violation was beyond the direct control of the 
covered entity.
    (d) Any history of prior compliance with the administrative 
simplification provisions, including violations, by the covered entity, 
including but not limited to:
    (1) Whether the current violation is the same or similar to prior 
violation(s);
    (2) Whether and to what extent the covered entity has attempted to 
correct previous violations;
    (3) How the covered entity has responded to technical assistance 
from the Secretary provided in the context of a compliance effort; and
    (4) How the covered entity has responded to prior complaints.
    (e) The financial condition of the covered entity, including but 
not limited to:
    (1) Whether the covered entity had financial difficulties that 
affected its ability to comply;
    (2) Whether the imposition of a civil money penalty would 
jeopardize the ability of the covered entity to continue to provide, or 
to pay for, health care; and
    (3) The size of the covered entity.
    (f) Such other matters as justice may require.


Sec.  160.410  Affirmative defenses.

    (a) As used in this section, the following terms have the following 
meanings:
    Reasonable cause means circumstances that would make it 
unreasonable for the covered entity, despite the exercise of ordinary 
business care and prudence, to comply with the administrative 
simplification provision violated.
    Reasonable diligence means the business care and prudence expected 
from a person seeking to satisfy a legal requirement under similar 
circumstances.
    Willful neglect means conscious, intentional failure or reckless 
indifference to the obligation to comply with the administrative 
simplification provision violated.
    (b) The Secretary may not impose a civil money penalty on a covered 
entity for a violation if the covered entity establishes that an 
affirmative defense exists with respect to the violation, including the 
following:
    (1) The violation is an act punishable under 42 U.S.C. 1320d-6;
    (2) The covered entity establishes, to the satisfaction of the 
Secretary, that it did not have knowledge of the violation, determined 
in accordance with the federal common law of agency, and, by exercising 
reasonable diligence, would not have known that the violation occurred; 
or
    (3) The violation is--
    (i) Due to reasonable cause and not willful neglect; and
    (ii) Corrected during either:
    (A) The 30-day period beginning on the date the covered entity 
liable for the penalty knew, or by exercising reasonable diligence 
would have known, that the violation occurred; or

[[Page 8428]]

    (B) Such additional period as the Secretary determines to be 
appropriate based on the nature and extent of the failure to comply.


Sec.  160.412  Waiver.

    For violations described in Sec.  160.410(b)(3)(i) that are not 
corrected within the period described in Sec.  160.410(b)(3)(ii), the 
Secretary may waive the civil money penalty, in whole or in part, to 
the extent that payment of the penalty would be excessive relative to 
the violation.


Sec.  160.414  Limitations.

    No action under this subpart may be entertained unless commenced by 
the Secretary, in accordance with Sec.  160.420, within 6 years from 
the date of the occurrence of the violation.


Sec.  160.416  Authority to settle.

    Nothing in this subpart limits the authority of the Secretary to 
settle any issue or case or to compromise any penalty.


Sec.  160.418  Penalty not exclusive.

    Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1), a penalty 
imposed under this part is in addition to any other penalty prescribed 
by law.


Sec.  160.420  Notice of proposed determination.

    (a) If a penalty is proposed in accordance with this part, the 
Secretary must deliver, or send by certified mail with return receipt 
requested, to the respondent, written notice of the Secretary's intent 
to impose a penalty. This notice of proposed determination must 
include--
    (1) Reference to the statutory basis for the penalty;
    (2) A description of the findings of fact regarding the violations 
with respect to which the penalty is proposed (except that, in any case 
where the Secretary is relying upon a statistical sampling study in 
accordance with Sec.  160.536 of this part, the notice must provide a 
copy of the study relied upon by the Secretary);
    (3) The reason(s) why the violation(s) subject(s) the respondent to 
a penalty;
    (4) The amount of the proposed penalty;
    (5) Any circumstances described in Sec.  160.408 that were 
considered in determining the amount of the proposed penalty; and
    (6) Instructions for responding to the notice, including a 
statement of the respondent's right to a hearing, a statement that 
failure to request a hearing within 90 days permits the imposition of 
the proposed penalty without the right to a hearing under Sec.  160.504 
or a right of appeal under Sec.  160.548 of this part, and the address 
to which the hearing request must be sent.
    (b) The respondent may request a hearing before an ALJ on the 
proposed penalty by filing a request in accordance with Sec.  160.504 
of this part.


Sec.  160.422  Failure to request a hearing.

    If the respondent does not request a hearing within the time 
prescribed by Sec.  160.504 of this part and the matter is not settled 
pursuant to Sec.  160.416, the Secretary will impose the proposed 
penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5. The 
Secretary will notify the respondent by certified mail, return receipt 
requested, of any penalty that has been imposed and of the means by 
which the respondent may satisfy the penalty, and the penalty is final 
on receipt of the notice. The respondent has no right to appeal a 
penalty under Sec.  160.548 of this part with respect to which the 
respondent has not timely requested a hearing.


Sec.  160.424  Collection of penalty.

    (a) Once a determination of the Secretary to impose a penalty has 
become final, the penalty will be collected by the Secretary, subject 
to the first sentence of 42 U.S.C. 1320a-7a(f).
    (b) The penalty may be recovered in a civil action brought in the 
United States district court for the district where the respondent 
resides, is found, or is located.
    (c) The amount of a penalty, when finally determined, or the amount 
agreed upon in compromise, may be deducted from any sum then or later 
owing by the United States, or by a State agency, to the respondent.
    (d) Matters that were raised or that could have been raised in a 
hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may 
not be raised as a defense in a civil action by the United States to 
collect a penalty under this part.


Sec.  160.426  Notification of the public and other agencies.

    Whenever a proposed penalty becomes final, the Secretary will 
notify, in such manner as the Secretary deems appropriate, the public 
and the following organizations and entities thereof and the reason it 
was imposed: the appropriate State or local medical or professional 
organization, the appropriate State agency or agencies administering or 
supervising the administration of State health care programs (as 
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and 
quality control peer review organization, and the appropriate State or 
local licensing agency or organization (including the agency specified 
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

0
5. Revise subpart E of this part to read as follows:

Subpart E--Procedures for Hearings

Sec.
160.500 Applicability.
160.502 Definitions.
160.504 Hearing before an ALJ.
160.506 Rights of the parties.
160.508 Authority of the ALJ.
160.510 Ex parte contacts.
160.512 Prehearing conferences.
160.514 Authority to settle.
160.516 Discovery.
160.518 Exchange of witness lists, witness statements, and exhibits.
160.520 Subpoenas for attendance at hearing.
160.522 Fees.
160.524 Form, filing, and service of papers.
160.526 Computation of time.
160.528 Motions.
160.530 Sanctions.
160.532 Collateral estoppel.
160.534 The hearing.
160.536 Statistical sampling.
160.538 Witnesses.
160.540 Evidence.
160.542 The record.
160.544 Post hearing briefs.
160.546 ALJ's decision.
160.548 Appeal of the ALJ's decision.
160.550 Stay of the Secretary's decision.
160.552 Harmless error.


Sec.  160.500  Applicability.

    This subpart applies to hearings conducted relating to the 
imposition of a civil money penalty by the Secretary under 42 U.S.C. 
1320d-5.


Sec.  160.502  Definitions.

    As used in this subpart, the following term has the following 
meaning:
    Board means the members of the HHS Departmental Appeals Board, in 
the Office of the Secretary, who issue decisions in panels of three.


Sec.  160.504  Hearing before an ALJ.

    (a) A respondent may request a hearing before an ALJ. The parties 
to the hearing proceeding consist of--
    (1) The respondent; and
    (2) The officer(s) or employee(s) of HHS to whom the enforcement 
authority involved has been delegated.
    (b) The request for a hearing must be made in writing signed by the 
respondent or by the respondent's attorney and sent by certified mail, 
return receipt requested, to the address specified in the notice of 
proposed determination. The request for a hearing must be mailed within 
90 days after notice of the proposed determination is received by the 
respondent. For purposes of this section, the

[[Page 8429]]

respondent's date of receipt of the notice of proposed determination is 
presumed to be 5 days after the date of the notice unless the 
respondent makes a reasonable showing to the contrary to the ALJ.
    (c) The request for a hearing must clearly and directly admit, 
deny, or explain each of the findings of fact contained in the notice 
of proposed determination with regard to which the respondent has any 
knowledge. If the respondent has no knowledge of a particular finding 
of fact and so states, the finding shall be deemed denied. The request 
for a hearing must also state the circumstances or arguments that the 
respondent alleges constitute the grounds for any defense and the 
factual and legal basis for opposing the penalty, except that a 
respondent may raise an affirmative defense under Sec.  160.410(b)(1) 
at any time.
    (d) The ALJ must dismiss a hearing request where--
    (1) On motion of the Secretary, the ALJ determines that the 
respondent's hearing request is not timely filed as required by 
paragraphs (b) or does not meet the requirements of paragraph (c) of 
this section;
    (2) The respondent withdraws the request for a hearing;
    (3) The respondent abandons the request for a hearing; or
    (4) The respondent's hearing request fails to raise any issue that 
may properly be addressed in a hearing.


Sec.  160.506  Rights of the parties.

    (a) Except as otherwise limited by this subpart, each party may--
    (1) Be accompanied, represented, and advised by an attorney;
    (2) Participate in any conference held by the ALJ;
    (3) Conduct discovery of documents as permitted by this subpart;
    (4) Agree to stipulations of fact or law that will be made part of 
the record;
    (5) Present evidence relevant to the issues at the hearing;
    (6) Present and cross-examine witnesses;
    (7) Present oral arguments at the hearing as permitted by the ALJ; 
and
    (8) Submit written briefs and proposed findings of fact and 
conclusions of law after the hearing.
    (b) A party may appear in person or by a representative. Natural 
persons who appear as an attorney or other representative must conform 
to the standards of conduct and ethics required of practitioners before 
the courts of the United States.
    (c) Fees for any services performed on behalf of a party by an 
attorney are not subject to the provisions of 42 U.S.C. 406, which 
authorizes the Secretary to specify or limit their fees.


Sec.  160.508  Authority of the ALJ.

    (a) The ALJ must conduct a fair and impartial hearing, avoid delay, 
maintain order, and ensure that a record of the proceeding is made.
    (b) The ALJ may--
    (1) Set and change the date, time and place of the hearing upon 
reasonable notice to the parties;
    (2) Continue or recess the hearing in whole or in part for a 
reasonable period of time;
    (3) Hold conferences to identify or simplify the issues, or to 
consider other matters that may aid in the expeditious disposition of 
the proceeding;
    (4) Administer oaths and affirmations;
    (5) Issue subpoenas requiring the attendance of witnesses at 
hearings and the production of documents at or in relation to hearings;
    (6) Rule on motions and other procedural matters;
    (7) Regulate the scope and timing of documentary discovery as 
permitted by this subpart;
    (8) Regulate the course of the hearing and the conduct of 
representatives, parties, and witnesses;
    (9) Examine witnesses;
    (10) Receive, rule on, exclude, or limit evidence;
    (11) Upon motion of a party, take official notice of facts;
    (12) Conduct any conference, argument or hearing in person or, upon 
agreement of the parties, by telephone; and
    (13) Upon motion of a party, decide cases, in whole or in part, by 
summary judgment where there is no disputed issue of material fact. A 
summary judgment decision constitutes a hearing on the record for the 
purposes of this subpart.
    (c) The ALJ--
    (1) May not find invalid or refuse to follow Federal statutes, 
regulations, or Secretarial delegations of authority and must give 
deference to published guidance to the extent not inconsistent with 
statute or regulation;
    (2) May not enter an order in the nature of a directed verdict;
    (3) May not compel settlement negotiations;
    (4) May not enjoin any act of the Secretary; or
    (5) May not review the exercise of discretion by the Secretary with 
respect to whether to grant an extension under Sec.  
160.410(b)(3)(ii)(B) of this part or to provide technical assistance 
under 42 U.S.C. 1320d-5(b)(3)(B).


Sec.  160.510  Ex parte contacts.

    No party or person (except employees of the ALJ's office) may 
communicate in any way with the ALJ on any matter at issue in a case, 
unless on notice and opportunity for both parties to participate. This 
provision does not prohibit a party or person from inquiring about the 
status of a case or asking routine questions concerning administrative 
functions or procedures.


Sec.  160.512  Prehearing conferences.

    (a) The ALJ must schedule at least one prehearing conference, and 
may schedule additional prehearing conferences as appropriate, upon 
reasonable notice, which may not be less than 14 business days, to the 
parties.
    (b) The ALJ may use prehearing conferences to discuss the 
following--
    (1) Simplification of the issues;
    (2) The necessity or desirability of amendments to the pleadings, 
including the need for a more definite statement;
    (3) Stipulations and admissions of fact or as to the contents and 
authenticity of documents;
    (4) Whether the parties can agree to submission of the case on a 
stipulated record;
    (5) Whether a party chooses to waive appearance at an oral hearing 
and to submit only documentary evidence (subject to the objection of 
the other party) and written argument;
    (6) Limitation of the number of witnesses;
    (7) Scheduling dates for the exchange of witness lists and of 
proposed exhibits;
    (8) Discovery of documents as permitted by this subpart;
    (9) The time and place for the hearing;
    (10) The potential for the settlement of the case by the parties; 
and
    (11) Other matters as may tend to encourage the fair, just and 
expeditious disposition of the proceedings, including the protection of 
privacy of individually identifiable health information that may be 
submitted into evidence or otherwise used in the proceeding, if 
appropriate.
    (c) The ALJ must issue an order containing the matters agreed upon 
by the parties or ordered by the ALJ at a prehearing conference.


Sec.  160.514  Authority to settle.

    The Secretary has exclusive authority to settle any issue or case 
without the consent of the ALJ.


Sec.  160.516  Discovery.

    (a) A party may make a request to another party for production of 
documents for inspection and copying

[[Page 8430]]

that are relevant and material to the issues before the ALJ.
    (b) For the purpose of this section, the term ``documents'' 
includes information, reports, answers, records, accounts, papers and 
other data and documentary evidence. Nothing contained in this section 
may be interpreted to require the creation of a document, except that 
requested data stored in an electronic data storage system must be 
produced in a form accessible to the requesting party.
    (c) Requests for documents, requests for admissions, written 
interrogatories, depositions and any forms of discovery, other than 
those permitted under paragraph (a) of this section, are not 
authorized.
    (d) This section may not be construed to require the disclosure of 
interview reports or statements obtained by any party, or on behalf of 
any party, of persons who will not be called as witnesses by that 
party, or analyses and summaries prepared in conjunction with the 
investigation or litigation of the case, or any otherwise privileged 
documents.
    (e)(1) When a request for production of documents has been 
received, within 30 days the party receiving that request must either 
fully respond to the request, or state that the request is being 
objected to and the reasons for that objection. If objection is made to 
part of an item or category, the part must be specified. Upon receiving 
any objections, the party seeking production may then, within 30 days 
or any other time frame set by the ALJ, file a motion for an order 
compelling discovery. The party receiving a request for production may 
also file a motion for protective order any time before the date the 
production is due.
    (2) The ALJ may grant a motion for protective order or deny a 
motion for an order compelling discovery if the ALJ finds that the 
discovery sought--
    (i) Is irrelevant;
    (ii) Is unduly costly or burdensome;
    (iii) Will unduly delay the proceeding; or
    (iv) Seeks privileged information.
    (3) The ALJ may extend any of the time frames set forth in 
paragraph (e)(1) of this section.
    (4) The burden of showing that discovery should be allowed is on 
the party seeking discovery.


Sec.  160.518  Exchange of witness lists, witness statements, and 
exhibits.

    (a) The parties must exchange witness lists, copies of prior 
written statements of proposed witnesses, and copies of proposed 
hearing exhibits, including copies of any written statements that the 
party intends to offer in lieu of live testimony in accordance with 
Sec.  160.538, not more than 60, and not less than 15, days before the 
scheduled hearing, except that if a respondent intends to introduce the 
evidence of a statistical expert, the respondent must provide the 
Secretarial party with a copy of the statistical expert's report not 
less than 30 days before the scheduled hearing.
    (b)(1) If, at any time, a party objects to the proposed admission 
of evidence not exchanged in accordance with paragraph (a) of this 
section, the ALJ must determine whether the failure to comply with 
paragraph (a) of this section should result in the exclusion of that 
evidence.
    (2) Unless the ALJ finds that extraordinary circumstances justified 
the failure timely to exchange the information listed under paragraph 
(a) of this section, the ALJ must exclude from the party's case-in-
chief--
    (i) The testimony of any witness whose name does not appear on the 
witness list; and
    (ii) Any exhibit not provided to the opposing party as specified in 
paragraph (a) of this section.
    (3) If the ALJ finds that extraordinary circumstances existed, the 
ALJ must then determine whether the admission of that evidence would 
cause substantial prejudice to the objecting party.
    (i) If the ALJ finds that there is no substantial prejudice, the 
evidence may be admitted.
    (ii) If the ALJ finds that there is substantial prejudice, the ALJ 
may exclude the evidence, or, if he or she does not exclude the 
evidence, must postpone the hearing for such time as is necessary for 
the objecting party to prepare and respond to the evidence, unless the 
objecting party waives postponement.
    (c) Unless the other party objects within a reasonable period of 
time before the hearing, documents exchanged in accordance with 
paragraph (a) of this section will be deemed to be authentic for the 
purpose of admissibility at the hearing.


Sec.  160.520  Subpoenas for attendance at hearing.

    (a) A party wishing to procure the appearance and testimony of any 
person at the hearing may make a motion requesting the ALJ to issue a 
subpoena if the appearance and testimony are reasonably necessary for 
the presentation of a party's case.
    (b) A subpoena requiring the attendance of a person in accordance 
with paragraph (a) of this section may also require the person (whether 
or not the person is a party) to produce relevant and material evidence 
at or before the hearing.
    (c) When a subpoena is served by a respondent on a particular 
employee or official or particular office of HHS, the Secretary may 
comply by designating any knowledgeable HHS representative to appear 
and testify.
    (d) A party seeking a subpoena must file a written motion not less 
than 30 days before the date fixed for the hearing, unless otherwise 
allowed by the ALJ for good cause shown. That motion must--
    (1) Specify any evidence to be produced;
    (2) Designate the witnesses; and
    (3) Describe the address and location with sufficient particularity 
to permit those witnesses to be found.
    (e) The subpoena must specify the time and place at which the 
witness is to appear and any evidence the witness is to produce.
    (f) Within 15 days after the written motion requesting issuance of 
a subpoena is served, any party may file an opposition or other 
response.
    (g) If the motion requesting issuance of a subpoena is granted, the 
party seeking the subpoena must serve it by delivery to the person 
named, or by certified mail addressed to that person at the person's 
last dwelling place or principal place of business.
    (h) The person to whom the subpoena is directed may file with the 
ALJ a motion to quash the subpoena within 10 days after service.
    (i) The exclusive remedy for contumacy by, or refusal to obey a 
subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).


Sec.  160.522  Fees.

    The party requesting a subpoena must pay the cost of the fees and 
mileage of any witness subpoenaed in the amounts that would be payable 
to a witness in a proceeding in United States District Court. A check 
for witness fees and mileage must accompany the subpoena when served, 
except that, when a subpoena is issued on behalf of the Secretary, a 
check for witness fees and mileage need not accompany the subpoena.


Sec.  160.524  Form, filing, and service of papers.

    (a) Forms. (1) Unless the ALJ directs the parties to do otherwise, 
documents filed with the ALJ must include an original and two copies.
    (2) Every pleading and paper filed in the proceeding must contain a 
caption setting forth the title of the action, the case number, and a 
designation of the paper, such as motion to quash subpoena.

[[Page 8431]]

    (3) Every pleading and paper must be signed by and must contain the 
address and telephone number of the party or the person on whose behalf 
the paper was filed, or his or her representative.
    (4) Papers are considered filed when they are mailed.
    (b) Service. A party filing a document with the ALJ or the Board 
must, at the time of filing, serve a copy of the document on the other 
party. Service upon any party of any document must be made by 
delivering a copy, or placing a copy of the document in the United 
States mail, postage prepaid and addressed, or with a private delivery 
service, to the party's last known address. When a party is represented 
by an attorney, service must be made upon the attorney in lieu of the 
party.
    (c) Proof of service. A certificate of the natural person serving 
the document by personal delivery or by mail, setting forth the manner 
of service, constitutes proof of service.


Sec.  160.526  Computation of time.

    (a) In computing any period of time under this subpart or in an 
order issued thereunder, the time begins with the day following the 
act, event or default, and includes the last day of the period unless 
it is a Saturday, Sunday, or legal holiday observed by the Federal 
Government, in which event it includes the next business day.
    (b) When the period of time allowed is less than 7 days, 
intermediate Saturdays, Sundays, and legal holidays observed by the 
Federal Government must be excluded from the computation.
    (c) Where a document has been served or issued by placing it in the 
mail, an additional 5 days must be added to the time permitted for any 
response. This paragraph does not apply to requests for hearing under 
Sec.  160.504.


Sec.  160.528  Motions.

    (a) An application to the ALJ for an order or ruling must be by 
motion. Motions must state the relief sought, the authority relied upon 
and the facts alleged, and must be filed with the ALJ and served on all 
other parties.
    (b) Except for motions made during a prehearing conference or at 
the hearing, all motions must be in writing. The ALJ may require that 
oral motions be reduced to writing.
    (c) Within 10 days after a written motion is served, or such other 
time as may be fixed by the ALJ, any party may file a response to the 
motion.
    (d) The ALJ may not grant a written motion before the time for 
filing responses has expired, except upon consent of the parties or 
following a hearing on the motion, but may overrule or deny the motion 
without awaiting a response.
    (e) The ALJ must make a reasonable effort to dispose of all 
outstanding motions before the beginning of the hearing.


Sec.  160.530  Sanctions.

    The ALJ may sanction a person, including any party or attorney, for 
failing to comply with an order or procedure, for failing to defend an 
action or for other misconduct that interferes with the speedy, orderly 
or fair conduct of the hearing. The sanctions must reasonably relate to 
the severity and nature of the failure or misconduct. The sanctions may 
include--
    (a) In the case of refusal to provide or permit discovery under the 
terms of this part, drawing negative factual inferences or treating the 
refusal as an admission by deeming the matter, or certain facts, to be 
established;
    (b) Prohibiting a party from introducing certain evidence or 
otherwise supporting a particular claim or defense;
    (c) Striking pleadings, in whole or in part;
    (d) Staying the proceedings;
    (e) Dismissal of the action;
    (f) Entering a decision by default;
    (g) Ordering the party or attorney to pay the attorney's fees and 
other costs caused by the failure or misconduct; and
    (h) Refusing to consider any motion or other action that is not 
filed in a timely manner.


Sec.  160.532  Collateral estoppel.

    When a final determination that the respondent violated an 
administrative simplification provision has been rendered in any 
proceeding in which the respondent was a party and had an opportunity 
to be heard, the respondent is bound by that determination in any 
proceeding under this part.


Sec.  160.534  The hearing.

    (a) The ALJ must conduct a hearing on the record in order to 
determine whether the respondent should be found liable under this 
part.
    (b) (1) The respondent has the burden of going forward and the 
burden of persuasion with respect to any:
    (i) Affirmative defense pursuant to Sec.  160.410 of this part;
    (ii) Challenge to the amount of a proposed penalty pursuant to 
Sec. Sec.  160.404-160.408 of this part, including any factors raised 
as mitigating factors; or
    (iii) Claim that a proposed penalty should be reduced or waived 
pursuant to Sec.  160.412 of this part.
    (2) The Secretary has the burden of going forward and the burden of 
persuasion with respect to all other issues, including issues of 
liability and the existence of any factors considered as aggravating 
factors in determining the amount of the proposed penalty.
    (3) The burden of persuasion will be judged by a preponderance of 
the evidence.
    (c) The hearing must be open to the public unless otherwise ordered 
by the ALJ for good cause shown.
    (d)(1) Subject to the 15-day rule under Sec.  160.518(a) and the 
admissibility of evidence under Sec.  160.540, either party may 
introduce, during its case in chief, items or information that arose or 
became known after the date of the issuance of the notice of proposed 
determination or the request for hearing, as applicable. Such items and 
information may not be admitted into evidence, if introduced--
    (i) By the Secretary, unless they are material and relevant to the 
acts or omissions with respect to which the penalty is proposed in the 
notice of proposed determination pursuant to Sec.  160.420 of this 
part, including circumstances that may increase penalties; or
    (ii) By the respondent, unless they are material and relevant to an 
admission, denial or explanation of a finding of fact in the notice of 
proposed determination under Sec.  160.420 of this part, or to a 
specific circumstance or argument expressly stated in the request for 
hearing under Sec.  160.504, including circumstances that may reduce 
penalties.
    (2) After both parties have presented their cases, evidence may be 
admitted in rebuttal even if not previously exchanged in accordance 
with Sec.  160.518.


Sec.  160.536  Statistical sampling.

    (a) In meeting the burden of proof set forth in Sec.  160.534, the 
Secretary may introduce the results of a statistical sampling study as 
evidence of the number of violations under Sec.  160.406 of this part, 
or the factors considered in determining the amount of the civil money 
penalty under Sec.  160.408 of this part. Such statistical sampling 
study, if based upon an appropriate sampling and computed by valid 
statistical methods, constitutes prima facie evidence of the number of 
violations and the existence of factors material to the proposed civil 
money penalty as described in Sec. Sec.  160.406 and 160.408.
    (b) Once the Secretary has made a prima facie case, as described in 
paragraph (a) of this section, the burden of going forward shifts to 
the respondent

[[Page 8432]]

to produce evidence reasonably calculated to rebut the findings of the 
statistical sampling study. The Secretary will then be given the 
opportunity to rebut this evidence.


Sec.  160.538  Witnesses.

    (a) Except as provided in paragraph (b) of this section, testimony 
at the hearing must be given orally by witnesses under oath or 
affirmation.
    (b) At the discretion of the ALJ, testimony of witnesses other than 
the testimony of expert witnesses may be admitted in the form of a 
written statement. The ALJ may, at his or her discretion, admit prior 
sworn testimony of experts that has been subject to adverse 
examination, such as a deposition or trial testimony. Any such written 
statement must be provided to the other party, along with the last 
known address of the witness, in a manner that allows sufficient time 
for the other party to subpoena the witness for cross-examination at 
the hearing. Prior written statements of witnesses proposed to testify 
at the hearing must be exchanged as provided in Sec.  160.518.
    (c) The ALJ must exercise reasonable control over the mode and 
order of interrogating witnesses and presenting evidence so as to:
    (1) Make the interrogation and presentation effective for the 
ascertainment of the truth;
    (2) Avoid repetition or needless consumption of time; and
    (3) Protect witnesses from harassment or undue embarrassment.
    (d) The ALJ must permit the parties to conduct cross-examination of 
witnesses as may be required for a full and true disclosure of the 
facts.
    (e) The ALJ may order witnesses excluded so that they cannot hear 
the testimony of other witnesses, except that the ALJ may not order to 
be excluded--
    (1) A party who is a natural person;
    (2) In the case of a party that is not a natural person, the 
officer or employee of the party appearing for the entity pro se or 
designated as the party's representative; or
    (3) A natural person whose presence is shown by a party to be 
essential to the presentation of its case, including a person engaged 
in assisting the attorney for the Secretary.


Sec.  160.540  Evidence.

    (a) The ALJ must determine the admissibility of evidence.
    (b) Except as provided in this subpart, the ALJ is not bound by the 
Federal Rules of Evidence. However, the ALJ may apply the Federal Rules 
of Evidence where appropriate, for example, to exclude unreliable 
evidence.
    (c) The ALJ must exclude irrelevant or immaterial evidence.
    (d) Although relevant, evidence may be excluded if its probative 
value is substantially outweighed by the danger of unfair prejudice, 
confusion of the issues, or by considerations of undue delay or 
needless presentation of cumulative evidence.
    (e) Although relevant, evidence must be excluded if it is 
privileged under Federal law.
    (f) Evidence concerning offers of compromise or settlement are 
inadmissible to the extent provided in Rule 408 of the Federal Rules of 
Evidence.
    (g) Evidence of crimes, wrongs, or acts other than those at issue 
in the instant case is admissible in order to show motive, opportunity, 
intent, knowledge, preparation, identity, lack of mistake, or existence 
of a scheme. This evidence is admissible regardless of whether the 
crimes, wrongs, or acts occurred during the statute of limitations 
period applicable to the acts or omissions that constitute the basis 
for liability in the case and regardless of whether they were 
referenced in the Secretary's notice of proposed determination under 
Sec.  160.420 of this part.
    (h) The ALJ must permit the parties to introduce rebuttal witnesses 
and evidence.
    (i) All documents and other evidence offered or taken for the 
record must be open to examination by both parties, unless otherwise 
ordered by the ALJ for good cause shown.


Sec.  160.542  The record.

    (a) The hearing must be recorded and transcribed. Transcripts may 
be obtained following the hearing from the ALJ. A party that requests a 
transcript of hearing proceedings must pay the cost of preparing the 
transcript unless, for good cause shown by the party, the payment is 
waived by the ALJ or the Board, as appropriate.
    (b) The transcript of the testimony, exhibits, and other evidence 
admitted at the hearing, and all papers and requests filed in the 
proceeding constitute the record for decision by the ALJ and the 
Secretary.
    (c) The record may be inspected and copied (upon payment of a 
reasonable fee) by any person, unless otherwise ordered by the ALJ for 
good cause shown.
    (d) For good cause, the ALJ may order appropriate redactions made 
to the record.


Sec.  160.544  Post hearing briefs.

    The ALJ may require the parties to file post-hearing briefs. In any 
event, any party may file a post-hearing brief. The ALJ must fix the 
time for filing the briefs. The time for filing may not exceed 60 days 
from the date the parties receive the transcript of the hearing or, if 
applicable, the stipulated record. The briefs may be accompanied by 
proposed findings of fact and conclusions of law. The ALJ may permit 
the parties to file reply briefs.


Sec.  160.546  ALJ's decision.

    (a) The ALJ must issue a decision, based only on the record, which 
must contain findings of fact and conclusions of law.
    (b) The ALJ may affirm, increase, or reduce the penalties imposed 
by the Secretary.
    (c) The ALJ must issue the decision to both parties within 60 days 
after the time for submission of post-hearing briefs and reply briefs, 
if permitted, has expired. If the ALJ fails to meet the deadline 
contained in this paragraph, he or she must notify the parties of the 
reason for the delay and set a new deadline.
    (d) Unless the decision of the ALJ is timely appealed as provided 
for in Sec.  160.548, the decision of the ALJ will be final and binding 
on the parties 60 days from the date of service of the ALJ's decision.


Sec.  160.548  Appeal of the ALJ's decision.

    (a) Any party may appeal the decision of the ALJ to the Board by 
filing a notice of appeal with the Board within 30 days of the date of 
service of the ALJ decision. The Board may extend the initial 30 day 
period for a period of time not to exceed 30 days if a party files with 
the Board a request for an extension within the initial 30 day period 
and shows good cause.
    (b) If a party files a timely notice of appeal with the Board, the 
ALJ must forward the record of the proceeding to the Board.
    (c) A notice of appeal must be accompanied by a written brief 
specifying exceptions to the initial decision and reasons supporting 
the exceptions. Any party may file a brief in opposition to the 
exceptions, which may raise any relevant issue not addressed in the 
exceptions, within 30 days of receiving the notice of appeal and the 
accompanying brief. The Board may permit the parties to file reply 
briefs.
    (d) There is no right to appear personally before the Board or to 
appeal to the Board any interlocutory ruling by the ALJ.

[[Page 8433]]

    (e) Except for an affirmative defense under Sec.  160.410(b)(1) of 
this part, the Board may not consider any issue not raised in the 
parties' briefs, nor any issue in the briefs that could have been 
raised before the ALJ but was not.
    (f) If any party demonstrates to the satisfaction of the Board that 
additional evidence not presented at such hearing is relevant and 
material and that there were reasonable grounds for the failure to 
adduce such evidence at the hearing, the Board may remand the matter to 
the ALJ for consideration of such additional evidence.
    (g) The Board may decline to review the case, or may affirm, 
increase, reduce, reverse or remand any penalty determined by the ALJ.
    (h) The standard of review on a disputed issue of fact is whether 
the initial decision of the ALJ is supported by substantial evidence on 
the whole record. The standard of review on a disputed issue of law is 
whether the decision is erroneous.
    (i) Within 60 days after the time for submission of briefs and 
reply briefs, if permitted, has expired, the Board must serve on each 
party to the appeal a copy of the Board's decision and a statement 
describing the right of any respondent who is penalized to seek 
judicial review.
    (j)(1) The Board's decision under paragraph (i) of this section, 
including a decision to decline review of the initial decision, becomes 
the final decision of the Secretary 60 days after the date of service 
of the Board's decision, except with respect to a decision to remand to 
the ALJ or if reconsideration is requested under this paragraph.
    (2) The Board will reconsider its decision only if it determines 
that the decision contains a clear error of fact or error of law. New 
evidence will not be a basis for reconsideration unless the party 
demonstrates that the evidence is newly discovered and was not 
previously available.
    (3) A party may file a motion for reconsideration with the Board 
before the date the decision becomes final under paragraph (j)(1) of 
this section. A motion for reconsideration must be accompanied by a 
written brief specifying any alleged error of fact or law and, if the 
party is relying on additional evidence, explaining why the evidence 
was not previously available. Any party may file a brief in opposition 
within 15 days of receiving the motion for reconsideration and the 
accompanying brief unless this time limit is extended by the Board for 
good cause shown. Reply briefs are not permitted.
    (4) The Board must rule on the motion for reconsideration not later 
than 30 days from the date the opposition brief is due. If the Board 
denies the motion, the decision issued under paragraph (i) of this 
section becomes the final decision of the Secretary on the date of 
service of the ruling. If the Board grants the motion, the Board will 
issue a reconsidered decision, after such procedures as the Board 
determines necessary to address the effect of any error. The Board's 
decision on reconsideration becomes the final decision of the Secretary 
on the date of service of the decision, except with respect to a 
decision to remand to the ALJ.
    (5) If service of a ruling or decision issued under this section is 
by mail, the date of service will be deemed to be 5 days from the date 
of mailing.
    (k)(1) A respondent's petition for judicial review must be filed 
within 60 days of the date on which the decision of the Board becomes 
the final decision of the Secretary under paragraph (j) of this 
section.
    (2) In compliance with 28 U.S.C. 2112(a), a copy of any petition 
for judicial review filed in any U.S. Court of Appeals challenging the 
final decision of the Secretary must be sent by certified mail, return 
receipt requested, to the General Counsel of HHS. The petition copy 
must be a copy showing that it has been time-stamped by the clerk of 
the court when the original was filed with the court.
    (3) If the General Counsel of HHS received two or more petitions 
within 10 days after the final decision of the Secretary, the General 
Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation 
of any petitions that were received within the 10 day period.


Sec.  160.550  Stay of the Secretary's decision.

    (a) Pending judicial review, the respondent may file a request for 
stay of the effective date of any penalty with the ALJ. The request 
must be accompanied by a copy of the notice of appeal filed with the 
Federal court. The filing of the request automatically stays the 
effective date of the penalty until such time as the ALJ rules upon the 
request.
    (b) The ALJ may not grant a respondent's request for stay of any 
penalty unless the respondent posts a bond or provides other adequate 
security.
    (c) The ALJ must rule upon a respondent's request for stay within 
10 days of receipt.


Sec.  160.552  Harmless error.

    No error in either the admission or the exclusion of evidence, and 
no error or defect in any ruling or order or in any act done or omitted 
by the ALJ or by any of the parties is ground for vacating, modifying 
or otherwise disturbing an otherwise appropriate ruling or order or 
act, unless refusal to take such action appears to the ALJ or the Board 
inconsistent with substantial justice. The ALJ and the Board at every 
stage of the proceeding must disregard any error or defect in the 
proceeding that does not affect the substantial rights of the parties.

PART 164--SECURITY AND PRIVACY

0
1. The authority citation for part 164 is revised to read as follows:

    Authority: 42 U.S.C. 1320d-1320d-8 and sec. 264, Pub. L. No. 
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

0
2. In Sec.  164.530, revise paragraph (g) to read as follows:


Sec.  164.530  Administrative requirements.

* * * * *
    (g) Standard: refraining from intimidating or retaliatory acts. A 
covered entity--
    (1) May not intimidate, threaten, coerce, discriminate against, or 
take other retaliatory action against any individual for the exercise 
by the individual of any right established, or for participation in any 
process provided for by this subpart, including the filing of a 
complaint under this section; and
    (2) Must refrain from intimidation and retaliation as provided in 
Sec.  160.316 of this subchapter.
* * * * *
[FR Doc. 06-1376 Filed 2-10-06; 2:59 pm]
BILLING CODE 4153-01-P