Enforcement Rule--Final Rule
FR Doc 06-1376
[Federal Register: February 16, 2006 (Volume 71, Number 32)]
[Rules and Regulations]
[Page 8389-8433]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr16fe06-11]
-----------------------------------------------------------------------
Part III
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
HIPAA Administrative Simplification: Enforcement; Final Rule
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB29
HIPAA Administrative Simplification: Enforcement
AGENCY: Office of the Secretary, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Secretary of Health and Human Services is adopting rules
for the imposition of civil money penalties on entities that violate
rules adopted by the Secretary to implement the Administrative
Simplification provisions of the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191 (HIPAA). The final rule
amends the existing rules relating to the investigation of
noncompliance to make them apply to all of the HIPAA Administrative
Simplification rules, rather than exclusively to the privacy standards.
It also amends the existing rules relating to the process for
imposition of civil money penalties. Among other matters, the final
rule clarifies and elaborates upon the investigation process, bases for
liability, determination of the penalty amount, grounds for waiver,
conduct of the hearing, and the appeal process.
DATES: This final rule is effective on March 16, 2006.
FOR FURTHER INFORMATION CONTACT: Carol C. Conrad, (202) 690-1840.
SUPPLEMENTARY INFORMATION: On April 18, 2005, the Department of Health
and Human Services (HHS) published a Notice of Proposed Rulemaking
(proposed rule) proposing to revise the existing rules relating to
compliance with, and enforcement of, the Administrative Simplification
regulations (HIPAA rules) adopted by the Secretary of Health and Human
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA
provisions). 70 FR 20224. The proposed rule also proposed the adoption
of new provisions relating to the imposition of civil money penalties
on covered entities that violate a HIPAA provision or HIPAA rule. The
comment period on the proposed rule closed on June 17, 2005. Forty-nine
comments, principally from health care organizations, were received
during the comment period.
In this final rule, HHS revises existing rules that relate to
compliance with, and enforcement of, the HIPAA rules. These rules are
codified at 45 CFR part 160, subparts C and E. In addition, this final
rule adds a new subpart D to part 160. The new subpart D contains
additional rules relating to the imposition by the Secretary of civil
money penalties on covered entities that violate the HIPAA rules. The
full set of rules to be codified at subparts C, D, and E of 45 CFR part
160 is collectively referred to in this final rule as the ``Enforcement
Rule.'' Finally, HHS makes minor and conforming changes to subpart A of
part 160 and subpart E of part 164.
The statutory and regulatory background of the final rule is set
out below. A description of the provisions of the proposed rule, the
public comments, and HHS's responses to the comments follows. The
preamble concludes with HHS's analyses of impact and other issues under
applicable law.
I. Background
A. Statutory Background
Subtitle F of Title II of HIPAA, entitled ``Administrative
Simplification,'' requires the Secretary to adopt national standards
for certain information-related activities of the health care industry.
Under section 1173 of the Social Security Act (Act), 42 U.S.C. 1320d-2,
the Secretary is required to adopt national standards for certain
financial and administrative transactions, code sets, the security of
health information, and certain unique health identifiers. In addition,
section 264 of HIPAA, 42 U.S.C. 1320d-2 note, requires the Secretary to
promulgate standards to protect the privacy of certain health
information. Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a),
the provisions of Subtitle F apply only to--
The following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information
in electronic form in connection with a transaction referred to in
section 1173(a)(1).
These entities are collectively known as ``covered entities.'' \1\
---------------------------------------------------------------------------
\1\ An additional category of covered entities was added by the
Medicare Prescription Drug, Improvement, and Modernization Act of
2003 (Pub. L. 108-173) (MMA). As added by MMA, section
1860D-31(h)(6)(A) of the Act, 42 U.S.C. 1395w-141(h)(6)(A), provides that
a prescription drug card sponsor is a covered entity for purposes of
applying part C of title XI and all regulatory provisions
promulgated thereunder, including regulations (relating to privacy)
adopted pursuant to the authority of the Secretary under section
264(c) of the Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. 1320d-2 note).
---------------------------------------------------------------------------
HIPAA requires certain consultations with industry as a predicate
to the issuance of the HIPAA standards and provides that most covered
entities have up to 2 years (small health plans have up to 3 years) to
come into compliance with the standards, once adopted. Act, sections
1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42 U.S.C. 1320d-4(b)). The
statute establishes civil money penalties and criminal penalties for
violations. Act, sections 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C.
1320d-6). HHS enforces the civil money penalties, while the U.S.
Department of Justice enforces the criminal penalties.
HIPAA's civil money penalty provision, section 1176(a) of the Act,
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money
penalty, as follows:
(1) IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part [42 U.S.C. 1320d, et seq.] a penalty of not more than $100
for each such violation, except that the total amount imposed on the
person for all violations of an identical requirement or prohibition
during a calendar year may not exceed $25,000.
(2) PROCEDURES. The provisions of section 1128A [42 U.S.C.
1320a-7a] (other than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the imposition of a civil
money penalty under this subsection in the same manner as such
provisions apply to the imposition of a penalty under such section
1128A.
For simplicity, we refer throughout this preamble to this provision,
the related provisions at section 1128A of the Act, and other related
provisions of the Act, by their Social Security Act citations, rather
than by their U.S. Code citations.
Subsection (b) of section 1176 sets out limitations on the
Secretary's authority to impose civil money penalties and also provides
authority for waiving such penalties. Under section 1176(b)(1), a civil
money penalty may not be imposed with respect to an act that
``constitutes an offense punishable'' under the related criminal
penalty provision, section 1177 of the Act. Under section 1176(b)(2), a
civil money penalty may not be imposed ``if it is established to the
satisfaction of the Secretary that the person liable for the penalty
did not know, and by exercising reasonable diligence would not have
known, that such person violated the provision.'' Under section
1176(b)(3), a civil money penalty may not be imposed if the failure to
comply was due ``to reasonable cause and not to willful neglect'' and
is corrected within a certain time. Finally, under section 1176(b)(4),
a civil money penalty may be reduced or entirely waived ``to the extent
that the payment of such penalty would be excessive relative to the
compliance failure involved.''
As noted above, section 1176(a) incorporates by reference certain
provisions of section 1128A of the Act. Those provisions, as relevant
here, establish a number of requirements with respect to the imposition
of civil money penalties. Under section 1128A(c)(1), the Secretary may
not initiate a civil money penalty action ``later than six years after
the date'' of the occurrence that forms the basis for the civil money
penalty. Under section 1128A(c)(2), a person upon whom the Secretary
seeks to impose a civil money penalty must be given written notice and
an opportunity for a determination to be made ``on the record after a
hearing at which the person is entitled to be represented by counsel,
to present witnesses, and to cross-examine witnesses against the
person.'' Section 1128A also provides, at subsections (c), (e), and
(j), respectively, requirements for: Service of the notice and
authority for sanctions which the hearing officer may impose for
misconduct in connection with the civil money penalty proceeding;
judicial review of the Secretary's determination in the United States
Court of Appeals for the circuit in which the person resides or
maintains his/its principal place of business; and the issuance and
enforcement of subpoenas by the Secretary. In addition, section 1128A
of the Act contains provisions relating to liability for civil money
penalties and what measures must be taken once they are imposed. For
example, section 1128A(d) provides that the Secretary must take into
account certain factors ``in determining the amount * * * of any
penalty''; section 1128A(h) requires certain notifications once a civil
money penalty is imposed; and section 1128A(l) makes a principal liable
for penalties ``for the actions of the principal's agent acting within
the scope of the agency.'' These provisions are discussed more fully
below.
B. Regulatory Background
As noted above, section 1173 of the Act and section 264 of HIPAA
require the Secretary to adopt a number of national standards to
facilitate the exchange, and protect the privacy and security, of
certain health information. The Secretary has already adopted many of
these HIPAA standards by regulation. These regulations consist of the
following: Health Insurance Reform: Standards for Electronic
Transactions (Transactions Rule); Standards for Privacy of Individually
Identifiable Health Information (Privacy Rule); Health Insurance
Reform: Standard Unique Employer Identifier (EIN Rule); Health
Insurance Reform: Security Standards (Security Rule); and HIPAA
Administrative Simplification: Standard Unique Health Identifier for
Health Care Providers (NPI Rule). Proposed standards for certain claims
attachments were published on September 23, 2005 (70 FR 55990) and
proposed standards for health plan identifiers are under development.
The history of these and related rules is described in a proposed rule
published on April 18, 2005 at 70 FR 20225-20226.
An interim final rule promulgating procedural requirements for
imposition of civil money penalties, Civil Money Penalties: Procedures
for Investigations, Imposition of Penalties, and Hearings (April 17,
2003 interim final rule), was published on April 17, 2003 (68 FR
18895), and was effective on May 19, 2003, with a sunset date of
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The
April 17, 2003 interim final rule adopted a new subpart E of part 160.
The sunset date of the April 17, 2003 interim final rule was extended
to September 16, 2005 on September 15, 2004 (69 FR 55515) and was
further extended to March 16, 2006 on September 14, 2005 (70 FR 54293).
The authority for administering and enforcing compliance with the
Privacy Rule has been delegated to the HHS Office for Civil Rights
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering
and enforcing compliance with the non-privacy HIPAA rules has been
delegated to the HHS Centers for Medicare & Medicaid Services (CMS). 68
FR 60694 (October 23, 2003).
II. Overview of the Proposed and Final Rules
A. The Proposed Rule
In the proposed rule, we proposed to bring together and adopt rules
governing the implementation of the civil money penalty authority of
section 1176 of the Act for all of the HIPAA rules. As previously
noted, parts of the Enforcement Rule are already in place: subpart C of
part 160 establishes certain investigative procedures for the Privacy
Rule, and subpart E establishes interim procedures for investigations
and for the imposition, and challenges to the imposition, of civil
money penalties for all of the HIPAA rules. The proposed rule would
complete the Enforcement Rule by (1) making subpart C applicable to all
of the HIPAA rules; (2) adopting on a permanent basis most of the
provisions of subpart E; and (3) addressing, among other issues, our
policies for determining violations and calculating civil money
penalties, how we will address the statutory limitations on the
imposition of civil money penalties, and various procedural issues,
such as provisions for appellate review within HHS of a hearing
decision, burden of proof, and notification of other agencies of the
imposition of a civil money penalty.
Several fundamental considerations shaped the proposed rule. First,
there is one statutory provision for imposing civil money penalties on
covered entities that violate the HIPAA rules; thus, the proposed rule
sought to establish a uniform enforcement and compliance policy for all
of the HIPAA rules to minimize the potential for confusion and burden
and maximize the potential for fairness and consistency in enforcement.
Second, the proposed rule sought to facilitate the movement from
noncompliance to compliance by covered entities by extending to all of
the HIPAA rules the regulatory commitment to promoting and encouraging
voluntary compliance with the HIPAA rules that currently applies to the
Privacy Rule, subpart C of part 160. Third, the proposed rule sought to
minimize confusion with the procedures for investigations and hearings
by building upon pre-existing Departmental procedures for
investigations and hearings under section 1128A of the Act--the civil
money penalty regulations of the Office of the Inspector General, which
are codified at 42 CFR parts 1003, 1005, and 1006 (OIG regulations).
Fourth, the proposed rule was intended to be clear and easy to
understand. Finally, the proposed rule sought to provide the Secretary
with reasonable discretion, particularly in areas where the exercise of
judgment is called for by the statute or rules, and to avoid being
overly prescriptive in areas where it would be helpful to gain
experience with the practical impact of the HIPAA rules, to avoid
unintended adverse effects.
We proposed to amend subpart A of part 160, which contains general
provisions, to include a definition of ``person.'' With respect to
subpart C of part 160, we proposed to incorporate several provisions
currently found in subpart E and to make subpart C applicable to the
non-privacy HIPAA rules. We also proposed to add to part 160 a new
subpart D, which would establish rules relating to the imposition of
civil money penalties, including those which apply whether or not there
is a hearing. We also proposed to incorporate into subpart D several
provisions currently found in subpart E. Proposed subpart E addressed
the pre-hearing and hearing phases of the enforcement process. Many of
the provisions of proposed subpart E were adopted by the April 17, 2003
interim final rule; we did not propose to change them substantively,
although we
proposed to renumber them. Finally, a conforming change to the privacy
standards in subpart E of part 164 was proposed.
B. The Final Rule
While the final rule adopts most of the provisions of the proposed
rule without change, several significant changes to certain provisions
of the proposed rule have been made in response to comments. We do not
list variables in the final rule, as was proposed, to count the number
of violations of an identical requirement or prohibition; rather, the
final rule clarifies that the method for determining the number of such
violations is grounded in the substantive requirement or prohibition
violated. In addition, the ALJ will be able to review the number of
violations determined as part of his or her review of the proposed
civil money penalty. The provision for joint and several liability of
the members of an affiliated covered entity is retained, unless it is
established that another member of the affiliated covered entity was
responsible for the violation. While we continue to treat section
1176(b)(1) as an affirmative defense, we provide that it may be raised
at any time. We retain the provision for statistical sampling, but we
provide that, where statistical sampling is used, HHS must provide a
copy of the study on which its statistical findings are based with the
notice of proposed determination. As a corollary, we provide that a
respondent who intends to introduce evidence of its statistical expert
at the hearing must provide the study prepared by its expert to HHS at
least 30 days prior to the scheduled hearing. We also provide that a
respondent will have 90, rather than 60, days in which to file its
request for hearing. Other changes made by the final rule are described
below.
The Enforcement Rule does not adopt standards, as that term is
defined and interpreted under Subtitle F of Title II of HIPAA. Thus,
the requirement for industry consultations in section 1172(c) of the
Act does not apply. For the same reason, the statute's time frames for
compliance, set forth in section 1175 of the Act, do not apply to the
Enforcement Rule. Accordingly, the Enforcement Rule is effective on
March 16, 2006.
III. Section-by-Section Description of the Final Rule and Response to
Comments
We received 49 comments on the proposed rule. Many of these
comments were from associations or interest groups involved in the
health care industry. We also received comments from covered entities,
a state agency, a law school class, and a number of individuals.
While the comments addressed most of the provisions of the proposed
rule, the following 14 sections of the proposed rule received no
comment: proposed Sec. Sec. 160.400, 160.418, 160.500, 160.502,
160.506, 160.510, 160.514, 160.524, 160.526, 160.528, 160.530, 160.532,
160.544, and 160.550. We have, accordingly, not changed these sections
in the final rule from what was proposed, and we do not discuss them
below. The basis and purpose of sections that are unchanged from the
proposed rule and are not discussed below are set out in the proposed
rule published on April 18, 2005 at 70 FR 20240-20247 and, in certain
cases, in the interim final rule published on April 17, 2003 at 68 FR
18895-18901.
A number of comments also expressed support for particular
provisions. In most cases, we do not discuss these comments, with which
we generally agree, below. Finally, certain comments raised issues
concerning other HIPAA rules, such as allegations that a particular
entity had violated the Privacy Rule or that particular provisions of a
HIPAA rule create a hardship. Such issues are outside the scope of this
rulemaking and, accordingly, are not addressed here.
A. Subpart A
Subpart A of the final rule adopts a new definition of the term
``person.'' This definition is placed in Sec. 160.103, which contains
definitions that apply to all of the HIPAA rules. Thus, the new
definition of ``person'' applies to all of the HIPAA rules.
Proposed rule: We proposed to amend Sec. 160.103 to add a
definition of the term ``person'' to replace the definition of that
term adopted by the April 17, 2003 interim final rule. We proposed to
define the term ``person'' as ``a natural person, trust or estate,
partnership, corporation, professional association or corporation, or
other entity, public or private.'' As more fully explained at 70 FR
20227-20228, the proposed definition clarified, consistent with the
HIPAA provisions, that the term includes States and other public
entities.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: We received one comment on this section, endorsing its
application to all of the HIPAA rules.
Response: The definition of ``person'' in the final rule remains
the same as proposed.
B. Subpart C--Compliance and Investigations
We amend subpart C to make the compliance and investigation
provisions of the subpart--which at present apply only to the Privacy
Rule--apply to all of the HIPAA rules. In addition, we include in
subpart C the definitions that apply to subparts C, D, and E. We move
to subpart C from subpart E the provisions relating to investigational
subpoenas and inquiries. We also add to subpart C provisions
prohibiting intimidation or retaliation that are currently found in the
Privacy Rule but not in the other HIPAA rules. We change the title of
this subpart to reflect the focus of this subpart within the larger
Enforcement Rule. Aside from a change to Sec. 160.306 and certain
minor and conforming changes to Sec. Sec. 160.300, 160.312, 160.314,
and 160.316, we do not change the substance of the existing provisions
of subpart C.
1. Section 160.300--Applicability
Proposed rule: We proposed to amend Sec. 160.300 (along with Sec.
160.304--Principles for achieving compliance; Sec. 160.306--Complaints
to the Secretary; Sec. 160.308--Compliance reviews; and Sec.
160.310--Responsibilities of covered entities) to make the provisions
of subpart C applicable to all of the HIPAA rules, instead of
applicable only to the Privacy Rule. The proposed rule would accomplish
this by changing the present references in these sections from
``subpart E of part 164'' to the more inclusive, defined term,
``administrative simplification provision'' or ``administrative
simplification provisions,'' as appropriate. As explained at 70 FR
20228, the purpose of this proposed change was to simplify and make
uniform the compliance and enforcement process for the HIPAA rules.
Final rule: The final rule streamlines the provisions of the
proposed rule by substituting the term ``provisions'' for the
references to standards, requirements, and implementation
specifications in Sec. 160.300.
Comment: A number of comments endorsed the approach of having
uniform compliance and enforcement provisions for the HIPAA rules, and
no comments disagreed with this approach.
Response: The final rule retains the policy of the proposed rule,
consistent with the expression of support for this approach in the
public comment, but streamlines the language of the section.
Comment: A couple of comments asked whether ``affiliated entities''
were the same as ``hybrid entities,'' in terms of applying the rule.
Response: As described at Sec. 164.105(b)(2)(i)(A), an affiliated
covered entity consists of ``[l]egally separate covered entities [that]
designate themselves (including any health care component of such
covered entity) as a single affiliated covered entity * * * [where] all
of the covered entities designated are under common ownership or
control.'' Thus, an affiliated covered entity is comprised of more than
one covered entity. By contrast, a hybrid entity is defined at Sec.
164.103 as ``a single legal entity: (1) That is a covered entity; (2)
Whose business activities include both covered and non-covered
functions; and (3) That designates health care components in accordance
with [the regulation].'' The Privacy and Security Rules apply to any
covered entity in either arrangement. The issue of liability for a
particular violation with respect to covered entities in an affiliated
covered entity is discussed in connection with Sec. 160.402(b) below.
2. Section 160.302--Definitions
Proposed rule: We proposed to move to Sec. 160.302 three
definitions that were adopted in the April 17, 2003 interim final rule
at Sec. 160.502: ``ALJ'' (Administrative Law Judge), ``civil money
penalty or penalty'', and ``respondent.'' We also proposed to add to
Sec. 160.302 two terms which are used throughout subparts C, D, and E:
``administrative simplification provision'' and ``violation'' or ``to
violate.'' We proposed to define the term ``administrative
simplification provision'' in Sec. 160.302 to mean any requirement or
prohibition established by the HIPAA provisions or HIPAA rules: ``* * *
any requirement or prohibition established by: (1) 42 U.S.C.
1320d-1320d-4, 1320d-7, and 1320d-8; (2) Section 264 of Public Law 104-191;
or (3) This subchapter.'' We proposed to define a ``violation'' (or
``to violate'') to mean a ``failure to comply with an administrative
simplification provision.'' As more fully explained at 70 FR
20228-20229, both definitions derive directly from the statutory language,
and both definitions function consistently and fairly across the
various HIPAA rules.
Final rule: The final rule adopts the provisions of the proposed
rule.
a. ``Administrative Simplification Provision''
Comment: One comment expressed general support for the definitions.
Another comment stated that the definition of ``administrative
simplification provision'' should be revised to include only standards.
The comment argued that this approach would be more consistent with the
statute, which provides that covered entities must comply with
standards, not requirements, prohibitions, or other restrictions set
forth in the HIPAA rules.
Response: No change is made to the definition of ``administrative
simplification provision.'' With respect to the second comment above,
we do not agree that the definition of this term should be limited to
standards. As discussed at 70 FR 20229, limiting the elements of the
HIPAA rules that could be violated to those designated as standards
would have the effect of, among other things, insulating from
enforcement explicit statutory requirements and prohibitions (e.g., the
prohibitions at section 1175(a) of the Act, which the statute terms
``requirements'' and which the Transactions Rule treats as requirements
but not standards). We do not agree that Congress intended such an
effect. We note, moreover, that the statute explicitly provides for the
adoption of implementation specifications. See section 1172(d) of the
Act. Furthermore, we disagree with the contention that the statute does
not contemplate that violations may be tied to requirements and
prohibitions: section 1176(a)(1) speaks of ``violations of an identical
requirement or prohibition.''
Comment: Several comments argued that this definition could lead to
multiple violations from a single act and lead to more liability than
covered entities could reasonably expect. It also was argued that this
definition would render almost meaningless the statutory $25,000 cap on
liability for violations of an identical provision in a calendar year.
Response: No examples were supplied to illustrate the concern as to
how this definition would increase the anticipated liability of covered
entities, so we can only respond generally. The prohibition in Sec.
160.404(b)(2) on counting overlapping requirements twice should
minimize any such effect. As for violations that might be implicated in
a single act and not be insulated by Sec. 160.404(b)(2), we see no
reason why they should not be considered as separate violations, since
covered entities must comply with all applicable requirements and
prohibitions of the HIPAA provisions and rules. Also, the definition
does not render the statutory cap meaningless; rather, the
``requirement or prohibition'' language of the definition is taken
directly from the part of section 1176(a) that establishes the $25,000
statutory cap (``the total amount imposed on the person for all
violations of an identical requirement or prohibition for a calendar
year may not exceed $25,000''). Furthermore, for the reasons explained
in the preamble to the proposed rule, none of the other possible
formulations of what constitutes a ``provision of this part'' works
uniformly and fairly across the HIPAA rules. Thus, we retain the
definition of ``administrative simplification provision'' as proposed.
b. ``Violation'' or ``Violate''
Comment: One comment asked how the definition of ``violation''
would work with the addressable components of the Security Rule.
Response: With respect to the issue of how this term would apply to
the addressable implementation specifications of the Security Rule, we
provide the following guidance. Under Sec. 164.306(d)(3)(ii), a
covered entity must implement an addressable implementation
specification if doing so is ``reasonable and appropriate.'' Where that
condition is met, the addressable implementation specification is a
requirement, and failure to implement the addressable implementation
specification would, accordingly, constitute a violation. Where that
condition is not met, the covered entity must document why it would not
be reasonable and appropriate to implement the implementation
specification and implement ``an equivalent alternative measure if
reasonable and appropriate.'' In this latter situation, creating the
documentation referred to is a requirement, and implementing an
alternative measure is also a requirement, if doing so is reasonable
and appropriate in the covered entity's circumstances; failure to take
either required action would, accordingly, constitute a violation.
3. Section 160.304--Principles for Achieving Compliance
Proposed rule: We proposed to amend Sec. 160.304 to make it
applicable to all of the HIPAA rules; otherwise, we proposed to leave
the rule substantively unchanged. Section 160.304 provides that the
Secretary will, to the extent practicable, seek the cooperation of
covered entities in obtaining compliance. Section 160.304 also provides
that the Secretary may provide technical assistance to help covered
entities voluntarily comply with the HIPAA rules.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Many comments supported HHS's approach to voluntary
compliance and the use of a complaint-based process to identify and
correct
noncompliance, on the grounds that it is the most efficient and
effective way of obtaining compliance and realizing the benefits of the
HIPAA rules. In addition, some contended that, given the confusion of
many covered entities with many of the rules' requirements, it is an
appropriate approach. However, one comment criticized HHS's reliance on
voluntary compliance and informal resolution of complaints on the
ground that the statute contemplates that violations of the HIPAA rules
should be pursued in the same manner as fraud and abuse cases, that is,
through the formal, adversarial process provided for by section
1128A(c). Another comment stated that HHS's reliance on voluntary
compliance has led to lax enforcement and that reliance on a
complaint-based system is a fundamentally flawed approach, particularly with
respect to enforcement of the Privacy Rule, because HHS has provided
insufficient education to consumers, and it is impossible for consumers
to complain about a law about which they know very little. Several
comments urged that OCR and CMS continue to provide educational
materials and guidance to help covered entities comply with the HIPAA
rules and to educate consumers about their rights under the Privacy
Rule.
Response: We agree that encouraging voluntary compliance is the
most effective and quickest way of obtaining compliance in most cases.
We do not agree that encouraging voluntary compliance and seeking
informal resolution of complaints in individual cases constitutes lax
enforcement or that such an approach is inconsistent with our statutory
obligations. Our experience to date with privacy complaints illustrates
the effectiveness of our enforcement approach. As of October 31, 2005,
OCR had received and initiated reviews of over 16,000 privacy
complaints from health care consumers and others across the country.
These complaints are widespread and diverse, not only geographically,
but also with respect to the type of entity complained against, as well
as the Privacy Rule issues raised by the complaints. Complaints are
filed against all sizes and types of covered entities, from solo
practitioners to hospitals and pharmacy chains, and from health
insurance issuers to group health plans, for example. In addition, the
complaints implicate a full range of Privacy Rule issues, from uses and
disclosures of protected health information to individual rights to
administrative requirements. The variation and expansiveness of the
complaints provide HHS with a much broader approach to compliance than
would a compliance review system, which likely would need to be
targeted to larger institutions and/or a smaller set of concerns.
Further, our experience with these cases--68 percent have been resolved
or otherwise closed to date--indicates that generally we are receiving
good cooperation from covered entities in quickly addressing compliance
problems. Such resolutions bring the benefits of the HIPAA rules to
consumers far more quickly than would a formalized, adversarial
process, which would also be time-consuming and costly for both sides.
We also do not agree that the statute contemplates only a
formalized, adversarial process; rather, it only requires such a
process where a proposed civil money penalty is contested. It is
important to note, moreover, that section 1176 contemplates that we
would work with covered entities to help them achieve compliance, even
when there is an allegation that the covered entity is in violation of
the rules. Section 1176 provides that a civil money penalty may not be
imposed if the failure to comply was due to reasonable cause and not
willful neglect and is corrected within a certain period of time after
the covered entity knew or should have known of the compliance failure,
and that the Secretary may, in some circumstances, provide technical
assistance to the covered entity during that period. Further, an
approach that is primarily complaint-based does not limit our ability
to perform compliance reviews when appropriate, and this has, in fact,
occurred. We will continue to review the effectiveness of our
enforcement approach and revise it, if needed. Notwithstanding our
above approach, however, we will resort to civil money penalties, as
needed, for matters that cannot be resolved by informal means.
Further, we disagree that persons affected by the Privacy Rule and
the other HIPAA rules are unaware of their rights, as evidenced by the
large number of complaints that HHS has received from consumers and
covered and other entities. HHS has an ongoing program of providing
information to the public and guidance to covered entities through the
Internet, public speaking and educational events, and toll-free call-in
lines. The millions of hits to our Web sites--http://www.hhs.gov/ocr/hipaa
for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2 for the
other HIPAA rules--suggest that covered entities and the public are
increasingly aware of the application of the HIPAA rules to their
business activities and lives, respectively, and are able to access the
information we have made available. In addition, the American Health
Information Management Association issued the results of their latest
compliance survey in a report entitled ``The State of HIPAA Privacy and
Security Compliance, April 2005,'' which indicated, with respect to the
Privacy Rule, that over two-thirds of all hospital and health system
patients had some or a complete understanding of their rights and the
facility's responsibilities. Nonetheless, while such evidence is
encouraging, we recognize that HHS must remain active in providing
outreach and public education. We are committed to doing so, and thus,
continue to develop educational material for consumers and industry
guidance for covered entities.
Comment: One comment suggested that the Secretary commit to
providing technical assistance to covered entities.
Response: We do not agree that the provision of technical
assistance should be mandated. The statute (at section
1176(b)(3)(B)(ii)) makes the provision of technical assistance
discretionary if the Secretary determines that the compliance failure
was due to the covered entity's inability to comply. While OCR and CMS
provide technical assistance in many cases, it is not necessary in all
instances to provide such assistance in order to obtain compliance.
Thus, it is inappropriate to mandate the provision of technical
assistance.
Comment: One comment suggested amending Sec. 160.304(b) to require
ongoing reporting of complaints and resolutions to the healthcare
industry. The goal in requiring reporting would be to educate covered
entities regarding complaints that are found to be actual violations
and encourage them to review their compliance. The comment stated that
the current reports made by OCR to the National Committee on Vital and
Health Statistics are not helpful since they only report the volume of
complaints, not the nature of the complaints or whether a violation
occurred.
Response: We do not believe mandatory reporting of complaints and
resolutions is necessary. Both CMS and OCR currently have the ability
to report to the public, including the healthcare industry, about
complaints and their resolutions, and do so in summary form. We
continue to present summaries of actions on complaints in various fora,
including in public presentations, testimony, and in written documents.
Our enforcement experience also informs our development of FAQs and
guidance documents to explain certain
[[Page 8395]]
provisions and how to comply with them. In any event, covered entities
should use their own internal complaint processes and experience to
assess and improve their compliance and ability to serve the needs of
their customers.
Comment: One comment suggested that the informal resolution process
should allow HHS to render opinions on a covered entity's
interpretation of the HIPAA rules. The comment expressed concern that a
covered entity would not be able to resolve a compliance issue during
the informal resolution process if it made a good faith, but incorrect,
interpretation of a HIPAA rule. The comment suggested allowing HHS to
render an opinion on the entity's interpretation to facilitate the
informal resolution of compliance problems.
Response: As a general matter, we do not issue advisory opinions,
but the informal resolution process will provide covered entities with
information about HHS's interpretation of the HIPAA rules. Covered
entities may also find guidance as to the proper interpretation of a
HIPAA rule in the FAQs posted on the HHS website and technical
assistance offered to the covered entities by HHS. Covered entities may
also submit questions to HHS for consideration with respect to future
FAQs and guidance.
4. Section 160.306--Complaints to the Secretary
Proposed rule: Section 160.306 provides for investigations of
covered entities by the Secretary. It also outlines the procedure and
requirements for filing a complaint against a covered entity. For
example, it provides that a complaint must name the person that is the
subject of the complaint and describe the acts or omissions believed to
be violations. It also requires that complaints be filed within 180
days of when the complainant knew or should have known that the act or
omission occurred, unless this time limit is waived for good cause. The
proposed rule would have amended this section to apply it to all of the
HIPAA rules, rather than exclusively to the Privacy Rule, but otherwise
proposed no substantive changes to the section.
Final rule: The final rule adopts the provisions of the proposed
rule, except that proposed Sec. 160.306(c) is revised to require the
Secretary to describe the basis of the complaint in the first written
communication with the covered entity about the complaint.
Comment: One comment asked for clarification on when a complaint
will be considered to have been timely filed in situations when a
complainant should have known of the violation, thus triggering the
180-day time period for filing a complaint.
Response: Deciding whether or not a complaint was properly filed
within the 180-day period will need to be determined in each case. For
example, an individual who is informed through an accounting of
disclosures that his or her health information was impermissibly
disclosed would be considered to know of the violation at the time the
individual receives the accounting. In any event, however, the 180-day
period can be waived for good cause shown.
Comment: Two comments suggested that HHS be required to inform a
covered entity of the specific basis for an investigation or compliance
review. These comments suggested the best way to accomplish this goal
would be to send a copy of the complaint to the covered entity. The
comments stated that, without specific information as to the basis of
the complaint, a covered entity will not be able to properly respond to
the agency's request for information.
Response: Both CMS and OCR currently provide the basis for an
investigation in the first written communication with a covered entity
about a complaint. This policy will continue to be followed, and the
final rule is revised to require it. It should be noted that provision
of a description of the basis for the complaint does not circumscribe
the investigation, if the investigation subsequently uncovers other
compliance issues with respect to the covered entity.
We disagree that sending a copy of the complaint is necessary for a
covered entity to adequately respond to the Secretary's inquiries. As
noted above, covered entities receive a description of the basis for
the complaint. Other information contained in the complaint, such as
the complainant's identity, is not always relevant to the
investigation. In some cases, in fact, it may be necessary to withhold
such information to, for example, protect the complainant's privacy. In
instances where it is necessary to provide the complainant's identity
in order for the covered entity to properly respond to the
investigation, the complainant is so informed before this information
is released to the covered entity.
Comment: One comment suggested that the rule be revised to require
that a complaint include the name of the covered entity that is the
subject of the complaint.
Response: The rule, both as proposed and as adopted below, already
requires that a complaint ``name the person that is the subject of the
complaint.'' See Sec. 160.306(b)(2).
Comment: In one comment, a covered entity complained that it had
expended a great deal of time and money defending itself against what
turned out to be a false allegation and asked that HHS put more effort
into gathering detailed information from complainants and helping
covered entities respond to complaints. Another comment criticized the
rule for providing no way of sanctioning a person bringing a negligent
or malicious complaint.
Response: We understand that it may take time and effort to
establish that an allegation is unfounded. When complaints are
received, we make every effort to determine if the complaint is
legitimate, so as not to place undue burdens on covered entities.
Further, covered entities are encouraged promptly to contact the OCR or
CMS investigators handling their complaints to discuss the allegations
once notice of an investigation is received by the covered entity.
Doing so should help a covered entity avoid the expenditure of
unnecessary time and funds on defending itself against baseless
complaints. The statute provides no basis for our penalizing a person
for bringing a negligent or malicious complaint, although remedies may
exist at common law. However, as discussed below in connection with
Sec. 160.316, lack of good faith would typically be a matter that is
looked at in the course of investigating a complaint.
Comment: One comment suggested that only individuals or personal
representatives should have standing to file a complaint. The comment
takes the position that one covered entity should not be able to bring
a complaint against another.
Response: We disagree. The purpose of the complaint process is to
bring violations to the attention of HHS, so that any noncompliance
with the HIPAA rules may be corrected. Particularly with respect to the
Transactions Rule, the persons or entities that are likely to be
disadvantaged by the noncompliance of a covered entity are other
covered entities. It would, accordingly, be inconsistent with the
purpose of the complaint process to exclude such entities from it.
Comment: Two comments suggested that HHS be required to notify
covered entities of a complaint within a specified time-frame.
Response: OCR and CMS make every effort to notify covered entities
of complaints on a timely basis. However, we do not include a specific
deadline for notifying covered entities of
[[Page 8396]]
complaints in the rule. The time needed to determine whether a
complaint states issues that should be investigated can vary greatly,
while fluctuations in the volume of complaints and other workload
demands may also make meeting a specific deadline problematic.
Comment: One comment suggested that Sec. 160.306(a)(2) should be
amended to require that ``uses or disclosures'' be described in the
complaint rather than ``acts or omissions.''
Response: The suggested change would not be appropriate. The
provisions of this rule apply to all of the HIPAA rules, not just the
Privacy Rule; the other HIPAA rules regulate actions other than uses
and disclosures of protected health information. Moreover, even under
the Privacy Rule, a violation may occur where no impermissible use or
disclosure of protected health information has occurred. Failure to
comply with a notice requirement under Sec. 164.520 is an example of a
violation that does not involve a use or disclosure of protected health
information.
Comment: One comment suggested that the Secretary should be
required to investigate all complaints and that failure to do so is
inconsistent with section 1176(a) of the Act, which compels the
Secretary to impose penalties for violations unless a statutory
limitation applies. Imposing a deadline for beginning investigations
was also suggested.
Response: The decision to investigate a complaint is based on the
facts presented. Not all complaints need to be investigated. For
example, in our experience, a substantial percentage of privacy
complaints allege facts that fall outside of OCR's jurisdiction under
HIPAA--e.g., an action prior to the compliance date of the Privacy Rule
or an action by an entity not covered by the Rule. Revising the rule to
require the Secretary to investigate all complaints would be
counterproductive and lead to an inefficient allocation of enforcement
resources. Similarly, imposing a deadline for beginning an
investigation is unrealistic: Some investigations may turn out to be
more time-consuming than anticipated, delaying the start of other
investigations. It is necessary to provide OCR and CMS with the
flexibility to deal with variations in circumstances and resource
constraints.
5. Section 160.308--Compliance Reviews
Proposed rule: The proposed rule provided that the Secretary may
conduct compliance reviews to determine whether covered entities are
complying with the applicable administrative simplification provisions.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Several comments asked HHS to outline the circumstances
under which a compliance review would be undertaken or asked that the
compliance review provision be eliminated from the rule. One comment
suggested that compliance reviews be limited to evidence-based reviews.
These comments expressed concern that the rule does not specifically
define when a compliance review will be undertaken.
Response: Compliance reviews are conducted at the discretion of the
Secretary. Outlining specific instances in which a compliance review
will be conducted could have the counterproductive effect of skewing
compliance efforts toward those aspects of compliance that had been
identified as likely to result in a compliance review. It also does not
seem advisable to limit, by rule, the circumstances under which such
reviews may be conducted at this early stage of the enforcement
program, when our knowledge of the types of violations that may arise
is necessarily limited. We also do not agree that the provision for
compliance reviews should be eliminated. There are situations where
instances of potential noncompliance come to HHS's attention outside of
the complaint process (e.g., where media reports suggest that a
violation has occurred), and HHS must have clear authority to
investigate such situations.
Comment: A number of comments suggested that HHS detail the
compliance review process and rules for notification of covered
entities when they are being reviewed.
Response: The rule already contains procedures to be followed, and
requirements to be met, that apply to compliance reviews. See
Sec. Sec. 160.304, 160.310, 160.312, 160.314, and 160.316. It is
unnecessary to establish procedures comparable to the complaint filing
procedures of Sec. 160.306 for compliance reviews, since they are
initiated by HHS. The concerns expressed by most of the comments on
this topic--that HHS would undertake a compliance review without notice
to the covered entity and without specifying the basis for, or the
focus of, the review--are misplaced. Section 160.312 requires HHS to
attempt to resolve violations found in a compliance review by informal
means and to inform the covered entity in writing if a compliance
review is or is not resolved by informal means. Failing to notify the
covered entity of a compliance review or the basis for such a review is
not consistent with our practice generally and would be unlikely to
yield much information of use, resulting in an ineffective use of the
covered entity's and the agency's resources.
Comment: One comment suggests that compliance reviews should be
mandatory and should be initiated within a specified time period.
Response: The rule, as proposed and adopted, does not preclude
establishing a compliance review program or schedule, but it does not
require it either. One purpose of compliance reviews is to permit
investigation when allegations or situations warranting investigation
come to our attention outside of the complaint process. The necessity
for a compliance review in a particular case or a program of scheduled
compliance reviews is inherently unpredictable, and it is important to
retain the administrative flexibility to address such situations.
Mandating compliance reviews on a fixed basis or schedule would be an
inefficient allocation of limited enforcement resources and would
hamper the agency's ability to target resources at actual noncompliance
problems as they arise.
Comment: One comment suggested that the rule contain provisions
outlining the coordination and cooperation between CMS and OCR when a
compliance review under more than one rule occurs.
Response: As with complaint-based investigations, CMS and OCR will
coordinate and allocate responsibility for compliance reviews based
upon the HIPAA provisions involved and the facts of the case. We do not
consider it advisable to specify detailed rules in this regard, as the
allocation of function and responsibility will depend on the facts of
each case and the resources available at the time.
6. Section 160.310--Responsibilities of Covered Entities
Proposed rule: Section 160.310 addresses the responsibilities of a
covered entity, such as providing records and compliance reports to the
Secretary and cooperating during a compliance review or complaint
investigation. Section 160.310(c) provides that a covered entity must
permit HHS to have access during normal business hours to its
facilities, books, records, and other information necessary to
determine compliance, but provides that if the Secretary determines
that ``exigent circumstances exist, such as when documents may be
hidden or destroyed,'' the covered entity must permit access at any
time without
[[Page 8397]]
notice. Section 160.310 also requires that the Secretary may not
disclose protected health information obtained by the Secretary in the
course of an investigation or compliance review except when necessary
to ascertaining or enforcing compliance or as otherwise required by
law. The proposed rule would amend this section to apply it to all of
the HIPAA rules, rather than exclusively to the Privacy Rule, but
otherwise proposed no substantive changes to the section.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: A couple of comments asked HHS either to further define
``exigent circumstances,'' such as by limiting it to situations
involving national security or by inserting specific examples of
exigent circumstances in Sec. 160.310(c)(1). One comment suggested
that the rule be revised to require that the Secretary's determination
that ``exigent circumstances'' exist be a ``reasonable'' one.
Response: The determination of what constitutes ``exigent
circumstances'' will inevitably be fact-dependent. Specific language
defining ``exigent circumstances'' is unnecessary, as the rule already
provides a clarifying example and the principle underlying the
provision is reasonably universal. We note that limiting the provision
to situations where matters of national security are involved would
most likely not cover the types of situations the provision is intended
to cover--situations in which it is likely that the covered entity will
seek to conceal or destroy evidence of noncompliance that HHS needs to
carry out its statutory obligation to enforce the HIPAA rules.
Comment: Two comments asked for further guidance and notice of
record retention requirements and another comment expressed concerns
with the record retention requirements of the Privacy Rule.
Response: Record retention requirements applicable to the Privacy
and Security Rules are spelled out in those rules; see, Sec.
164.530(j) and Sec. 164.316(b), respectively. We do not address these
record retention requirements here, as this topic lies outside the
scope of this rule.
The other HIPAA rules do not contain explicit record retention
requirements, as such. However, it is likely that the documentation
that would be relevant to showing compliance with those rules--such as
health plan instructions to providers, software documentation,
contracts, and systems processes--is kept as part of normal business
practices. Covered entities should consider any other applicable laws,
such as state law, in making such decisions.
7. Section 160.312--Secretarial Action Regarding Complaints and
Compliance Reviews
Proposed rule: We proposed to revise Sec. 160.312(a) to require
that, where noncompliance is indicated, the Secretary would seek to
reach by informal means a resolution of the matter that is satisfactory
to the Secretary. Informal means could include demonstrated compliance,
or a completed corrective action plan or other agreement. We proposed
to revise Sec. 160.312(a)(2) to require, where noncompliance is
indicated and the matter is resolved by informal means, that HHS notify
the covered entity in writing and, if the matter arose from a
complaint, the complainant. Where noncompliance is indicated and the
matter is not resolved by informal means, proposed Sec.
160.312(a)(3)(i) would require the Secretary to so inform the covered
entity and provide the covered entity an opportunity to submit, within
30 days of receipt of such notification, written evidence of any
mitigating factors or affirmative defenses. To avoid confusion with the
notice of proposed determination process provided for at proposed Sec.
160.420, proposed Sec. 160.312(a)(3)(ii) provided that, where the
matter is not resolved by informal means and the Secretary finds that
imposition of a civil money penalty is warranted, the formal finding
would be contained in the notice of proposed determination issued under
proposed Sec. 160.420. We proposed to leave Sec. 160.312(b)
substantively unchanged.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment suggested that covered entities should be able
to appeal the Secretary's findings during the informal resolution
process and that the Secretary's decision to resolve a matter
informally should not preclude the respondent from questioning the
Secretary's interpretation or application of the rule in question.
Response: The purpose of the informal resolution process described
in Sec. 160.312 is to bring closure at an early stage to a matter
where compliance is in issue and, thus, to obviate the need to issue a
notice of proposed determination. Section 160.312 recognizes, however,
that informal resolutions will not always be achieved. Where the agency
and the covered entity are not able to resolve the matter informally,
HHS (through OCR and/or CMS) will make a finding of noncompliance
pursuant to Sec. 160.420, which the covered entity may then challenge
through the applicable procedures of subparts D and E. Nothing in the
rule compels the covered entity to challenge the finding of
noncompliance under Sec. 160.420, but if the covered entity wishes to
challenge such a finding, including the agency's interpretation or
application of a rule, it must do so through the procedural avenue
provided by subparts D and E. These procedures implement the
requirement of section 1128A(c) of the Act that the Secretary may not
make an adverse determination against a person until the person has
been given written notice and an opportunity for a hearing on the
record on the adverse determination.
Comment: One comment asked how informal resolution is possible,
given HHS's position that, where a violation is found, a CMP must be
imposed. Another comment expressed concern that the informal resolution
process would allow covered entities to skirt penalties and the
consequences of noncompliance with the HIPAA rules and suggested that
the Secretary should not be compelled to reach a resolution through
informal processes.
Response: These comments misunderstand our position as to the
mandatory nature of the statute. The Secretary must impose a civil
money penalty where a formal determination of a violation is made.
However, many opportunities exist prior to this determination that
allow the Secretary to exercise his discretion to not impose a penalty.
This issue is discussed more fully in connection with Sec. 160.402
below.
The second comment above also misconstrues Sec. 160.312. Nothing
in that section compels OCR or CMS to resolve matters informally.
Indeed, Sec. 160.312(a)(3) describes the actions to be taken ``[i]f
the matter is not resolved by informal means * * *''.
Comment: One comment suggested that HHS and the covered entity
should be required to put the informal resolution in writing.
Response: Both Sec. 160.312(a)(2) and Sec. 160.312(b) require
that the resolutions contemplated in those sections be ``in writing.''
CMS and OCR currently document informal resolutions.
Comment: One comment suggested that the 30-day time period for a
covered entity to submit to the Secretary evidence of mitigating
factors or affirmative defenses should be extended.
Response: Thirty days should be sufficient for a covered entity to
submit such evidence. The opportunity to provide additional evidence
comes at
[[Page 8398]]
the end of investigation, and the covered entity should be gathering
any evidence of mitigating factors or affirmative defenses during the
investigation. In addition, the covered entity will have the
opportunity to present such evidence to the ALJ if it chooses to appeal
the Secretary's findings. Accordingly, we do not change this provision.
Comment: One comment suggested that a deadline should be imposed
for HHS to notify the covered entity of its findings after an
investigation.
Response: The time needed to finalize the agency's findings will
depend on the complexity of the case, its outcome, and workload
considerations. As these factors are inherently variable and
unpredictable, we do not believe it would be advisable to impose fixed
deadlines for taking the actions described in Sec. 160.312.
Comment: One comment requested clarification of proposed Sec.
160.312(a)(3)(ii), with respect to what action is referred to and the
associated time frame.
Response: The action referred to is HHS's notification of the
covered entity of its finding of noncompliance when it determines that
the matter cannot be resolved informally. Section 160.312(a)(3)(ii)
provides that, if HHS decides to impose a civil money penalty, it will
send a notice of proposed determination to the covered entity pursuant
to Sec. 160.420. Thus, the intent of this provision is to clarify
that, once OCR and/or CMS, as applicable, has determined that a
violation has occurred, the matter cannot be resolved informally in a
manner that is satisfactory to OCR and/or CMS, and a civil money
penalty should be imposed, the agency's next step is to provide the
formal notice required by section 1128A(c)(1), which in this rule is
the notice of proposed determination under Sec. 160.420. The rule
imposes no specific deadline on the agency for sending this notice.
However, it should be noted that if the notice is not sent within six
years of the violation, pursuit of the civil money penalty would be
precluded by section 1128A(c)(1), which is implemented in this rule by
Sec. 160.414.
Comment: One comment requested that Sec. 160.312(a)(3) be revised
to afford complainants the opportunity to express, in writing, the
impact of the violation.
Response: The suggested change is unnecessary, since nothing in the
rule precludes a complainant from providing such information to the
agency at any point in the process. Complainants frequently describe,
in their complaints or in the course of OCR's or CMS's initial contacts
with the complainants, the impact of the alleged violation. HHS also
may request such information from the complainant where, for example,
it bears on the amount of the penalty to be imposed.
8. Section 160.314--Investigational Subpoenas and Inquiries
Proposed rule: The text of proposed Sec. 160.314 was adopted by
the April 17, 2003 interim final rule as Sec. 160.504. We proposed to
move this section to subpart C, consistent with our overall approach of
organizing subparts C, D, and E to reflect the stages of the
enforcement process. We proposed to include in the introductory
language of proposed Sec. 160.314(a) a sentence which states that, for
the purposes of paragraph (a), a person other than a natural person is
termed an ``entity.'' We proposed not to modify Sec. 160.314(b)(1),
(2) and (8) from the provisions of the April 17, 2003 interim final
rule at paragraphs (b)(1)-(3) of Sec. 160.504. However, we proposed to
add new paragraphs (3) through (7) and (9) to Sec. 160.314(b) and also
to add a new paragraph (c). The proposed new paragraphs at Sec. Sec.
160.314(b)(3)-(b)(7) would permit representatives of HHS to attend and
ask questions at the inquiry, give a witness the opportunity to clarify
his answers on the record after being questioned by HHS, require any
objections or claims of privilege to be asserted on the record, and
permit HHS to seek enforcement of the subpoena through the federal
district court if a witness refuses to answer non-privileged questions
or produce requested documents or items. Further, proposed Sec.
160.314(c) provided that, consistent with Sec. 160.310, testimony and
other evidence obtained in an investigational inquiry may be used by
HHS in any of its activities and may be used or offered into evidence
in any administrative or judicial proceeding. Together, these additions
would clarify the manner in which investigational inquiries will be
conducted, and how testimony given, and evidence obtained, during such
an investigation may be used.
Final rule: The final rule adopts the provisions of the proposed
rule, except that paragraph (a) is revised to clarify that
investigational subpoenas may issue when a compliance review is
conducted.
Comment: A few comments requested that this section provide for the
protection of privileged documents when subpoenaed by the Secretary.
Comments also suggested that covered entities should have the ability
to challenge a subpoena issued by the Secretary.
Response: The rule, as proposed and adopted, provides a process for
a subpoenaed witness to challenge the subpoena and/or assert privilege.
Under section 205(e) of the Act, made applicable by section 1128A(j)(1)
of the Act, the federal district court in which a person charged with
contumacy or refusal to obey a subpoena resides or transacts business
has jurisdiction upon application of HHS. As provided in Sec.
160.314(a)(5), HHS may seek to enforce the subpoena in such cases
through action in the relevant federal district court, which would
presumably hear the basis for the witness's refusal to obey or claim of
privilege in connection with a motion to quash under Fed. R. Civ. P.
45(c)(3). (28 U.S.C. Appendix).
Comment: Several comments requested that the scope of the subpoenas
issued by the Secretary be limited to the investigation and that the
Secretary not be allowed to pursue open-ended inquiries.
Response: Section 205(d) of the Act, which is made applicable by
section 1128A(j)(1), provides that a subpoena may issue for ``the
production of any evidence that relates to any matter under
investigation or in question before [the Secretary].'' Moreover, the
federal courts subject the exercise of an agency's administrative
subpoena authority to a reasonableness analysis. In U.S. v. Powell, 397
U.S. 481 (1964), the holding of which was extended to all
administrative subpoena authorities in Securities and Exchange
Commission v. Jerry T. O'Brien, Inc., 467 U.S. 735, 741-42 (1984), the
U.S. Supreme Court articulated a standard for the judicial review of
administrative subpoenas that requires that the investigation be
conducted pursuant to a legitimate purpose and that the information
requested under the subpoena is relevant to that purpose. HHS is
required to comply with this standard in the exercise of the subpoena
authority under this section.
Comment: One comment asked that covered entities be given notice of
investigational inquiries directed at them.
Response: In general, we would expect that an investigational
subpoena would be used where a covered entity has failed to respond to
HHS's requests for information in the course of an investigation
conducted under Sec. 160.306. In such a case, the covered entity will
have been previously notified of the investigation pursuant to Sec.
160.306(c). Similarly, a subpoena would typically be issued in
connection with a compliance review under Sec. 160.308 where the
covered entity had
[[Page 8399]]
failed to respond to HHS's prior requests for information. Thus, we do
not expect the element of surprise to be present, which appears to be
the concern underlying these comments. We clarify in Sec. 160.314(a)
that this section also applies to compliance reviews.
Comment: One comment suggested that Sec. 160.314(a) be revised to
state that the admissibility of written statements obtained by HHS
during an investigational inquiry is subject to 45 CFR 160.518 and
160.538.
Response: We do not consider the suggested language necessary.
Sections 160.518 and 160.538 apply to the exchange and admission of
written statements. Should OCR or CMS seek to have written statements
obtained during an investigation admitted into evidence, those
statements would be subject to the requirements of Sec. Sec. 160.518
and 160.538.
Comment: One comment asked for clarification as to who may amend a
transcript and whether the Secretary has the discretion to limit a
witness's amendment of his or her testimony transcript.
Response: Under Sec. 160.314(b)(9), both sides may propose
corrections to the transcript, and any proposed corrections are
attached to the transcript; the transcript itself is not altered.
Section 160.314(b)(9)(i) provides that, if a witness is provided with a
copy of the transcript, the witness may submit written proposed
corrections to the transcript, or, if the witness is afforded only the
opportunity to inspect the transcript, the witness may propose
corrections to the transcript at the time of inspection. In either
case, the witness's proposed corrections are attached to the
transcript. Similarly, under Sec. 160.314(b)(9)(ii), the Secretary's
proposed corrections are attached to the transcript. The purpose of the
proposed corrections is to make the transcript ``true and accurate.''
See Sec. 160.314(b)(9)(i). Under this process, then, HHS would not be
changing the witness's proposed corrections; HHS would, at most, be
proposing different corrections.
Comment: One comment suggested that Sec. 160.314 be revised to
require HHS to provide for the same protection of protected health
information that is required of covered entities when HHS receives
protected health information during an investigation.
Response: Section 160.310(c)(3) explicitly protects the
confidentiality of protected health information received by HHS ``in
connection with an investigation or compliance review under this
subpart.'' Although these protections are not the same as those
required of covered entities with respect to protected health
information, in some respects they are more stringent, given the
limited circumstances for which the information may be disclosed under
this provision. Because Sec. 160.314 is now part of the subpart, the
restriction of Sec. 160.310(c)(3) applies to protected health
information received during an investigational inquiry. See Sec.
160.314(c), which provides that testimony and other evidence obtained
in an investigational inquiry may only be used ``[c]onsistent with
Sec. 160.310(c)(3) * * *''.
Comment: One comment asked for clarification of the ``good cause''
limitation on a witness's ability to inspect the official transcript of
their testimony.
Response: This provision derives from the Administrative Procedure
Act, which requires, at 5 U.S.C. 555(c), that ``[a] person compelled to
submit data or evidence is entitled to retain or, on payment of
lawfully prescribed costs, procure a copy or transcript thereof, except
that in a nonpublic investigatory proceeding the witness may for good
cause be limited to inspection of the official transcript of his
testimony.'' The ``good cause'' language of this provision has been
explained as follows:
The * * * grant[] to agencies of the right to inhibit access to
testimony in nonpublic investigatory proceedings were in recognition
that such investigations, ``like those of a grand jury, might be
thwarted in certain cases if not kept secret, and that if witnesses
were given a copy of their transcript, suspected violators would be
in a better position to tailor their own testimony to that of the
previous testimony, and to threaten witness about to testify with
economic or other reprisals.''
LaMorte v. Mansfield, 438 F.2d 448, 451 (2d Cir. 1971) (quoting
Commercial Capital Corp. v. S.E.C., 360 F.2d 856, 858 (7th Cir. 1966)).
Comment: Several comments suggested that evidence obtained during
an investigation by HHS should be used only within the scope of that
investigation, not for other matters, as provided for by Sec.
160.314(c).
Response: Section 160.314(c) mirrors the OIG rule. The concept that
HHS may use evidence obtained in an investigation for matters outside
the scope of the investigation is not novel. While we would expect to
be careful in using such information for other purposes, we are legally
obligated to take appropriate action if we obtain clear evidence of
wrongdoing.
9. Section 160.316--Refraining From Intimidation or Retaliation
Proposed rule: Proposed Sec. 160.316, which was taken from Sec.
164.530(g)(2) of the Privacy Rule, would prohibit covered entities from
threatening, intimidating, coercing, discriminating against, or taking
any other retaliatory action against individuals or other persons
(including other covered entities) who complain to HHS or otherwise
assist or cooperate in the enforcement processes created by this rule.
The intent of this addition to subpart C was to make these
non-retaliation provisions applicable to all of the HIPAA rules, not just
the Privacy Rule. A conforming change to Sec. 164.530(g) of the
Privacy Rule was proposed, to cross-reference proposed Sec. 160.316.
Final rule: The final rule adopts the provisions of the proposed
rule, except that the verb ``harass'' is inserted in the introductory
language of this section. The related revision to Sec. 164.530(g) is
adopted without change.
Comment: Two comments asked HHS to strengthen the prohibition on
retaliation and intimidation. The comments expressed concern that the
current provision is not a sufficient deterrent to covered entities,
particularly payers. One comment suggested that the language be revised
to read in pertinent part as follows: ``A covered entity may not
threaten * * * including not threaten to reduce or eliminate payment,
intimidate, coerce, harass, discriminate against, or take any other
retaliatory action against any individual or other person * * *
including suspending or terminating participation in a Medicaid program
and/or in any other program or network or reducing or eliminating
payment for * * *''. Another comment suggested that persons who engage
in prohibited retaliation or intimidation should be considered to have
``knowingly'' violated the statute and be subject to criminal penalties
under section 1177 of the Act.
Response: We agree with the comment that the actions covered in the
suggested language would constitute intimidation or retaliation under
the appropriate facts, but we think that such claims may be made under
the existing language. However, while harassment is encompassed by the
phrase ``other retaliatory action'' in this section, since harassment
is a form of pressure that is sufficiently different from, and as
objectionable as, the other intimidating or retaliatory acts that are
specifically mentioned, we clarify the section by including it in the
text of the regulation;
[[Page 8400]]
the text of the final rule is revised accordingly.
The statute does not make retaliation or intimidation the subject
of a criminal penalty under section 1177, and we cannot expand the
scope of the criminal provision by regulation. Accordingly, we do not
adopt this suggestion.
Comment: One comment suggested amending the section to require that
a complaint be filed in good faith under Sec. 160.306 and that the
same change be made to the remaining language in proposed Sec.
164.530(g). The comment stated that covered entities should not be
prohibited from firing employees who file false complaints and that
covered health care providers should not be prohibited from terminating
the provider-patient relationship where the patient files a false
complaint.
Response: The good faith of a complainant is currently evaluated by
OCR to the extent it bears upon determining whether a compliance
failure appears to have occurred and the extent to which the complaint
should be investigated. We do not read the rule as prohibiting the
firing of an employee or the termination of a provider-patient
relationship where other legitimate grounds for such action exist;
whether such grounds exist would be a matter to be ascertained in the
course of the investigation.
Comment: Two comments asked HHS to provide examples of retaliation
and/or outline procedures or criteria for how the occurrence of
retaliation will be investigated and determined. One comment asked that
the rule stipulate that an act be considered to be one of retaliation
or intimidation only if it occurred after the filing of a complaint.
Response: Complaints regarding retaliation or intimidation will be
handled in the same manner as investigations regarding other possible
violations of the HIPAA rule, as Sec. 160.316 is considered an
administrative simplification provision for the purposes of imposing a
civil money penalty. Because such situations are likely to be quite
varied and factually complex, we are reluctant to preclude
consideration of events prior to the filing of a complaint that may be
relevant to a claim of retaliation or intimidation. We, thus, retain
the language as proposed.
C. Subpart D--Imposition of Civil Money Penalties
Subpart D of the final rule addresses the issuance of a notice of
proposed determination to impose a civil money penalty and other
actions that are relevant thereafter, whether or not a hearing is
requested following the issuance of the notice of proposed
determination. It also contains provisions on identifying violations,
calculating civil money penalties for such violations, and establishing
affirmative defenses to the imposition of civil money penalties. It,
thus, implements the provisions of section 1176, as well as related
provisions of section 1128A. As noted above, many provisions of subpart
D are based in large part upon the OIG regulations, but we adapt the
language of the OIG regulations to reflect issues presented by, or the
authority underlying, the HIPAA rules.
1. Section 160.402--Basis for a Civil Money Penalty
Section 160.402 sets forth the rules concerning the basis for
liability for a civil money penalty. It includes the rules for
determining liability if more than one covered entity is responsible
for a violation and where an agent of a covered entity is responsible
for a violation.
a. Section 160.402(a)--General Rule
Proposed rule: Proposed Sec. 160.402(a) would require the
Secretary to impose a civil money penalty on any covered entity which
the Secretary determines has violated an administrative simplification
provision, unless the covered entity establishes that an affirmative
defense, as provided for by Sec. 160.410, exists. This provision is
based on the language in section 1176(a) that ``* * * the Secretary
shall impose on any person who violates a provision of this part a
penalty * * * ''. A ``provision of this part'' is considered to be a
requirement or prohibition of the HIPAA statute or rules. See the
discussion of ``administrative simplification provision'' under Sec.
160.302 above.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: A number of comments suggested that the words ``the
Secretary will impose a civil money penalty * * * '' are too strict.
Some comments expressed concern that this language could jeopardize
HHS's ability to resolve a matter informally; other comments questioned
how this language was consistent with the provisions for voluntary
compliance (Sec. 160.304), informal resolution (Sec. 160.312), and
settlement (Sec. 160.416). Most of these comments suggested that the
rule give the Secretary discretion to impose a civil money penalty
instead of making it mandatory.
Response: Section 160.402(a) states the general rule of section
1176(a): If the Secretary determines that a covered entity has violated
an administrative simplification provision, he will impose a civil
money penalty unless a basis for not imposing a penalty under section
1176(b) exists. The use of the words ``shall impose'' in section
1176(a) is more than the mere conveyance of authority to the Secretary
to exercise his discretion where he has made a formal determination
that a covered entity has violated an administrative simplification
provision. Under the procedures set forth in this final rule, the
formal determination is proposed in a notice of proposed determination
under Sec. 160.420. A covered entity may request administrative review
by an administrative law judge of this determination. If the covered
entity does not so request, the proposed determination becomes final.
Many opportunities will precede a determination of a violation,
however, that will permit the Secretary to exercise his discretion to
not impose a penalty. As set forth in Sec. 160.304, the principle for
achieving compliance is to seek voluntary compliance by covered
entities. To implement this principle in complaints and compliance
reviews, Sec. 160.312 provides that the Secretary will attempt to
reach resolution by informal means prior to proposing a determination
under Sec. 160.420 that a covered entity has violated an
administrative simplification provision. If resolution satisfactory to
the Secretary is reached by informal means, the Secretary may exercise
his discretion to close the matter without formally proposing a
determination under Sec. 160.420. The Secretary is also authorized by
section 1128A(f) of the Act, which is incorporated by reference in
section 1176, to exercise discretion to settle any matter. Thus, under
Sec. Sec. 160.416 and 160.514, settlements of civil money penalties
which have been proposed or are being challenged through the
administrative hearing process are possible. The Secretary also has
discretion to waive civil money penalties, in whole or in part, in
certain cases under Sec. 160.412.
The general rule stated in Sec. 160.402(a) that the Secretary will
impose a civil money penalty upon a covered entity if the Secretary
determines that the covered entity has violated an administrative
simplification provision is not at odds with the Secretary's authority
to exercise his discretion pursuant to Sec. Sec. 160.304, 160.312,
160.412, 160.416, and 160.514. However, these exercises of Secretarial
discretion require actions by covered entities. When a covered entity
acts, or fails to act, in ways that do not allow the exercise of
Secretarial discretion not to
[[Page 8401]]
impose a penalty, the Secretary will impose a civil money penalty upon
the covered entity if the Secretary determines that the covered entity
has violated an administrative simplification provision.
Comment: One comment complained that Sec. 160.402(a) does not
allow for early termination of frivolous complaints. The comment stated
that covered entities are locked into paying a civil money penalty or
initiating an expensive and elaborate defense to the complaint.
Response: It is our expectation that complaints that are frivolous
will be resolved at an early stage of the informal resolution process
under Sec. 160.312. A covered entity can facilitate this process by
cooperating with the OCR or CMS investigators on a timely basis.
Comment: One comment suggested that Sec. 160.402(a) be revised to
require HHS to issue a finding that informal resolution is not
sufficient and that a civil money penalty is necessary.
Response: The provision suggested would be redundant. The notice of
proposed determination under Sec. 160.420 essentially fulfills this
function, in that it must state the grounds upon which the Secretary
has decided to impose the penalty.
b. Section 160.402(b)--Violations by More Than One Covered Entity
Proposed rule: Proposed Sec. 160.402(b) provided that, except with
respect to covered entities that are members of an affiliated covered
entity, if the Secretary determines that more than one covered entity
was responsible for violating an administrative simplification
provision, the Secretary will impose a civil money penalty against each
such covered entity. Based on the statutory language in section
1176(a), which states that the Secretary ``* * * shall impose a penalty
* * *'' when there is a determination that an entity has violated a
HIPAA provision, this provision would apply to any two or more covered
entities (other than members of an affiliated covered entity, discussed
below), including, but not limited to, those that are part of a joint
arrangement, such as an organized health care arrangement. The preamble
to the proposed rule noted that the determination of whether or not an
entity is responsible for the violation would be based on the facts and
that, while simply being part of a joint arrangement would not, in and
of itself, make a covered entity responsible for a violation by another
entity in the joint arrangement, it could be a factor considered in the
analysis. See 70 FR 20231.
Proposed Sec. 160.402(b)(2) provided that each covered entity that
is a member of an affiliated covered entity would be jointly and
severally liable for a civil money penalty for a violation by the
affiliated covered entity. An affiliated covered entity is a group of
covered entities under common ownership or control, which have elected
to be treated as if they were one covered entity for purposes of
compliance with the Security and Privacy Rules. See Sec. 164.105(b).
Final rule: The final rule provides that a member of an affiliated
covered entity is jointly and severally liable for a violation by the
affiliated covered entity, unless it is established that another member
of the affiliated covered entity was responsible for the violation.
Comment: Proposed Sec. 160.402(b) was opposed by many on the
ground that it was unfair to make one covered entity liable for a
violation committed by another covered entity. A number of comments
stated that this provision was particularly unfair, when coupled with
the requirement of proposed Sec. 160.426 that the public be notified
of civil money penalties imposed, in that a covered entity that was not
responsible for the violation in question could bear the reputational
injury associated with such notification, due to the operation of
proposed Sec. 160.402(b). One comment pointed out that violations may
not be system-wide, but may be limited to one member of the affiliated
covered entity; in such a situation, it would not be fair to penalize
the other members of the affiliated covered entity.
Response: We agree with these comments to a certain extent and have
changed the final rule accordingly. We agree that, if responsibility
for a violation can be shown to lie with one member of an affiliated
covered entity, that member should be held liable for the violation.
Thus, we have provided that a covered entity member of an affiliated
covered entity may avoid liability if it is established that another
member was responsible for the violation. We suspect that in most
cases, which member was responsible for the violation will be clear--
for example, if four of five members of a covered entity distributed
privacy notices but the fifth member did not, the violations of the
notice distribution requirement of Sec. 164.520 would be attributed to
the fifth member. In such cases, the objections to publication
described above are beside the point, because liability follows
responsibility.
However, we do not agree that the inability to assign specific
responsibility for a violation to one or more members of an affiliated
covered entity should shield all of its members from liability. We
doubt that such situations will arise often, but they may arise where
the affiliated covered entity has failed to take a required act--for
example, where the affiliated covered entity has failed to appoint a
privacy officer. In such a case, all of the members of the affiliated
covered entity bear a share of the responsibility for the failure to
act, since any of them could have presumably taken action to bring the
group, as a whole, into compliance. It is, thus, not unreasonable that
all members of the affiliated covered entity should be jointly and
severally liable for the consequent penalty. Moreover, absent joint and
several liability, each member of the affiliated covered entity would
be separately liable for the penalty for the violation, e.g., the
failure to appoint a privacy officer. Thus, the removal of joint and
several liability may result in greater liability for the members of an
affiliated covered entity in some cases.
Comment: Several comments argued that there is no statutory
authority for holding the members of an affiliated covered entity
jointly and severally liable, in that the statute requires that the
penalty ``shall be imposed on any person who violates a provision
* * *'' and, thus, does not authorize imposition of a penalty on a person
who has not violated a provision of the statute or rules. One comment
argued that proposed Sec. 160.402(b) would violate the due process
clause by imposing liability on entities not responsible for a
violation.
Response: These objections are misplaced. Where, as will usually be
the case, responsibility for the violation is evident and the
responsible party is charged with the violation, they are obviously not
relevant. In the case of other violations, where the responsibility for
the violation is shared by the members of the affiliated covered
entity, as in where the affiliated covered entity fails to take
required actions, they are likewise not relevant. Since each covered
entity member of the affiliated covered entity is responsible for
complying with the rule in question, responsibility for the failure to
act may be properly imputed to each member. Moreover, since an
affiliated covered entity is a type of joint undertaking, it is
reasonable to impute responsibility to the members of the affiliated
covered entity, as is typically done with joint ventures.
Comment: Several comments argued that proposed Sec. 160.402(b)
uses a legal fiction of the Privacy and Security Rules to create
liability where liability would not otherwise exist and substitutes
this fiction for the corporate form and structure that establish the
basis for enterprise liability under U.S. law.
[[Page 8402]]
Another comment stated that this section is inconsistent with the
provision of the HIPAA rules (Sec. 160.105(b)) that defines an
affiliated covered entity as an entity comprised of ``legally
separate'' entities.
Response: We disagree. The affiliated covered entity concept is
more than a legal fiction. It is an operational approach to discharging
certain compliance responsibilities. When covered entities create an
affiliated covered entity, they mutually agree to conduct their
business in a certain manner and hold themselves out to the world as a
joint undertaking. While the Privacy and Security Rules do not
prescribe detailed requirements for how an affiliated covered entity
must be organized, the level of cooperation such an undertaking
necessitates, the requirement for designation, and the requirement of
common ownership or control mean that the participating members will
have entered into an agreement of some sort, whether formal or
informal. We, thus, think that it is properly viewed as a joint
venture.
The fact that an affiliated covered entity is composed of ``legally
separate'' entities is beside the point. Joint and several liability,
as a concept, is imposed on legally separate entities. See, e.g.,
Black's Law Dictionary (8th ed. 2004), liability.
Comment: A number of comments argued that the provision for joint
and several liability would discourage covered entities from setting up
affiliated covered entities. One comment stated that proposed Sec.
160.402(b) represents a change in position by HHS, in that the preamble
to the Privacy Rule, on which many covered entities relied, stated that
covered entities that formed an affiliated covered entity are
``separately subject to liability under this rule.''
Response: Section 160.402(b), as adopted, should allay the concerns
expressed by these comments with respect to the potential exposure to
liability for the members of affiliated covered entities. We think
that, in most cases, which member of an affiliated covered entity is
responsible for a violation will be obvious; where this is the case,
HHS would seek to impose the civil money penalties on that member. Even
if it is not obvious from the violation itself who the responsible
party is, a covered entity may adduce evidence to establish that
responsibility for the violation lies elsewhere, and, if this is shown,
avoid liability. In any event, the establishment of an affiliated
covered entity is not mandated by either the Privacy Rule or the
Security Rule. Rather, establishing an affiliated covered entity is a
business decision to be made by the covered entities involved. The
affiliated covered entity arrangement carries with it certain benefits
for the member entities; any increased exposure to potential liability
under this rule, assuming there is one, should be part of the business
calculus.
In addition, we do not agree that Sec. 160.402(b) is inconsistent
with the position taken in the preamble to the Privacy Rule. Our prior
statement was intended to provide notice that liability for violations
by an affiliated covered entity would devolve onto the member covered
entities of an affiliated covered entity, rather than being attributed
to the affiliated covered entity itself, so that member covered
entities could not avoid liability by arguing that the affiliated
covered entity had committed the violation in question. It was not
intended to indicate the bases upon which that liability would be
determined, which is the purpose of Sec. 160.402(b).
Comment: A couple of comments supported the policy of holding the
members of an affiliated covered entity jointly and severally liable.
One comment supported holding all covered entities in an affiliated
covered entity liable for the violations of one as an efficient
mechanism for highlighting the seriousness of violations of the HIPAA
rules.
Response: For the reasons set forth above, we have not adopted this
policy in the final rule, insofar as responsibility for a violation can
be determined.
Comment: Two comments requested clarification of the maximum amount
of the penalty that will be assessed against an affiliated covered
entity when one of its members has been found noncompliant.
Response: Where responsibility for a violation is allocated to
individual covered entities, each covered entity determined to be
responsible for the violation would be liable for violations of an
identical requirement or prohibition in a calendar year up to the
statutory maximum of $25,000. If responsibility for particular
violations cannot be determined, so that the members of the affiliated
covered entity are jointly and severally liable for the violation, the
maximum that would be imposed for violations of an identical
requirement or prohibition in a calendar year would be $25,000.
Comment: Several comments requested clarification of the statement
in the preamble to the proposed rule that membership in an organized
health care arrangement ``could be a factor considered in the
analysis'' in determining the liability of a member of such arrangement
for a violation. Of particular concern was the potential liability of a
hospital for the actions of physicians with privileges; one comment
noted that the hospital exercises little control over medical staff in
such situations. One comment requested that the final rule clarify that
membership in an organized health care arrangement would not increase a
covered entity's exposure to liability.
Response: As we noted in the preamble to the proposed rule, the
members of an organized health care arrangement would be individually--
not jointly and severally--liable for any violation of the HIPAA rules.
What our preamble statement intended to indicate was that HHS might
have to look carefully at how the organized health care arrangement
operated in determining which member(s) of the organized health care
arrangement was responsible for a particular violation, if that was not
clear at the outset.
c. Section 160.402(c)--Violations Attributed to a Covered Entity
Proposed rule: Proposed Sec. 160.402(c) provided that a covered
entity can be held liable for a civil money penalty based on the
actions of any agent, including a workforce member, acting within the
scope of the agency. This provision derives from section 1128A(l) of
the Act, which is made applicable to HIPAA by section 1176(a)(2) of the
Act. Section 1128A(l) states that ``a principal is liable for penalties
* * * under this section for the actions of the principal's agents
acting within the scope of the agency.'' Under the proposed rule, a
covered entity could be liable for a civil money penalty for a
violation by any agent acting within the scope of the agency, including
a workforce member. (``Workforce'' is defined at Sec. 160.103 as
``employees, volunteers, trainees, or other persons whose conduct in
the performance of work for a covered entity is under the direct
control of such entity, whether or not they are paid by the covered
entity.'') The proposed rule excepted covered entities from liability
for actions of a business associate agent that violate the HIPAA rules,
if the covered entity was in compliance with the HIPAA rules governing
business associates at Sec. Sec. 164.308(b) and 164.502(e). Proposed
Sec. 160.402(c) also provided that the Federal common law of agency
would apply to determine agency issues under this provision.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: A number of comments supported the provision of proposed
Sec. 160.402(c) relating to business
[[Page 8403]]
associates and requested that it be retained in the final rule.
Response: We agree and have done so.
Comment: One comment requested clarification of the liability of a
covered entity for a violation committed by a non-covered entity who is
not a business associate or workforce member, such as researchers,
medical device vendors, and non-covered providers who have treatment
privileges and access to protected health information at a covered
entity's facility. The comment argued that, depending on the
circumstances, such persons may or may not be considered agents.
Response: In general, a ``violation'' cannot occur, if the act in
question is not done by a covered entity or its agent, because only
covered entities are subject to the HIPAA rules. For example, if a
permitted or required disclosure of protected health information is
made by a covered entity to a person or entity that is not a workforce
member or business associate, the covered entity would not generally be
responsible for that person's or entity's subsequent use or disclosure
of the information. Thus, if a hospital that is a covered entity
discloses protected health information to a non-covered health care
provider with privileges for treatment of a patient, the hospital would
not be liable for a subsequent use or disclosure by that provider, as
long as the hospital is not also involved in that use or disclosure. If
the provider is an agent of the hospital, however, the hospital's
liability will be determined in accordance with Sec. 160.402(c).
Comment: We requested comment in the proposed rule on whether there
are categories of workforce members whom it would be inappropriate to
treat as agents under Sec. 160.402(c). A number of comments suggested
that independent contractors, volunteers, and students under the
supervision of an academic institution be excluded from the definition
of an agent for whose acts the covered entity could be liable, provided
that the covered entity has given the requisite training to such
persons. The comments indicated that generally covered entities have
less control over such persons than they have over employees.
Response: Whether a person is sufficiently under the control of a
covered entity and acting within the scope of the agency has to be
determined on the facts of each situation, but Sec. 160.402(c) creates
a presumption that a workforce member is an agent of the covered entity
for the member's conduct under the HIPAA rules, such as using and
disclosing protected health information. With regard to whether an
independent contractor is a member of the covered entity's workforce,
the question would be whether the covered entity had direct control
over the independent contractor in the performance of its work for the
covered entity. See Sec. 160.103 (definition of ``workforce''). If the
covered entity does not have direct control over such persons, they do
not fall within the definition of ``workforce.'' Where persons, such as
independent contractors, who are not under the direct control of the
covered entity perform a function or activity that involves the use or
disclosure of individually identifiable health information or a
function or activity regulated by this subchapter on behalf of a
covered entity, such persons would fall within the definition of
``business associate,'' and the covered entity would be required to
comply with the business associate provisions of the Privacy and
Security Rules with regard to such persons. Because of the direct
control requirement in the definition of workforce, we think it is
appropriate for a covered entity to be liable for a violative act of an
independent contractor who is a member of the workforce, that is, who
is under the direct control of the covered entity.
With respect to volunteers and trainees, we note that, while
covered entities may have less control over these persons, they do
control their performance of activities that are governed by the HIPAA
rules, such as access to protected health information. In regard to
privacy, a covered entity is required to train these categories of
workforce members as necessary and appropriate for these volunteers and
trainees to carry out their functions within the covered entity. 45 CFR
164.530(b). This requirement allows a covered entity to adapt its
training to a volunteer's or trainee's scope of duties. For example, a
volunteer who files laboratory results in a medical record will require
training that is different and more extensive than the training given
to a volunteer in the lobby gift shop of a hospital. Section 160.402(c)
is consistent with these distinctions. The acts of volunteers and
trainees will be examined on a case-by-case basis to determine if they
are acting as agents within the scope of their agency. Thus, we think
that it is appropriate to treat volunteers and trainees as persons for
whose acts a covered entity may be liable, if they act as agents for
the covered entity and violate the HIPAA rules within the scope of
their agency.
Comment: One comment recommended that the rule be revised to make
covered entities liable for violations committed by business
associates. The comment suggested that, if a covered entity is not
liable for the actions of its business associates, covered entities
will outsource the handling of protected health information to avoid
liability.
Response: We included the business associate exception in proposed
Sec. 160.402(c)(1)-(3) to make this rule consistent with the business
associate provisions in the Privacy and Security Rules. Changing the
business associate provisions in the Privacy and Security Rules is
outside the scope of this rulemaking. (See the extensive discussion
about business associates in the Privacy Rule and Security Rule
preambles at 65 FR 82503-82507 and 82640-82645, 67 FR 53251-53253, and
68 FR 8358-8361). The satisfactory assurances that are required in
written contracts or arrangements between covered entities and their
business associates are intended to protect the confidentiality of
protected health information handled by business associates. If a
covered entity fails to comply with the business associate provisions
in the Privacy and Security Rules, such as by not entering into the
requisite contracts or arrangements, or by not taking reasonable steps
to cure a breach or end a violation that is known to the covered
entity, the covered entity may be liable for the actions of a business
associate agent. We, therefore, decline to follow the recommendation.
Comment: Two comments suggested that HHS limit its use of the
Federal common law of agency because its application may make a covered
entity liable for the actions of a person, such as an independent
contractor, for whom the covered entity is not liable under state law.
Response: As we stated above, covered entities must comply with the
business associate provisions of the Privacy and Security Rules for
independent contractors who are not under the direct control of the
covered entity and who perform a function or activity that involves the
use or disclosure of individually identifiable health information or a
function or activity regulated by ``this subchapter'' (i.e., the HIPAA
rules) on behalf of a covered entity. If a covered entity complies with
the business associate provisions, the exception from liability in
Sec. 160.402(c) will be applicable. The purpose of establishing the
Federal common law of agency to determine when a covered entity is
vicariously liable for the acts of its agents is to achieve nationwide
uniformity in the implementation of the HIPAA rules by covered entities
and nationwide
[[Page 8404]]
consistency in the enforcement of these rules by HHS. The comments
reinforced our conclusion that reliance on state law could introduce
inconsistency in the implementation of the HIPAA rules by covered
entities in different states. Thus, we retain the Federal common law of
agency as the standard by which agency questions in specific cases will
be determined.
Comment: Two comments requested clarification of how this section
will apply to insurance agents, brokers, and consultants.
Response: Insurance agents, brokers, and consultants who are not
members of the covered entity's workforce but with whom the covered
entity shares protected health information will generally fall within
the definition of ``business associate'' at Sec. 160.103. A covered
entity that complies with the business associate provisions of the
Privacy and Security Rules would not be liable for a violation of those
rules by the business associate pursuant to the liability exception in
Sec. 160.402(c). It is also possible that the insurance agent, broker,
or consultant may be the covered entity's agent in some, but not all,
of his or her activities. An agent or broker may be working on behalf
of an employer to arrange insurance coverage for its employees and not
on behalf of the health insurance issuer that is a covered entity. In
cases where the liability exception for business associates is not
available or not met, the determination of whether an insurance agent,
broker, or consultant is an agent of a covered entity and was acting
within the scope of the agency will be made based on the facts of each
situation.
Comment: One comment argued that covered entities should not be
liable for acts of employees outside the scope of their employment.
Another comment suggested that covered entities should not be liable
for the actions of agents who have been informed of the covered
entity's HIPAA compliance policies, yet act contrary to them. Another
suggested that a covered entity should not be liable for the acts of
agents who, although authorized to disclose protected health
information, disclose it for purposes of sale or with intent to do
harm.
Response: Section 160.402(c), as proposed and adopted, provides
that a covered entity is liable for the acts of an agent acting
``within the scope of the agency.'' This provision necessarily implies
that a covered entity is not liable for its agent's acts outside the
scope of the agency (as determined under the federal common law of
agency). With regard to the comments that suggest that unauthorized
conduct by an agent is outside the scope of the agency, the Federal
common law of agency will be applied to the facts of each case to
determine whether the covered entity is liable for the conduct, even
though it was unauthorized.
Comment: Two comments expressed concern with the role of a Privacy
Officer and his or her liability under this part and the covered
entity's liability for the actions of a Privacy Officer who is a
business associate. One comment suggested that the Privacy Officer
should not incur any additional liability merely by being designated
the Privacy Officer. The other comment requested clarification as to a
covered entity's liability when the covered entity directly controls a
Privacy Officer, if the Privacy Officer is a business associate.
Response: As stated above, the facts of each case will determine
the liability of covered entities for wrongful conduct of their agents
under the HIPAA rules. As a general matter, we think that a Privacy
Officer is an officer of a covered entity for the purposes of the
Privacy Rule and, thus, will likely be the covered entity's agent. As
stated in Sec. 160.402, a covered entity is liable for the acts of its
agent acting within the scope of its agency and, thus, is liable for
any penalties that result from those acts. However, if a Privacy
Officer is a business associate of the covered entity, the liability
exception in Sec. 160.402(c) may apply. A covered entity that is in
compliance with the business associate provisions of the Privacy and
Security Rules will not be liable for a violation of those rules by the
business associate.
2. Section 160.404--Amount of a Civil Money Penalty
Proposed rule: Under proposed Sec. 160.404(a), the penalty amount
would be determined through the method provided for in proposed Sec.
160.406, using the factors set forth in proposed Sec. 160.408, and
subject to the statutory caps reflected in proposed Sec. 160.404(b)
and any reduction under proposed Sec. 160.412. The proposed regulation
would not establish minimum penalties. Proposed Sec. 160.404 would
follow the language of the statute and establish the maximum penalties
for a violation and for violations of an identical requirement or
prohibition during a calendar year, as set forth in the statute--up to
$100 per violation and up to $25,000 for violations of an identical
requirement or prohibition in a calendar year. Proposed Sec.
160.404(b) provided that the term ``calendar year'' means the period
from January 1 through the following December 31.
Under proposed Sec. 160.404(b)(2), a violation of a more specific
requirement or prohibition, such as one contained within an
implementation specification, could not also be counted, for purposes
of determining civil money penalties, as an automatic violation of a
broader requirement or prohibition that entirely encompasses the more
specific one. That is, the Secretary could impose a civil money penalty
for violation of either the general or the specific requirement, but
not both. Proposed Sec. 160.404(b)(2) would not apply where a covered
entity's action results in violations of multiple, differing
requirements or prohibitions within the same HIPAA rule or in
violations of more than one HIPAA rule. Proposed Sec. 160.404(b)(2)
also would not preclude assessing civil money penalties for multiple
violations of an identical requirement or prohibition, up to the
statutory cap.
Final rule: The final rule adopts the provisions of the proposed
rule. Changes to the provisions referenced in this section are
discussed in connection with those provisions.
Comment: While most comments that addressed proposed Sec.
160.404(b)(2) supported it, several comments suggested that a single
set of facts or single activity should not result in the finding of
more than one violation, even of different subparts. According to the
comments, covered entities should not be assessed penalties for
violating more than one provision if all violations arise out of the
same facts or incident. One comment suggested that penalties should not
be doubly assessed for overlapping provisions in other subparts unless
gross misconduct or willful negligence was involved.
Response: We do not count an act that violates overlapping
provisions of a subpart as more than one violation because provisions
that are duplicative in a subpart were written that way as a drafting
convenience and were not intended to establish separate legal
obligations. This rationale, however, does not apply where the legal
obligations are found in different subparts. Further, the different
subparts implement different statutory standards and, thus, impose
separate legal obligations. For example, where a covered entity
re-sells its used computers without scrubbing the hard drives that contain
protected health information, this act may violate several separate
legal obligations under the Security and Privacy Rules: (1) The media
re-use requirement of Sec. 164.310(d)(2)(ii); (2) the safeguards
requirement of Sec. 164.530(c); and (3) to the extent that the
protected health
[[Page 8405]]
information on the drives is accessible by persons to whom it could not
permissibly be disclosed, Sec. Sec. 164.308(a)(4)(i) and 164.502(a).
In such a situation, the act has violated requirements or prohibitions
of different rules promulgated pursuant to different provisions of the
statute, and it is appropriate that such violations be treated
separately. Thus, we decline to extend Sec. 160.404(b)(2) as
suggested.
Further, the same facts may evidence noncompliance with more than
one non-overlapping provision of a subpart and, thus, may result in
multiple violations for which a penalty may be assessed. For example, a
covered entity that makes an impermissible use of protected health
information may also, by virtue of the impermissible use, have violated
the Privacy Rule's minimum necessary and/or reasonable safeguard
provisions.
We also note that, in some cases, a violation of one requirement or
prohibition may produce consequential violations, and such cases would
not come within Sec. 160.404(b)(2). For example, Sec. 164.308(a)
requires covered entities to conduct security risk analyses. The
security risk analysis is the foundation of the covered entity's
security risk management plan and is one of the bases which it must
take into account in deciding not to implement addressable
implementation specifications under the Security Rule. If a covered
entity does not do a security risk analysis, it has no basis for not
implementing the addressable implementation specifications under the
Security Rule, and any failure to implement such specifications could,
thus, be considered a violation. Thus, while the failure to conduct the
security risk analysis would be a violation, albeit a continuing one,
of just one provision, it would necessarily result in other violations,
to the extent the covered entity failed to implement the addressable
implementation specifications of the Security Rule.
Comment: One comment suggested that the costs incurred by the
covered entity as a result of the violation should be considered in
calculating the amount of the penalty.
Response: We do not adopt this suggestion for several reasons.
First, we are not certain what costs the comment is suggesting be
considered--the costs associated with committing the violation, the
costs associated with correcting the violation, or both. Second, the
factors to be considered in determining the amount of the penalty for a
violation are set out at section 1128A(d) and are implemented in this
rule by Sec. 160.408. ``Costs incurred by the covered entity as a
result of the violation'' is not a concept that fits squarely within
any of the statutory factors. Third, to the extent consideration of
such costs is reasonable, it would seem to be relevant only to the
criterion for waiver under Sec. 160.412 (``the extent that payment of
the penalty would be excessive relative to the violation''); insofar as
that criterion weighs the seriousness of the effect of the violation,
costs associated with correcting the violation might in certain
circumstances be a relevant factor to be considered.
3. Section 160.406--Number of Violations
Proposed rule: Proposed Sec. 160.406 would establish the general
rule that the Secretary will determine the number of violations of an
identical requirement or prohibition by a covered entity by applying
any of the variables of action, person, or time, as follows: (1) The
number of times the covered entity failed to engage in required conduct
or engaged in a prohibited act; (2) the number of persons involved in,
or affected by, the violation; or (3) the duration of the violation,
counted in days. Paragraph (a) of this section would require the
Secretary to determine the appropriate variable or variables for
counting the number of violations based on the specific facts and
circumstances related to the violation, and take into consideration the
underlying purpose of the particular HIPAA rule that is violated. More
than one variable could be used to determine the number of violations
(for example, the number of people affected multiplied by the time
(number of days) over which the violation occurred). The Secretary
would have discretion in determining which variable or variables were
appropriate for determining the number of violations. The preamble to
the proposed rule noted that, under this proposal, the policy for
determining which variable(s) to use for which type of violation would
be developed in the context of specific cases rather than established
by regulation and that subsequent cases would be decided consistently
with prior similar cases.
Final rule: The final rule eliminates the provision for variables
and provides that the number of violations of an identical requirement
or prohibition (termed ``identical violations'') will be determined
based on the nature of the covered entity's obligation to act or not
act under the provision violated, such as its obligation to act in a
certain manner, or within a certain time, or with respect to certain
persons. With respect to continuing violations, a separate violation
will be deemed to occur on each day such a violation continues.
Comment: While two comments supported the proposal, many comments
challenged the variable approach of proposed Sec. 160.406 to
determining the number of violations. In particular, several comments
expressed concern over the broad discretion provided to the Secretary
to determine the number of violations, particularly in light of the
fact that the proposed rule would have prohibited the ALJ from
reviewing the Secretary's choice of variable(s). Further, some comments
were concerned that the Secretary could use multiple variables to
determine the number of violations. It was argued that the proposed
approach was unfair in that it (1) did not allow covered entities to
predict the amount of a civil money penalty that would result from a
violation, and (2) could maximize the penalty to the statutory cap in
virtually any case, which could result in very harsh penalties for
relatively minor offenses. Other comments argued that the variable
approach was inconsistent with the policy of proposed Sec.
160.404(b)(2), prohibiting the double counting of overlapping
regulatory requirements, or was inconsistent with HHS's general
approach to voluntary compliance. It was suggested, for example, that
HHS instead could establish one particular calculation method for each
HIPAA rule or specify the types of violations for which HHS would use a
particular method.
Comments also criticized the variable approach as inconsistent with
the definition of ``violation,'' arguing that the person and time
variables have no logical relationship to a failure to comply, and
thus, would not be appropriate for counting violations. Specifically,
it was argued that since a ``violation'' is defined as a failure to
comply with a requirement or prohibition, by definition a violation is
a failure to take a required action or a failure to refrain from doing
a prohibited act, and, thus, is not defined by the period of time
during which such action or inaction occurs or by the number of people
who may be affected by it. Further, several comments argued that the
action/inaction variable was the only one that was consistent with the
statute, so that penalizing covered entities by using other variables
would be penalizing them for violations that, by definition, do not
exist, which would be inconsistent with Congressional intent, as
expressed in section 1176(a), and inappropriate as a matter of public
policy. It was also argued that the time and person variables look at
qualitative issues and attempt to measure the
[[Page 8406]]
importance of an act or omission; they do not measure where an act is
quantitatively extensive--i.e., repeated or prolonged. It was argued
that qualitative considerations are treated, under the statute, as
aggravating or mitigating factors, not as questions of the quantity of
violations, as is done under the variable approach.
Response: It was not our intent to suggest that the variables we
proposed would be employed in a manner unrelated to the nature of the
underlying violation, as assumed by many of the comments. However,
since we agree that the manner in which the number of identical
violations should be determined will depend on the nature of the
provision violated, and the provision for variables was confusing and
susceptible to misinterpretation, we have eliminated the explicit
requirement to use the person, time, and action variables. The final
rule instead makes clear that the Secretary will determine the number
of identical violations based on the nature of the obligation of the
covered entity to act (or not act) under the provision violated. While
we agree, in principle, that the definition of ``violation'' looks to
an action or a failure to act as the essence of a violation, defining
what particular act or failure to act constitutes the specific
violation in question will necessarily require looking at the
substantive provision involved and determining what the covered entity
was legally obligated to do. We do not agree, in this regard, that the
elements of ``people'' and ``time'' are always irrelevant to a failure
to comply or that consideration of these elements would result in
double counting of violations. Rather, the precise nature of the
covered entity's obligation will, as discussed below, in many cases be
a function of to whom the obligation is owed or the manner in which it
must be performed or other elements. Thus, we include in the regulation
examples of elements that should be considered, as appropriate, in
construing a provision to determine a covered entity's obligation
thereunder. We believe that this approach, under which the number of
violations is grounded in the language of the provision violated, is
wholly consistent with the statutory scheme.
In many cases, applying this principle should not be difficult. For
example, the Privacy Rule requires that covered entities have contracts
or other arrangements in place with their business associates to assure
the privacy of protected health information, and specifies what must
(and may not) be included in the contract or other arrangement to do
so. See Sec. 164.504(e). Two such provisions are that the contract may
not authorize the business associate to use or further disclose the
information in a manner that would violate the Privacy Rule, if done by
the covered entity, and that the contract must provide that the
business associate will use appropriate safeguards to prevent use or
disclosure of the information other than as provided for by the
contract. See Sec. 164.504(e)(2)(i) and 164.504(e)(2)(ii)(B). If a
covered entity enters into five contracts with business associates that
authorize the business associates to use protected health information
in a manner not permitted by the Privacy Rule and that do not require
the business associates to use appropriate safeguards to protect the
information, the covered entity will have committed five violations of
each of the two separate requirements. Similarly, the Transactions Rule
prohibits covered entities from entering into trading partner
agreements that would change the use of a data element in a standard or
add data elements not contained in the standard. See Sec. 162.915(a),
(b). If a health plan were, by trading partner agreement, to require
200 providers to use a data element in a given transaction in a manner
that was inconsistent with the standard, and also required the use of
another data element that was not part of the standard, we would view
each inconsistent requirement in the trading partner agreement as a
separate violation. The regulation prohibits the adoption of certain
terms in trading partner agreements, so each noncompliant term in each
agreement would constitute a separate violation, resulting in 200
violations of each of these requirements.
With respect to the transactions standards themselves, however, we
anticipate defining the requirement violated to be the requirement to
conduct a standard transaction. While one could view each required data
element in a transaction as a separate requirement, because the
Implementation Guide for each transaction is incorporated by reference
into the regulation, one could also view the underlying Implementation
Guides as functioning simply to describe what constitutes compliance in
a particular case, rather than establishing separate compliance
requirements. While we believe that either interpretation of the
Transactions Rule is permissible, we expect to take the latter view of
the Rule, to facilitate the predictability of determining violations
under that Rule. Thus, we would count each noncompliant transaction as
a single violation, regardless of the number of missing data elements.
For example, if a health plan is found to have conducted 200
eligibility transactions which are missing several required data
elements, the health plan would have committed 200 violations of one
identical requirement (i.e., the requirement at Sec. 162.923(a) to
conduct a covered transaction as a standard (i.e., compliant)
transaction).
In some cases, determining how many times a provision has been
violated will be a function of the number of individuals or other
entities affected, because the covered entity's obligation is to act in
a certain manner with respect to certain persons. We include the term
``persons'' in the list of examples in Sec. 160.406 to make clear that
such consideration may be appropriate. It may include not only
individuals, but also other covered entities, their workforce members,
or trading partners, where the obligation in question relates to such
types of persons. For example, assume that a covered entity
impermissibly allows a workforce member to access the protected health
information of 20 patients whose information is stored on a computer
file. The question is whether this set of facts constitutes one
violation or 20 violations of Sec. 164.502(a), which prohibits
impermissible uses or disclosures of protected health information.
Since the covered entity has an obligation with respect to each patient
to protect his or her protected health information, the sharing of the
20 patients' protected health information with the employee constitutes
a separate impermissible use, or violation, of Sec. 164.502(a) with
respect to each patient.
Some provisions embody a requirement or prohibition that is of an
ongoing nature or for which timeliness is an element of compliance. We
characterize violations of such a requirement or prohibition as
continuing violations. In such cases, the covered entity's obligation
to act continues over time, and, if it fails to take the required
action, that failure to comply also continues over time. Thus, there
needs to be a way of determining how such compliance failures are
measured. We have decided to count such failures in days, as each day
represents a new opportunity to correct the compliance failure.
Accordingly, we have included, in the second sentence of Sec. 160.406,
language that establishes that continuing violations will be counted by
days for purposes of determining how many violations of an identical
requirement or prohibition occurred.
For example, the Security Rule requires covered entities to
implement many types of policies and procedures. Under Sec.
164.308(a)(4)(i), for example, a covered entity is required to
implement policies and procedures for authorizing access to electronic
protected health information that are consistent with the applicable
requirements of the Privacy Rule. The implementation of such policies
and procedures is an ongoing obligation and, thus, any failure to adopt
them is a continuing violation. As another example, a covered entity
generally is required by Sec. 164.524 to act on a request by an
individual for access to his or her protected health information no
later than 30 days after the request is received. Thus, each day beyond
the 30-day period a covered entity fails to provide such access would
be a separate violation.
In contrast, situations in which the violation is a discrete act
would not be continuing violations. The transaction example above
illustrates violations that are discrete acts. Similarly, where a
health plan violates Sec. 162.925(a)(2) by rejecting transactions
because they are standard transactions, each rejection would constitute
a discrete act. The example above of the workforce member who
impermissibly accesses protected health information likewise is an
example of violations that are discrete acts.
As explained above, determining the number of violations in a
particular case will depend, necessarily, on the precise provision
violated and a covered entity's obligations thereunder. The examples
above should assist covered entities in understanding their potential
liability. These examples also illustrate that determining the number
of violations may implicate a number of elements depending on the
underlying provision violated, such as whether a covered entity had an
obligation with respect to each person, or the amount of time that had
elapsed with respect to a continuing violation, or a combination of
these or other elements. While the final rule does not adopt the
variable approach of the proposed rule, it does not preclude
consideration of multiple elements in determining what constitutes the
violation and, thus, the number of violations.
Comment: Several comments challenged the preamble statement that
future cases would be decided consistently with prior similar cases.
One comment suggested that giving HHS discretion to determine the
variables used in counting violations, yet saying that future cases
will be consistent with past use of variables in similar violations,
creates conflict. Other comments asked whether and how a covered entity
would be able to challenge the selection of variable(s) based on the
variables used in similar cases, if the facts of prior cases were not
publicized, so that covered entities could determine how prior
violations had been counted. Thus, comments requested that tracking of
decided cases and the use of variables for each provision be assigned
to a central entity within HHS, or that this information be made
available to covered entities via the HHS Web sites.
Response: With respect to the comments regarding the preamble
statement in the proposed rule that future cases would be decided
consistently with prior similar cases, we clarify that the number of
violations of a particular provision will be determined in a similar
manner each time a case presents a violation of that particular
provision, with due regard to the individual facts and circumstances of
the case. In addition, as discussed below, the final rule eliminates
the prohibition on ALJ review of the Secretary's choice of variable.
Thus, under the final rule, the ALJ may review the Secretary's method
of determining the number of violations for consistency or other
purposes. With respect to a covered entity's ability to challenge the
Secretary's method of determining the number of violations, HHS will
make available for public inspection and copying final decisions
imposing civil money penalties and may publish such decisions on its
HIPAA Web sites. (This is discussed below in connection with Sec.
160.426.) Thus, covered entities will be able to ascertain the
application of the penalty provisions where penalties are imposed.
Comment: One comment suggested that there be a limit on the number
of violations determined based upon the monetary impact the fine will
have on the covered entity.
Response: A change is not necessary, as the statute and regulation
already provide two points at which the financial impact of a civil
money penalty on a covered entity may be considered--in connection with
(1) the statutory factors (section 1128A(d), implemented in this rule
by Sec. 160.408) and (2) waiver (section 1176(b)(4), implemented in
this rule by Sec. 160.412).
Comment: Two comments suggested that the Secretary should consider
whether or not the covered entity has enacted and completed a
corrective action plan when determining the number of violations.
Response: Completion of a corrective action plan does not relate to
determining the number of occurrences of a violation, so we do not
include it as part of Sec. 160.406. However, HHS would consider any
such action prior to imposition of a civil money penalty for purposes
of determining whether there is a basis for informal resolution of the
complaint. In addition, this fact is taken into account in determining
whether the penalty should be imposed at all, insofar as it pertains to
the ``reasonable cause'' defense under section 1176(b)(3) and Sec.
160.410(b)(3), since an element of that defense is whether the
``failure to comply'' has been corrected.
4. Section 160.408--Factors Considered in Determining the Amount of a
Civil Money Penalty
Proposed rule: Section 1176(a)(2) states that, with some
exceptions, the provisions of section 1128A of the Act shall apply to
the imposition of a civil money penalty under section 1176 ``in the
same manner as'' such provisions apply to the imposition of a civil
money penalty under section 1128A. Section 1128A(d) requires that--
In determining the amount of * * * any penalty, * * * the
Secretary shall take into account--
(1) The nature of the claims and the circumstances under which
they were presented,
(2) The degree of culpability, history of prior offenses and
financial condition of the person presenting the claims, and
(3) Such other matters as justice may require.
While the factors listed in section 1128A(d) were drafted to apply
to violations involving claims for payment under federally funded
health programs, HIPAA violations usually will not concern claims.
Thus, we proposed to tailor the section 1128A(d) factors to the HIPAA
rules and break them into their component elements for ease of
understanding and application, as follows: (1) The nature of the
violation; (2) the circumstances under which the violation occurred;
(3) degree of culpability; (4) history of prior offenses; (5) financial
condition of the covered entity; and (6) such other matters as justice
may require. Proposed Sec. 160.408 provided detailed factors, within
the categories stated above, to consider in determining the amount of a
civil money penalty. However, the proposed rule would not label any of
these factors as aggravating or mitigating. Rather, proposed Sec.
160.408 listed factors that could be considered either as aggravating
or mitigating in determining the amount of the civil money penalty. The
proposed approach would allow the Secretary to choose whether to
consider a particular factor and how to consider each factor as
appropriate in each
situation to avoid unfair or inappropriate results. It also would leave
to the Secretary's discretion the decision regarding when aggravating
and mitigating factors will be taken into account in determining the
amount of the civil money penalty.
Final rule: The final rule adopts the provisions of the proposed
rule, with a minor clarification. Section 160.408(d) is revised to
clarify that the prior history to be considered relates to prior
compliance with, and violations of, the administrative simplification
provisions.
Comment: A number of comments supported the provision for
mitigating factors and urged that it be retained in the final rule.
Response: We agree and have done so. See Sec. 160.408 below.
Comment: A number of comments raised concerns or recommendations
related to a covered entity's history of compliance. For example,
several urged that HHS consider as a factor whether the covered entity
has initiated corrective action, and whether such action was performed
independently and prior to contact from HHS. Some comments also
requested that HHS consider any evidence of a covered entity's good
faith attempts to comply with the administrative simplification
requirements or that HHS take into consideration a history of prior
controls. One comment stated that the phrase ``history of prior
offenses'' in proposed Sec. 160.408(d) was vague and requested that
HHS revise the provision to clarify that it refers only to prior
violations by a covered entity of the HIPAA rules, and not to prior
offenses unrelated to the HIPAA rules. Another comment expressed
concern with the provision at proposed Sec. 160.408(d)(4), which would
allow HHS to consider as a factor in determining the amount of a civil
money penalty how the covered entity has responded to prior complaints,
as well as the preamble statement that such factor could include
complaints raised by individuals directly to the covered entity. The
comment argued that the manner in which a covered entity responded to
previous complaints about matters unrelated to the violation at issue,
or to complaints raised by individuals, may be irrelevant and unfairly
prejudicial.
Response: With respect to corrective action by a covered entity,
HHS would consider any such action prior to imposition of a civil money
penalty for purposes of determining whether there is a basis for
informal resolution of a complaint. In addition, corrective actions of
the covered entity are taken into account in determining whether the
covered entity has established an affirmative defense to the violation
as provided for under Sec. 160.410(b)(3). Nonetheless, where the
corrective action is taken in response to a complaint from an
individual, the final rule at Sec. 160.408(d)(4) provides the
Secretary with authority to consider such corrective action as a factor
in determining a civil money penalty.
With respect to a covered entity's good faith attempt to comply
with the HIPAA provisions and rules, we agree that such actions could
be mitigating factors depending on the circumstances and, thus, have
revised the rule to clarify that a covered entity's history of prior
compliance generally may be considered, which could include, as
appropriate, prior violations, as well as prior compliance efforts. In
addition, we agree that Sec. 160.408(d) should apply only to
violations of the HIPAA rules, and not to offenses of other provisions
of law. Accordingly, we have revised the language of Sec. 160.408(d)
to substitute the term ``violations''--which is defined at Sec.
160.302 as a failure to comply with an administrative simplification
provision--for the term ``offenses'' in the proposed rule.
Finally, we disagree that only those prior violations that are
relevant to the issue at hand should be considered. While greater
attention may be given to those violations that are similar in nature
to the violation at issue, a covered entity's history of HIPAA
compliance generally is relevant to determining whether the amount of a
civil money penalty should be increased or decreased.
Comment: One comment urged that the size of the covered entity not
be used as a factor in determining the amount of a civil money penalty,
arguing that larger covered entities should not be subject to greater
penalties for violations identical to those of smaller entities. The
comment stated that, depending on the way the number of violations is
calculated, larger covered entities are already subject to greater risk
since more patients potentially could be affected by one act or
omission. Another comment asked what financial information would be
required of a respondent to make a showing of its financial condition
and whether, given that section 1128A provides that the Secretary shall
take into account financial condition, the burden is on HHS to do so
even if the respondent does not. Another comment asked how the
financial condition of a covered entity is to be assessed.
Response: With respect to the first comment, no change is made in
the final rule. The size of the covered entity is relevant in
considering, under Sec. 160.408(e)(1), whether a covered entity
experienced financial difficulties affecting its ability to comply, and
under Sec. 160.408(e)(2), whether the imposition of a civil money
penalty would jeopardize a covered entity's ability to provide or pay
for health care. In response to the second comment, the showing that a
covered entity must make of its financial condition will vary depending
on the circumstances. However, a respondent may provide whatever
information it believes relevant to such a determination should it
desire that HHS consider the entity's financial condition as a
mitigating factor. Should a respondent fail to raise financial
condition as a mitigating factor (or any other mitigating factor),
however, HHS is under no obligation to raise the issue. See Sec.
160.534(b)(1)(ii).
With respect to how financial condition is assessed, the
Departmental Appeals Board (Board) has considered this issue in other
cases litigated under section 1128A. The Board has said that an inquiry
into a provider's financial condition should be focused on whether the
provider can pay the civil money penalty without being put out of
business. See Milpitas Care Center, DAB No. 1864 (2003). In Capitol
Hill Community Rehabilitation and Specialty Care Center, DAB CR 469
(1997), aff'd, DAB No. 1629 (1997), the Board construed a regulation
(42 CFR 488.438(f)(2)) that lists a facility's ``financial condition''
as one of the factors that must be considered in deciding the amounts
of civil money penalties. The Board stated that, while the term
``financial condition'' is not defined in the regulations, the plain
meaning of the term is that a facility's ``financial condition'' is its
overall financial health. Thus, the relevant question to be considered
in deciding whether a facility's financial condition would permit it to
pay civil money penalties is whether the penalty amounts would
jeopardize the facility's ability to survive as a business entity.
Comment: One comment argued that proposed Sec. 160.408 should
establish that HHS can only consider mitigating factors to determine
the amount of the civil money penalty and not as a basis for waiving
the penalty altogether. The comment stated that proposed Sec. 160.410
already establishes circumstances under which HHS may not impose a
fine, and it would be unreasonable to extend those circumstances.
Response: The final rule does not expand the circumstances under
which the Secretary is prohibited from imposing, or may waive, a civil
money penalty under Sec. Sec. 160.410 and 160.412,
respectively. The factors in Sec. 160.408 may be applied to determine,
as appropriate, whether to increase or decrease the amount of a civil
money penalty.
Comment: One comment expressed concern that the overlap of certain
variables in proposed Sec. 160.406 with factors in proposed Sec.
160.408 (e.g., the variable for the duration of the violation counted
in days versus the factor for the time period during which the
violation occurred) could result in compounding the penalty.
Response: We disagree that providing for both counting continuing
violations in days and taking time into account under Sec. 160.408 is
inappropriate. The provision for counting continuing violations in days
relates to determining how many times violation of an identical
provision occurred; the provision for considering the time period of
the violation is one element, among others, that may constitute a
mitigating or aggravating factor in determining the amount of a civil
money penalty. While it is true that length of time will tend to
operate in the same direction (i.e., to reduce or enlarge the penalty)
with respect to each of these elements of the penalty calculation,
these two elements are different in nature, and time is relevant to
both.
Comment: One comment that supported the list of factors in proposed
Sec. 160.408 nonetheless recommended that we better describe the
factors in the preamble. Another comment requested examples of what may
be included in the factor of ``[s]uch other matters as justice may
require'' proposed at Sec. 160.408(f).
Response: With respect to the first comment, the factors themselves
are particularized and, thus, are fairly self-explanatory. However,
where questions about the factors were raised in the public comments,
we have provided further guidance in our responses in this preamble.
With respect to the ``such matters as justice may require'' factor,
many different circumstances have been cited for consideration in prior
cases in other areas in which this factor applies. For example, ALJs
have been asked to consider the following types of circumstances under
this factor: the respondent's trustworthiness, the respondent's lack of
veracity and remorse, measurable damages to the government, indirect or
intangible damages to the government, the effect of the penalty on
respondent's rehabilitation, and unprompted diligence in correcting
violations.
5. Section 160.410--Affirmative Defenses to the Imposition of a Civil
Money Penalty
Section 160.410 implements sections 1176(b)(1)-(3) of the Act.
These sections specify certain limitations on when civil money
penalties may be imposed. Paragraphs (1), (2), and (3) of section
1176(b) each state that, if the conditions described in those
paragraphs are met, a penalty may not be imposed under subsection (a)
of section 1176. Under section 1176(b)(1), a civil money penalty may
not be imposed with respect to an act if the act constitutes a criminal
offense punishable under section 1177 of the Act. Under section
1176(b)(2), a civil money penalty may not be imposed if it is
established to the satisfaction of the Secretary that the person who
would be liable for the penalty did not know, and by exercising
reasonable diligence would not have known, that such person violated
the provision. Under section 1176(b)(3), a civil money penalty may not
be imposed if the failure to comply was due to reasonable cause and not
to willful neglect and is corrected within a certain period. The period
of time to correct a failure to comply may be extended as determined
appropriate by the Secretary based on the nature and extent of the
failure to comply.
Proposed rule: Proposed Sec. 160.410 would characterize the
limitations under section 1176(b)(1), (2), and (3) as ``affirmative
defenses,'' to make clear that they must be raised in the first
instance by the respondent. In order not to preclude the raising of
affirmative defenses that could legitimately be raised, the
introductory text of proposed Sec. 160.410 would permit a respondent
to offer affirmative defenses other than those provided in section
1176(b).
Under proposed Sec. 160.410(a), several terms relevant to the
affirmative defenses would be defined: ``Reasonable cause,''
``reasonable diligence,'' and ``willful neglect.'' ``Reasonable cause''
would be defined as ``circumstances that make it unreasonable for the
covered entity, despite the exercise of ordinary business care and
prudence, to comply with the administrative simplification provision
violated.'' ``Reasonable diligence'' would be defined as ``the business
care and prudence expected from a person seeking to satisfy a legal
requirement under similar circumstances.'' ``Willful neglect'' would be
defined as ``conscious, intentional failure or reckless indifference to
the obligation to comply with the administrative simplification
provision violated.''
Proposed Sec. 160.410(b)(1) simply referred to section 1177.\2\
Proposed Sec. 160.410(b)(2) generally tracked the statutory language,
but also provided that whether or not a covered entity possesses the
requisite knowledge to make this affirmative defense inapplicable would
be ``determined by the federal common law of agency.'' The text of
proposed Sec. 160.410(b)(3) used the defined term ``reasonable
diligence'' and, thus, would build on the analysis conducted under
proposed Sec. 160.410(b)(2). Proposed Sec. 160.410(b)(3)(ii)(B) would
follow the statutory language and would permit the Secretary to use the
full discretion provided by the statute in extending the statutory cure
period.
---------------------------------------------------------------------------
\2\ Section 1177(a) provides that a person who knowingly and in
violation of this part uses or causes to be used a unique health
identifier, obtains individually identifiable health information
relating to an individual, or discloses individually identifiable
health information relating to another person shall be punished as
provided in subsection (b). Section 1177(b) sets out three levels of
penalties that vary depending on the circumstances under which the
offense was committed.
---------------------------------------------------------------------------
Final rule: The final rule adopts the provisions of the proposed
rule. A related change is made to Sec. 160.504(c), as discussed below.
a. Section 160.410(b)--General Rule
Comment: One comment asked whether a covered entity could challenge
in a hearing the reasonableness of the Secretary's finding that an
affirmative defense has not been sufficiently established.
Response: A respondent may challenge in a hearing the finding in a
notice of proposed determination that an affirmative defense has not
been established. See Sec. 160.534(b)(1)(i), which provides that the
respondent bears the burden of proof with respect to affirmative
defenses.
Comment: Two comments noted that the preamble to the proposed rule
(70 FR 20237) would allow a covered entity to raise affirmative
defenses in addition to those listed under Sec. 160.410(b), but that
the text of the proposed rule would not allow for additional defenses.
They asked that the final rule be revised to allow a covered entity to
present affirmative defenses not expressly listed in Sec. 160.410(b).
One comment contended, however, that Sec. 160.410 would allow covered
entities too many opportunities to avoid a penalty.
Response: The introductory text of Sec. 160.410(b) permits other
affirmative defenses to be raised by using the phrase ``including the
following.'' While we do not delineate what additional affirmative
defenses might be raised, the ``[e]xcept as provided in subsection
(b)''
language of section 1176(a)(1) suggests that they are limited.
Nonetheless, the statute clearly contemplates at least one defense
other than the limitations set out at section 1176(b)--the statute of
limitations provision at section 1128A(h). Statutes of limitations
defenses are typically treated as affirmative defenses, see Fed. R.
Civ. P. 8(c) (28 U.S.C. Appendix). Thus, we believe that provision for
other affirmative defenses that may be fairly implied from the HIPAA
provisions or section 1128A must be made and, accordingly, have done
so.
We do not eliminate the affirmative defenses that may be raised and
that are provided for by Sec. 160.410, as suggested by the final
comment above. We have no authority to eliminate a limitation that the
statute imposes on our authority to impose civil money penalties,
whether or not it has the effect complained of.
Comment: One comment suggested that Sec. 160.410(b) should be
revised to state that the Secretary ``shall not'' impose a civil money
penalty. The comment stated that if a covered entity establishes an
affirmative defense, the Secretary should not have discretion to impose
a penalty as indicated by the current wording ``may not impose.''
Response: We do not make the suggested change, because the present
wording accomplishes what the comment urges. The phrase ``may not
impose'' means, in this context, ``is not permitted to impose.'' We do
not change the language here, as it is consistent with the usage in the
HIPAA rules generally, and we do not wish to suggest an inconsistency
or a different meaning for similar prohibitions in other HIPAA rules.
b. Section 160.410(b)(1)--``Criminal Offense'' Affirmative Defense
Comment: Several comments expressed concern that covered entities
are being forced to incriminate themselves if they raise the
affirmative defense under Sec. 160.410(b)(1) in the request for
hearing under Sec. 160.504. These comments stated that covered
entities should be able to raise this defense after a case has been
referred to the Department of Justice, on the theory that section
1176(b)(1) operates as a jurisdictional bar to the imposition of a
civil money penalty. One comment cited the Memorandum for Alex M. Azar
II and Timothy J. Coleman from Stephen G. Bradbury, Re: Scope of
Criminal Enforcement Under 42 U.S.C. 1320d-6 (June 1, 2005) (Justice
Memorandum). The Justice Memorandum is available at
http://www.usdoj.gov/olc/hipaa_final.htm. The comment cited the Justice
Memorandum for the proposition that this section of the statute
operates as an absolute bar to imposition of a civil money penalty,
rather than as an affirmative defense. Several comments argued that the
burden of establishing that the limitation of section 1176(b)(1)
applied should be on HHS, not on the respondent, as a matter of
fairness.
Response: We continue to be of the view that the statute is
structured to make the limitation of section 1176(b)(1) a defense that
must be raised by the respondent. The fact that meeting the condition
described in this subsection operates to bar the imposition of a civil
money penalty does not distinguish it from the limitations provided for
by sections 1176(b)(2) and 1176(b)(3), and those sections of the
statute clearly are defenses which the respondent should raise.
Moreover, the burden of establishing that section 1176(b)(1) applied
could never be on HHS, as that would require HHS to carry the burden of
proving a fact that would defeat its claim; it is the respondent, not
HHS, who, in the context of the hearing, will be the proponent of the
claim that the act for which a civil money penalty is sought is a
criminal offense.
However, we recognize that section 1176(b)(1) could potentially
present a situation of some difficulty for a respondent, where the
Department of Justice is considering a referral related to the
violations on which the civil money penalty action has been brought.
While the requirement that civil money penalties be authorized by the
Department of Justice before they are brought should prevent such
situations from arising, we cannot assume that they will never arise.
Accordingly, we provide that, unlike the other affirmative defenses,
which are waived if not raised in the request for hearing, this
affirmative defense may be raised at any time during the administrative
proceedings, to permit respondents to better manage such legal risks,
should they ever arise. Provision for this is made in Sec. 160.504(c),
and a conforming change is made to Sec. 160.548(e).
Comment: One comment stated that the fact of referral to the
Department of Justice should constitute conclusive evidence that the
act is one ``punishable'' under section 1177, even if the Department of
Justice declines to prosecute (so that the act is not ``punished''
under section 1177).
Response: We do not agree. Referral to the Department of Justice
constitutes, at most, our preliminary assessment that the act in
question may be subject to criminal prosecution. The Department of
Justice may not agree with our preliminary assessment and may return
the case to us for administrative action.
Comment: One comment requested that knowledge under section 1177 be
defined.
Response: ``Knowingly'' is the term used in section 1177 of the Act
(``A person who knowingly and in violation of this part * * * '').
According to the Office of Legal Counsel of the United States
Department of Justice, `` `the term `knowingly' merely requires proof
of knowledge of the facts that constitute the offense.' '' Justice
Memorandum, at 11, quoting U.S. v. Bryan, 524 U.S. 184, 193 (1998).
c. Section 160.410(b)(2)--``Lack of Knowledge'' Affirmative Defense
Comment: One comment asked HHS to clarify the definition of
knowledge required for a civil money penalty to be imposed.
Response: Under section 1176(b)(2), a civil money penalty may not
be imposed for a violation ``if it is established to the satisfaction
of the Secretary that the person liable for the penalty did not know
* * * that such person violated the provision.'' As we observed at 70 FR
20237--
This language on its face suggests that the knowledge involved
must be knowledge that a ``violation'' has occurred, not just
knowledge of the facts constituting the violation. * * * We, thus,
interpret this knowledge requirement to mean that the covered entity
must have knowledge that a violation has occurred, not just
knowledge of the facts underlying the violation.
Comment: One comment asked whether, if a covered entity were found
not to be liable because the knowledge of an agent could not be imputed
to it, the individual committing the violation would be held liable for
the penalty.
Response: The Enforcement Rule provides that only a covered entity
is liable for a civil money penalty under section 1176. See Sec.
160.402(a) and the definition of ``respondent'' at Sec. 160.302.
Comment: One comment contended that the phrase ``to the
satisfaction of the Secretary'' should be stricken from proposed Sec.
160.410(b)(2). The comment stated that this phrase would preclude the
covered entity from raising an argument before the ALJ that the
Secretary did not properly consider their affirmative defenses before
imposing a penalty. Another comment asked whether this phrase makes the
finding totally discretionary and, thus, unreviewable by the ALJ.
Response: This language is statutory, as may be seen at section
1176(b)(2), set out above. Further, as discussed above, a respondent
may raise affirmative defenses in a hearing. Where so raised,
the ALJ's decision as to whether the covered entity lacked knowledge
would become the decision of the Secretary, unless reversed on
subsequent appeal.
Comment: One comment asked, with respect to imputing knowledge to
the covered entity, who would be considered to be a ``responsible
officer or manager'' and whether a Privacy Officer is considered a
``responsible officer or manager.''
Response: With respect to who would be considered to be a
responsible officer or manager and whether a Privacy Officer would be
considered a responsible officer or manager, see the discussion above
under Sec. 160.402(c).
Comment: One comment asked whether, if a Privacy Officer mitigates
or corrects a violation, that action would satisfy the requirement that
a responsible officer or manager be made aware of the violation.
Response: We are unsure what the precise concern of this comment
is, as the issue of knowledge typically would arise in the context of
the ``lack of knowledge'' affirmative defense. That defense requires,
for its application, that the covered entity not have actual or
constructive knowledge of the violation. If the violation has been
corrected, as the comment suggests, one would normally presume that the
covered entity knew of the violation, making the lack of knowledge
defense unavailable. Under the scenario posed by the comment, as we
understand it, the issue would be whether the elements of the
``reasonable cause'' affirmative defense were present.
d. Section 160.410(b)(3)--``Reasonable Cause'' Affirmative Defense
Comment: One comment asked that the word ``corrected'' in Sec.
160.410(b)(3)(ii) be changed to ``mitigated,'' because not all
violations can be fully corrected.
Response: We agree with the comment that not all violations of the
HIPAA rules can be fully corrected, in the sense of being undone or
fully remediated. However, we do not agree that the term ``corrected,''
which is the term used by the statute, need be read so narrowly.
Rather, the statute speaks of the ``failure to comply'' being
corrected. Thus, the term ``corrected,'' as used in the statute, could
include correction of a covered entity's noncompliant procedure by
making the procedure compliant. In any event, since the term
``corrected'' is the term used in the statute, we employ it in the rule
below.
Comment: One comment requested clarification as to how a covered
entity could ask for an extension of time to cure a violation under
Sec. 160.410(b)(3)(ii)(B).
Response: The covered entity should make this request in writing
to, as applicable, CMS or OCR. The request should state when the
violation will be corrected and the reasons that support the need for
additional time.
Comment: One comment asked that the 30-day cure period be extended
by an additional 30 days.
Response: The initial cure period is, by statute, 30 days. However,
section 1176(b)(3)(B)(i) permits the Secretary to extend the initial
cure period ``as determined appropriate by the Secretary based on the
nature and extent of the failure to comply.'' Section
160.410(b)(3)(ii)(B) adopts, and does not expand upon, this statutory
language. Thus, HHS could extend the cure period for an additional 30
days (or some greater or lesser period), if it were determined
appropriate to do so.
6. Section 160.412--Waiver
Section 1176(b)(4) of the Act provides for waiver of a civil money
penalty in certain circumstances. Section 1176(b)(4) provides that, if
the failure to comply is ``due to reasonable cause and not to willful
neglect,'' a penalty that has not already been waived under section
1176(b)(3) ``may be waived to the extent that the payment of such
penalty would be excessive relative to the compliance failure
involved.'' If there is reasonable cause and no willful neglect and the
violation has been timely corrected, the imposition of the civil money
penalty would be precluded by section 1176(b)(3). Therefore, waiver
under this section would be available only where there was reasonable
cause for the violation and no willful neglect, but the violation was
not timely corrected.
Proposed rule: Proposed Sec. 160.412 did not propose to elaborate
on the statute in any material way. This provision would provide the
Secretary with the flexibility to utilize the discretion provided by
the statutory language as necessary.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment suggested that this section be removed
entirely. The comment stated that section 1176(b)(4) authorizes, but
does not compel, the Secretary to allow for waiver of civil money
penalties. The comment argued that waiver is an unnecessary avenue for
covered entities to avoid penalties, as the statute and the proposed
rule would provide so many other avenues by which a covered entity
could avoid being penalized for violations.
Response: As was more fully discussed at 70 FR 20239, the statute,
in our view, creates a statutory right for covered entities to request
a waiver, where a violation is due to reasonable cause and not willful
neglect, but has not been corrected within the statutory cure period
(including any extensions thereof). While the grant of a waiver is
within the agency's discretion, the statute clearly contemplates that
covered entities may request a waiver in such circumstances and that
HHS must consider the request. Accordingly, we do not make the change
suggested.
7. Section 160.414--Limitations
Proposed rule: Proposed Sec. 160.414 was adopted by the April 17,
2003 interim final rule as Sec. 160.522. We proposed to move this
section, which sets forth the six-year limitation period provided for
in section 1128A(c)(1), from subpart E to subpart D, because this
provision applies generally to the imposition of civil money penalties
and is not dependent on whether a hearing is requested. We also
proposed to change the language of this provision so that the date of
the occurrence of the violation is the date from which the limitation
is determined.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment requested clarification of record retention
requirements and their interaction with the time limitation on bringing
an enforcement action.
Response: The issue raised by this comment is discussed in
connection with Sec. 160.310 above.
Comment: One comment suggested shortening the time period to two
years in the interest of accomplishing compliance faster and making
record-keeping less burdensome for covered entities.
Response: The six-year limitations period of Sec. 160.414 is
provided for by statute (section 1128A(c)(1) of the Act), and, thus, is
not within our power to change by regulation. Insofar as this comment
suggests changing the record retention requirements of the Privacy and
Security Rules, the requested change is outside the scope of this
rulemaking.
8. Section 160.416--Authority To Settle
Proposed rule: Proposed Sec. 160.416 was adopted by the April 17,
2003 interim final rule as Sec. 160.510. We proposed to move this
section, which addresses the authority of the Secretary to settle any
issue or case or to compromise any penalty imposed on a covered entity,
from subpart E to subpart D, because this provision
[[Page 8412]]
applies generally to the imposition of civil money penalties, and is
not dependent on whether a hearing is requested. No change was proposed
to the text of the provision.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment expressed concern that this provision does not
provide for alternative dispute resolution. The comment urged HHS to
remain committed to the informal resolution process.
Response: We provide in the rule that HHS will attempt to resolve
compliance issues informally, for the reasons discussed above and in
the preamble to the proposed rule. Where this process is insufficient
to resolve the matter, the statute requires provision of a formal
hearing process, if a hearing is requested. We note that under their
current procedures, the ALJ and/or the Departmental Appeals Board
routinely afford parties the opportunity to engage in alternative
dispute resolution.
Comment: Two comments suggested removing Sec. 160.416 from the
final rule, on the ground that it is inappropriate to give the
Secretary this authority without oversight.
Response: We do not adopt this suggestion. The statute explicitly
gives the Secretary the authority to compromise penalties, which would
typically be done through settlement of the case. See section 1128A(f).
9. Section 160.420--Notice of Proposed Determination
Proposed rule: The text of proposed Sec. 160.420 was adopted by
the April 17, 2003 interim final rule as Sec. 160.514. We proposed to
move this section from subpart E, which sets out the procedures and
rights of the parties to a hearing, to subpart D, because the notice
provided for in this section must be given whenever a civil money
penalty is proposed, regardless of whether a hearing is requested. No
changes, other than conforming changes, were proposed to paragraphs
(a)(1) and (a)(3), (a)(4), or to paragraph (b). We proposed to revise
paragraph (a)(2) by adding that, in the event the Secretary employs
statistical sampling techniques under Sec. 160.536, the sample relied
upon and the methodology employed must be generally described in the
notice of proposed determination. A new paragraph (a)(5) would require
the notice to describe any circumstances described in Sec. 160.408
that were considered in determining the amount of the proposed penalty;
this provision would correspond to Sec. 1003.109(a)(5) of the OIG
regulations. Paragraph (a)(5) of Sec. 160.514 of the April 17, 2003
interim final rule would be renumbered as Sec. 160.420(a)(6).
Final rule: We adopt the section as proposed, except that, where
HHS bases the proposed penalty in part on statistical sampling, a copy
of the report of the agency's statistical expert, rather than just a
description of the study and the sampling technique used, must be
provided with the notice of proposed determination.
Comment: One comment requested clarification as to whether the
notice of proposed determination serves as the notice required by the
statute.
Response: Yes, the notice provided for by Sec. 160.420--the notice
of proposed determination--implements the requirement for notice of
section 1128A(c)(1).
Comment: One comment recommended that the final rule retain Sec.
160.420(a)(5) to ensure that covered entities have sufficient
information as to why the penalty was imposed.
Response: This has been done. See Sec. 160.420(a)(5) below.
Comment: Several comments requested that the rule specify that the
notice of proposed determination will be sent to the covered entity's
Privacy Officer or another designated officer.
Response: This issue is discussed below in connection with Sec.
160.504.
Comment: Several comments stated that, if HHS bases its proposed
penalty on statistical sampling, the notice of proposed determination
should include a copy of the study relied upon, so that a covered
entity has adequate notice and time to prepare its defense.
Response: We agree and have made the requested change.
10. Section 160.422--Failure To Request a Hearing
Proposed rule: The text of proposed Sec. 160.422 was adopted by
the April 17, 2003 interim final rule as Sec. 160.516. We proposed to
add language (``and the matter is not settled pursuant to Sec.
160.416'') to recognize that the Secretary and the respondent may agree
to a settlement after the Secretary has issued a notice of proposed
determination. We also proposed that the penalty be final upon receipt
of the penalty notice, to make clear when subsequent actions, such as
collection, may commence.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Several comments suggested that a provision should be
added allowing the time frame to request a hearing to be extended when
the notice of proposed determination is not received by the appropriate
person within the covered entity.
Response: This issue is discussed in connection with Sec. 160.504
below.
11. Section 160.424--Collection of Penalty
Proposed rule: The text of Sec. 160.424 was adopted by the April
17, 2003 interim final rule as Sec. 160.518. We proposed to move this
section, which addresses how a final penalty is collected, from subpart
E to subpart D, because this provision applies generally to the
imposition of civil money penalties and is not dependent upon whether a
hearing is requested. The rule provides that once a proposed penalty
becomes final, it will be collected by the Secretary, unless
compromised. The Secretary may bring a collection action in the Federal
district court for the district in which the respondent resides, is
found, or is located. The penalty amount, as finally determined, may be
collected by means of offset from Federal funds or state funds owing to
the respondent. Matters that were, or could have been, raised in a
hearing or in an appeal to the U.S. Circuit Court of Appeals may not be
raised as a defense to the collection action.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment asked what interest rate will accrue, if a
penalty is not paid promptly by the covered entity.
Response: Under the Federal Claims Collection rules, interest is
calculated as provided by 31 U.S.C. 3717. See 31 CFR 901.9.
Comment: One comment asked whether, if a penalty is assessed
against a hybrid entity, the part of the entity responsible for the
violation would pay the penalty or the entire hybrid entity would pay
the penalty.
Response: As noted above, a hybrid entity is, by definition, a
single legal entity. Where a penalty is assessed against a covered
entity that has designated itself as a hybrid entity, the legal entity
that is the covered entity is responsible for payment of the penalty.
How the covered entity allocates the penalty payment as a matter of
internal accounting is a business decision of the covered entity.
Comment: One comment asked whether, if an agency with the same
structure as a Medicaid agency is assessed a penalty, federal dollars
can be withheld in lieu of payment of the penalty.
Response: Yes. Section 1128A(f) provides for setoff of penalty
amounts against Federal or state agency funds then or later owing to
the person penalized.
Comment: One comment suggests that the Secretary does not have the
[[Page 8413]]
authority to preclude issues from being raised in a civil action in
federal court. The comment suggests removing Sec. 160.424(d) from the
final rule.
Response: Section 160.424(d) merely states the well-recognized
principle that, where an administrative remedy exists, a plaintiff must
exhaust that remedy as a precondition to raising the issue in question
in court.
12. Section 160.426--Notification of the Public and Other Agencies
Proposed rule: We proposed to require notification of the public
generally whenever a proposed penalty became final, in order to make
the information available to anyone who must make decisions with
respect to covered entities. The regulatory language would provide for
notification in such manner as the Secretary deems appropriate, which
would include posting to an HHS Web site and/or the periodic
publication of a notice in the Federal Register.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Several comments argued that the provision for
notification of the public in proposed Sec. 160.426 would extend
beyond the scope of the Secretary's statutory authority under section
1128A(h), since section 1128A(h) specifies only that certain types of
organizations and agencies are to be notified. They urged that the
requirement be eliminated.
Response: We disagree that the requirement for public notification
is unauthorized. It is true that Sec. 160.426 establishes the means by
which HHS may carry out its obligation to notify various agencies and
organizations under section 1128A(h). However, the basis for the public
notice portion of Sec. 160.426 lies not in section 1128A(h), as the
comments assumed, but in the Freedom of Information Act (FOIA), 5
U.S.C. 552.
FOIA requires final opinions and orders made in adjudication cases
to be made available for public inspection and copying. See 5 U.S.C.
552(a)(2)(A). The adjudicatory process \3\ set forth in the Enforcement
Rule begins with the service upon the respondent of a notice of
proposed determination under Sec. 160.420. This proposed penalty
becomes final if the respondent fails to contest it in the time and
manner provided in Sec. 160.504(b). If the respondent does contest the
proposed penalty, the final agency order is the decision of the ALJ, or
the Board, as the case may be. While it is true that section 1128A(h)
does not require that such notice be given to the public, neither does
it prohibit such wider dissemination of that information, and nothing
in section 1128A(h) suggests that it modifies the Secretary's
obligations under FOIA. FOIA requires making final orders or opinions
available for public inspection and copying by ``computer
telecommunication * * * or other electronic means,'' which would
encompass putting them up on the Department's Web site, and further
provides that, absent actual and timely notice, in order for the
Department to rely upon final opinions that affect a member of the
public or to cite them as precedent against a party, the opinions or
orders must be indexed and made available electronically. See 5 U.S.C.
552(a)(2).
---------------------------------------------------------------------------
\3\ Under the Administrative Procedure Act, ``adjudication means
agency process for the formulation of an order.'' 5 U.S.C. 551(7).
An ``order means the whole or part of a final disposition * * * of
an agency in a matter other than rule making * * *''. 5 U.S.C.
551(6).
---------------------------------------------------------------------------
Comment: Many comments objected to the requirement for public
notice. Comments argued that since final decisions of the Departmental
Appeals Board are available under FOIA, there is no need for further
notice to the public. Further, it was stated that many HIPAA
violations, particularly of the Transactions Rule, are very technical
in nature and the public may be unable to understand the nature of such
violations. Accordingly, public notification may injure the reputation
of covered entities and cause them to lose business, while the
reputational injury attendant on public notification may be wholly
disproportionate to the violations involved. Also, comments argued that
entities that are members of an affiliated covered entity and that are
held liable for the actions of others under Sec. 160.402(b) may be
unfairly labeled as noncompliant. Finally, comments stated that covered
entities may have to expend additional resources to fight complaints,
because the public notification provision would give competitors an
incentive to use the complaint process to gain an unfair business
advantage.
Response: Final decisions of the ALJs and the Departmental Appeals
Board are made public via the Board's Web site. See http://www.hhs.gov/dab/search.html.
Such postings, however, would not include penalties
that become final because a request for hearing was not filed under
Sec. 160.422. Notices of proposed determination under Sec. 160.420
that become final because a hearing has not been timely requested,
would likewise be made available for such public inspection and copying
as final orders. By making the entire final opinion or order available
to the public, the facts underlying the penalty determination and the
law applied to those facts will be apparent. Given that information,
the public may discern the nature and extent of the violation as well
as the basis for imposition of the civil money penalty on the covered
entity. Finally, the process established for the review and
investigation of complaints should identify those without merit, or
over which HHS has no jurisdiction under the HIPAA provisions, but, in
any event, we doubt that the notification provisions of this section
will increase the likelihood that complaints will be filed.
Comment: One comment suggested that, rather than mandating the
provision of notice to the public, the rule should give the Secretary
discretion to determine when public notification is prudent, as doing
so may not be appropriate in all instances--for example, where there is
an ongoing investigation or a technical failure is involved. A number
of comments urged HHS to publish violations of HIPAA without the name
of the covered entity. They argued that this approach would enable
covered entities to understand how OCR and CMS apply the HIPAA rules in
particular circumstances and would, thus, encourage voluntary
compliance.
Response: As noted, under FOIA, we must make final orders and
opinions available for public inspection and copying. FOIA permits the
Secretary to withhold information whose release could, for instance,
reasonably be expected to interfere with prospective or ongoing law
enforcement proceedings, but such exemption does not apply where, as in
the case of such final opinions and orders, they are made after the
conclusion of such proceedings. See 5 U.S.C. 552(b)(7)(A). While FOIA
permits the deletion of identifying details to prevent a clearly
unwarranted invasion of personal privacy, identifying the name(s) of
the covered entities against whom penalties are imposed would not be
such an invasion of personal privacy.
Comment: One comment suggested that the rule be revised to require
covered entities to notify the Secretary and potentially affected
individuals when there is a suspected breach of the Privacy Rule. The
comment also suggested that HHS make available a list of violations
organized by entity, including the number of persons affected by each
violation. One comment asked that all final decisions of the ALJ or the
Board, including those to not assess a penalty, be made public,
[[Page 8414]]
so that covered entities could present a better defense in the future
based on past decisions to not impose a penalty in a similar situation.
Another comment supported the proposal to notify the public of final
penalties, on the ground that the public should be aware of violations,
particularly of the Privacy Rule. Another comment suggested that
complainants should be notified when a penalty is imposed.
Response: As noted, final opinions or orders imposing penalties
will be made available to the public for inspection and copying. Given
that this information will be public, we do not accept the other
comments above.
Comment: One comment stated that the public notification rule
should not apply to, or include, matters referred to the Department of
Justice. Another comment asked that HHS confirm that the public
notification provision would not apply to informal resolutions.
Response: In neither of the above situations has a final order on a
penalty proposed under Sec. 160.420 been entered. Consequently,
neither situation would come within the public notification requirement
of Sec. 160.426.
Comment: Several comments expressed concern that publication of a
penalty could occur prematurely, before all of the covered entity's
appeals had been exhausted. They requested clarification as to when a
penalty is considered final for purposes of notification. A couple of
comments stated that the penalty should be considered to be final, for
purposes of the public notification, when all court appeals have been
exhausted.
Response: A civil money penalty is considered to be final, for
purposes of notification, when it is a final agency action--i.e., the
time for administrative appeal has run or the adverse administrative
finding has otherwise become final. The final opinion or order that is
subject to the notification provisions of this section is the notice of
proposed determination, if a request for hearing is not timely filed,
the decision of the ALJ, if that is not appealed, or the final decision
of the Board.
D. Subpart E--Procedures for Hearings
As previously explained, the provisions of section 1128A of the Act
apply to the imposition of a civil money penalty under section 1176
``in the same manner as'' they apply to the imposition of civil money
penalties under section 1128A itself. The provisions of subpart E are,
as a consequence, based in large part upon, and are in many respects
the same as, the OIG regulations implementing section 1128A. We adapt,
re-order, or combine the language of the OIG regulations in a number of
places for clarity of presentation or to reflect concepts unique to the
HIPAA provisions or rules. To avoid confusion, we also employ certain
language usages in order to be consistent with the usages in the other
HIPAA rules (for example, for mandatory duties, ``must'' or ``will''
instead of ``shall'' is used; for discretionary duties, ``may'' instead
of ``has the authority to'' is used).
Subpart E, as adopted by the April 17, 2003 interim final rule,
adopted provisions relating to investigational inquiries and subpoenas
and certain definitions that have now been moved to subpart C. It also
adopted a number of provisions that relate to all civil money penalties
that have now been moved to subpart D. Subpart E, as revised below,
addresses only the administrative hearing phase of the enforcement
process.
General comment: Several comments argued that the proposed
Enforcement Rule, as a whole, would give the government an unfair
advantage and seriously compromise the ability of covered entities to
defend themselves before an ALJ and on an appeal to the Board. It was
argued that the following provisions, in combination, would ``stack the
deck'' in the government's favor:
(1) The severely restricted ability of covered entities to rebut
the statistical sampling report; (2) the ``extraordinary
circumstances'' standard for failure to timely exchange exhibits and
witness statements; (3) the inability to depose prior to the hearing
or question at the hearing the government's statistical sampling
expert; (4) the ability of the * * * ALJ * * * to admit prior
evidence of witnesses which were not subject to cross examination by
the covered entity; (5) the requirements regarding hearing requests;
(6) the limited nature of discovery and the lack of obligation to
share exculpatory evidence; (7) the ALJ's discretion about applying
the Federal Rules of Evidence; (8) the very broad harmless error
rule which significantly restricts a covered entity's appeal rights;
and (9) the limited authority of the ALJ and correspondingly broad
discretion provided to the Secretary.
Response: While we also discuss the above provisions individually,
we provide the following general response. We do not agree that the
proposed rule would have given HHS an unfair advantage or compromised
the ability of covered entities to defend themselves. Most of the
provisions cited should operate even-handedly, providing no greater
advantage to the government than to the respondent. For example, the
limitation on depositions will also mean that the governmental party
cannot depose any statistical expert of the respondent; similarly, the
other limitations on discovery should operate similarly for both
parties, as should the ALJ's discretion with respect to the application
of the Federal Rules of Evidence and the application of the harmless
error rule.
In any event, we have changed several of the provisions cited. We
have required the government's statistical study to be provided with
the notice of proposed determination, we have clarified the conditions
for the admission of written statements, and we have eliminated the
restriction on the ALJ's authority to review the method by which the
number of violations is determined. We believe that the final rule
strikes an appropriate balance and should ensure that neither party has
a procedural advantage.
1. Section 160.504--Hearing Before an ALJ
Proposed rule: The proposed rule proposed few changes to this
section, which was Sec. 160.526 of the April 17, 2003 interim final
rule. Section 160.526(a)(2) of the April 17, 2003 interim final rule
stated that the Departmental party in a hearing is ``the Secretary.''
The term ``Secretary'' is defined at Sec. 160.103 of the HIPAA rules
as ``the Secretary of Health and Human Services or any other officer or
employee of HHS to whom the authority involved has been delegated.''
However, in light of the multiple roles of the Secretary in the context
of a hearing (OCR and/or CMS would be a party, while the ALJ or the
Board would be the adjudicator), we proposed to clarify in Sec.
160.504(a)(2) which part of HHS acts as the ``party'' in the hearing.
Because which component of HHS will be the ``party'' in a particular
case will depend on which rule is alleged to have been violated, and
because a particular case could involve more than one HIPAA rule, we
proposed to define the Secretarial party generically, by reference to
the component with the delegated enforcement authority. Under the
proposed provision, the Secretarial party could consist of more than
one officer or employee, so that it is possible for both CMS and OCR to
be the Secretarial party in a particular case.
Proposed Sec. 160.504(b) provided that the request for a hearing
must be mailed within 60 days, via certified mail, return receipt
requested, to the address specified in the notice of proposed
determination. The last sentence of proposed Sec. 160.504(b) provided
that the date of receipt of the notice of proposed determination is
presumed to be five days after the date of the notice unless the
respondent makes a reasonable
[[Page 8415]]
showing to the contrary. This showing may be made even where the notice
is sent by mail and is not precluded by the computation of time rule of
proposed Sec. 160.526(c), establishing a five-day allowance for
mailing.
Proposed Sec. 160.504(c) would require that the request for
hearing clearly and directly admit, deny, or explain each of the
findings of fact contained in the notice of proposed determination with
respect to which the respondent has knowledge and must also state the
circumstances or arguments that the respondent alleges constitute the
grounds for any defense and the factual and legal basis for opposing
the penalty. Proposed Sec. 160.504(d)(1) would require the ALJ to
dismiss a hearing request where ``[t]he respondent's hearing request is
not filed as required by paragraphs (b) and (c) of this section.''
Proposed Sec. Sec. 160.504(d)(2)-(4) would require dismissal where the
hearing request was, respectively, withdrawn, abandoned, or raised no
issue that could properly be addressed in a hearing.
Final rule: Section 160.504 below revises the proposed rule in
several respects. The proposed 60-day time limit for filing a request
for hearing is extended to 90 days. See Sec. 160.504(b). Section
160.504(c) provides that an affirmative defense under Sec.
160.410(b)(1) may be raised at any time. Section 160.504(d)(1) provides
that a dismissal on the grounds stated in that paragraph may only be
made on motion of the Secretary, and the ground for dismissal under
paragraph (b) is limited to the respondent's failure to comply with the
timely filing requirement of paragraph (b).
Comment: A number of comments objected to the 60-day time limit of
proposed Sec. 160.504(b) as unreasonably short and unfair, given the
detailed showing the covered entity is required to provide in its
request for hearing and the severe consequences, under proposed Sec.
160.504(d)(1), of failing to meet this requirement. A couple of
comments also objected that this provision is not necessary and does
not follow the OIG regulation in this respect. Comments suggested
several changes: (1) That the required specificity of the request for
hearing be eliminated, (2) that the time for response be lengthened,
and/or (3) that there be a provision to excuse an untimely request for
hearing based on good cause.
Response: We accommodate the concerns raised in the public comment
by extending the period for filing a request for hearing from 60 to 90
days. We note that, as so revised, the rule does not parallel the
analogous provision of the OIG regulations (42 CFR 1005.2(c)) in two
respects: (1) It requires more specificity in the hearing request; and
(2) it provides the respondent more time in which to file the hearing
request. We are of the view, however, that the compromise in Sec.
160.504(b), as revised, will promote the conduct of the hearing in an
efficient manner by clarifying at an early stage of the process the
issues in dispute and the basis for those disputes. We retain the
requirement of proposed Sec. 160.504(c) that the request for hearing
clearly and directly admit, deny, or explain each of the findings of
fact and state the circumstances or arguments that the respondent
alleges constitute the grounds for any defense and the factual and
legal basis for opposing the penalty. (However, the respondent need not
provide its statistical study, assuming it has one, until 30 days
before the scheduled hearing. See Sec. 160.518.) This requirement will
facilitate narrowing and refining the issues in dispute, thereby
expediting the conduct of the hearing.
Comment: One comment suggested that, if the 60-day time period for
response were retained, HHS be required to send a reminder to the
covered entity on the 45th day.
Response: We do not adopt this suggestion. The need for the
suggested change is obviated by our decision to extend the 60-day
period.
Comment: Several comments suggested that the rule does not properly
take into account the possibility of notices being delivered to the
wrong official in a covered entity or getting lost in a covered
entity's internal mail system. They recommended that the rule specify
the official(s) in the covered entity to whom the notice of proposed
determination must be sent, so that the covered entity does not lose
time needed to prepare its defense. A few comments suggested that the
notice of proposed determination be sent to the Privacy Officer. It was
suggested that the covered entity be able to show good cause for
failing to respond in a timely manner in such cases, or that the 60-day
time period be tolled.
Response: We do not think it is necessary or feasible to identify
the person(s) to whom the notice of proposed determination should be
addressed. Fed. R. Civ. P. 4 (28 U.S.C. Appendix), which applies under
section 1128A(c), establishes who may be served and applies without
need for further regulatory action. Because the size and other
organizational circumstances of covered entities vary greatly, a rule
that further limited or defined who must be served would most likely be
inappropriate for some covered entities. Further, it is likely that a
notice of proposed determination would be issued after significant
prior contact with the covered entity, so we anticipate that our
investigators would be able to ascertain which officer would be the
appropriate recipient of the notice.
In any event, a respondent can raise the issues of concern raised
by the comments--e.g., failure to reach the appropriate official or the
official to whom the notice of proposed determination was addressed due
to problems in the entity's mail system--under Sec. 160.504(b). Under
that section, if the respondent makes ``a reasonable showing'' to the
ALJ that the mailed notice of proposed determination was not properly
received by the covered entity or by a proper official within the
covered entity, the ALJ can extend the 90-day period to the extent he
or she considers appropriate.
Comment: One comment asked whether findings of fact that are not
contested or about which the claim is made of insufficient knowledge to
respond in the hearing request are deemed admitted.
Response: Section 160.504(c) provides respondents with two choices
with respect to denying findings of fact: (1) The respondent may deny
them; or (2) the respondent may claim a lack of knowledge, in which
case the finding in question is ``deemed denied.'' Since the regulation
deems a finding of fact denied only where lack of knowledge is claimed,
if the respondent has neither denied nor asserted lack of knowledge
with respect to the finding, the finding must be deemed admitted.
Comment: One comment stated that dismissal of a hearing request on
the grounds described in proposed Sec. 160.504(d)(1)-(3) should be
made permissive, not mandatory, and Sec. 160.504(d)(4) (dismissal
where the respondent fails to state an issue that may properly be
addressed in a hearing) should be eliminated, to ensure that covered
entities are provided a fair opportunity to request a hearing and
develop an appropriate defense.
Response: We revise proposed Sec. 160.504(d)(1) to limit dismissal
on the ground of failure to comply with paragraph (b) to failure to
comply with that paragraph's requirement for timely filing of the
request for hearing. We also revise proposed Sec. 160.504(d)(1) to
provide that dismissal on this ground may occur only if the Secretary
moves for dismissal on this ground. If the Secretarial
party--OCR, CMS, or both--does not believe that the hearing should be
dismissed due to the insufficiency of the respondent's request
[[Page 8416]]
for hearing, and so does not challenge the timeliness or sufficiency of
the request for hearing under paragraph (b) or (c), respectively, the
hearing should go forward. The revision to paragraph (d)(1) would
permit this to occur.
Like its counterparts in other rules issued pursuant to section
1128A, Sec. 160.504(d)(1)-(3) mandates dismissal so that the limited
resources of the government and of respondents are not expended on
hearing requests that fail to comply with the straightforward
requirements of this section or that have been withdrawn or abandoned
by the respondent. We believe that considerations of economy and
efficiency require the dismissal of cases that fall within the
descriptions of these subsections. However, in response to the
comments, we have added a requirement to Sec. 160.504(d)(1) that the
Secretary must file a motion for dismissal of a hearing request rather
than permit an automatic dismissal by the ALJ. The filing of such a
motion will require the Secretary to enunciate the reasons a hearing
request is deficient under paragraphs (b) and (c) of this section and
allow the respondent the opportunity to answer those charges. We do not
add such a requirement to Sec. 160.504(d)(2)-(3), because we think
that the ALJ should have authority to dismiss such cases for reasons of
withdrawal or abandonment by the respondent without being requested to
do so by the Secretary.
Section 160.504(d)(4) provides the administrative review channel
leading to judicial review of claims that may not be reviewed
administratively, such as constitutional claims. This subsection is
necessary so that there is no confusion about how respondents can
efficiently exhaust the administrative process for such claims. We,
thus, decline to eliminate this subsection.
2. Section 160.508--Authority of the ALJ
Proposed rule: The text of proposed Sec. 160.508 was adopted by
the April 17, 2003 interim final rule as Sec. 160.530. No changes to
paragraphs (a) and (b) were proposed. We proposed to revise paragraph
(c) by adding paragraphs (c)(1) and (c)(5) to the list of limitations
on the authority of the ALJ. Proposed paragraph (c)(1) would require
the ALJ to follow Federal statutes, regulations, and Secretarial
delegations of authority, and to give deference to published guidance
to the extent not inconsistent with statute or regulation; the preamble
to the proposed rule indicated that by ``published guidance'' we meant
guidance that has been publicly disseminated, including posting on the
CMS or OCR Web site. Proposed paragraph (c)(5) would clarify that ALJs
may not review the Secretary's exercise of discretion whether to grant
an extension or to provide technical assistance under section
1176(b)(3)(B) of the Act or the Secretary's exercise of discretion in
the choice of variable(s) under proposed Sec. 160.406.
Final rule: The final rule adopts the provisions of the proposed
rule, except for proposed Sec. 160.508(c)(5)(ii), which is eliminated.
A conforming change is made to Sec. 160.508(c)(5).
a. Section 160.508(b)
Comment: One comment stated that this provision should be amended
to add a provision requiring that a requested hearing be conducted
within a time certain, not to exceed 90 days from receipt of the
request for a hearing. Another comment suggested that the ALJ should
notify a respondent of the date and time for the hearing no later than
90 days after the request for hearing is filed.
Response: It would not be reasonable or appropriate to impose a
fixed deadline by which hearings must be scheduled, and we decline to
do so. In a complicated case, the time for discovery and pre-hearing
motions may take more than 90 days, and, thus, imposing such a deadline
may circumscribe the parties' ability to prepare their cases. Moreover,
the ALJs have other cases on their dockets, and we cannot assume that
they will in all cases be able to begin a hearing on a civil money
penalty within 90 days. The scheduling of the hearing is best left to
the ALJs, in consultation with the parties.
b. Section 160.508(c)
Comment: A number of comments opposed proposed Sec. 160.508(c), on
the ground that it would significantly limit the ALJ's authority to
rule on pertinent issues. They stated that it was questionable under
this section whether the ALJ would have the authority to review the
determination of the number of violations, or imposition of joint and
several liability, since they may be addressed in published guidance to
which the ALJ must give deference. It was suggested that this
limitation would be a problem under proposed Sec. 160.424(d), since
those are issues that a respondent would be unable to raise at the
administrative level.
Response: We do not agree. We believe that it is of importance to
covered entities that ALJ and Board decisions, as components of HHS, be
consistent with one another and with the published compliance guidance
HHS provides to covered entities. Accordingly, we require ALJs and the
Board to follow guidance which has been publicly disseminated, unless
the ALJ or Board finds the guidance to be inconsistent with statute or
regulation. In the examples cited, any published guidance related to
the determination of the number of violations, or when joint and
several liability is appropriate, must be consistent with applicable
statute and regulation, matters upon which the ALJ may rule. See
section 1176 and Sec. Sec. 160.402(b)(2), 160.406, and 160.508. While
deference to such published guidance is required of the ALJs and DAB,
as components of HHS, similar deference is not necessarily afforded
such guidance in any judicial review of an adverse final agency
determination sought by a respondent. Section 160.424(d) should not
present a problem, since challenges related to published guidance may
be raised during administrative and judicial reviews of the proposed
penalty.
Comment: One comment stated that ALJs should be allowed to consider
affirmative defenses during a hearing, even if they relate to issues
committed to the Secretary's discretion. The comment argued that an
inability to raise affirmative defenses before the ALJ might impact a
covered entity's ability to subsequently pursue legal remedies under
Sec. 160.424(d).
Response: We agree that the ALJ is allowed to consider affirmative
defenses during a hearing. See the discussion of Sec. 160.410 above.
Comment: A couple of comments agreed that ALJs should have the
authority to evaluate whether there was a violation in the first place
and asked that this provision be retained in the final rule.
Response: We agree and have done so.
c. Section 160.508(c)(1)
Comment: One comment asked, if a guidance in effect at the time a
violation occurred were changed before the date of the hearing, which
version of the guidance the ALJ would have to follow.
Response: The guidance in effect at the time the violation occurred
would govern.
Comment: One comment expressed concern with Sec. 160.508(c)(1),
insofar as it would include in ``published guidance'' FAQs published on
the CMS and OCR Web sites. According to the comment, FAQs have never
been designated in the HIPAA regulations as having the force of
regulations themselves. According to the comment, many covered entities
are not aware of these postings and the industry is unaware that they
will have the same
[[Page 8417]]
force and effect as regulations. The comment further stated that if
FAQs are to have the force of regulation, then the questions and
responses should be organized for such use, and the HIPAA regulation
should specifically designate that covered entities will be held
accountable for compliance with these responses or ``published
guidance.'' Another comment suggested that proposed Sec. 160.508(c)(1)
should be revised to require the ALJ to give consideration to published
guidance and consider whether the covered entity reasonably relied on
such guidance, as is done in the regulations relating to hearings by
the Provider Reimbursement Review Board (PRRB), citing to 42 CFR
405.1867.
Response: The ``published guidances'', including FAQs, inform
covered entities of the approach HHS is taking in the enforcement of
the HIPAA rules. The guidances do not have the force and effect of a
regulation, as the comment suggests, and are not controlling upon the
courts, as would be the case with a regulation. As previously
explained, HHS seeks to provide consistent compliance guidance to
covered entities and, to the extent possible, to render decisions in
the adjudicative process that are both consistent with other
adjudicated cases and with the policy decisions of the Secretary
expressed in HHS rules and guidances. The consistency sought within HHS
is achieved by requiring the ALJ and the Board, which are components of
HHS, to defer to such published guidances, if they are consistent with
statute and regulation. This is consistent with, and recognizes the
effect of, the existing delegations of authority by the Secretary,
which delegate to the programs the Secretary's authority to establish
policy. Requiring that only consideration be given to such published
guidances, as in PRRB hearings, rather than deference, would not
achieve the desired result.
Comment: One comment argued that proposed Sec. 160.508(c)(1)
should be changed to add ``and does not establish requirements in
addition to those specified in the applicable statute or regulation,''
on the ground that covered entities should not be penalized for not
complying with requirements that exceed the plain language of the
statute.
Response: It is not clear what the comment is suggesting, but if
the comment is suggesting that guidance merely parrot what is in the
statute and regulations, guidance would be both unnecessary and
unhelpful. If, however, the comment is suggesting that guidance not
exceed any explicit limits imposed by the statute or regulations, the
language is likewise unnecessary, as the current language would permit
the ALJ or the Board to disregard guidance that was not consistent with
statute or regulations.
d. Section 160.508(c)(5)
Comment: Proposed Sec. 160.508(c)(5)(ii) would have made the
Secretary's selection of the variable under Sec. 160.406 unreviewable
by the ALJ. It was criticized by several commenters as unfair and
inconsistent with the statute on the grounds that the whole purpose of
the hearing before an ALJ is to review the Secretary's assessment of a
penalty. It was argued that, if a covered entity has a reasonable
argument as to why the use of variables or a particular variable was
not appropriate, it should be allowed to present the argument during
the ALJ hearing to which it is entitled by statute. It was also argued
that, since proposed Sec. 160.406 would include a factual
determination of the number of times a covered entity may have failed
to engage in required conduct, or may have engaged in a prohibited act,
each of the parties should be authorized to address, and the ALJ to
consider at a hearing, that factual determination. One comment asked
whether, even if the ALJ lacks authority to directly question the
variable(s) selected, a challenge to the variable could be made through
a claim that ``justice required'' selection of a different variable.
Response: Section 1128A(c)(2) establishes the right to a hearing on
the record for any person who has been given an adverse determination
by the Secretary. In a proceeding under section 1176, the adverse
determination by the Secretary is the civil money penalty proposed in
the notice of proposed determination under Sec. 160.420. Upon review
of the comments regarding proposed Sec. 160.508(c)(5)(ii), we agree
that the count of violations is an integral part of a civil money
penalty and should be reviewable by the ALJ. Thus, we have deleted
proposed subparagraph (ii) from Sec. 160.508(c)(5) in the final rule.
As a conforming change, we have integrated subparagraph (i) into the
text of Sec. 160.508(c)(5).
3. Section 160.512--Prehearing Conferences
Proposed rule: Proposed Sec. 160.512 would adopt Sec. 160.534, as
added by the April 17, 2003 interim final rule, with two changes.
Proposed Sec. 160.512 would revise paragraph (a) to establish a
minimum amount of notice (not less than 14 business days) that must be
provided to the parties in the scheduling of prehearing conferences.
Proposed Sec. 160.512 would also revise paragraph (b)(11) to include
the issue of the protection of individually identifiable health
information as a matter that may be discussed at the prehearing
conference, if appropriate.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment recommended that a provision be added to Sec.
160.512 to require the ALJ to schedule a prehearing conference within
30 days of a request for a hearing, unless both parties agree to a
later date.
Response: The scheduling of a prehearing conference will depend, in
part, on the scheduling of the hearing. For the reasons discussed under
Sec. 160.508(b) above, we do not agree that it is advisable to so
circumscribe the ALJ's flexibility to set the hearing calendar.
Comment: A couple of comments objected that the time frame for
notice of a pre-hearing conference provided for by proposed Sec.
160.512 is inadequate to permit all necessary parties involved to
prepare a response. One comment stated that the rule should extend the
time frame to 25 business days, while the other suggested that the rule
should require at least a 30-day notice of a pre-hearing conference.
Response: Section 160.512 does not prescribe 14 days as the amount
of notice of a pre-hearing conference that must be given; rather, it
simply establishes 14 days as the minimum amount of notice that is
``reasonable.'' In our experience, 14 days should in most cases be
sufficient for the parties to prepare for the conference adequately;
however, nothing in the rule prohibits a party from requesting a longer
period of time to prepare for a pre-hearing conference or the ALJ from
granting such a request.
4. Section 160.516--Discovery
Proposed rule: Proposed Sec. 160.516 would adopt Sec. 160.538 of
the April 17, 2003 interim final rule. As relevant here, proposed Sec.
160.516 would permit requests for production of documents, but would
not permit other forms of discovery, such as interrogatories, requests
for admission, and depositions. Proposed paragraph (d) states that this
section ``may not be construed to require the disclosure of interview
reports or statements obtained by any party, or on behalf of any party,
of persons who will not be called as witnesses by that party, or
analyses and summaries prepared in conjunction with the investigation
or litigation of the case, or any otherwise privileged documents.''
[[Page 8418]]
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Several comments recommended that proposed Sec. 160.516
should be revised to allow requests for admissions, depositions, and
written interrogatories in the discovery process. It was argued that
permitting these forms of discovery would ensure that covered entities
are able to mount a proper defense. It also was asserted that expert
testimony will be necessary to establish both the alleged violation(s)
and any affirmative defenses. Allowing such discovery would, it was
asserted, help to produce a record, make appeals less likely, and
potentially decrease the length of administrative hearings.
Response: We believe that the level of detail provided to a covered
entity in the notice of proposed determination (including, where
applicable, a copy of HHS's statistical expert's study), coupled with a
right to request the production of documents for copying and
inspection, provides the covered entity with the information reasonably
required to mount its challenge to the proposed civil money penalty or
to determine whether an affirmative defense applies. The additional
discovery mentioned in the comments would result in delays and costs.
Experience with the OIG regulation at 42 CFR 1005.7, which likewise
does not authorize other types of discovery, has demonstrated that the
discovery provided for is appropriate and sufficient.
Comment: Several comments argued that, at a minimum, depositions
should be permitted at least with regard to expert witnesses, including
the government's statistical expert. They asserted that, because
depositions would not be permitted, covered entities would lose another
potential opportunity to question the government's statistician in an
effort to understand and defend against the conclusion and assumptions
made in establishing the proposed civil money penalty, which would be
prejudicial to the covered entity.
Response: We do not agree that depositions are necessary. Under
Sec. 160.420(a)(2), as adopted in this final rule, the study of HHS's
statistical expert must be provided to the respondent with the notice
of proposed determination.
Comment: A couple of comments criticized the proposed rule for not
requiring that OCR and/or CMS hand over potentially exculpatory
information to the entity being investigated. The obligation to provide
exculpatory evidence should include handing over exculpatory interview
reports or statements obtained by the government of persons who will
not be called as witnesses by that party. It was recommended that this
obligation be added to the final rule.
Response: The obligation to provide exculpatory evidence to an
accused, which applies in criminal proceedings, is inapplicable in a
HIPAA administrative simplification enforcement case.
Comment: One comment contended that Sec. 160.516 should be revised
to treat personal health information as privileged information not
subject to discovery, since hearings are open to the public under
proposed Sec. 160.534.
Response: A covered entity concerned with potential public access
to protected health information may raise the issue before the ALJ and
seek a protective order under Sec. 160.512(b)(11). Depending on the
circumstances, an ALJ may require the information to be de-identified
or direct identifiers to be stripped to protect the privacy of
individuals or order other protections routinely afforded to similarly
confidential information within the litigation forum, such as
protective orders on the use of the information in public portions of
the proceedings. In addition, the ALJ may, for good cause shown, order
appropriate redactions made to the record after hearing. See Sec.
160.542(d).
5. Section 160.518--Exchange of Witness Lists, Witness Statements, and
Exhibits
Proposed rule: Proposed Sec. 160.518 would carry forward Sec.
160.540, as adopted by the April 17, 2003 interim final rule, with one
substantive change. It would revise paragraph (a) to provide time
limits within which the exchange of witness lists, statements, and
exhibits must occur prior to a hearing. Under proposed Sec.
160.518(a), these items must be exchanged not more than 60, but not
less than 15, days prior to the scheduled hearing.
Final rule: The final rule revises this provision to require that,
where a respondent retains a statistical expert for the purpose of
challenging the Secretary's statistical sampling, a report by the
respondent's expert be provided to the Secretarial party not less than
30 days prior to the hearing.
Comment: Several comments criticized the time frames of proposed
Sec. 160.518 as problematic in light of the anticipated use of
statistical sampling. They argued that, if HHS uses statistical
sampling to determine the number of violations and to establish its
prima facie case against a covered entity, the covered entity must have
a fair opportunity to rebut this evidence. That fair opportunity should
permit the addition of rebuttal witnesses, statements and exhibits
after the 15-day period and/or requiring the government to provide more
detailed information to the covered entity regarding its statistical
sampling calculations, methodology and assumptions at a time that is
sufficiently prior to the 15-day deadline. The comments requested that
the time frames listed in the regulation be increased to allow a
covered entity adequate time to prepare for a hearing. Specifically,
the comments urged that witness lists, statements, and exhibits for a
hearing be exchanged by the parties not more than 60 days and not less
than 30 days before a scheduled hearing date.
Response: We have accommodated the concern that the details of
HHS's statistical study will not be made available early enough in the
proceeding to allow a fair opportunity for rebuttal by requiring in
Sec. 160.420(a)(2) that a copy of the study be given to the respondent
with the notice of proposed determination. Accordingly, under such
circumstances, there should not be a problem identifying who respondent
should call as a rebuttal witness within the time frames set out in
this section.
We revise Sec. 160.518(a) to require the respondent to provide to
HHS a copy of the report of its statistical expert not less than 30
days before the scheduled hearing. This will give the Secretarial party
adequate time to prepare the statistical part of its case and is
reasonable in light of the fact that the respondent is given HHS's
statistical study at the commencement of the proceeding.
Comment: With respect to proposed Sec. 160.518(b)(2), one comment
asked what would constitute extraordinary circumstances. The comment
stated that this standard seems unnecessarily high and that ``good
cause'' would be a more reasonable and fairer standard, given the need
for covered entities to rebut the evidence of a statistical expert
whose information they will not receive until the exchange of witnesses
and exhibits.
Response: The decision concerning what is sufficient to convince
the ALJ that extraordinary circumstances exist will be case-specific.
The justification for lowering the standard no longer applies, given
our change to Sec. 160.420. Accordingly, we retain the ``extraordinary
circumstances'' standard to emphasize the importance of observing the
time frame for the exchange of such information.
[[Page 8419]]
6. Section 160.520--Subpoenas for Attendance at Hearing
Proposed rule: Proposed Sec. 160.520 would carry forward Sec.
160.542, as adopted by the April 17, 2003 interim final rule, mainly
unchanged. Proposed Sec. 160.520 would clarify that when a subpoena is
served on HHS, the Secretary may comply with the subpoena by
designating any knowledgeable representative to testify. Proposed Sec.
160.520(d) would require a party seeking a subpoena to file a written
motion not less than 30 days before the scheduled hearing, unless
otherwise allowed by the ALJ for good cause shown; the paragraph
specified what such a motion must contain.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment asked that the language in proposed Sec.
160.520(c) be modified to provide that, if a respondent subpoenas a
particular employee or official with specific knowledge of the case at
hand, the identified employee or official would be required to testify.
While acknowledging that it was reasonable for HHS to be able to
substitute a witness if a respondent subpoenas an employee or official
with no knowledge of the case (such as the Secretary), the comment
argued that HHS should not have such discretion if the employee or
official who is subpoenaed has specific knowledge of the case.
Response: We retain the provision as proposed, because it is
necessary to permit the smooth conduct of government business. We do
not agree that the provision will damage a respondent's ability to
litigate his case, as the provision requires that, although the
Secretary may designate an HHS representative, the person so designated
must be ``knowledgeable.'' That person may be the employee or official
upon whom the subpoena was first served, if the Secretary determines
that such person is the appropriate witness, possessed of the requisite
knowledge to testify upon the issues which are the subject of the
subpoena.
Comment: One comment stated concerns with the interplay of proposed
Sec. 160.538 with proposed Sec. 160.520(d). Under proposed Sec.
160.538(b), if a party seeks to admit the testimony of a witness in the
form of a written statement, that statement must be provided to the
other party ``in a manner that allows sufficient time for the other
party to subpoena the witness for cross-examination at the hearing.''
Under proposed Sec. 160.520(d), ``a party seeking a subpoena must file
a written motion not less than 30 days before the date fixed for the
hearing, unless otherwise allowed by the ALJ for good cause shown.''
The comment argued that a party that wanted to subpoena a person whose
written statement was being offered by the opposing party should not
have the burden of showing good cause for moving for a subpoena less
than 30 days before the hearing date. Instead, the party seeking to
admit the written statement should be required to provide that
statement to the other party more than 30 days before the hearing, so
that the other party will have an opportunity to subpoena that witness
under the procedures established by these regulations.
Response: We believe that the rules adequately provide for such a
contingency, and so do not revise Sec. 160.520 as requested. The party
that seeks to introduce testimony, other than expert testimony, in the
form of a written statement must provide the other party with a copy of
the statement and the address of the witness in sufficient time to
allow that other party to subpoena that witness for cross examination.
Since Sec. 160.520(d) requires that motions seeking a subpoena be
filed not less than 30 days before the hearing, the witness statement
and address should be provided in sufficient time to allow a timely
motion to be made. In the event that such statement and/or address is
not provided in sufficient time to allow for a timely motion, good
cause for permitting the motion for subpoena to be made on fewer than
30 days notice would exist.
7. Section 160.522--Fees
Proposed rule: We proposed in Sec. 160.522 to carry
forward unchanged Sec. 160.544 of the April 17, 2003 interim final
rule. The provision requires the party subpoenaing a witness to pay the
cost of fees and mileage. Where the respondent is the party subpoenaing
the witness, the check for such fees and mileage must accompany the
subpoena when served, but the check is not required to accompany the
subpoena where the party subpoenaing the witness is the Secretary.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment requested clarification of this provision.
Observing that proposed Sec. 160.522 would require a check for
specific fees to accompany the subpoena except when HHS issues such a
subpoena, the comment questioned whether this meant that HHS would be
required to reimburse someone they subpoenaed or whether the HHS
reimbursement would come at a later date. Further, if it was the case
that HHS was not required to reimburse such fees, the comment asked why
this is the case, since any other party would be required to reimburse
those fees.
Response: HHS is required to, and will, pay to a subpoenaed witness
the fees provided for in this section. The payment, however, need not
accompany the subpoena. This policy is consistent with the usual
procedure when the federal government is a party. See, e.g., Fed. R.
Civ. P. 45(b)(1) (28 U.S.C. Appendix).
8. Section 160.534--The Hearing
Proposed rule: The text of proposed Sec. 160.534 was adopted by
the April 17, 2003 interim final rule as Sec. 160.554. No changes to
paragraphs (a) and (c) were proposed. However, it was proposed to add a
new paragraph (b) allocating the burden of proof at the hearing. Under
proposed Sec. 160.534(b), the respondent would bear the burden of
proof with respect to: (1) Any affirmative defense, including those set
out in section 1176(b) of the Act, as implemented by proposed Sec.
160.410; (2) any challenge to the amount or scope of a proposed penalty
under section 1128A(d), as implemented by proposed Sec. Sec. 160.404-
160.408, including mitigating factors; and (3) any contention that a
proposed penalty should be reduced or waived under section 1176(b)(4),
as implemented by Sec. 160.412. The Secretary would have the burden of
proof with respect to all other issues, including issues of liability
and the factors considered as aggravating factors under proposed Sec.
160.408 in determining the amount of penalties to be imposed. The
burden of persuasion would be judged by a preponderance of the evidence
(i.e., it is more likely than not that the position advocated is true).
We also proposed a new Sec. 160.534(d), which would provide that
any party may present items or information, during its case in chief,
that were discovered after the date of the notice of proposed
determination or request for a hearing, as applicable. The
admissibility of such proffered evidence would be governed generally by
the provisions of proposed Sec. 160.540, and be subject to the 15-day
rule for the exchange of trial exhibits, witness lists and statements
set out at proposed Sec. 160.518(a). If any such evidence is offered
by the Secretary, it would not be admissible, unless relevant and
material to the findings of fact set forth in the notice of proposed
determination, including circumstances that may increase such penalty.
If any such evidence is offered by the respondent, it would not be
admissible unless relevant and material to a
[[Page 8420]]
specific admission, denial, or explanation of a finding of fact, or to
a specific circumstance or argument expressly stated in the
respondent's request for hearing that are alleged to constitute grounds
for any defense or the factual and legal basis for opposing or reducing
the penalty.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment recommended that proposed Sec.
160.534(b)(1)(ii) (placing the burden of proof on the respondent with
respect to any challenge to the amount of a proposed penalty pursuant
to Sec. 160.404-160.408, including mitigating factors) be deleted. It
was argued that due process requires that HHS sustain the burden of
going forward with evidence proving the amount of a proposed penalty
and the burden of persuasion. It was also noted that this section would
place on the respondent the burden of proof with respect to an issue
that is unreviewable under proposed Sec. 160.508(c)(5)--the selection
of variables under Sec. 160.406.
Response: We disagree that Sec. 160.534(b)(1)(ii) violates the due
process clause. Rather, it is consistent with the normal allocation of
the burden of proof, in which the proponent of a fact or argument has
the burden of proving it. Our change to Sec. 160.508(c)(5) renders the
remainder of the comment moot.
Comment: One comment suggested that Sec. 160.534(c) be revised to
require the ALJ, upon the request of either party, to close a public
hearing that could result in disclosure of privacy or security
information that should not be made public and seal the records.
Response: We agree that protecting protected health information is
important and is an issue about which all parties and the ALJ should be
concerned. However, administrative hearings are, in general, required
to be open to the public. See, e.g., Detroit Free Press v. Ashcroft,
303 F.3d 681, 700 (6th Cir. 2002) (stating that INS deportation
hearings and similar administrative proceedings are traditionally open
to the public). An ALJ has means by which he can protect the privacy of
protected health information to be introduced into evidence, if he
determines that this should be done, including requiring redaction of
identifying information and closing part of the hearing. In our view,
the ALJ will be in the best position to balance the competing interests
of the public's right to information and the privacy interests
associated with any protected health information. Accordingly, we do
not mandate closure of the hearing on request.
9. Section 160.536--Statistical Sampling
Proposed rule: Proposed Sec. 160.536 would permit the Secretary to
introduce the results of a statistical sampling study as evidence of
the number of violations under proposed Sec. 160.406(b), or, where
appropriate, any factor considered in determining the amount of the
civil money penalty under proposed Sec. 160.408. If the estimation is
based upon an appropriate sampling and employs valid statistical
methods, it would constitute prima facie evidence of the number of
violations or amount of the penalty sought that is a part of the
Secretary's burden of proof. Such a showing would cause the burden of
going forward to shift to the respondent, although the burden of
persuasion would remain with the Secretary.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: Several comments argued that the proposed rule would
significantly limit a covered entity's ability to challenge HHS's
statistical evidence. Although proposed Sec. 160.420(a)(2) would
require HHS, in the notice of proposed determination, to describe the
sampling technique used by the Secretary, it is unclear what
constitutes a ``brief'' description, and a brief description will most
likely be insufficient to provide the covered entity with enough
information to mount an adequate challenge. Because the covered entity
may not receive a copy of the actual statistical study until 15 days
before the hearing, it would have a very short period of time in which
to review, investigate, critique, and/or rebut the statistical study.
Because proposed Sec. 160.516 would prohibit the taking of
depositions, there would be no way to subject HHS's statistical
expert to adverse examination until the hearing, if then. The comments
requested that proposed Sec. 160.536 be deleted or, alternatively, the
rule be revised to permit depositions of HHS's statistical expert and
require HHS to give covered entities more detail of the technique
utilized in sufficient time to allow entities to provide a meaningful
defense and rebuttal.
Response: We recognize the concern that to make an effective
challenge to the Secretary's introduction of the results of a
statistical study, a covered entity should be provided with the details
of that study early in the proceeding. Accordingly, we have revised
proposed Sec. 160.420(a)(2) to require HHS to provide a copy of the
study relied upon to the respondent with the notice of proposed
determination. Further, we have revised proposed Sec. 160.504(b) to
enlarge the time within which a respondent seeking a hearing before an
ALJ must mail its request for hearing from 60 to 90 days. We do not
agree that depositions, which are expensive and time consuming, are
required; the statistical study relied upon will be given to respondent
with the notice of proposed determination, allowing an adequate amount
of time to prepare any opposition thereto.
Comment: Several comments contended that permitting proof of
violations by statistical sampling violates basic notions of due
process and fundamental fairness, in that either a violation is
provable or it is not. The comments raised the following specific
objections on this ground. Statistical sampling merely estimates the
number of violations that could have occurred and should not be used as
a ``short cut'' for appropriate investigation and review. The
determination of any variable used to calculate the number of
violations should be based on an objective standard. The proposed
approach would not treat all covered entities the same. The following
example was provided to illustrate this latter concern. Suppose that a
dentist had 3,000 patients of record, and that seven percent of those
patients, or 210, did not receive a Notice of Privacy Practices.
Suppose that a sample of 100 of the 3,000 patients was examined by HHS,
and it was determined that 15 did not receive a notice. A statistical
inference from this sample would estimate that 600, or 15 percent of
all patients of record, did not receive a notice, even though in fact
only 210 had not received a notice. Under Sec. 160.536, the provider
could be charged for 600 violations. While, on average, the sampling
approach would yield the correct estimate of all providers, it would
not necessarily be correct for any specific provider, which would be
unfair to the individual providers involved.
Response: The use of sampling and statistical methods is recognized
under Fed. R. Evid. 702 and under 42 CFR 1003.133 of the OIG rules,
upon which the language of this section is based. The respondent may
challenge whether the estimation offered by the Secretary is based upon
a valid sample and employs valid statistical methods or may otherwise
rebut the statistical evidence submitted. In the example cited by the
comment, the respondent also could rebut the results with evidence that
the actual number of violations is less than the estimate derived from
the statistical sample.
With respect to the concerns regarding the fairness and
appropriateness of using statistical
[[Page 8421]]
sampling to determine the number of violations, HHS will use sampling
methods which follow recognized scientific guidelines for statistical
validity and precision. These methods would be applicable to all types
of covered entities and will objectively measure the number of
violations by a covered entity or the number of occurrences of a
particular aggravating circumstance. Because of the wide range of
possible violations, however, we cannot at this time present specific
sampling designs or levels of acceptable precision. However, the
methodology employed will be documented and made available in the
statistical sampling study provided with the notice of proposed
determination.
Comment: Several comments argued that the use of statistical
sampling is inappropriate to determine violations of the HIPAA rules. A
couple of comments argued that, because of the many variables and
discretionary considerations that can go into determining that a
violation has occurred, and because many complaints or investigations
will relate to individual circumstances, using statistical sampling to
determine the number of violations is not appropriate. Another comment
gave as an example of this problem Privacy Rule violations involving
disclosure of protected health information beyond the ``minimum
necessary;'' it asserted that the number of such violations cannot be
adequately assessed through a statistical sample. Use of statistical
sampling in such a case could preclude a covered entity from asserting
its fact-based affirmative defenses. It was argued that statistical
sampling is appropriate for use in estimating averages, but is not
appropriate for determining the number of violations by a specific
covered entity.
Response: As noted above, statistical sampling is recognized under
the Federal Rules of Evidence and other HHS regulations. See, e.g., 42
CFR 1003.133. The results, if based upon an appropriate sampling and
computed by valid statistical methods, are only prima facie evidence of
the number of violations or the existence of factors material to the
proposed civil money penalty. The respondent may challenge the adequacy
or size of the sample or the statistical methods employed, and may
offer other evidence to rebut the results derived through the
statistical methodology.
We do not agree that statistical methods are, per se, inappropriate
for determining the number of violations that have occurred. For
example, suppose that a health plan with a large volume of electronic
claims is found to have required providers to include on such claims a
data element which is not part of the standard. A sample of the claims
would be selected, and the percentage of claims found to be in
violation of the standard would be computed from the sample and
projected to the universe of claims for the year to establish the total
number of violations of the standard in the calendar year. Of course,
HHS's statistical methods would have to pass muster, and a respondent
could challenge the statistical results, on normal statistical grounds,
e.g., that the sample size was insufficient, that the sample was not
representative, and so on.
Comment: Several comments contended that, by allowing statistical
sampling to be introduced at a hearing, proposed Sec. 160.536 directly
contradicts the language of Sec. 160.508, which does not allow an ALJ
to review issues under the Secretary's discretion, which includes
calculating the number of violations. Other comments stated that, in
the event that statistical sampling is used by HHS to determine the
number of violations, it should be subject to ALJ review and that
insulating it from review would increase the potential for abuse
exponentially.
Response: Proposed Sec. 160.508(c) has been revised to permit the
ALJ to review the Secretary's calculation of the number of violations
of an identical administrative simplification provision under Sec.
160.406. If statistical sampling is employed to determine the number of
violations, the results are subject to challenge before the ALJ.
Comment: The provision of proposed Sec. 160.536 limiting
statistical studies to those ``based upon an appropriate sampling and
computed by valid statistical methods'' was criticized. It was noted
that no criteria for validity are given, even though the comments by
the agency specifically acknowledge the danger of extrapolating from
small sample sizes. It also was argued that the appropriateness and
validity of such sampling techniques are left to the discretion of the
Secretary, who will employ criteria known only to the Secretary. It was
recommended that statistical sampling not be permitted without clearer
guidelines or more flexibility to challenge the study at an early
stage, before significant investment of resources.
Response: By requiring that appropriate sampling and valid
statistical methods be employed, HHS is mirroring the standard by which
the reliability of such expert testimony is assessed under Fed. R.
Evid. 702. If statistical sampling is employed to determine the number
of violations of an administrative simplification provision in a
calendar year, such determination is subject to review by the ALJ. With
respect to a respondent's ability to challenge the study at an earlier
stage, under Sec. 160.420(a)(2), a copy of the study relied upon will
be provided to the respondent with the notice of proposed
determination.
10. Section 160.538--Witnesses
Proposed rule: Proposed Sec. 160.538 would carry forward unchanged
Sec. 160.556, as adopted by the April 17, 2003 interim final rule. As
relevant here, paragraph (b) provides that, at the discretion of the
ALJ and subject to certain conditions, testimony of witnesses other
than the testimony of expert witnesses may be admitted in the form of a
written statement and the ALJ may, at his discretion, admit prior sworn
testimony of experts that has been subject to adverse examination.
Final rule: The final rule adopts the provisions of the proposed
rule, except that the fourth sentence of proposed Sec. 160.538(b) is
placed before the second sentence of proposed Sec. 160.538(b).
Comment: One comment stated that it was unclear whether the
government's statistician could even be required to testify; rather, it
appeared that the government could rely solely on the expert's prior
testimony in other cases and/or the expert's report. Because
depositions are not allowed, this provision must mean that testimony
from experts in other cases may be used. It was argued that this would
be prejudicial, because the covered entity will not have had an
opportunity to subject the testimony to adverse examination and the
facts of different cases would likely not be identical. Therefore, the
expert testimony in one case may not be appropriate for use in a
different case. It was recommended that this section be revised to
require, at the covered entity's request, the testimony at the hearing
of the government's statistical expert and prohibit the use of prior
sworn testimony of experts unless from the specific case at issue.
Response: HHS expects that its statistical expert will testify at
the hearing. Moreover, the respondent may move the ALJ to subpoena
HHS's statistical expert to appear and testify at the hearing. See
Sec. 160.520.
Comment: One comment stated that, when Sec. Sec. 160.538 and
160.516(b) are read together, they would permit an expert's testimony,
taken under oath in a different case, to be admitted into
[[Page 8422]]
evidence, leaving the respondent with no chance to question the expert.
Response: We recognize the concern raised, which we believe arises
out of an inadvertent transposition of a sentence in the text of
proposed Sec. 160.538(b). We intended that the subsection's text
mirror that of the OIG regulation at 45 CFR 1005.16(b) by ending with
the following: ``Any such written statement must be provided to the
other party, along with the last known address of the witness, in a
manner that allows sufficient time for the other party to subpoena the
witness for cross-examination at the hearing. Prior written statements
of witnesses proposed to testify at the hearing must be exchanged as
provided in Sec. 160.518.'' We have corrected this error. As the rule
now reads, the prior sworn testimony of an expert will be treated like
any other witness's statement that a party proposes to offer in lieu of
testimony at the hearing: a copy must be provided to the other party
along with the witness's address in sufficient time to permit such
other party to subpoena and question that witness at the hearing.
11. Section 160.540--Evidence
Proposed rule: Proposed Sec. 160.540 would carry forward unchanged
Sec. 160.558, which was adopted by the April 17, 2003 interim final
rule. Paragraph (b) of this section provides that the ALJ is not bound
by the Federal Rules of Evidence, except as provided in the subpart.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment argued that proposed Sec. 160.540(b) should
be revised. The comment stated that the optional use of the Federal
Rules of Evidence is insufficient and would not allow entities to know
what evidence will be admissible at the hearing or what rules of
evidence will apply. At a minimum, it was argued, the use of hearsay
should be prohibited except pursuant to the hearsay exceptions of the
Federal Rules of Evidence.
Response: The Administrative Procedure Act does not require HHS to
apply the Federal Rules of Evidence to limit the discretion of ALJs to
admit evidence at hearings. See 5 U.S.C. 556(d). To be admissible,
evidence need only be relevant, material, reliable, and probative.
However, the ALJ may apply the Federal Rules of Evidence, where
appropriate. Examples of situations where use of the Federal Rules of
Evidence might be appropriate would include to exclude unreliable
evidence, to weigh the probative value of evidence against the risks
attending its admission, to determine whether a Federal privilege
exists, or to determine whether the evidence relates to an offered
compromise and settlement, which would be inadmissible under Fed. R.
Evid. 408.
Comment: One comment argued that proposed Sec. 160.540(g) should
be deleted. It was argued that this provision is inconsistent with the
six-year time limit in Sec. 160.414, in that it permits admission at
the hearing of ``crimes, wrongs or acts'' without limit as to when they
may have occurred. The comment stated that acts or other behaviors that
are not the subject of civil money penalties are not relevant factors
in determining the penalties that should be imposed, nor are they proof
that the prohibited activity occurred. The Secretary is not required in
a civil administrative proceeding to prove intent or mens rea.
Response: We believe that evidence of prior bad acts, admitted for
the purposes listed (which are consistent with Fed. R. Evid. 404(b))
may be relevant and material in particular cases and, thus, should not
be categorically excluded, as suggested. For instance, such evidence
may be relevant and material to proving a covered entity's knowledge of
the violation or aggravating circumstances affecting the amount of the
civil money penalty imposed. In the latter case, for example, the
evidence would be admitted to prove the aggravating circumstances and
not the actual violations at issue; thus, the statute of limitations
would not apply with respect to the bad acts. (We note, however, that
prior bad acts unrelated to the covered entity's compliance with the
HIPAA provisions or rules would not be admissible to prove aggravating
circumstances under Sec. 160.408(d).)
Comment: Another comment argued
that proposed Sec. 160.540(g) should be deleted, but if retained, such
evidence should be reviewable under the other criteria for
admissibility of proposed Sec. 160.540, and HHS should be required to
provide advance notice of its intent to present such evidence.
Response: Evidence of prior bad acts would be subject to the same
criteria for admissibility as other evidence offered at the hearing--
for instance, whether the probative value of such evidence is
substantially outweighed by its potential for prejudice. Such evidence
is also subject to the rules regarding notice that apply to other
evidence; see, e.g., Sec. Sec. 160.420(a)(5), 160.516, and 160.518.
12. Section 160.542--The Record
Proposed rule: This section would carry forward unchanged Sec.
160.560, adopted by the April 17, 2003 interim final rule. Since the
section provides that the record of the proceedings be transcribed, we
proposed to add to paragraph (a) of this section a requirement that the
cost of transcription of the record be borne equally by the parties, in
the interest of fairness.
Final rule: The final rule adopts the provisions of the proposed
rule, except that paragraph (a) is revised to clarify that if a party
requests a copy of the transcript of the hearing proceedings it must
pay the cost of such transcript, unless such payment is waived by the
ALJ or the Board for good cause shown.
Comment: One comment recommended that this fee be assessed at the
end of the investigation and assumed by the responsible party based on
the outcome of the investigation. Another comment requested that HHS
bear the cost of the court reporter's appearance (as opposed to the
cost of copies).
Response: We acknowledge that the language of proposed paragraph
(a) suggested that there is a fee or cost for a court reporter's
appearance, in addition to the cost of obtaining a copy of the
transcript of the hearing proceedings. As there is no such additional
cost, we have revised paragraph (a) to state that a party that requests
a copy of the transcript of hearing is required to pay the cost of
preparing such transcript. We have also added a provision that will
permit the ALJ or the Board, for good cause shown, to waive the cost of
obtaining the transcript.
13. Section 160.546--ALJ Decision
Proposed rule: The proposed rule proposed that the ALJ decision
would be the initial decision of the Secretary, rather than the final
decision of the Secretary as set forth in Sec. 160.564(d) of the April
17, 2003 interim final rule. Thus, we proposed to revise paragraph (d)
to provide that the decision of the ALJ will be final and binding on
the parties 60 days from the date of service of the ALJ decision,
unless it is timely appealed by either party.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment requested that the section be revised to
provide that the ALJ could not increase a penalty beyond the statutory
cap of section 1176(a)(1).
Response: The ALJ is bound by both the statute and the regulations,
which both explicitly address this issue. Section 1176(a)(1) states
that ``the total amount imposed on the person for all violations of an
identical requirement or prohibition during a calendar year may not
exceed $25,000.'' Section
[[Page 8423]]
160.404(b)(1)(ii) states that the Secretary may not impose a civil
money penalty in excess of $25,000 for identical violations during a
calendar year.
In light of these explicit provisions, we do not agree that the
suggested change is necessary.
14. Section 160.548--Appeal of the ALJ Decision
Proposed rule: Proposed Sec. 160.548 would provide that any party
may appeal the initial decision of the ALJ to the Board within 30 days
of the date of service of the ALJ initial decision, unless extended for
good cause. The appealing party must file a written brief specifying
its exceptions to the initial decision. The opposing party may file an
opposition brief, which is limited to the exceptions raised in the
brief accompanying notice of appeal and any relevant issues not
addressed in said exceptions and must be filed within 30 days of
receiving the appealing party's notice of appeal and brief. The
appealing party may, if permitted by the Board, file a reply brief.
These briefs may be the only means that the parties will have to
present their case to the Board, since there is no right to appear
personally before the Board. The proposed rule provided that if a party
demonstrates that additional evidence is material and relevant and
there are reasonable grounds why such evidence was not introduced at
the ALJ hearing, the Board may remand the case to the ALJ for
consideration of the additional evidence. In an appeal to the Board,
the standard of review on a disputed issue of fact would be whether the
ALJ's initial decision is supported by substantial evidence on the
record as a whole; on a disputed issue of law, the standard of review
is whether the ALJ's initial decision is erroneous. The Board could
decline review, affirm, increase, reduce, or reverse any penalty, or
remand a penalty determination to the ALJ.
Under proposed Sec. 160.548(i), the Board must serve its decision
on the parties within 60 days after final briefs are filed. The
decision of the Board becomes the final decision of the Secretary 60
days after service of the decision, except where the decision is to
remand to the ALJ or a party requests reconsideration before the
decision becomes final. Proposed Sec. 160.548(j) provides that a party
may request reconsideration of the Board's decision, provides a
reconsideration process, and provides that the Board's reconsideration
decision becomes final on service. The decision of the Board
constitutes the final decision of the Secretary from which a petition
for judicial review may be filed by a respondent aggrieved by the
Board's decision. Proposed Sec. 160.548(k) provides for a petition for
judicial review of a final decision of the Secretary.
Final rule: The final rule adopts the provisions of the proposed
rule, except that paragraph (e) is revised to make it consistent with
the revision to Sec. 160.504(c). The revision would permit the Board
to consider an affirmative defense under Sec. 160.410(b)(1) that is
raised for the first time before the Board. Thus, under paragraph (f)
of this section, the Board could, but would not be required to, remand
the case to the ALJ for consideration of any evidence adduced with
respect to such defense.
Comment: One comment was received on this section. It requested
that the section be revised to provide that the Board could not
increase a penalty beyond the statutory cap of section 1176(a)(1).
Response: We do not agree that such a provision is necessary, for
the reasons discussed in the preceding section.
15. Section 160.552--Harmless Error
Proposed rule: Proposed Sec. 160.552 proposed to adopt the
``harmless error'' rule that applies to civil litigation in Federal
courts. The provision would provide, in general, that the ALJ and the
Board at every stage of the proceeding will disregard any error or
defect in the proceeding that does not affect the substantial rights of
the parties.
Final rule: The final rule adopts the provisions of the proposed
rule.
Comment: One comment asked for further guidance on, and
clarification of, this provision. Another comment stated that the
provision was far too broad, particularly given the limited discovery
available to covered entities. Concern was expressed that the rule
would severely limit a covered entity's ability to appeal an adverse
ruling.
Response: The proposed rule was modeled after Fed. R. Civ. P. 61
and 42 CFR 1005.23 of the OIG regulations. It is a common provision in
procedural rules that govern civil and administrative adjudications and
is intended to promote efficiency in the resolution of disputes. If a
respondent seeks an appeal because of an error that affects the party's
substantive rights or the case's outcome, this section would not be
applicable. Thus, we do not agree that it would severely limit a
covered entity's ability to appeal an adverse ruling, and we adopt the
section as proposed.
IV. Impact Statement and Other Required Analyses
Comment: Only one comment was received on the impact and other
required analyses of the proposed rule (see 70 FR 20247-49). The
comment asserted that HHS was declaring itself exempt from complying
with the Paperwork Reduction Act, the Regulatory Flexibility Act, the
Unfunded Mandates Reform Act of 1995, the Small Business Regulatory
Enforcement and Fairness Act, and Executive Order 13132, and that an
effort to compute vigorously the range of potential effects is needed
to assure agency accountability.
Response: The comment misstates the position HHS took in the
proposed rules concerning these laws. HHS does not consider itself, or
the Enforcement Rule, exempt from these laws. However, each of these
laws covers only certain types of rules and agency actions. For the
reasons stated in the proposed rule and summarized below, those laws do
not apply to the particular actions taken with respect to this rule.
The comment provides no substantive grounds for altering our prior
conclusions with respect to these laws.
A. Paperwork Reduction Act
We reviewed this final rule to determine whether it raises issues
that would subject it to the Paperwork Reduction Act (PRA). Since the
final rule comes within the exemption of 5 CFR 1320.4(a), as it deals
entirely with administrative investigations and actions against
specific individuals or entities, it need not be reviewed by the Office
of Management and Budget under the authority of the PRA.
B. Executive Order 12866; Regulatory Flexibility Act; Unfunded Mandates
Reform Act of 1995; Small Business Regulatory Enforcement Fairness Act
of 1996; Executive Order 13132
We have examined the impacts of this final rule as required by
Executive Order 12866 (September 1993, Regulatory Planning and Review),
the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-
354), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), the
Small Business Regulatory Enforcement and Fairness Act, 5 U.S.C. 801,
et seq., and Executive Order 13132.
1. Executive Order 12866
Executive Order 12866 (as amended by Executive Order 13258, which
merely reassigns responsibility of duties) directs agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is
[[Page 8424]]
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). Executive Order 12866
defines, at section 3(f), several categories of ``significant
regulatory actions.'' One category is ``economically significant''
rules, which are defined in section 3(f)(1) of the Order as rules that
may ``have an annual effect on the economy of $100 million or more, or
adversely affect in a material way the economy, productivity,
competition, jobs, the environment, public health or safety, or State,
local, or tribal governments or communities.'' Another category, under
section 3(f)(4) of the Order, consists of rules that are ``significant
regulatory actions'' because they ``raise novel legal or policy issues
arising out of legal mandates, the President's priorities, or the
principles set forth in this Executive Order.'' Executive Order 12866
requires a full economic impact analysis only for ``economically
significant'' rules under section 3(f)(1). For the reasons stated at 70
FR 20248-49, we have concluded that this rule should be treated as a
``significant regulatory action'' within the meaning of section 3(f)(4)
of Executive Order 12866, but that the impact of this rule is not such
that it reaches the economically significant threshold under section
3(f)(1) of the Order.
We note, with regard to our prior analysis, that our ongoing
experiences with HIPAA complaints bear out our experience to July
2004, which was discussed at 70 FR 20248. As of October 31, 2005, OCR
had received and initiated review of over 16,000 complaints and had
closed 68 percent of the complaints; at the same time, CMS had received
and initiated review of 413 complaints and closed 67 percent of the
complaints. Thus, we continue to be of the view that the costs
attributable to the provisions of this rule will, in most cases that
are opened, be low. We likewise continue to believe, for the reasons
stated at 70 FR 20249, that the value of the benefits brought by the
HIPAA provisions are sufficient to warrant appropriate enforcement
efforts and that the benefits of these protections far outweigh the
costs of this enforcement regulation.
Thus, in most cases, if covered entities comply with the various
HIPAA rules, they should not incur any significant additional costs as
a result of the Enforcement Rule. This is based on the fact that the costs
intrinsic to most of the HIPAA rules and operating directions against
which compliance is evaluated have been scored independently of this
rule, and those requirements are not changed by this rule. We recognize
that the specific requirements against which compliance is evaluated
are not yet well known and may evolve with experience under HIPAA, but
we expect that covered entities have both the ability and expectation
to maintain compliance, especially given our commitment to encouraging
and facilitating voluntary compliance. While not straightforward to
project, it seems likely that the number of times in which the full
civil money penalty enforcement process will be invoked will be
extremely small, based on the evidence to date.
2. Other Analyses
We also examined the impact of this rule as required by the
Regulatory Flexibility Act (RFA). The RFA requires agencies to
determine whether a rule will have a significant economic impact on a
substantial number of small entities. For purposes of the RFA, small
entities include small businesses, nonprofit organizations, and
government jurisdictions; for health care entities, the size standard
for a ``small'' entity ranges from $6 million to $29 million in
revenues in any one year. For the reasons discussed at 70 FR 20249, the
Secretary certifies that this rule will not have a significant economic
impact on a substantial number of small entities.
Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C.
1531 et seq., also requires that agencies assess anticipated costs and
benefits before issuing any rule that may result in expenditure in any
one year by State, local, or tribal governments, in the aggregate, or
by the private sector, of $100 million, adjusted for inflation. The
Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5
U.S.C. 801, et seq., requires that rules that will have an impact on
the economy of $100 million or more per annum be submitted for
Congressional review. For the reasons discussed above and at 70 FR
20248-49, this rule will not impose a burden large enough to require a
section 202 statement under the Unfunded Mandates Reform Act of 1995 or
Congressional review under SBREFA.
Executive Order 13132 establishes certain requirements that an
agency must meet when it adopts a final rule that imposes substantial
direct requirement costs on State and local governments, preempts State
law, or otherwise has Federalism implications. This final rule does not
have ``Federalism implications,'' as it will not have ``substantial
direct effects on the States, on the relationship between the national
government and the States, or on the distribution of power and
responsibilities among the various levels of government,'' nor, for the
reasons previously explained, will it have substantial economic effects
would not be substantial, while any preemption of State law that could
occur would be a function of the underlying HIPAA rules, not this rule.
Therefore, the Enforcement Rule is not subject to Executive Order 13132
(Federalism).
Dated: December 20, 2005.
Michael O. Leavitt,
Secretary.
List of Subjects
45 CFR Part 160
Administrative practice and procedure, Computer technology,
Electronic transactions, Employer benefit plan, Health, Health care,
Health facilities, Health insurance, Health records, Hospitals,
Investigations, Medicaid, Medical research, Medicare, Penalties,
Privacy, Reporting and record keeping requirements, Security.
45 CFR Part 164
Administrative practice and procedure, Electronic information
system, Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health Insurance, Health records, Hospitals,
Medicaid, Medical research, Medicare, Privacy, Reporting and record
keeping requirements, Security.
For the reasons set forth in the preamble, the Department of Health and
Human Services amends 45 CFR subtitle A, subchapter C, parts 160 and
164, as set forth below.
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 is revised to read as follows:
Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d--1320d-8, sec. 264
of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)),
and 5 U.S.C. 552.
2. Add to Sec. 160.103 in alphabetical order the definition of
``Person'' to read as follows:
Sec. 160.103 Definitions.
* * * * *
``Person'' means a natural person, trust or estate, partnership,
corporation, professional association or corporation, or other entity,
public or private.
* * * * *
3. Revise subpart C to read as follows:
Subpart C--Compliance and Investigations
Sec.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance
reviews.
160.314 Investigational subpoenas and inquiries.
160.316 Refraining from intimidation or retaliation.
Sec. 160.300 Applicability.
This subpart applies to actions by the Secretary, covered entities,
and others with respect to ascertaining the compliance by covered
entities with, and the enforcement of, the applicable provisions of
this part 160 and parts 162 and 164 of this subchapter.
Sec. 160.302 Definitions.
As used in this subpart and subparts D and E of this part, the
following terms have the following meanings:
Administrative simplification provision means any requirement or
prohibition established by:
(1) 42 U.S.C. 1320d--1320d-4, 1320d-7, and 1320d-8;
(2) Section 264 of Pub. L. 104-191; or
(3) This subchapter.
ALJ means Administrative Law Judge.
Civil money penalty or penalty means the amount determined under
Sec. 160.404 of this part and includes the plural of these terms.
Respondent means a covered entity upon which the Secretary has
imposed, or proposes to impose, a civil money penalty.
Violation or violate means, as the context may require, failure to
comply with an administrative simplification provision.
Sec. 160.304 Principles for achieving compliance.
(a) Cooperation. The Secretary will, to the extent practicable,
seek the cooperation of covered entities in obtaining compliance with
the applicable administrative simplification provisions.
(b) Assistance. The Secretary may provide technical assistance to
covered entities to help them comply voluntarily with the applicable
administrative simplification provisions.
Sec. 160.306 Complaints to the Secretary.
(a) Right to file a complaint. A person who believes a covered
entity is not complying with the administrative simplification
provisions may file a complaint with the Secretary.
(b) Requirements for filing complaints. Complaints under this
section must meet the following requirements:
(1) A complaint must be filed in writing, either on paper or
electronically.
(2) A complaint must name the person that is the subject of the
complaint and describe the acts or omissions believed to be in
violation of the applicable administrative simplification provision(s).
(3) A complaint must be filed within 180 days of when the
complainant knew or should have known that the act or omission
complained of occurred, unless this time limit is waived by the
Secretary for good cause shown.
(4) The Secretary may prescribe additional procedures for the
filing of complaints, as well as the place and manner of filing, by
notice in the Federal Register.
(c) Investigation. The Secretary may investigate complaints filed
under this section. Such investigation may include a review of the
pertinent policies, procedures, or practices of the covered entity and
of the circumstances regarding any alleged violation. At the time of
initial written communication with the covered entity about the
complaint, the Secretary will describe the act(s) and/or omission(s)
that are the basis of the complaint.
Sec. 160.308 Compliance reviews.
The Secretary may conduct compliance reviews to determine whether
covered entities are complying with the applicable administrative
simplification provisions.
Sec. 160.310 Responsibilities of covered entities.
(a) Provide records and compliance reports. A covered entity must
keep such records and submit such compliance reports, in such time and
manner and containing such information, as the Secretary may determine
to be necessary to enable the Secretary to ascertain whether the
covered entity has complied or is complying with the applicable
administrative simplification provisions.
(b) Cooperate with complaint investigations and compliance reviews.
A covered entity must cooperate with the Secretary, if the Secretary
undertakes an investigation or compliance review of the policies,
procedures, or practices of the covered entity to determine whether it
is complying with the applicable administrative simplification
provisions.
(c) Permit access to information. (1) A covered entity must permit
access by the Secretary during normal business hours to its facilities,
books, records, accounts, and other sources of information, including
protected health information, that are pertinent to ascertaining
compliance with the applicable administrative simplification
provisions. If the Secretary determines that exigent circumstances
exist, such as when documents may be hidden or destroyed, a covered
entity must permit access by the Secretary at any time and without
notice.
(2) If any information required of a covered entity under this
section is in the exclusive possession of any other agency,
institution, or person and the other agency, institution, or person
fails or refuses to furnish the information, the covered entity must so
certify and set forth what efforts it has made to obtain the
information.
(3) Protected health information obtained by the Secretary in
connection with an investigation or compliance review under this
subpart will not be disclosed by the Secretary, except if necessary for
ascertaining or enforcing compliance with the applicable administrative
simplification provisions, or if otherwise required by law.
Sec. 160.312 Secretarial action regarding complaints and compliance
reviews.
(a) Resolution when noncompliance is indicated. (1) If an
investigation of a complaint pursuant to Sec. 160.306 or a compliance
review pursuant to Sec. 160.308 indicates noncompliance, the Secretary
will attempt to reach a resolution of the matter satisfactory to the
Secretary by informal means. Informal means may include demonstrated
compliance or a completed corrective action plan or other agreement.
(2) If the matter is resolved by informal means, the Secretary will
so inform the covered entity and, if the matter arose from a complaint,
the complainant, in writing.
(3) If the matter is not resolved by informal means, the Secretary
will--
(i) So inform the covered entity and provide the covered entity an
opportunity to submit written evidence of any mitigating factors or
affirmative defenses for consideration under Sec. Sec. 160.408 and
160.410 of this part. The covered entity must submit any such evidence
to the Secretary within 30 days (computed in the same manner as
prescribed under Sec. 160.526 of this part) of receipt of such
notification; and
(ii) If, following action pursuant to paragraph (a)(3)(i) of this
section, the
Secretary finds that a civil money penalty should be imposed, inform
the covered entity of such finding in a notice of proposed
determination in accordance with Sec. 160.420 of this part.
(b) Resolution when no violation is found. If, after an
investigation pursuant to Sec. 160.306 or a compliance review pursuant
to Sec. 160.308, the Secretary determines that further action is not
warranted, the Secretary will so inform the covered entity and, if the
matter arose from a complaint, the complainant, in writing.
Sec. 160.314 Investigational subpoenas and inquiries.
(a) The Secretary may issue subpoenas in accordance with 42 U.S.C.
405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and
testimony of witnesses and the production of any other evidence during
an investigation or compliance review pursuant to this part. For
purposes of this paragraph, a person other than a natural person is
termed an ``entity.''
(1) A subpoena issued under this paragraph must--
(i) State the name of the person (including the entity, if
applicable) to whom the subpoena is addressed;
(ii) State the statutory authority for the subpoena;
(iii) Indicate the date, time, and place that the testimony will
take place;
(iv) Include a reasonably specific description of any documents or
items required to be produced; and
(v) If the subpoena is addressed to an entity, describe with
reasonable particularity the subject matter on which testimony is
required. In that event, the entity must designate one or more natural
persons who will testify on its behalf, and must state as to each such
person that person's name and address and the matters on which he or
she will testify. The designated person must testify as to matters
known or reasonably available to the entity.
(2) A subpoena under this section must be served by--
(i) Delivering a copy to the natural person named in the subpoena
or to the entity named in the subpoena at its last principal place of
business; or
(ii) Registered or certified mail addressed to the natural person
at his or her last known dwelling place or to the entity at its last
known principal place of business.
(3) A verified return by the natural person serving the subpoena
setting forth the manner of service or, in the case of service by
registered or certified mail, the signed return post office receipt,
constitutes proof of service.
(4) Witnesses are entitled to the same fees and mileage as
witnesses in the district courts of the United States (28 U.S.C. 1821
and 1825). Fees need not be paid at the time the subpoena is served.
(5) A subpoena under this section is enforceable through the
district court of the United States for the district where the
subpoenaed natural person resides or is found or where the entity
transacts business.
(b) Investigational inquiries are non-public investigational
proceedings conducted by the Secretary.
(1) Testimony at investigational inquiries will be taken under oath
or affirmation.
(2) Attendance of non-witnesses is discretionary with the
Secretary, except that a witness is entitled to be accompanied,
represented, and advised by an attorney.
(3) Representatives of the Secretary are entitled to attend and ask
questions.
(4) A witness will have the opportunity to clarify his or her
answers on the record following questioning by the Secretary.
(5) Any claim of privilege must be asserted by the witness on the
record.
(6) Objections must be asserted on the record. Errors of any kind
that might be corrected if promptly presented will be deemed to be
waived unless reasonable objection is made at the investigational
inquiry. Except where the objection is on the grounds of privilege, the
question will be answered on the record, subject to objection.
(7) If a witness refuses to answer any question not privileged or
to produce requested documents or items, or engages in conduct likely
to delay or obstruct the investigational inquiry, the Secretary may
seek enforcement of the subpoena under paragraph (a)(5) of this
section.
(8) The proceedings will be recorded and transcribed. The witness
is entitled to a copy of the transcript, upon payment of prescribed
costs, except that, for good cause, the witness may be limited to
inspection of the official transcript of his or her testimony.
(9)(i) The transcript will be submitted to the witness for
signature.
(A) Where the witness will be provided a copy of the transcript,
the transcript will be submitted to the witness for signature. The
witness may submit to the Secretary written proposed corrections to the
transcript, with such corrections attached to the transcript. If the
witness does not return a signed copy of the transcript or proposed
corrections within 30 days (computed in the same manner as prescribed
under Sec. 160.526 of this part) of its being submitted to him or her
for signature, the witness will be deemed to have agreed that the
transcript is true and accurate.
(B) Where, as provided in paragraph (b)(8) of this section, the
witness is limited to inspecting the transcript, the witness will have
the opportunity at the time of inspection to propose corrections to the
transcript, with corrections attached to the transcript. The witness
will also have the opportunity to sign the transcript. If the witness
does not sign the transcript or offer corrections within 30 days
(computed in the same manner as prescribed under Sec. 160.526 of this
part) of receipt of notice of the opportunity to inspect the
transcript, the witness will be deemed to have agreed that the
transcript is true and accurate.
(ii) The Secretary's proposed corrections to the record of
transcript will be attached to the transcript.
(c) Consistent with Sec. 160.310(c)(3), testimony and other
evidence obtained in an investigational inquiry may be used by HHS in
any of its activities and may be used or offered into evidence in any
administrative or judicial proceeding.
Sec. 160.316 Refraining from intimidation or retaliation.
A covered entity may not threaten, intimidate, coerce, harass,
discriminate against, or take any other retaliatory action against any
individual or other person for--
(a) Filing of a complaint under Sec. 160.306;
(b) Testifying, assisting, or participating in an investigation,
compliance review, proceeding, or hearing under this part; or
(c) Opposing any act or practice made unlawful by this subchapter,
provided the individual or person has a good faith belief that the
practice opposed is unlawful, and the manner of opposition is
reasonable and does not involve a disclosure of protected health
information in violation of subpart E of part 164 of this subchapter.
4. Add a new subpart D to read as follows:
Subpart D--Imposition of Civil Money Penalties
160.400 Applicability.
160.402 Basis for a civil money penalty.
160.404 Amount of a civil money penalty.
160.406 Violations of an identical requirement or prohibition.
160.408 Factors considered in determining the amount of a civil
money penalty.
160.410 Affirmative defenses.
160.412 Waiver.
160.414 Limitations.
160.416 Authority to settle.
160.418 Penalty not exclusive.
160.420 Notice of proposed determination.
160.422 Failure to request a hearing.
160.424 Collection of penalty.
160.426 Notification of the public and other agencies.
Sec. 160.400 Applicability.
This subpart applies to the imposition of a civil money penalty by
the Secretary under 42 U.S.C. 1320d-5.
Sec. 160.402 Basis for a civil money penalty.
(a) General rule. Subject to Sec. 160.410, the Secretary will
impose a civil money penalty upon a covered entity if the Secretary
determines that the covered entity has violated an administrative
simplification provision.
(b) Violation by more than one covered entity. (1) Except as
provided in paragraph (b)(2) of this section, if the Secretary
determines that more than one covered entity was responsible for a
violation, the Secretary will impose a civil money penalty against each
such covered entity.
(2) A covered entity that is a member of an affiliated covered
entity, in accordance with Sec. 164.105(b) of this subchapter, is
jointly and severally liable for a civil money penalty for a violation
of part 164 of this subchapter based on an act or omission of the
affiliated covered entity, unless it is established that another member
of the affiliated covered entity was responsible for the violation.
(c) Violation attributed to a covered entity. A covered entity is
liable, in accordance with the federal common law of agency, for a
civil money penalty for a violation based on the act or omission of any
agent of the covered entity, including a workforce member, acting
within the scope of the agency, unless--
(1) The agent is a business associate of the covered entity;
(2) The covered entity has complied, with respect to such business
associate, with the applicable requirements of Sec. Sec. 164.308(b)
and 164.502(e) of this subchapter; and
(3) The covered entity did not--
(i) Know of a pattern of activity or practice of the business
associate, and
(ii) Fail to act as required by Sec. Sec. 164.314(a)(1)(ii) and
164.504(e)(1)(ii) of this subchapter, as applicable.
Sec. 160.404 Amount of a civil money penalty.
(a) The amount of a civil money penalty will be determined in
accordance with paragraph (b) of this section and Sec. Sec. 160.406,
160.408, and 160.412.
(b) The amount of a civil money penalty that may be imposed is
subject to the following limitations:
(1) The Secretary may not impose a civil money penalty--
(i) In the amount of more than $100 for each violation; or
(ii) In excess of $25,000 for identical violations during a
calendar year (January 1 through the following December 31).
(2) If a requirement or prohibition in one administrative
simplification provision is repeated in a more general form in another
administrative simplification provision in the same subpart, a civil
money penalty may be imposed for a violation of only one of these
administrative simplification provisions.
Sec. 160.406 Violations of an identical requirement or prohibition.
The Secretary will determine the number of violations of an
administrative simplification provision based on the nature of the
covered entity's obligation to act or not act under the provision that
is violated, such as its obligation to act in a certain manner, or
within a certain time, or to act or not act with respect to certain
persons. In the case of continuing violation of a provision, a separate
violation occurs each day the covered entity is in violation of the
provision.
Sec. 160.408 Factors considered in determining the amount of a civil
money penalty.
In determining the amount of any civil money penalty, the Secretary
may consider as aggravating or mitigating factors, as appropriate, any
of the following:
(a) The nature of the violation, in light of the purpose of the
rule violated.
(b) The circumstances, including the consequences, of the
violation, including but not limited to:
(1) The time period during which the violation(s) occurred;
(2) Whether the violation caused physical harm;
(3) Whether the violation hindered or facilitated an individual's
ability to obtain health care; and
(4) Whether the violation resulted in financial harm.
(c) The degree of culpability of the covered entity, including but
not limited to:
(1) Whether the violation was intentional; and
(2) Whether the violation was beyond the direct control of the
covered entity.
(d) Any history of prior compliance with the administrative
simplification provisions, including violations, by the covered entity,
including but not limited to:
(1) Whether the current violation is the same or similar to prior
violation(s);
(2) Whether and to what extent the covered entity has attempted to
correct previous violations;
(3) How the covered entity has responded to technical assistance
from the Secretary provided in the context of a compliance effort; and
(4) How the covered entity has responded to prior complaints.
(e) The financial condition of the covered entity, including but
not limited to:
(1) Whether the covered entity had financial difficulties that
affected its ability to comply;
(2) Whether the imposition of a civil money penalty would
jeopardize the ability of the covered entity to continue to provide, or
to pay for, health care; and
(3) The size of the covered entity.
(f) Such other matters as justice may require.
Sec. 160.410 Affirmative defenses.
(a) As used in this section, the following terms have the following
meanings:
Reasonable cause means circumstances that would make it
unreasonable for the covered entity, despite the exercise of ordinary
business care and prudence, to comply with the administrative
simplification provision violated.
Reasonable diligence means the business care and prudence expected
from a person seeking to satisfy a legal requirement under similar
circumstances.
Willful neglect means conscious, intentional failure or reckless
indifference to the obligation to comply with the administrative
simplification provision violated.
(b) The Secretary may not impose a civil money penalty on a covered
entity for a violation if the covered entity establishes that an
affirmative defense exists with respect to the violation, including the
following:
(1) The violation is an act punishable under 42 U.S.C. 1320d-6;
(2) The covered entity establishes, to the satisfaction of the
Secretary, that it did not have knowledge of the violation, determined
in accordance with the federal common law of agency, and, by exercising
reasonable diligence, would not have known that the violation occurred;
or
(3) The violation is--
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity
liable for the penalty knew, or by exercising reasonable diligence
would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be
appropriate based on the nature and extent of the failure to comply.
Sec. 160.412 Waiver.
For violations described in Sec. 160.410(b)(3)(i) that are not
corrected within the period described in Sec. 160.410(b)(3)(ii), the
Secretary may waive the civil money penalty, in whole or in part, to
the extent that payment of the penalty would be excessive relative to
the violation.
Sec. 160.414 Limitations.
No action under this subpart may be entertained unless commenced by
the Secretary, in accordance with Sec. 160.420, within 6 years from
the date of the occurrence of the violation.
Sec. 160.416 Authority to settle.
Nothing in this subpart limits the authority of the Secretary to
settle any issue or case or to compromise any penalty.
Sec. 160.418 Penalty not exclusive.
Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1), a penalty
imposed under this part is in addition to any other penalty prescribed
by law.
Sec. 160.420 Notice of proposed determination.
(a) If a penalty is proposed in accordance with this part, the
Secretary must deliver, or send by certified mail with return receipt
requested, to the respondent, written notice of the Secretary's intent
to impose a penalty. This notice of proposed determination must
include--
(1) Reference to the statutory basis for the penalty;
(2) A description of the findings of fact regarding the violations
with respect to which the penalty is proposed (except that, in any case
where the Secretary is relying upon a statistical sampling study in
accordance with Sec. 160.536 of this part, the notice must provide a
copy of the study relied upon by the Secretary);
(3) The reason(s) why the violation(s) subject(s) the respondent to
a penalty;
(4) The amount of the proposed penalty;
(5) Any circumstances described in Sec. 160.408 that were
considered in determining the amount of the proposed penalty; and
(6) Instructions for responding to the notice, including a
statement of the respondent's right to a hearing, a statement that
failure to request a hearing within 90 days permits the imposition of
the proposed penalty without the right to a hearing under Sec. 160.504
or a right of appeal under Sec. 160.548 of this part, and the address
to which the hearing request must be sent.
(b) The respondent may request a hearing before an ALJ on the
proposed penalty by filing a request in accordance with Sec. 160.504
of this part.
Sec. 160.422 Failure to request a hearing.
If the respondent does not request a hearing within the time
prescribed by Sec. 160.504 of this part and the matter is not settled
pursuant to Sec. 160.416, the Secretary will impose the proposed
penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5. The
Secretary will notify the respondent by certified mail, return receipt
requested, of any penalty that has been imposed and of the means by
which the respondent may satisfy the penalty, and the penalty is final
on receipt of the notice. The respondent has no right to appeal a
penalty under Sec. 160.548 of this part with respect to which the
respondent has not timely requested a hearing.
Sec. 160.424 Collection of penalty.
(a) Once a determination of the Secretary to impose a penalty has
become final, the penalty will be collected by the Secretary, subject
to the first sentence of 42 U.S.C. 1320a-7a(f).
(b) The penalty may be recovered in a civil action brought in the
United States district court for the district where the respondent
resides, is found, or is located.
(c) The amount of a penalty, when finally determined, or the amount
agreed upon in compromise, may be deducted from any sum then or later
owing by the United States, or by a State agency, to the respondent.
(d) Matters that were raised or that could have been raised in a
hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may
not be raised as a defense in a civil action by the United States to
collect a penalty under this part.
Sec. 160.426 Notification of the public and other agencies.
Whenever a proposed penalty becomes final, the Secretary will
notify, in such manner as the Secretary deems appropriate, the public
and the following organizations and entities thereof and the reason it
was imposed: the appropriate State or local medical or professional
organization, the appropriate State agency or agencies administering or
supervising the administration of State health care programs (as
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and
quality control peer review organization, and the appropriate State or
local licensing agency or organization (including the agency specified
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).
5. Revise subpart E of this part to read as follows:
Subpart E--Procedures for Hearings
Sec.
160.500 Applicability.
160.502 Definitions.
160.504 Hearing before an ALJ.
160.506 Rights of the parties.
160.508 Authority of the ALJ.
160.510 Ex parte contacts.
160.512 Prehearing conferences.
160.514 Authority to settle.
160.516 Discovery.
160.518 Exchange of witness lists, witness statements, and exhibits.
160.520 Subpoenas for attendance at hearing.
160.522 Fees.
160.524 Form, filing, and service of papers.
160.526 Computation of time.
160.528 Motions.
160.530 Sanctions.
160.532 Collateral estoppel.
160.534 The hearing.
160.536 Statistical sampling.
160.538 Witnesses.
160.540 Evidence.
160.542 The record.
160.544 Post hearing briefs.
160.546 ALJ's decision.
160.548 Appeal of the ALJ's decision.
160.550 Stay of the Secretary's decision.
160.552 Harmless error.
Sec. 160.500 Applicability.
This subpart applies to hearings conducted relating to the
imposition of a civil money penalty by the Secretary under 42 U.S.C.
1320d-5.
Sec. 160.502 Definitions.
As used in this subpart, the following term has the following
meaning:
Board means the members of the HHS Departmental Appeals Board, in
the Office of the Secretary, who issue decisions in panels of three.
Sec. 160.504 Hearing before an ALJ.
(a) A respondent may request a hearing before an ALJ. The parties
to the hearing proceeding consist of--
(1) The respondent; and
(2) The officer(s) or employee(s) of HHS to whom the enforcement
authority involved has been delegated.
(b) The request for a hearing must be made in writing signed by the
respondent or by the respondent's attorney and sent by certified mail,
return receipt requested, to the address specified in the notice of
proposed determination. The request for a hearing must be mailed within
90 days after notice of the proposed determination is received by the
respondent. For purposes of this section, the
respondent's date of receipt of the notice of proposed determination is
presumed to be 5 days after the date of the notice unless the
respondent makes a reasonable showing to the contrary to the ALJ.
(c) The request for a hearing must clearly and directly admit,
deny, or explain each of the findings of fact contained in the notice
of proposed determination with regard to which the respondent has any
knowledge. If the respondent has no knowledge of a particular finding
of fact and so states, the finding shall be deemed denied. The request
for a hearing must also state the circumstances or arguments that the
respondent alleges constitute the grounds for any defense and the
factual and legal basis for opposing the penalty, except that a
respondent may raise an affirmative defense under Sec. 160.410(b)(1)
at any time.
(d) The ALJ must dismiss a hearing request where--
(1) On motion of the Secretary, the ALJ determines that the
respondent's hearing request is not timely filed as required by
paragraphs (b) or does not meet the requirements of paragraph (c) of
this section;
(2) The respondent withdraws the request for a hearing;
(3) The respondent abandons the request for a hearing; or
(4) The respondent's hearing request fails to raise any issue that
may properly be addressed in a hearing.
Sec. 160.506 Rights of the parties.
(a) Except as otherwise limited by this subpart, each party may--
(1) Be accompanied, represented, and advised by an attorney;
(2) Participate in any conference held by the ALJ;
(3) Conduct discovery of documents as permitted by this subpart;
(4) Agree to stipulations of fact or law that will be made part of
the record;
(5) Present evidence relevant to the issues at the hearing;
(6) Present and cross-examine witnesses;
(7) Present oral arguments at the hearing as permitted by the ALJ;
and
(8) Submit written briefs and proposed findings of fact and
conclusions of law after the hearing.
(b) A party may appear in person or by a representative. Natural
persons who appear as an attorney or other representative must conform
to the standards of conduct and ethics required of practitioners before
the courts of the United States.
(c) Fees for any services performed on behalf of a party by an
attorney are not subject to the provisions of 42 U.S.C. 406, which
authorizes the Secretary to specify or limit their fees.
Sec. 160.508 Authority of the ALJ.
(a) The ALJ must conduct a fair and impartial hearing, avoid delay,
maintain order, and ensure that a record of the proceeding is made.
(b) The ALJ may--
(1) Set and change the date, time and place of the hearing upon
reasonable notice to the parties;
(2) Continue or recess the hearing in whole or in part for a
reasonable period of time;
(3) Hold conferences to identify or simplify the issues, or to
consider other matters that may aid in the expeditious disposition of
the proceeding;
(4) Administer oaths and affirmations;
(5) Issue subpoenas requiring the attendance of witnesses at
hearings and the production of documents at or in relation to hearings;
(6) Rule on motions and other procedural matters;
(7) Regulate the scope and timing of documentary discovery as
permitted by this subpart;
(8) Regulate the course of the hearing and the conduct of
representatives, parties, and witnesses;
(9) Examine witnesses;
(10) Receive, rule on, exclude, or limit evidence;
(11) Upon motion of a party, take official notice of facts;
(12) Conduct any conference, argument or hearing in person or, upon
agreement of the parties, by telephone; and
(13) Upon motion of a party, decide cases, in whole or in part, by
summary judgment where there is no disputed issue of material fact. A
summary judgment decision constitutes a hearing on the record for the
purposes of this subpart.
(c) The ALJ--
(1) May not find invalid or refuse to follow Federal statutes,
regulations, or Secretarial delegations of authority and must give
deference to published guidance to the extent not inconsistent with
statute or regulation;
(2) May not enter an order in the nature of a directed verdict;
(3) May not compel settlement negotiations;
(4) May not enjoin any act of the Secretary; or
(5) May not review the exercise of discretion by the Secretary with
respect to whether to grant an extension under Sec.
160.410(b)(3)(ii)(B) of this part or to provide technical assistance
under 42 U.S.C. 1320d-5(b)(3)(B).
Sec. 160.510 Ex parte contacts.
No party or person (except employees of the ALJ's office) may
communicate in any way with the ALJ on any matter at issue in a case,
unless on notice and opportunity for both parties to participate. This
provision does not prohibit a party or person from inquiring about the
status of a case or asking routine questions concerning administrative
functions or procedures.
Sec. 160.512 Prehearing conferences.
(a) The ALJ must schedule at least one prehearing conference, and
may schedule additional prehearing conferences as appropriate, upon
reasonable notice, which may not be less than 14 business days, to the
parties.
(b) The ALJ may use prehearing conferences to discuss the
following--
(1) Simplification of the issues;
(2) The necessity or desirability of amendments to the pleadings,
including the need for a more definite statement;
(3) Stipulations and admissions of fact or as to the contents and
authenticity of documents;
(4) Whether the parties can agree to submission of the case on a
stipulated record;
(5) Whether a party chooses to waive appearance at an oral hearing
and to submit only documentary evidence (subject to the objection of
the other party) and written argument;
(6) Limitation of the number of witnesses;
(7) Scheduling dates for the exchange of witness lists and of
proposed exhibits;
(8) Discovery of documents as permitted by this subpart;
(9) The time and place for the hearing;
(10) The potential for the settlement of the case by the parties;
and
(11) Other matters as may tend to encourage the fair, just and
expeditious disposition of the proceedings, including the protection of
privacy of individually identifiable health information that may be
submitted into evidence or otherwise used in the proceeding, if
appropriate.
(c) The ALJ must issue an order containing the matters agreed upon
by the parties or ordered by the ALJ at a prehearing conference.
Sec. 160.514 Authority to settle.
The Secretary has exclusive authority to settle any issue or case
without the consent of the ALJ.
Sec. 160.516 Discovery.
(a) A party may make a request to another party for production of
documents for inspection and copying
that are relevant and material to the issues before the ALJ.
(b) For the purpose of this section, the term ``documents''
includes information, reports, answers, records, accounts, papers and
other data and documentary evidence. Nothing contained in this section
may be interpreted to require the creation of a document, except that
requested data stored in an electronic data storage system must be
produced in a form accessible to the requesting party.
(c) Requests for documents, requests for admissions, written
interrogatories, depositions and any forms of discovery, other than
those permitted under paragraph (a) of this section, are not
authorized.
(d) This section may not be construed to require the disclosure of
interview reports or statements obtained by any party, or on behalf of
any party, of persons who will not be called as witnesses by that
party, or analyses and summaries prepared in conjunction with the
investigation or litigation of the case, or any otherwise privileged
documents.
(e)(1) When a request for production of documents has been
received, within 30 days the party receiving that request must either
fully respond to the request, or state that the request is being
objected to and the reasons for that objection. If objection is made to
part of an item or category, the part must be specified. Upon receiving
any objections, the party seeking production may then, within 30 days
or any other time frame set by the ALJ, file a motion for an order
compelling discovery. The party receiving a request for production may
also file a motion for protective order any time before the date the
production is due.
(2) The ALJ may grant a motion for protective order or deny a
motion for an order compelling discovery if the ALJ finds that the
discovery sought--
(i) Is irrelevant;
(ii) Is unduly costly or burdensome;
(iii) Will unduly delay the proceeding; or
(iv) Seeks privileged information.
(3) The ALJ may extend any of the time frames set forth in
paragraph (e)(1) of this section.
(4) The burden of showing that discovery should be allowed is on
the party seeking discovery.
Sec. 160.518 Exchange of witness lists, witness statements, and
exhibits.
(a) The parties must exchange witness lists, copies of prior
written statements of proposed witnesses, and copies of proposed
hearing exhibits, including copies of any written statements that the
party intends to offer in lieu of live testimony in accordance with
Sec. 160.538, not more than 60, and not less than 15, days before the
scheduled hearing, except that if a respondent intends to introduce the
evidence of a statistical expert, the respondent must provide the
Secretarial party with a copy of the statistical expert's report not
less than 30 days before the scheduled hearing.
(b)(1) If, at any time, a party objects to the proposed admission
of evidence not exchanged in accordance with paragraph (a) of this
section, the ALJ must determine whether the failure to comply with
paragraph (a) of this section should result in the exclusion of that
evidence.
(2) Unless the ALJ finds that extraordinary circumstances justified
the failure timely to exchange the information listed under paragraph
(a) of this section, the ALJ must exclude from the party's case-in-
chief--
(i) The testimony of any witness whose name does not appear on the
witness list; and
(ii) Any exhibit not provided to the opposing party as specified in
paragraph (a) of this section.
(3) If the ALJ finds that extraordinary circumstances existed, the
ALJ must then determine whether the admission of that evidence would
cause substantial prejudice to the objecting party.
(i) If the ALJ finds that there is no substantial prejudice, the
evidence may be admitted.
(ii) If the ALJ finds that there is substantial prejudice, the ALJ
may exclude the evidence, or, if he or she does not exclude the
evidence, must postpone the hearing for such time as is necessary for
the objecting party to prepare and respond to the evidence, unless the
objecting party waives postponement.
(c) Unless the other party objects within a reasonable period of
time before the hearing, documents exchanged in accordance with
paragraph (a) of this section will be deemed to be authentic for the
purpose of admissibility at the hearing.
Sec. 160.520 Subpoenas for attendance at hearing.
(a) A party wishing to procure the appearance and testimony of any
person at the hearing may make a motion requesting the ALJ to issue a
subpoena if the appearance and testimony are reasonably necessary for
the presentation of a party's case.
(b) A subpoena requiring the attendance of a person in accordance
with paragraph (a) of this section may also require the person (whether
or not the person is a party) to produce relevant and material evidence
at or before the hearing.
(c) When a subpoena is served by a respondent on a particular
employee or official or particular office of HHS, the Secretary may
comply by designating any knowledgeable HHS representative to appear
and testify.
(d) A party seeking a subpoena must file a written motion not less
than 30 days before the date fixed for the hearing, unless otherwise
allowed by the ALJ for good cause shown. That motion must--
(1) Specify any evidence to be produced;
(2) Designate the witnesses; and
(3) Describe the address and location with sufficient particularity
to permit those witnesses to be found.
(e) The subpoena must specify the time and place at which the
witness is to appear and any evidence the witness is to produce.
(f) Within 15 days after the written motion requesting issuance of
a subpoena is served, any party may file an opposition or other
response.
(g) If the motion requesting issuance of a subpoena is granted, the
party seeking the subpoena must serve it by delivery to the person
named, or by certified mail addressed to that person at the person's
last dwelling place or principal place of business.
(h) The person to whom the subpoena is directed may file with the
ALJ a motion to quash the subpoena within 10 days after service.
(i) The exclusive remedy for contumacy by, or refusal to obey a
subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).
Sec. 160.522 Fees.
The party requesting a subpoena must pay the cost of the fees and
mileage of any witness subpoenaed in the amounts that would be payable
to a witness in a proceeding in United States District Court. A check
for witness fees and mileage must accompany the subpoena when served,
except that, when a subpoena is issued on behalf of the Secretary, a
check for witness fees and mileage need not accompany the subpoena.
Sec. 160.524 Form, filing, and service of papers.
(a) Forms. (1) Unless the ALJ directs the parties to do otherwise,
documents filed with the ALJ must include an original and two copies.
(2) Every pleading and paper filed in the proceeding must contain a
caption setting forth the title of the action, the case number, and a
designation of the paper, such as motion to quash subpoena.
(3) Every pleading and paper must be signed by and must contain the
address and telephone number of the party or the person on whose behalf
the paper was filed, or his or her representative.
(4) Papers are considered filed when they are mailed.
(b) Service. A party filing a document with the ALJ or the Board
must, at the time of filing, serve a copy of the document on the other
party. Service upon any party of any document must be made by
delivering a copy, or placing a copy of the document in the United
States mail, postage prepaid and addressed, or with a private delivery
service, to the party's last known address. When a party is represented
by an attorney, service must be made upon the attorney in lieu of the
party.
(c) Proof of service. A certificate of the natural person serving
the document by personal delivery or by mail, setting forth the manner
of service, constitutes proof of service.
Sec. 160.526 Computation of time.
(a) In computing any period of time under this subpart or in an
order issued thereunder, the time begins with the day following the
act, event or default, and includes the last day of the period unless
it is a Saturday, Sunday, or legal holiday observed by the Federal
Government, in which event it includes the next business day.
(b) When the period of time allowed is less than 7 days,
intermediate Saturdays, Sundays, and legal holidays observed by the
Federal Government must be excluded from the computation.
(c) Where a document has been served or issued by placing it in the
mail, an additional 5 days must be added to the time permitted for any
response. This paragraph does not apply to requests for hearing under
Sec. 160.504.
Sec. 160.528 Motions.
(a) An application to the ALJ for an order or ruling must be by
motion. Motions must state the relief sought, the authority relied upon
and the facts alleged, and must be filed with the ALJ and served on all
other parties.
(b) Except for motions made during a prehearing conference or at
the hearing, all motions must be in writing. The ALJ may require that
oral motions be reduced to writing.
(c) Within 10 days after a written motion is served, or such other
time as may be fixed by the ALJ, any party may file a response to the
motion.
(d) The ALJ may not grant a written motion before the time for
filing responses has expired, except upon consent of the parties or
following a hearing on the motion, but may overrule or deny the motion
without awaiting a response.
(e) The ALJ must make a reasonable effort to dispose of all
outstanding motions before the beginning of the hearing.
Sec. 160.530 Sanctions.
The ALJ may sanction a person, including any party or attorney, for
failing to comply with an order or procedure, for failing to defend an
action or for other misconduct that interferes with the speedy, orderly
or fair conduct of the hearing. The sanctions must reasonably relate to
the severity and nature of the failure or misconduct. The sanctions may
include--
(a) In the case of refusal to provide or permit discovery under the
terms of this part, drawing negative factual inferences or treating the
refusal as an admission by deeming the matter, or certain facts, to be
established;
(b) Prohibiting a party from introducing certain evidence or
otherwise supporting a particular claim or defense;
(c) Striking pleadings, in whole or in part;
(d) Staying the proceedings;
(e) Dismissal of the action;
(f) Entering a decision by default;
(g) Ordering the party or attorney to pay the attorney's fees and
other costs caused by the failure or misconduct; and
(h) Refusing to consider any motion or other action that is not
filed in a timely manner.
Sec. 160.532 Collateral estoppel.
When a final determination that the respondent violated an
administrative simplification provision has been rendered in any
proceeding in which the respondent was a party and had an opportunity
to be heard, the respondent is bound by that determination in any
proceeding under this part.
Sec. 160.534 The hearing.
(a) The ALJ must conduct a hearing on the record in order to
determine whether the respondent should be found liable under this
part.
(b) (1) The respondent has the burden of going forward and the
burden of persuasion with respect to any:
(i) Affirmative defense pursuant to Sec. 160.410 of this part;
(ii) Challenge to the amount of a proposed penalty pursuant to
Sec. Sec. 160.404-160.408 of this part, including any factors raised
as mitigating factors; or
(iii) Claim that a proposed penalty should be reduced or waived
pursuant to Sec. 160.412 of this part.
(2) The Secretary has the burden of going forward and the burden of
persuasion with respect to all other issues, including issues of
liability and the existence of any factors considered as aggravating
factors in determining the amount of the proposed penalty.
(3) The burden of persuasion will be judged by a preponderance of
the evidence.
(c) The hearing must be open to the public unless otherwise ordered
by the ALJ for good cause shown.
(d)(1) Subject to the 15-day rule under Sec. 160.518(a) and the
admissibility of evidence under Sec. 160.540, either party may
introduce, during its case in chief, items or information that arose or
became known after the date of the issuance of the notice of proposed
determination or the request for hearing, as applicable. Such items and
information may not be admitted into evidence, if introduced--
(i) By the Secretary, unless they are material and relevant to the
acts or omissions with respect to which the penalty is proposed in the
notice of proposed determination pursuant to Sec. 160.420 of this
part, including circumstances that may increase penalties; or
(ii) By the respondent, unless they are material and relevant to an
admission, denial or explanation of a finding of fact in the notice of
proposed determination under Sec. 160.420 of this part, or to a
specific circumstance or argument expressly stated in the request for
hearing under Sec. 160.504, including circumstances that may reduce
penalties.
(2) After both parties have presented their cases, evidence may be
admitted in rebuttal even if not previously exchanged in accordance
with Sec. 160.518.
Sec. 160.536 Statistical sampling.
(a) In meeting the burden of proof set forth in Sec. 160.534, the
Secretary may introduce the results of a statistical sampling study as
evidence of the number of violations under Sec. 160.406 of this part,
or the factors considered in determining the amount of the civil money
penalty under Sec. 160.408 of this part. Such statistical sampling
study, if based upon an appropriate sampling and computed by valid
statistical methods, constitutes prima facie evidence of the number of
violations and the existence of factors material to the proposed civil
money penalty as described in Sec. Sec. 160.406 and 160.408.
(b) Once the Secretary has made a prima facie case, as described in
paragraph (a) of this section, the burden of going forward shifts to
the respondent
to produce evidence reasonably calculated to rebut the findings of the
statistical sampling study. The Secretary will then be given the
opportunity to rebut this evidence.
Sec. 160.538 Witnesses.
(a) Except as provided in paragraph (b) of this section, testimony
at the hearing must be given orally by witnesses under oath or
affirmation.
(b) At the discretion of the ALJ, testimony of witnesses other than
the testimony of expert witnesses may be admitted in the form of a
written statement. The ALJ may, at his or her discretion, admit prior
sworn testimony of experts that has been subject to adverse
examination, such as a deposition or trial testimony. Any such written
statement must be provided to the other party, along with the last
known address of the witness, in a manner that allows sufficient time
for the other party to subpoena the witness for cross-examination at
the hearing. Prior written statements of witnesses proposed to testify
at the hearing must be exchanged as provided in Sec. 160.518.
(c) The ALJ must exercise reasonable control over the mode and
order of interrogating witnesses and presenting evidence so as to:
(1) Make the interrogation and presentation effective for the
ascertainment of the truth;
(2) Avoid repetition or needless consumption of time; and
(3) Protect witnesses from harassment or undue embarrassment.
(d) The ALJ must permit the parties to conduct cross-examination of
witnesses as may be required for a full and true disclosure of the
facts.
(e) The ALJ may order witnesses excluded so that they cannot hear
the testimony of other witnesses, except that the ALJ may not order to
be excluded--
(1) A party who is a natural person;
(2) In the case of a party that is not a natural person, the
officer or employee of the party appearing for the entity pro se or
designated as the party's representative; or
(3) A natural person whose presence is shown by a party to be
essential to the presentation of its case, including a person engaged
in assisting the attorney for the Secretary.
Sec. 160.540 Evidence.
(a) The ALJ must determine the admissibility of evidence.
(b) Except as provided in this subpart, the ALJ is not bound by the
Federal Rules of Evidence. However, the ALJ may apply the Federal Rules
of Evidence where appropriate, for example, to exclude unreliable
evidence.
(c) The ALJ must exclude irrelevant or immaterial evidence.
(d) Although relevant, evidence may be excluded if its probative
value is substantially outweighed by the danger of unfair prejudice,
confusion of the issues, or by considerations of undue delay or
needless presentation of cumulative evidence.
(e) Although relevant, evidence must be excluded if it is
privileged under Federal law.
(f) Evidence concerning offers of compromise or settlement are
inadmissible to the extent provided in Rule 408 of the Federal Rules of
Evidence.
(g) Evidence of crimes, wrongs, or acts other than those at issue
in the instant case is admissible in order to show motive, opportunity,
intent, knowledge, preparation, identity, lack of mistake, or existence
of a scheme. This evidence is admissible regardless of whether the
crimes, wrongs, or acts occurred during the statute of limitations
period applicable to the acts or omissions that constitute the basis
for liability in the case and regardless of whether they were
referenced in the Secretary's notice of proposed determination under
Sec. 160.420 of this part.
(h) The ALJ must permit the parties to introduce rebuttal witnesses
and evidence.
(i) All documents and other evidence offered or taken for the
record must be open to examination by both parties, unless otherwise
ordered by the ALJ for good cause shown.
Sec. 160.542 The record.
(a) The hearing must be recorded and transcribed. Transcripts may
be obtained following the hearing from the ALJ. A party that requests a
transcript of hearing proceedings must pay the cost of preparing the
transcript unless, for good cause shown by the party, the payment is
waived by the ALJ or the Board, as appropriate.
(b) The transcript of the testimony, exhibits, and other evidence
admitted at the hearing, and all papers and requests filed in the
proceeding constitute the record for decision by the ALJ and the
Secretary.
(c) The record may be inspected and copied (upon payment of a
reasonable fee) by any person, unless otherwise ordered by the ALJ for
good cause shown.
(d) For good cause, the ALJ may order appropriate redactions made
to the record.
Sec. 160.544 Post hearing briefs.
The ALJ may require the parties to file post-hearing briefs. In any
event, any party may file a post-hearing brief. The ALJ must fix the
time for filing the briefs. The time for filing may not exceed 60 days
from the date the parties receive the transcript of the hearing or, if
applicable, the stipulated record. The briefs may be accompanied by
proposed findings of fact and conclusions of law. The ALJ may permit
the parties to file reply briefs.
Sec. 160.546 ALJ's decision.
(a) The ALJ must issue a decision, based only on the record, which
must contain findings of fact and conclusions of law.
(b) The ALJ may affirm, increase, or reduce the penalties imposed
by the Secretary.
(c) The ALJ must issue the decision to both parties within 60 days
after the time for submission of post-hearing briefs and reply briefs,
if permitted, has expired. If the ALJ fails to meet the deadline
contained in this paragraph, he or she must notify the parties of the
reason for the delay and set a new deadline.
(d) Unless the decision of the ALJ is timely appealed as provided
for in Sec. 160.548, the decision of the ALJ will be final and binding
on the parties 60 days from the date of service of the ALJ's decision.
Sec. 160.548 Appeal of the ALJ's decision.
(a) Any party may appeal the decision of the ALJ to the Board by
filing a notice of appeal with the Board within 30 days of the date of
service of the ALJ decision. The Board may extend the initial 30 day
period for a period of time not to exceed 30 days if a party files with
the Board a request for an extension within the initial 30 day period
and shows good cause.
(b) If a party files a timely notice of appeal with the Board, the
ALJ must forward the record of the proceeding to the Board.
(c) A notice of appeal must be accompanied by a written brief
specifying exceptions to the initial decision and reasons supporting
the exceptions. Any party may file a brief in opposition to the
exceptions, which may raise any relevant issue not addressed in the
exceptions, within 30 days of receiving the notice of appeal and the
accompanying brief. The Board may permit the parties to file reply
briefs.
(d) There is no right to appear personally before the Board or to
appeal to the Board any interlocutory ruling by the ALJ.
(e) Except for an affirmative defense under Sec. 160.410(b)(1) of
this part, the Board may not consider any issue not raised in the
parties' briefs, nor any issue in the briefs that could have been
raised before the ALJ but was not.
(f) If any party demonstrates to the satisfaction of the Board that
additional evidence not presented at such hearing is relevant and
material and that there were reasonable grounds for the failure to
adduce such evidence at the hearing, the Board may remand the matter to
the ALJ for consideration of such additional evidence.
(g) The Board may decline to review the case, or may affirm,
increase, reduce, reverse or remand any penalty determined by the ALJ.
(h) The standard of review on a disputed issue of fact is whether
the initial decision of the ALJ is supported by substantial evidence on
the whole record. The standard of review on a disputed issue of law is
whether the decision is erroneous.
(i) Within 60 days after the time for submission of briefs and
reply briefs, if permitted, has expired, the Board must serve on each
party to the appeal a copy of the Board's decision and a statement
describing the right of any respondent who is penalized to seek
judicial review.
(j)(1) The Board's decision under paragraph (i) of this section,
including a decision to decline review of the initial decision, becomes
the final decision of the Secretary 60 days after the date of service
of the Board's decision, except with respect to a decision to remand to
the ALJ or if reconsideration is requested under this paragraph.
(2) The Board will reconsider its decision only if it determines
that the decision contains a clear error of fact or error of law. New
evidence will not be a basis for reconsideration unless the party
demonstrates that the evidence is newly discovered and was not
previously available.
(3) A party may file a motion for reconsideration with the Board
before the date the decision becomes final under paragraph (j)(1) of
this section. A motion for reconsideration must be accompanied by a
written brief specifying any alleged error of fact or law and, if the
party is relying on additional evidence, explaining why the evidence
was not previously available. Any party may file a brief in opposition
within 15 days of receiving the motion for reconsideration and the
accompanying brief unless this time limit is extended by the Board for
good cause shown. Reply briefs are not permitted.
(4) The Board must rule on the motion for reconsideration not later
than 30 days from the date the opposition brief is due. If the Board
denies the motion, the decision issued under paragraph (i) of this
section becomes the final decision of the Secretary on the date of
service of the ruling. If the Board grants the motion, the Board will
issue a reconsidered decision, after such procedures as the Board
determines necessary to address the effect of any error. The Board's
decision on reconsideration becomes the final decision of the Secretary
on the date of service of the decision, except with respect to a
decision to remand to the ALJ.
(5) If service of a ruling or decision issued under this section is
by mail, the date of service will be deemed to be 5 days from the date
of mailing.
(k)(1) A respondent's petition for judicial review must be filed
within 60 days of the date on which the decision of the Board becomes
the final decision of the Secretary under paragraph (j) of this
section.
(2) In compliance with 28 U.S.C. 2112(a), a copy of any petition
for judicial review filed in any U.S. Court of Appeals challenging the
final decision of the Secretary must be sent by certified mail, return
receipt requested, to the General Counsel of HHS. The petition copy
must be a copy showing that it has been time-stamped by the clerk of
the court when the original was filed with the court.
(3) If the General Counsel of HHS received two or more petitions
within 10 days after the final decision of the Secretary, the General
Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation
of any petitions that were received within the 10 day period.
Sec. 160.550 Stay of the Secretary's decision.
(a) Pending judicial review, the respondent may file a request for
stay of the effective date of any penalty with the ALJ. The request
must be accompanied by a copy of the notice of appeal filed with the
Federal court. The filing of the request automatically stays the
effective date of the penalty until such time as the ALJ rules upon the
request.
(b) The ALJ may not grant a respondent's request for stay of any
penalty unless the respondent posts a bond or provides other adequate
security.
(c) The ALJ must rule upon a respondent's request for stay within
10 days of receipt.
Sec. 160.552 Harmless error.
No error in either the admission or the exclusion of evidence, and
no error or defect in any ruling or order or in any act done or omitted
by the ALJ or by any of the parties is ground for vacating, modifying
or otherwise disturbing an otherwise appropriate ruling or order or
act, unless refusal to take such action appears to the ALJ or the Board
inconsistent with substantial justice. The ALJ and the Board at every
stage of the proceeding must disregard any error or defect in the
proceeding that does not affect the substantial rights of the parties.
PART 164--SECURITY AND PRIVACY
1. The authority citation for part 164 is revised to read as follows:
Authority: 42 U.S.C. 1320d-1320d-8 and sec. 264, Pub. L. No.
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).
2. In Sec. 164.530, revise paragraph (g) to read as follows:
Sec. 164.530 Administrative requirements.
* * * * *
(g) Standard: refraining from intimidating or retaliatory acts. A
covered entity--
(1) May not intimidate, threaten, coerce, discriminate against, or
take other retaliatory action against any individual for the exercise
by the individual of any right established, or for participation in any
process provided for by this subpart, including the filing of a
complaint under this section; and
(2) Must refrain from intimidation and retaliation as provided in
Sec. 160.316 of this subchapter.
* * * * *
[FR Doc. 06-1376 Filed 2-10-06; 2:59 pm]
BILLING CODE 4153-01-P