Recently the Department of Health and Human Services (HHS) published its "interim rule" (the Interim Rule) establishing the procedures for the imposition by the Secretary of HHS of civil money penalties to covered entities who violate the standards adopted under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The Interim Rule does not address substantive issues relating to civil money penalties, such as how violations will be established or the manner in which penalties will be calculated. Additionally, the Interim Rule also does not address the imposition of criminal penalties for violations of the Administrative Simplification standards of HIPAA, which will be handled by the Department of Justice. HHS revealed that these rules would be the "first installment" of a larger set that will become the "Enforcement Rule." When complete, the Enforcement Rule will set forth procedural and substantive requirements for the imposition of civil money penalties. The Interim Rule became effective on May 19, 2003 and will expire sixteen months after such date. HHS is seeking comments on the Interim Rule. Comments must be submitted by June 16, 2003.
While the text and preamble to the Interim Rule do not provide readers with too many surprises regarding enforcement of HIPAA, the Interim Rule does clarify that only "covered entities," which consist of health plans, health care clearinghouses and health care providers (as defined in HIPAA), will be subject to civil money penalties. The preamble to the Interim Rule also reiterates what HHS has been publicizing for months now: that HHS intends to seek and promote "voluntary compliance" with the HIPAA standards and that most enforcement will be complaint driven. Furthermore, the Interim Rule makes clear that HHS’ enforcement approach will be similar in form and structure to the procedures that the Office of Inspector General (OIG) adopts in administering its civil monetary penalties for violations of certain federal health program laws.
Another positive aspect of the Interim Rule for covered entities is that HHS’ Office for Civil Rights (OCR), which has been designated as the entity that will enforce the HIPAA Privacy Standards, has been directed by HHS to attempt to resolve potential violations of the Privacy Standards in an informal matter, by providing covered entities an opportunity to demonstrate compliance or by allowing them to submit a corrective action plan, before issuing civil money penalties. The Centers for Medicare and Medicaid Services (CMS), which has been designated as the agency responsible for administering and enforcing the remaining HIPAA regulations (including the Transactions and Code Sets Standards and the Security Standards) will also attempt to resolve matters by informal means.
The civil money penalty for violating a HIPAA standard is no more than $100 per violation, except that the total amount imposed on a person for all violations of a single requirement or prohibition may not exceed $25,000 per calendar year. The procedures that are established in the Interim Rule are applicable to any investigations conducted, penalties imposed, hearings conducted and subpoenas issued as a result of a proposed imposition of a civil money penalty. When HHS investigates the imposition of a civil money penalty, it will have the authority to issue investigational subpoenas and conduct non-public investigational inquiries. It will also have the authority to settle any case before it imposes a civil money penalty to a covered entity.
The Interim Rule sets forth the following procedures for the imposition of civil money penalties:
HHS has six years from the date of the alleged occurrence that forms the basis for the violation of the HIPAA standard to send formal written notice of intent to impose a civil money penalty
Written notice to the alleged violator from HHS must include: a reference to the basis for the penalty; a description of the findings of fact regarding the alleged act; a reason as to why the act subjects the covered entity to a civil money penalty; the amount of the proposed penalty; and instructions on how to respond to the written notice
Upon receipt of the notice, a covered entity must request a hearing in writing within 60 days of receipt of the notice. Such request for a hearing must contain certain elements that are set forth in the Interim
If the alleged violator fails to request a hearing within the prescribed timeframe, HHS may impose the civil money penalty and such party’s right to appeal is automatically waived
Once a civil money penalty has been made final, HHS may collect such civil money penalty in a civil action in United States District Court or by deduction from any sum owed by the covered entity to the United States or a state agency
The Interim Rule also sets forth specific procedures and requirements for covered entities and the Administrative Law Judge (ALJ) to follow in the event that an alleged violator requests a hearing. At such hearing, which shall be open to the public, the parties may be represented by attorneys and may engage in limited discovery. Parties to the hearing may also request the ALJ to issue a subpoena directing any person to appear and testify if it is reasonably necessary for that person to be included in the case. Unlike the OIG’s rule for hearing procedures, the ALJ decision is the final decision of HHS, and the parties may seek direct judicial review to the United States Court of Appeals of any adverse decision. The parties do not have to endure a second level of administrative review before seeking judicial review.
As indicated above, the Interim Rule will be enhanced by additional installments which will eventually become the Enforcement Rule. HHS has indicated that when the substantive issues relating to civil money penalties are fleshed out in the Enforcement Rule, covered entities will receive further guidance on what constitutes a violation of HIPAA and how such penalties shall be calculated.
We look forward to assisting you in analyzing the implications of the Interim Rule and identifying ways to adjust your implementation efforts to ensure compliance with the Administrative Simplification provisions of HIPAA.