AGENCY:
Office of the Secretary, HHS.
ACTION:
Interim final rule; request for comments
SUMMARY:
The Secretary of the Department of Health and Human Services (HHS) adopts this interim final rule to conform the enforcement regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to the effective statutory revisions made pursuant to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). More specifically, this interim final rule amends HIPAA's enforcement regulations, as they relate to the imposition of civil money penalties, to incorporate the HITECH Act's categories of violations, tiered ranges of civil money penalty amounts, and revised limitations on the Secretary's authority to impose civil money penalties for established violations of HIPAA's Administrative Simplification rules (HIPAA rules). This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions. Such amendments will be subject to forthcoming rulemaking(s).
DATES:
Effective Date: This interim final rule is effective November 30, 2009.
Comment Date: Comments on this interim final rule will be considered if received at the appropriate address, as provided below, no later than December 29, 2009.
ADDRESSES:
Please submit comments to any one of the addresses specified below:
- Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov.
- Regular, Express, or Overnight Mail: You may mail written comments to the following address only: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: HIPAA Enforcement Rule IFR (RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201.
- Hand Delivery or Courier: If you prefer, you may deliver (by hand or courier) your written comments to the following address only: Office for Civil Rights, Attention: HIPAA Enforcement Rule IFR (RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington, DC 20201.
FOR FURTHER INFORMATION CONTACT:
Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION:
I. Public Participation
A. Instructions for Submission of Public Comments
Please follow these instructions when submitting public comments. Please use only one of these methods.
- Federal eRulemaking Portal: Follow the instructions for submitting electronic comments at http://www.regulations.gov. Attachments will be accepted in Microsoft Word, WordPerfect, or Excel format, though Microsoft Word format is preferred.
- Regular, Express, or Overnight Mail: Submit one original and two copies of mailed, written comments. Please allow sufficient time for timely receipt of mailed comments, as delivery may be subject to delay due to security procedures.
- Hand Delivery or Courier: Submit one original and two copies if delivering written comments by hand or by courier. Because access to the interior of the Hubert H. Humphrey Building is not readily available to persons without federal government identification, commenters are encouraged to leave their comments in the mail drop slots located in the main lobby of the building.
B. Inspection of Public Comments
All comments received before the close of the comment period will be available for public inspection, including any personally identifiable or confidential business information contained within each comment. We will post all comments received before the close of the comment period at http://www.regulations.gov.
II. Background
This interim final rule amends the sections within 45 CFR part 160 that relate to the authority of the Secretary of HHS (the Secretary) to impose civil money penalties on entities that violate the HIPAA rules adopted under subtitle F of title II of HIPAA. The interim final rule amends subpart D of part 160 to conform its language to the revisions that became effective on February 18, 2009, under section 1176 of the Social Security Act (the Act), 42 U.S.C. 1320d-5, which was revised pursuant to section 13410(d) of the HITECH Act, Public Law 111-5, 123 Stat. 115, and correspondingly amends the “Statutory basis and purpose” section in subpart A. HHS issues these amendments as an interim final rule with request for comments to immediately provide regulated entities with additional notice as to how the Secretary's civil money penalty authority has been strengthened by the HITECH Act and to explain HHS' implementation of such authority with respect to violations occurring on or after February 18, 2009. HHS also pursues this expedited rulemaking to avoid any public misunderstanding or undue delay with respect to implementing Congress' intent to strengthen enforcement of the HIPAA rules.
We set out below the statutory and regulatory background for this interim final rule and follow with a description of our approach to this rulemaking. We then discuss each section of the interim final rule, request comments from the public, and conclude with our analyses of impact and other issues considered under applicable law.
A. Statutory Background
HIPAA Prior to the HITECH Act
Subtitle F of title II of HIPAA, entitled “Administrative Simplification,” was enacted in 1996, for the purpose of improving the Medicare program under title XVIII of the Act, the Medicaid program under title XIX of the Act, and the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information. 42 U.S.C. 1320d note. To this end, subtitle F directs the Secretary to adopt national standards (HIPAA standards) for certain information-related activities and to protect the privacy and security of such information.
Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA provisions apply to the following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).
Under sections 1176 and 1177 of the Act, 42 U.S.C. 1320d-5 and 6, these persons or organizations, collectively referred to as “covered entities,” may be subject to civil money penalties and criminal penalties for violations of the HIPAA rules. HHS enforces the civil money penalties under section 1176 of the Act, and the U.S. Department of Justice enforces the criminal penalties under section 1177 of the Act.
Prior to the HITECH Act, section 1176(a) of the Act, 42 U.S.C. 1320d-5(a), authorized the Secretary to impose a civil money penalty, as follows:
(1) IN GENERAL. Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part [42 U.S.C. 1320d et seq.] a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
(2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 1320a-7a] (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.
Prior to the HITECH Act, section 1176(b) of the Act, 42 U.S.C. 1320d-5(b), set out limitations on the Secretary's above referenced authority to impose civil money penalties. Such limitations included prohibitions on imposing civil money penalties for: (1) An act that “constitutes an offense punishable under section 1177” of the Act (the criminal penalty provisions), (2) violations “if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision,” and (3) violations if the failure to comply was due “to reasonable cause and not to willful neglect” and was corrected during a 30-day time period or pursuant to an extension determined to be appropriate by the Secretary based on the nature and circumstances of the covered entity's failure to comply.
Section 13410(d) of the HITECH Act
The HITECH Act was incorporated into ARRA to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act, sections 13400-13424, addresses the privacy and security concerns associated with the electronic transmission of health information. It does so, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Many of these enforcement provisions became effective as of February 18, 2009, and are the impetus for this rulemaking. Other enforcement provisions have yet to become effective under the HITECH Act and are therefore subject to future rulemaking.
Section 13410(d) of the HITECH Act became effective February 18, 2009, revising section 1176 of the Act, 42 U.S.C. 1320d-5, to strengthen enforcement of the HIPAA rules in several ways. As modified, section 1176(a) establishes categories of violations that reflect increasing levels of culpability, requires that a penalty determination be based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation, and establishes tiers of increasing penalty amounts that establish, by reference, the range of the Secretary's authority to impose civil money penalties. The revised text of section 1176(a) that became effective February 18, 2009, pursuant to section 13410(d) of the HITECH Act is as follows:
GENERAL PENALTY.
(1) IN GENERAL. Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part—
(A) in the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D);
(B) in the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D); and
(C) in the case of a violation of such provision in which it is established that the violation was due to willful neglect—
(i) if the violation is corrected as described in subsection (b)(3)(A),[1] a penalty in an amount that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D); and
(ii) if the violation is not corrected as described in such subsection, a penalty in an amount that is at least the amount described in paragraph (3)(D).
In determining the amount of a penalty under this section for a violation, the Secretary shall base such determination on the nature and extent of the violation and the nature and extent of the harm resulting from such violation.
(2) PROCEDURES. The provisions of section 1128A (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.
(3) Tiers of penalties described.—For purposes of paragraph (1), with respect to a violation by a person of a provision of this part—
(A) the amount described in this subparagraph is $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000;
(B) the amount described in this subparagraph is $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000;
(C) the amount described in this subparagraph is $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and
(D) the amount described in this subparagraph is $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.
Section 13410(d) of the HITECH Act also revised section 1176(b) of the Act by: (1) Striking the affirmative defense for violations in which the covered entity did not know, or by reasonable diligence would not have known, of the violation (such violations are now punishable under the first tier of penalties); and (2) revising the subsection that provides an affirmative defense for a 30-day time period of correction to only require that the covered entity demonstrate the violation was not due to willful neglect (the statute previously also required a showing that the violation was due to reasonable cause). The revised statutory text of section 1176(b) that became effective February 18, 2009,[2] pursuant to section 13410(d) of the HITECH Act is as follows:
LIMITATIONS.
(1) OFFENSES OTHERWISE PUNISHABLE. No penalty may be imposed under subsection (a) and no damages obtained under subsection (d) with respect to an act if the act constitutes an offense punishable under section 1177.
(2) FAILURES DUE TO REASONABLE CAUSE.
(A) IN GENERAL. Except as provided in subparagraph (B) or subsection (a)(1)(C), no penalty may be imposed under subsection (a) and no damages obtained under subsection (d) if the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.
(B) EXTENSION OF PERIOD.—
(i) NO PENALTY.—With respect to the imposition of a penalty by the Secretary under subsection (a), the period referred to in subparagraph (A) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.
(ii) ASSISTANCE.—If the Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person during the period described in subparagraph (A). Such assistance shall be provided in any manner determined appropriate by the Secretary.
(3) REDUCTION.—In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) and any damages under subsection (d) that is not entirely waived under paragraph (3) [3] may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.
B. Regulatory Background
Section 1173 of the Act, 42 U.S.C. 1320d-2, and section 264 of HIPAA, require the Secretary to adopt a number of national standards to facilitate the exchange of certain health information and to protect the privacy and security of such information. The Secretary has adopted a number of national standards to that end, which include the following: Standards for Electronic Transactions and Code Sets (Transactions and Code Sets Rules); Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule); Standard Unique Employer Identifier (EIN Rule); Security Standards (HIPAA Security Rule); and Standard Unique Health Identifier for Health Care Providers (NPI Rule). See 70 FR 20224, 20225-26 (April 18, 2005) for a more detailed description of the history of these HIPAA rules. Covered entities are required to comply with these HIPAA standards.
In addition, the Secretary promulgated rules that relate to compliance with, and enforcement of, the HIPAA rules, which are codified at 45 CFR part 160, subparts C, D, and E and collectively referred to as the Enforcement Rule. The Secretary first issued an interim final rule promulgating the procedural requirements for imposition of civil money penalties on violations of the privacy standards on April 17, 2003, Civil Money Penalties: Procedures for Investigations, Imposition of Penalties (68 FR 18896). The Secretary subsequently proposed a rule on April 18, 2005, HIPAA Administrative Simplification: Enforcement; Proposed Rule (70 FR 20224), proposing the amendment of 45 CFR part 160, subparts A (General Provisions), C (Compliance and Enforcement), and E (Procedures for Hearing), proposing a new subpart D (Imposition of Civil Money Penalties) that addressed the substantive issues related to the imposition of civil money penalties, and proposing that the above provisions be applied to all of the HIPAA rules, rather than only the privacy standards. The Secretary then adopted a final rule, HIPAA Administrative Simplification: Enforcement; Final Rule (71 FR 8390, February 16, 2006). The preambles of these rulemakings provide additional information that may be helpful to readers seeking a general understanding of HIPAA's compliance and enforcement scheme. Where, if at all, language in these prior preambles is contrary to language in this preamble or regulation text, the language herein applies.
Subpart D of the Enforcement Rule pertains to the imposition of civil money penalties under section 1176 of the Act and includes a number of provisions that apply to violations occurring before section 13410(d) of the HITECH Act's effective date of February 18, 2009, but that conflict with the statutory language as it has been revised with respect to violations occurring on or after February 18, 2009. Thus, the primary objectives of this interim final rule are to conform the Enforcement Rule provisions found in subpart D to the amended language in section 1176 of the Act, to provide covered entities with additional notice of the Secretary's revised statutory authority with respect to the imposition of civil money penalties, and to avoid any public misunderstanding or undue delay with respect to Congress' intent to strengthen enforcement of the HIPAA rules.
III. Approach to the Interim Final Rule
As stated previously, this interim final rule amends several provisions of the Enforcement Rule, subpart D, to conform its language regarding HHS' imposition of civil money penalties to section 1176 of the Act, which section 13410(d) of the HITECH Act revised as of February 18, 2009. Subtitle D of the HITECH Act, which specifically pertains to privacy, contains several other provisions crafted to strengthen enforcement, some but not all of which pertain to HHS' implementation of the Enforcement Rule. We recognize that additional amendments will become necessary as such provisions become effective, but we do not adopt amendments in this interim final rule pursuant to those other provisions of subtitle D which have not yet become statutorily effective and have not, as a result, yet operated to revise HHS' enforcement authority under section 1176 of the Act.
HHS has concluded that it has good cause, under 5 U.S.C. 553(b)(B), to waive the notice-and-comment requirements of the Administrative Procedure Act (APA) and to proceed with this interim final rule. We first note that section 13410(d) of the HITECH Act's amendment of section 1176 of the Act, 42 U.S.C. 1320d-5, became effective the day after the date of enactment and that many covered entities may be unaware they are currently subject to significantly greater penalties for violations of the HIPAA rules. In addition, section 13410(d) of the HITECH Act's amendments have caused a number of provisions of the Enforcement Rule to conflict with the amended statute, and the resulting inconsistency has led to public confusion, both as to the penalty amounts for violations of the HIPAA rules and as to what defenses remain in effect. Delaying the promulgation of these conforming amendments would also forestall HHS' timely implementation of the strengthened enforcement approach mandated by statute and would maintain the status quo with respect to the heightened privacy and security concerns associated with the electronic transmission of health information among health care entities.
Based on the above reasons, we believe that delaying amendment to the Enforcement Rule, through the exercise of notice-and-comment rulemaking prior to publication of a final rule, would be impracticable, unnecessary, or contrary to public policy. Accordingly, HHS has good cause under the APA, 5 U.S.C. 553(b)(B), to waive notice-and-comment rulemaking and to proceed directly with the issuance of a final rule. At the same time, HHS is interested in the public's input and requests public comments regarding the substance of these amendments.
While HIPAA generally requires certain consultations with industry as a predicate to the issuance of the HIPAA standards, this interim final rule does not adopt standards, as the term is defined and interpreted under subtitle F of title II of HIPAA. Therefore, the requirement for such industry consultations in section 1172(c) of the Act, 42 U.S.C. 1320d-1(c), does not apply. For the same reason, the timeframes for compliance with the HIPAA rules, as set forth in section 1175 of the Act, 42 U.S.C. 1320d-4, do not apply.
IV. Provisions in the Interim Final Rule
This interim final rule amends 45 CFR part 160, subpart D, which establishes rules relating to the imposition of civil money penalties, to conform several provisions to section 13410(d) of the HITECH Act's amendments to section 1176 of the Act, 42 U.S.C. 1320d-6, which became effective February 18, 2009. This interim final rule's amendments distinguish between violations occurring before February 18, 2009, and violations occurring on or after that date, with respect to the potential amount of the civil money penalty and the affirmative defenses available to covered entities. We discuss this interim final rule's amendments to the Enforcement Rule on a provision-by-provision basis below:
A. Subpart A—General Provisions
1. Section 160.101—Statutory Basis and Purpose
Section 160.101 is amended to add the statutory citation for section 13410(d) of the HITECH Act to the list of the statutes that the requirements of the subchapter are designed to implement.
B. Subpart D—Imposition of Civil Money Penalties
1. Section 160.401—Definitions
Section 160.401 is added and defines the terms of reasonable cause, reasonable diligence and willful neglect, using the same definitions currently found at § 160.410. As discussed below, we are removing these terms from § 160.410 as a conforming amendment. This reorganization of the definitions signals the application of these terms to the entirety of subpart D. We do not discuss the terms further, as we are amending their placement in the rule but not their substance. Readers who would like a better understanding of these terms are encouraged to consult prior preamble explanations at 70 FR 20224, 20237-9 (April 18, 2005) and 71 FR 8390, 8409-11 (February 16, 2006).
2. Section 160.404—Amount of Civil Money Penalties
Subsection 160.404(b) is amended to revise the range of potential civil money penalty amounts a covered entity will be subject to based on the HITECH Act's amendments of section 1176 of the Act, 42 U.S.C. 1320d-5, which are currently in effect. As amended, § 160.404(b)(1) retains the range of penalty amounts enumerated prior to the statutory revision for those violations occurring before February 18, 2009. The current content of § 160.404(b)(2) is re-designated as § 160.404(b)(3). A new § 160.404(b)(2) is added which identifies the range of penalty amounts for violations occurring on or after February 18, 2009.
Section 160.404 currently implements a penalty scheme, as required by section 1176(a)(1) prior to the HITECH Act's revisions, which explicitly established the maximum penalty amount for each violation as “not more than $100” and the maximum penalty amount “for all violations of an identical requirement or prohibition during a calendar year” as “not to exceed $25,000.” Subsection 160.404(b)(1) retains this penalty scheme for violations occurring before February 18, 2009, though its language is slightly modified to accommodate the parallel provisions for those violations that occur on or after February 18, 2009.
As modified, section 1176(a)(1) generally establishes a minimum penalty amount “for each such violation” by stating the penalty amount is to be “at least” the amount described in a specifically referenced tier and establishes a maximum penalty amount per violation by stating that each such violation is “not to exceed the amount described in [section 1176(a)(3)(D)].” [4] Each referenced penalty tier additionally provides a total penalty amount for all such violations of an identical requirement or prohibition during a calendar year. The HITECH Act's revised penalty scheme is similar to its predecessor with respect to its identification of a range of available civil money penalty amounts, a maximum penalty amount for violations of identical provisions during a calendar year, and generally with respect to the discretion it allows HHS in determining the appropriate penalty amount within the range prescribed.
The revised penalty scheme differs significantly from its predecessor by its establishment of several categories of violations that reflect increasing levels of culpability. The revised penalty scheme also differs significantly from its predecessor in its establishment of the range of available penalty amounts for each category of violation by reference to tiers of penalty amounts. Each tier specifies a minimum penalty amount that accompanies the increasing culpability associated with each category of violation and, for three of the four violation categories, defaults to “the amount described in paragraph 3(D)” as the outside limit.
For example, in the case of a violation where it is established that a covered entity did not know of the violation and would not have known through the exercise of reasonable diligence, section 13410(d) of the HITECH Act provides that the minimum penalty amount for each such violation is “at least” the amount described in paragraph (3)(A) [section 1176(a)(3)(A)] (i.e., $100) but is “not to exceed” the amount described in paragraph (3)(D) [section 1176(a)(3)(D)] (i.e., $50,000). Paragraphs 1176(a)(3)(A) and (D) each additionally provide that the total penalty amount for multiple violations of an identical requirement or prohibition during a calendar year is $25,000 and $1.5 million respectively.
HHS considered the conflicting statutory language that references two tiers of penalties “for each violation,” which each provide a penalty amount “for all such violations” of an identical requirement or prohibition in a calendar year. With the exception of violations due to willful neglect that are not timely corrected, this interim final rule adopts a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopts the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules. For violations due to willful neglect that are not timely corrected, this interim final rule adopts the penalty amount of $50,000 as the minimum for each violation and $1.5 million for all such violations of an identical requirement or prohibition. These regulatory amendments are consistent with the most logical reading of section 1176(a)(1) and (3). The amendments are also consistent with Congress' intent to strengthen enforcement, in part, by increasing the minimum penalty amounts available according to categories of violation, and with the clear discretion Congress has provided to impose a penalty amount up to the amount described in “paragraph (3)(D).”
More specifically, HHS amends § 160.404(b)(2) to reflect each category of violation that will serve as the basis for a civil money penalty on or after February 18, 2009, as well as the respective range of penalty amounts available. The range of penalty amounts available for the first three categories of violations (i.e., where it is established the covered entity did not reasonably know of the violation, the violation was due to a reasonable cause, or the violation was due to willful neglect but timely corrected) is defined consistent with the controlling language of section 1176(a)(1)(A)-(C)(i), whereby the minimum penalty amount for each violation is set pursuant to the specific tier referenced by each category of violation, and the maximum penalty amount for each violation is capped at $50,000, the amount identified “for each such violation” in section 1176(a)(3)(D). For these categories of violations, the maximum penalty amount available for all such violations of an identical provision in a calendar year is consistently capped at $1.5 million, the other amount referenced in section 1176(a)(1) as that “not to exceed” and identified in section 1176(a)(3)(D) “for all such violations of an identical requirement or prohibition during a calendar year.”
The penalty amounts available for the fourth level of culpability (i.e., where it is established the violation is due to willful neglect but not timely corrected) are also consistent with the controlling language of section 1176(a)(1)(C)(ii). Unlike the other levels of culpability at section 1176(a)(1)(A), (B) and (C)(i), section 1176(a)(1)(C)(ii) only provides in its reference to section 1176(a)(3)(D) a minimum penalty amount of $50,000 “for each violation” and a penalty cap of $1.5 million for multiple violations of an identical requirement or prohibition in a calendar year.
We highlight the penalty amounts in Table 1, below, to ensure that covered entities are fully aware of their potential liability:
Table 1—Categories of Violations and Respective Penalty Amounts Available

| Violation category—Section 1176(a)(1) | Each violation | All such violations of an identical provision in a calendar year |
| --- | --- | --- |
| (A) Did Not Know | $100-$50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000-$50,000 | $1,500,000 |
| (C)(i) Willful Neglect—Corrected | $10,000-$50,000 | $1,500,000 |
| (C)(ii) Willful Neglect—Not Corrected | $50,000 | $1,500,000 |

We note that HHS will not impose the maximum penalty amount in all cases. Rather, HHS will determine penalty amounts as required by the statute at section 1176(a)(1) and the regulations at § 160.408. That is, penalty determinations will be based on the nature and extent of the violation, the nature and extent of the resulting harm, as well as the other factors set forth at § 160.408 (such as the covered entity's history of prior compliance or financial condition).
For counting violations that occur on or after February 18, 2009, HHS will continue to utilize the methodology discussed in prior preambles of the Enforcement Rule. See 70 FR 20224, 20233-35 (April 18, 2005) and 71 FR 8390, 8404-07 (February 16, 2006). For violations that began prior to February 18, 2009, and continue after that date, we will treat violations occurring before February 18, 2009, as subject to the penalties in effect prior to February 18, 2009 and violations occurring on or after February 18, 2009, as subject to the penalties in effect on or after February 18, 2009.
3. Section 160.410—Affirmative Defenses
As previously discussed, the terms reasonable cause, reasonable diligence and willful neglect have been moved from § 160.410 to § 160.401 in order to apply more generally to all of subpart D. Accordingly, we have removed the current paragraph (a) from § 160.410 and redesignated paragraph (b) as paragraph (a).
We also amended § 160.410 to conform its provisions to the statutory language in section 1176(a)(3), as revised by section 13410(d) of the HITECH Act. Section 160.410(b) currently provides three affirmative defenses to the Secretary's authority to impose a civil money penalty, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d-6;
(2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and by exercising reasonable diligence, would not have known that the violation occurred; or
(3) The violation is—
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
Section 13410(d) of the HITECH Act revises section 1176(b) of the Act to: (a) Strike the limitation on imposing a penalty when a covered entity establishes, to the Secretary's satisfaction, that it “did not know, and by exercising reasonable diligence would not have known” of the violation; and (b) extend the affirmative defense for violations that are timely corrected, which was previously limited to violations due to “reasonable cause and not to willful neglect,” to all violations not due to willful neglect.
The amendments conform § 160.410 to distinguish the limitations placed on the Secretary's authority to impose civil money penalties before and after the HITECH Act by: (a) Revising the current provisions, which have been redesignated as paragraph (a), to apply only “[f]or violations occurring prior to February 18, 2009”; and (b) adding a new paragraph (b) that applies “[f]or violations occurring on or after February 18, 2009.” The amendments also conform § 160.410 to the amended section 1176(b) by removing a covered entity's lack of knowledge as an affirmative defense for violations occurring on or after February 18, 2009. As a result, a covered entity that did not know and reasonably should not have known of such violations will not have this affirmative defense available, unless it also corrects the violation during the 30-day time period beginning on the first date of such knowledge or during the period determined appropriate by the Secretary based on the nature and extent of the failure to comply. The amendments likewise revise the affirmative defenses available for violations occurring on or after February 18, 2009 to conform to the amended statute by removing any specific reference to “reasonable cause” while retaining more generalized language applicable to all violations “not due to willful neglect.” Notwithstanding these revisions, the Secretary may continue to use discretion in providing technical assistance, obtaining corrective action, and resolving possible noncompliance by informal means where the possible noncompliance is due to reasonable cause or in the event a person did not reasonably know that the violation occurred.
We note that the amendments made to § 160.410 do not alter the beginning of the 30-day cure period. Section 1176(b)(2)(A) of the Act continues to provide that the 30-day cure period begins “on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.” As prior preambles to the Enforcement Rule explain, the statute, “on its face suggests that the knowledge involved must be knowledge that a `violation' has occurred, not just knowledge of the facts constituting the violation. * * * [HHS], thus, interpret[s] this knowledge requirement to mean that the covered entity must have knowledge that a violation has occurred, not just knowledge of the facts underlying the violation.” However, the “reasonable diligence” requirement makes the affirmative defense unavailable, in the event a covered entity's “lack of knowledge” resulted from its failure to inform itself about its compliance obligations or to investigate received complaints or other information indicating likely noncompliance. See 70 FR 20224, 20237-8 (April 18, 2005) and 71 FR 8390, 8410 (February 16, 2006). Thus, HHS expects its determination of the beginning of the cure period will be based on evidence gathered during its investigation of when a covered entity had actual or constructive knowledge of a violation.
We also note that the amendments made to § 160.410 do not alter affirmative defenses with respect to violations due to willful neglect. Section 1176(b)(2)(A) still operates to exclude violations due to willful neglect from those that, if timely corrected, would be exempt from the imposition of a civil money penalty. Violations due to willful neglect are therefore not eligible for extension, nor will their timely correction be an affirmative defense. Timely correction will, however, determine which tier of penalty amounts will be applicable to violations due to willful neglect.
Thus, for example, referring to “Table 1. Categories of Violations and Respective Penalty Amounts Available,” which appears in the discussion about § 160.404, a covered entity's timely correction would bar the Secretary's imposition of the penalty amounts identified in columns two and three, if the covered entity did not reasonably know of the violation or if the violation was due to reasonable cause. In contrast, a covered entity's timely correction of a violation due to willful neglect would not be an affirmative defense that bars the Secretary's imposition of a penalty amount identified in columns two and three of the table.
To determine the appropriate penalty tier for a violation due to willful neglect, HHS will calculate the 30-day cure period in the same manner as that described above for the affirmative defense of timely correction of a violation not due to willful neglect. Our determination of when a covered entity first had actual or constructive knowledge of a violation due to willful neglect for the purpose of calculating whether it was timely corrected will be based on evidence gathered during our investigation and will thus necessarily be made on a case-by-case basis. The minimum penalty amount under the HITECH Act for a violation due to willful neglect that is corrected during the 30-day cure period is significantly less than the minimum penalty amount for a violation due to willful neglect that is not timely corrected. In recognition of the HITECH Act's enhanced penalties and its application of a 30-day cure period to a determination of the appropriate penalty tier for a violation due to willful neglect, we request public comment on whether there are alternative approaches to calculating the beginning of the 30-day cure period for this purpose.
This interim final rule does not amend § 160.410 with respect to the affirmative defense pertaining to criminal violations, punishable under 42 U.S.C. 1320d-6, since the relevant statutory revision will not become effective until February 18, 2011. The interim final rule also does not amend § 160.410 with respect to the enforcement authority of state attorneys general to bring civil actions under the HIPAA rules in certain circumstances, as set forth in § 13410(e) of the HITECH Act, since such authority operates pursuant to the statute and does not require HHS rulemaking.
4. Section 160.412—Waiver
Section 160.412 is amended to reflect the revisions to § 160.410. Regardless of whether violations occur before, on, or after February 18, 2009, the Secretary may continue to provide a waiver for violations due to reasonable cause and not willful neglect that are not timely corrected (pursuant to the correction period in revised § 160.410(a)(3)(ii) or (b)(2)(ii), as applicable).
5. Section 160.420—Notice of Proposed Determination
Section 160.420(a)(4) is amended to add the requirement that, in addition to the proposed penalty amount, HHS identify the applicable violation category in § 160.404 upon which the proposed penalty amount is based. While such additional language is not required by statute, HHS makes this amendment to provide covered entities with additional notice and information to benefit their understanding of the violation findings in the Notice of Proposed Determination.
V. Request for Comments
HHS seeks public comments on any aspect of this interim final rule. In particular, we invite public comments with respect to the following: (1) The calculation of when the 30-day cure period begins for the purpose of determining the appropriate penalty tier for a violation due to willful neglect as discussed above in the penultimate paragraph of Section IV.B.3; (2) whether moving the definitions of “reasonable cause,” “reasonable diligence,” and “willful neglect” to the new § 160.401 leads to any unintended consequences; and (3) the HHS interpretations of Congressional intent referenced in footnotes 1 and 3.
VI. Impact Statement and Other Required Analyses
A. Paperwork Reduction Act
We reviewed this interim final rule to determine whether it invokes issues that would relate to the Paperwork Reduction Act (PRA). While the PRA applies to agencies and collections of information conducted or sponsored by those agencies, 5 CFR 1320.4(a) exempts collections of information that occur “during the conduct of * * * an administrative action, investigation, or audit involving an agency against specific individuals or entities,” except for investigations or audits “undertaken with reference to a category of individuals or entities such as a class of licensees or an entire industry.” The rules adopted below come squarely within this exemption, as they deal entirely with administrative investigations and actions against specific individuals or entities. Therefore, we have determined that the PRA does not apply to this interim final rule and that the rule need not be reviewed by the Office of Management and Budget under the authority of the PRA.
B. Executive Order 12866
We also reviewed the impacts of this interim final rule as required by Executive Order 12866 (58 FR 51735, October 4, 1993), which directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 12866 requires that a regulatory impact analysis (RIA) be prepared for “significant regulatory actions,” which it defines at section 3(f), to include rules that may:
(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities;
(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency;
(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; or
(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.
Executive Order 12866 requires a full economic impact analysis only for “economically significant” rules under section 3(f)(1). The amendments contained within this interim final rule only conform the regulatory language of subpart D to that of the Act's revised statutory basis, in a way that differentiates the categories of violations for which a civil money penalty may be imposed, sets forth ranges of increasing penalty amounts with respect to each category of violation, and narrows the grounds for the affirmative defenses available.
HHS has concluded, for reasons similar, and in addition to, those discussed in the preambles to the proposed and final Enforcement Rules at 70 FR 20224, 20248-49 (April 18, 2005) and 71 FR 8390, 8424 (February 16, 2006), that the impact of this interim final rule is not such that it would reach the “economically significant” threshold under section 3(f)(1) of the Executive Order. As was the case at the time of earlier promulgations, the costs covered entities may incur with respect to their compliance with the Enforcement Rule, itself, should be low in most cases. That is, covered entities that comply with the HIPAA rules voluntarily, as is expected, should not incur any additional, significant costs with respect to the imposition of a civil money penalty. HHS' experience enforcing the HIPAA rules also suggests that violations should not collectively amount to an annual effect on the economy of $100 million or more, even in light of the higher penalty amounts prescribed by statute.
Further, HHS does not expect the imposition of civil money penalties pursuant to these amendments to “adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities.” To the contrary, HHS maintains that the benefits brought by the HIPAA provisions and their strengthened enforcement under this interim final rule will far outweigh the potential costs. We believe the added penalties will encourage covered entities to take steps necessary to comply and thus not be liable for violations. In addition, we believe the conforming amendments made with respect to the affirmative defenses available will encourage covered entities to quickly and voluntarily correct acts or omissions that might otherwise be established as violations of the HIPAA rules. Greater vigilance in protecting privacy may also encourage public trust in the industry's use of health information technology. For these reasons, among others, a detailed cost-benefit assessment of the interim final rule is not required.
C. Other Analyses
We also examined the impacts of the interim final rule as required by the Regulatory Flexibility Act (RFA), section 1102(b) of the Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), the Small Business Regulatory Enforcement and Fairness Act, 5 U.S.C. 801 et seq., and Executive Order 13132.
The RFA requires agencies to determine whether a rule will have a significant economic impact on a substantial number of small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and government jurisdictions. The standard size of a “small” health care entity ranges from $7 million to $34.5 million in revenues in any one year. HHS assumes that the majority of covered entities to which this interim final rule is applicable are likely to be deemed small businesses based on the size standards of the Small Business Administration. As is discussed above, HHS expects that a covered entity's voluntary compliance and timely correction will not result in any significant economic impact, and that only a small percentage of violations occurring on or after February 18, 2009, will necessitate investigation and the imposition of a civil money penalty due to willful neglect. As discussed in prior enforcement rulemakings, (70 FR 20224, 20249 (April 18, 2005) and 71 FR 8390, 8424 (February 16, 2006)), the absence of evidence that small entities have a higher rate of noncompliance than larger entities provides additional support for the Secretary's certification that this rule will not have a significant economic impact on a substantial number of small entities.
Section 1102(b) of the Act requires agencies to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 603 (proposed documents)/604 (final documents) of the RFA. A small rural hospital, for purposes of section 1102(b) of the Act, is defined as a hospital that is located outside of a Metropolitan Statistical Area and has fewer than 100 beds. For reasons described above, this interim final rule is not expected to have a significant impact on small rural hospitals any more than it is expected to negatively impact any “small” health care entity.
Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1531 et seq., requires that agencies assess anticipated costs and benefits before issuing a rule that may result in an aggregate expenditure of $100 million in any one year, by State, local, or tribal governments, or by the private sector. The Small Business Regulatory Enforcement Act of 1996 (SBREFA), 5 U.S.C. 801 et seq., also requires that rules that will have an impact on the economy of $100 million or more per annum be submitted for Congressional review. For the reasons discussed above, this interim final rule would not impose a burden large enough to require a statement under section 202 of the Unfunded Mandates Reform Act of 1995 or Congressional review under the SBREFA.
Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. As previously discussed, this interim final rule is not likely to have substantial economic effects. Any preemption of State law that could occur would be a function of the HIPAA statute and the underlying HIPAA rules and not these amendments to the Enforcement Rule, which principally establish the means by which the statutory civil money penalty provisions will be implemented. This interim final rule does not have “substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government,” nor does it have “Federalism implications.” It is therefore not subject to Executive Order 13132.
List of Subjects in 45 CFR Part 160
- Administrative practice and procedure
- Computer technology
- Electronic transactions
- Employer benefit plan
- Health
- Health care
- Health facilities
- Health insurance
- Health records
- Hospitals
- Investigations
- Medicaid
- Medical research
- Medicare
- Penalties
- Privacy
- Reporting and recordkeeping requirements
- Security
For the reasons set forth in the preamble, the Department of Health and Human Services amends 45 CFR subtitle A, subchapter C, part 160, as set forth below.
PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 160 is revised to read as follows:

* * * * *

2. Revise § 160.101 to read as follows:

§ 160.101 Statutory basis and purpose.

The requirements of this subchapter implement sections 1171 through 1179 of the Social Security Act (the Act), as added by section 262 of Public Law 104-191, section 264 of Public Law 104-191, section 13402 of Public Law 111-5, and section 13410(d) of Public Law 111-5.
3. Add § 160.401 to subpart D to read as follows:
§ 160.401 Definitions.

As used in this subpart, the following terms have the following meanings:
Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
4. Revise paragraph (b) of § 160.404 to read as follows:
§ 160.404 Amount of a civil monetary penalty.

* * * * *

(b) The amount of a civil money penalty that may be imposed is subject to the following limitations:
(1) For violations occurring prior to February 18, 2009, the Secretary may not impose a civil money penalty—
(i) In the amount of more than $100 for each violation; or
(ii) In excess of $25,000 for identical violations during a calendar year (January 1 through the following December 31);
(2) For violations occurring on or after February 18, 2009, the Secretary may not impose a civil money penalty—
(i) For a violation in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated such provision,
(A) In the amount of less than $100 or more than $50,000 for each violation; or
(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);
(ii) For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect,
(A) In the amount of less than $1,000 or more than $50,000 for each violation; or
(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);
(iii) For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,
(A) In the amount of less than $10,000 or more than $50,000 for each violation; or
(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);
(iv) For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,
(A) In the amount of less than $50,000 for each violation; or
(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31).
(3) If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another administrative simplification provision in the same subpart, a civil money penalty may be imposed for a violation of only one of these administrative simplification provisions.
5. Revise § 160.410 to read as follows:
§ 160.410 Affirmative defenses.

(a) For violations occurring prior to February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violations, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d-6;
(2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and, by exercising reasonable diligence, would not have known that the violation occurred; or
(3) The violation is—
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the first date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
(b) For violations occurring on or after February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violations, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d-6; or
(2) The covered entity establishes to the satisfaction of the Secretary that the violation is—
(i) Not due to willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
6. Revise § 160.412 to read as follows:
§ 160.412 Waiver.

For violations due to reasonable cause and not willful neglect that are not corrected within the period described in § 160.410(a)(3)(ii) or (b)(2)(ii), as applicable, the Secretary may waive the civil money penalty, in whole or in part, to the extent that the payment of the penalty would be excessive relative to the violation.
7. Revise § 160.420(a)(4) to read as follows:
§ 160.420 Notice of Proposed Determination.

(a) * * *
(4) The amount of the proposed penalty and a reference to the subparagraph of § 160.404 upon which it is based.
* * * * *

Dated: August 11, 2009.
Kathleen Sebelius,
Secretary.
Footnotes
1. We note that, as amended, section 1176 no longer includes a subsection (b)(3)(A). We interpret this text as referencing the 30-day period in section 1176(b)(2)(A), which was designated as section 1176(b)(3)(A) prior to the HITECH Act's amendment. We request public comment on this interpretation, to the extent there is disagreement.
2. Note that section 13410(a) of the HITECH Act further amends section 1176(b) of the Act with respect to penalties imposed on or after February 18, 2011. These changes are not reflected in the statutory text, as they have yet to become effective.
3. We note that this reference to paragraph (3) creates a circular reference which appears to be an error. Section 13410(d) of the HITECH Act redesignated the prior paragraph (3) to paragraph (2), but did not include a conforming revision to this reference. Accordingly, we interpret this reference as being to paragraph (2) (i.e., the affirmative defense for violations that are not due to willful neglect and are timely corrected) and request public comment to the extent there is disagreement.
4. Section 1176(a)(1) notably provides no maximum penalty amount, however, with respect to “each such violation” described in subparagraph (C)(ii) (for violations established as due to willful neglect and not timely corrected), although a cap is set by section 1176(a)(3)(D). This caveat is discussed further below.
[FR Doc. E9-26203 Filed 10-29-09; 8:45 am]
BILLING CODE 4150-03-P
Document Information
- Published: 10/30/2009
- Department: Health and Human Services Department
- Entry Type: Rule
- Action: Interim final rule; request for comments
- Document Number: E9-26203
- Pages: 56123-56131 (9 pages)
- RIN: 0991-AB55: Modifications to the HIPAA Enforcement Rule Under the Health Information Technology for Economic and Clinical Health Act
- RIN Link: https://www.federalregister.gov/regulations/0991-AB55/modifications-to-the-hipaa-enforcement-rule-under-the-health-information-technology-for-economic-and
- Topics: Administrative practice and procedure, Computer technology, Employee benefit plans, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and recordkeeping requirements
- CFR (6): 45 CFR 160.101; 45 CFR 160.401; 45 CFR 160.404; 45 CFR 160.410; 45 CFR 160.412; More ...