[Federal Register Volume 64, Number 161 (Friday, August 20, 1999)]
[Rules and Regulations]
[Pages 45786-45807]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-21662]
[[Page 45785]]
_______________________________________________________________________
Part VI
Department of Health and Human Services
_______________________________________________________________________
Health Care Financing Administration
_______________________________________________________________________
45 CFR Parts 144, 146, 148, and 150
Federal Enforcement in Group and Individual Health Insurance Markets;
Interim Rule
��Federal Register / Vol. 64, No. 161 / Friday, August 20, 1999 / Rules
and Regulations��
[[Page 45786]]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Health Care Financing Administration
45 CFR Parts 144, 146, 148, and 150
[HCFA-2019-IFC]
RIN 0938-AJ48
Federal Enforcement in Group and Individual Health Insurance
Markets
AGENCY: Health Care Financing Administration (HCFA), HHS.
ACTION: Interim final rule with comment period.
-----------------------------------------------------------------------
SUMMARY: This interim final rule with comment period details procedures
for enforcing title XXVII of the Public Health Service Act as added by
the Health Insurance Portability and Accountability Act of 1996, and as
amended by the Mental Health Parity Act of 1996, the Newborns' and
Mothers' Health Protection Act of 1996, and the Women's Health and
Cancer Rights Act of 1998, in States that do not enact the legislation
necessary to enforce or otherwise do not substantially enforce the
requirements of these acts. This regulation also delineates the process
for taking enforcement actions against non-Federal governmental plans
and, in those States in which HCFA is directly enforcing the
requirements of these acts, health insurance issuers that are not
complying with those requirements.
DATES: Effective date: September 20, 1999. Comments will be considered
if we receive them at the appropriate address, as provided below, no
later than 5 p.m. on October 19, 1999.
ADDRESSES: Mail written comments (1 original and 3 copies) to the
following address:
Health Care Financing Administration, Department of Health and Human
Services, Attention: HCFA-2019-IFC, P.O. Box 9016, Baltimore, MD 21244-
9016.
If you prefer, you may deliver your written comments (1 original
and 3 copies) to one of the following addresses:
Room 309-G, Hubert H. Humphrey Building, 200 Independence Avenue, SW.,
Washington, DC,
or
Room C5-16-03, 7500 Security Boulevard, Baltimore, MD
FOR FURTHER INFORMATION CONTACT: Rochelle Shevitz, (410) 786-1565.
SUPPLEMENTARY INFORMATION:
Comments, Procedures, and Availability of Copies
Because of staff and resource limitations, we cannot accept
comments by facsimile (FAX) transmission. In commenting, please refer
to file code HCFA-2019-IFC. Comments received timely will be available
for public inspection as they are received, generally beginning
approximately 3 weeks after publication of a document, in Room 443-G of
the Department's office at 200 Independence Avenue, SW., Washington,
DC, on Monday through Friday of each week from 8:30 to 5 p.m. (phone:
(202) 690-7890).
Copies: To order copies of the Federal Register containing this
document, send your request to: New Orders, Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date
of the issue requested and enclose a check or money order payable to
the Superintendent of Documents, or enclose your Visa or Master Card
number and expiration date. Credit card orders can also be placed by
calling the order desk at (202) 512-1800 or by faxing to (202) 512-
2250. The cost for each copy is $8. As an alternative, you can view and
photocopy the Federal Register document at most libraries designated as
Federal Depository Libraries and at many other public and academic
libraries throughout the country that receive the Federal Register.
I. Background
Title I of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA) created a new title XXVII of the Public Health Service
(PHS) Act (42 U.S.C. 300gg, et seq.) that requires group health plans
and health insurance issuers to provide certain guarantees for
availability and renewability of health coverage in the group and
individual health insurance markets. 1
---------------------------------------------------------------------------
\1\ HIPAA created a series of parallel provisions that were
placed in the Employee Retirement Security Act (ERISA), which is
within the jurisdiction of the Department of Labor; the Public
Health Service Act (PHS), which is within the jurisdiction of the
Department of Health and Human Services; and the Internal Revenue
Code, which is within the jurisdiction of the Department of the
Treasury. These ``shared provisions'' set forth Federal requirements
relating to portability, access, and renewability of group health
plans and group health insurance coverage provided by issuers.
Specifically, the shared provisions contain rules limiting the use
of preexisting condition exclusion periods, and prohibiting
discrimination against participants and beneficiaries based on
health status.
Section 104 of Title I of HIPAA requires that the three
departments ensure through an interagency memorandum of
understanding (MOU) that regulations, rulings and interpretations
issued by each of the departments relating to the same matter over
which two or more departments have jurisdiction, are administered so
as to have the same effect at all times. Section 104 also requires
the departments, through the MOU, to provide for coordination of
policies relating to enforcement of the same requirements in order
to have a coordinated enforcement strategy that avoids duplication
of enforcement efforts and assigns priorities in enforcement. The
three departments recently signed the MOU.
HIPAA also added certain provisions governing insurance in the
group and individual markets, and with respect to non-Federal
government plans which are contained only in the Public Health
Service Act and thus are not within the regulatory jurisdiction of
the Department of Labor or the Department of the Treasury. Section
101(b) of HIPAA provides that the Department of Labor is not
authorized to enforce any of the portability requirements of part 7
of ERISA (the ``shared'' provisions) against a health insurance
issuer offering health insurance coverage in connection with a group
health plan, although individuals covered under ERISA can bring
suit. Also, governmental plans, as defined in section 3(32) are
exempt from ERISA, under section 4(1) of ERISA. Thus the scope of
the MOU is limited, with respect to coordination of enforcement
activities, to enforcement of shared provisions. Enforcement of
these provisions constitutes only a relatively small portion of
HCFA's responsibilities.
---------------------------------------------------------------------------
The Newborns' and Mothers' Health Protection Act of 1996 amended
the PHS Act to provide protections for mothers and their newborn
children with regard to the length of hospital stay following
childbirth. The Mental Health Parity Act of 1996 further amended title
XXVII of the PHS Act to provide for parity in the application of
certain annual and lifetime dollar limits on mental health benefits
with annual and lifetime dollar limits on medical/surgical benefits.
The Women's Health and Cancer Rights Act of 1998 amended the PHS Act to
provide certain protections for patients who elect breast
reconstruction in connection with a mastectomy (As used hereafter in
this preamble, HIPAA refers to title XXVII of the PHS Act, as added by
the Health Insurance Portability and Accountability Act of 1996, and
later amended by the Mental Health Parity Act of 1996, the Newborns'
and Mothers' Health Protection Act, and the Women's Health and Cancer
Rights Act of 1998.)
HIPAA added two preemption provisions to the PHS Act. With respect
to HIPAA's preexisting condition exclusions rules and special
enrollment rights contained in section 2701 of the PHS Act, State law
cannot differ in any way from the Federal requirements, except to
expand the protections in one of several ways specifically permitted by
the statute (See section 2723(b). With respect to HIPAA's other
requirements, for example, HIPAA's non-discrimination provisions, State
laws are preempted only to the extent they prevent the application of
any requirement of HIPAA. (See section 2723(a)).
[[Page 45787]]
HIPAA affirms that the States are the primary regulators of health
insurance coverage in each State. However, in the event that a State
either does not enact legislation that meets or exceeds the Federal
health insurance requirements, if it or otherwise fails to
substantially enforce the HIPAA standards, the Health Care Financing
Administration (HCFA) enforces the HIPAA requirements that apply to
health insurance issuers offering coverage within that State.
HCFA is also responsible for enforcing the HIPAA requirements with
respect to non-Federal governmental plans. Non-Federal governmental
plans that are not provided through health insurance coverage may elect
exemption from one or more requirements of HIPAA, but must comply with
requirements regarding certification and disclosure of creditable
coverage.
II. Provisions of the Proposed Regulations
Subpart A--General Provisions
Section 150.101 Basis and Scope
On April 8, 1997, we published regulations to implement HIPAA by
adding 45 CFR parts 144, 146, and 148. The enforcement provisions of
that rule are contained in Secs. 146.184, 148.200, and 148.202. Now
that HCFA has had experience with direct Federal enforcement in some
States, we have determined that it is necessary to provide more detail
on the procedures that will be used to enforce HIPAA when a State does
not do so. We are adding a new part that will revise and expand the
provisions contained in Secs. 146.184, 148.200, and 148.202. Those
sections are deleted.
This new part, 45 CFR part 150, consists of four subparts. Subpart
A explains the scope and basis of this regulation and presents
definitions that supplement definitions located in 45 CFR 144.103 and
148.103. Subpart B describes how HCFA determines whether to assume
enforcement authority in a State and explains the process for
transferring such authority back to the State. Subpart C describes
procedures for assessing civil money penalties. Examples of specific
situations that may trigger the assessment are listed in Appendix A to
Subpart C. Subpart D describes the administrative appeals process.
Section 150.103 Definitions
In order to convey the requirements of 45 CFR part 150, we are
defining a number of terms that will be found at 45 CFR 150.103. Terms
found at 45 CFR part 150 have the same meaning given to them in 45 CFR
144.103 and 148.103, unless otherwise indicated. Section 150.103 will
include definitions of the following terms: amendment, endorsement or
rider; application; certificate of insurance; complaint; group health
insurance policy or group policy; individual health insurance policy or
individual policy; plan document; and State law.
Subpart B--HCFA Enforcement Processes for Determining Whether States
Are Failing To Substantially Enforce HIPAA Requirements
This subpart describes the steps we will take to determine whether
a State is failing to substantially enforce HIPAA requirements and the
notification procedures we will follow prior to beginning direct
enforcement.
Section 150.201 State Enforcement
HIPAA affirmed the States' role as the primary regulator of health
insurance in each State. Consistent with HIPAA, Sec. 150.201 will state
that, except as provided in subpart B, each State enforces HIPAA
requirements with respect to health insurance issuers that issue, sell,
renew, or offer health insurance coverage in the State.
Section 150.203 Circumstances Requiring HCFA Enforcement
Federal enforcement is triggered in two instances: (1) A State
notifies us that it has not enacted the necessary legislation to bring
its laws into compliance with HIPAA requirements or that it is
otherwise not substantially enforcing those requirements; or (2) a
State does not notify us of its failure to substantially enforce HIPAA
requirements, but we receive or obtain information that forms the basis
for HCFA's determination that such a failure is occurring. When we
receive such notification or make such a determination, we will discuss
with State officials the requirements that are not substantially
enforced and begin Federal enforcement of those requirements.
With regard to the group health insurance market, section
2722(a)(2) of the PHS Act requires Federal enforcement of any
``provision (or provisions)'' that a State fails to substantially
enforce. Therefore, it is possible that a State could enforce some
group market provisions while HCFA enforces others.
With regard to the individual market, section 2761(a)(2) of the PHS
Act calls for Federal enforcement of the ``requirements of this part''
whenever a State fails to substantially enforce them. However, HCFA
does not enforce those State laws that constitute an ``acceptable
alternative mechanism'' (as defined in Sec. 148.128) for enforcing
guaranteed availability regulations. In addition, HIPAA does not
preempt State laws that afford greater protections to HIPAA-eligible
individuals than HIPAA without preventing the application of a HIPAA
requirement. Thus, in the individual market, it is also possible that
HCFA will enforce some requirements while the State enforces others.
The complexity of the situation varies from one State to another and
requires careful consideration on a case-by-case basis.
Section 150.205 Sources of Information Triggering an Investigation of
State Enforcement
The interim final regulations provide more specific guidance on
situations in which there is no formal complaint, but other information
indicates that a State's failure to substantially enforce may exist.
Information regarding an alleged failure to enforce may come from a
variety of sources, including, but not limited to--
A complaint;
Informal contacts with State officials;
Communication with other individuals, such as brokers and
agents, or consumers themselves; and
Reports in the news media.
When we receive information indicating that a failure to
substantially enforce might exist in a particular State, we will write
to the governor and the commissioner of insurance or chief insurance
regulatory official of that State (and/or the official responsible for
regulating HMOs if the alleged failure involves HMOs) to inquire about
the status of HIPAA enforcement in the State. Further action on our
part will be dictated by the nature of the State's answer. If a State
informs us that it is enforcing all of the requirements of HIPAA and
provides a satisfactory explanation of why there is no failure, we will
take no further action unless there are further indications to
contradict the State's assertion.
Sections 150.207-150.219 Procedure for Determining That a State Fails
to Substantially Enforce HIPAA Requirements
If we receive a complaint indicating that a State is failing to
substantially enforce the law, we will first make a preliminary
assessment of whether the complainant who is adversely affected has
made a reasonable effort to resolve the issue through any remedies
available under State law (Sec. 150.209). We will contact the
complainant to
[[Page 45788]]
determine actions already taken, including whether State officials have
been notified and what action, if any, those officials have taken. We
may also contact State officials informally to discuss the situation.
If we receive information other than an individual complaint, we will
initiate similar contact with State officials.
In accordance with Sec. 150.211, we will send a written notice to
the State if we find that there is a reasonable question as to whether
the State is failing to substantially enforce HIPAA requirements. The
notice will be addressed to--
(1) The governor or chief executive officer of the State;
(2) The insurance commissioner or chief insurance regulatory
official; and
(3) If the alleged failure involves HMOs, the official responsible
for regulating HMOs if different from the individual identified in (2).
Under Sec. 150.213, the notice to the State will identify the
requirement or requirements of HIPAA for which there is evidence of a
potential failure to enforce and will describe the facts of any alleged
violation by an issuer or the ways in which the State law fails to
acceptably implement HIPAA. The letter will further explain that the
consequence of a State's failure to substantially enforce those
requirements is that HCFA will do so. The notice will give the State 30
days to respond unless an extension is granted.
In the interim final regulations published on April 8, 1997, a
response time of 45 days was allowed. This regulation shortens the
response time to 30 days to lessen any adverse impact on consumers.
This shorter response time appears to balance the States' prerogative
to enact and enforce their own insurance laws with the consumer rights
and protections that the Congress intended to guarantee when it enacted
HIPAA. We invite comment on this change.
We may extend the 30-day response period for good cause at a
State's request (see Sec. 150.215). The length of the extension period
granted may vary depending upon the specific circumstances of the
situation; thus, the regulation does not set forth a prescribed
extension period. Extensions will be granted based upon the
circumstances, and at our discretion.
Example: The State replies to our notice by stating that some State
regulators had been unclear on the scope of their new responsibilities.
Having recognized the problem, the State plans to train all affected
regulatory staff as quickly as possible. However, it is unlikely that
the State will be able to assure us within 30 days that full HIPAA
enforcement is taking place. Therefore, the State requests an extension
until staff training is completed.
If, at the end of 30 days (and any extension), the State does not
establish to our satisfaction that it is substantially enforcing the
requirements described in the notice, we may, after further
consultation with the appropriate State officials or their designees,
send the State a notice of preliminary determination (see
Sec. 150.217). The notice of preliminary determination will specify the
HIPAA requirements that the State has failed to substantially enforce.
The notice will afford the State a reasonable opportunity to present
evidence of substantial enforcement.
We will allow the State a reasonable opportunity--normally, 30
days--to correct its failure to substantially enforce the requirements
identified in the preliminary determination. However, in accordance
with Sec. 150.219, if we find that the State has not taken the
necessary corrective action, we will issue a final written
determination. The final determination will identify the HIPAA
requirements that HCFA is enforcing. The notice will also specify the
effective date of HCFA's enforcement. This date may be retroactive to
apply so that civil monetary penalties, that HCFA later assesses, may
take into account violations that occurred after the effective dates
specified in HIPAA or a date that HCFA identifies as the point at which
the State's failure to substantially enforce the specified requirements
commenced. HCFA does not enforce a State law that was enacted as an
alternative mechanism. However, in the case of a State that is found
not to be implementing its acceptable alternative mechanism, and also
is found not to be substantially enforcing the Federal fallback
regulations on guaranteed availability, HCFA will enforce the HIPAA
requirements as of the date that HCFA determines that the State has
failed to enforce. HCFA does not enforce a State law that was enacted
as an alternative mechanism.
In cases where HCFA assumes enforcement responsibility in a State,
the transition to Federal enforcement should be as smooth as possible
in order to protect consumers and create as little disruption as
possible for health insurance issuers.
Section 150.221 Transition to State Enforcement
When the State demonstrates that it is prepared to undertake
substantial enforcement and if and when we determine that
responsibility for enforcement should be returned to the State, we will
enter into discussions with State officials to ensure that a smooth
transition back to State enforcement is effected, especially with
respect to the handling of consumer inquiries and complaints. To the
extent practicable and legally permissible, we will make available to
the State our records documenting issuer compliance, as well as other
relevant areas of our enforcement operations, for incorporation into
the records of the regulatory authority assuming jurisdiction. We
invite comments on the transition procedures described in this
subsection.
Subpart C--HCFA Enforcement With Respect to Issuers and Non-Federal
Governmental Plans--Civil Money Penalties
This subpart describes the bases for imposing civil money penalties
against non-Federal governmental plans, and, in those States in which
we are enforcing the HIPAA requirements, against health insurance
issuers that are not complying with the requirements of HIPAA.
The basis for our enforcement actions are the requirements of 45
CFR parts 146 and 148 as set forth in the interim final rules published
on April 8, 1997 in the Federal Register, as well as the rules
published on December 22, 1997 (implementing the Mental Health Parity
Act of 1996) and October 27, 1998 (implementing the Newborns' and
Mothers' Health Protection Act of 1996), and the requirements in
sections 2706 and 2752 of the PHS Act (relating to the Women's Health
and Cancer Rights Act of 1998). Those rules explain practices to which
issuers and non-Federal governmental plans are required to adhere.
However, since publication of the April 8, 1997 rules, we have become
aware of actions taken by issuers and other responsible entities that
are inconsistent with several requirements of HIPAA but are not
specifically addressed in the rules. We addressed some of these actions
in Bulletin 98-01, discussed below. In an appendix to Subpart C we
provide a list of business practices or situations, including those
listed in the bulletin, that violate HIPAA and may trigger enforcement
action. This list is not all-inclusive. Rather, it highlights the
compliance problems that we have encountered most frequently.
This subpart establishes an enforcement process that ensures the
rights of individuals protected by HIPAA and provides for due
consideration toward health insurance issuers and non-Federal
governmental plans. This subpart explains the process
[[Page 45789]]
for investigating complaints to determine whether a violation has
occurred, and, when necessary, the process for assessing a civil money
penalty. In addition, this subpart provides suggestions to issuers and
other responsible entities of possible ways to avoid civil money
penalties through early identification of compliance problems.
Section 150.301 General Rule Regarding the Imposition of Civil Money
Penalties
Section 150.301 states that any health insurance issuer or non-
Federal governmental plan, or employer that sponsors a non-federal
government plan, subject to our enforcement authority that fails to
comply with HIPAA may be subject to a civil money penalty as described
in this subpart.
Section 150.303 Information Initiating Administrative Action or
Investigation
In accordance with Sec. 150.303, any individual or any entity
acting on his or her behalf may request that we investigate the
possible denial or abridgement of a HIPAA right. Complaints may be
directed to any of our regional offices where the complaint will be
either investigated or forwarded to the appropriate office for
investigation. Information about all complaints received will be
accessible to all HCFA staff involved in HIPAA enforcement in both the
central and regional offices.
Since many individuals protected by HIPAA will not initiate
complaints because they are unaware of their rights under the law and
therefore do not realize when their rights are being denied or
abridged, HCFA will consider other information when determining whether
a State is substantially enforcing HIPAA or when determining the
compliance of an issuer or other responsible entity as defined in
Sec. 150.305 (Determination of entity liable for civil money penalty).
Essentially, ``other information'' means any information HCFA receives
from any source that indicates that a potential violation of HIPAA has
been committed by a health insurance issuer or other responsible
entity. Other information includes any other indication that an issuer
or non-Federal governmental plan fails to meet any requirement of
HIPAA. Sources of information that we may rely upon include, but are
not limited to:
Reports and information collected from State insurance
departments, the National Association of Insurance Commissioners, and
other State, local, and Federal entities;
Information received through HCFA's enforcement activities
and from other sources that may include policy form review and market
conduct examinations.
Section 150.305 Determination of Entity Liable for Civil Money Penalty
Health insurance issuers that issue, sell, renew, or offer coverage
to either private employers that sponsor group health plans or to non-
Federal governmental plan sponsors are responsible for compliance with
HIPAA and applicable implementing regulations at 45 CFR part 146.
Under Sec. 150.305, we consider a health insurance issuer to be
subject to a civil money penalty if a group health insurance policy it
sells is written, serviced, or administered in a manner that fails to
comply with, or conflicts with, an applicable requirement of HIPAA. To
the extent that a group health plan is subject to HIPAA, a health
insurance issuer may be liable for the penalty even if a group health
plan sponsor had expressly requested that the issuer provide a policy
that does not comply with one or more requirements of HIPAA. In that
situation, the issuer should inform the plan sponsor that it would be
illegal to sell such a policy and refuse to structure the policy as
requested. With regard to health insurance sold in the individual
market, the issuer is the responsible entity and therefore liable for
any assessed civil money penalty. To the extent that policies sold in
the individual market are subject to the requirements of HIPAA, issuers
are responsible for ensuring that their policies comply and are
marketed and administered in accordance with those requirements and
applicable implementing regulations at 45 CFR Part 148. In addition,
when a policy does not comply with applicable HIPAA requirements, the
issuer may be subject to a civil money penalty irrespective of whether
the issuer sold the policy directly, or a broker or agent sold the
policy on the issuer's behalf.
Under section 2722(b)(1)(B) of the PHS Act, we have direct
enforcement authority with respect to group health plans that are non-
Federal governmental plans. A non-Federal governmental plan sponsored
by one or multiple non-Federal governmental entities is subject to
HIPAA to the same extent as any other group health plan, unless, in the
case of a non-Federal governmental plan that is not provided through
health insurance coverage, the plan sponsor(s) has (have) elected to
exempt the plan from one or more HIPAA provisions (as permitted under
45 CFR 146.180, and section 2721(b)(2) of the PHS Act).
When the sponsor of a non-Federal governmental plan does not elect
to have its plan exempted from one or more HIPAA requirements and the
plan fails to comply with one or more applicable provisions of HIPAA,
we enforce the law, and either the plan or the non-Federal governmental
employer sponsoring the plan is subject to a civil money penalty. In
accordance with section 2722(b)(2)(B) of the PHS Act, if the plan is
sponsored by a single non-Federal governmental employer, the non-
Federal governmental employer is subject to the penalty; if the plan is
sponsored by two or more non-Federal governmental employers, the plan
is subject to the penalty.
Separate civil money penalties may be assessed against an issuer
and a non-Federal governmental plan or employer, depending upon the
circumstances of the compliance failure(s). A civil money penalty, or
penalties, will be determined in accordance with sections 150.317
through 150.325.
Section 150.307 Notice to Responsible Entities
Under Sec. 150.307, when we receive a complaint or other
information indicating a possible violation of HIPAA, we will provide
written notice to the responsible entity(ies) that describes the
substance of the complaint or other information and any identifiable
actions that need to be taken to come into compliance. The notice will
also provide the responsible entities 30 days from the date of the
notice in which to respond. Furthermore, the notice will state that a
civil money penalty may be imposed if the entity fails to comply.
Section 150.309 Request for Extension
Section 150.309 will allow issuers and other responsible entities
to request an extension of time to respond to the notice. We will
consider granting the request provided:
(1) The request for the extension is made in writing;
(2) The issuer or other responsible entity can show good cause; and
(3) A complete response can be provided within the additional time
granted by HCFA.
This section, which allows for additional time, will benefit both
issuers and other responsible entities that are unable to respond to an
inquiry from us within 30 days regarding a potential HIPAA violation.
Failure to respond to a notice from HCFA within 30 days, or any
extended time frame, may result in the assessment of a civil money
penalty based upon the complaint or other information. This section
reflects HCFA's interest in ensuring complete responses. However, in
deciding
[[Page 45790]]
whether to grant the extension, HCFA will also consider the facts and
circumstances of the situation to assure thet individuals are not
adversely affected.
Section 150.311 Responses to Allegations of Noncompliance
Section 150.311 will state that in determining whether to assess a
civil money penalty and the amount of any such penalty, HCFA will
consider documentation provided by an issuer or other responsible
entity. If documentation substantiates that the violation was corrected
within 30 days of the first day that the responsible entity knew, or
exercising reasonable diligence, could have known of the violation,
then no civil money penalty may be imposed (see Sec. 150.341). However,
if the correction is made beyond the 30 days, we will review all
documentation supporting a responsible entity's efforts to comply with
HIPAA and, under appropriate circumstances, take such efforts into
account in our calculation of the amount of the penalty. In general, we
view more favorably responses where the rights and protections afforded
consumers are quickly and completely restored, and where the issuer or
other responsible entity can demonstrate that adequate changes have
been made to ensure future compliance.
Examples of documentation that may be included in a response
include:
Relevant policy forms, advertising material, and other
documents
Other evidence refuting the alleged noncompliance
Evidence showing the approximate cost to the affected
individual(s)
Evidence showing the number of individuals affected
Evidence that the entity did not know, or exercising due
diligence would not have known, of the violation
Documentation proving that issued policies and/or
certificates of coverage and plan documents were amended to comply with
HIPAA and showing the date of such amendment
Documentation of the issuance of forms that comply with
HIPAA (with respect to any forms that were submitted and reviewed by
us, such documentation may also include any final letter from us that
closed the review)
Evidence documenting the development and implementation of
internal policies and procedures to ensure HIPAA compliance (including
corporate compliance programs)
Other evidence showing the entity's prior record of HIPAA
compliance
Section 150.313 Market Conduct Examinations
In 1974 the National Association of Insurance Commissioners
recommended the establishment of a ``separate and distinct'' program of
surveillance to ensure fair treatment of insurance policyholders. Since
then, these surveillance programs, known as ``market conduct
examinations,'' have been an essential tool used by State insurance
departments to confirm the compliance of issuers with various State
insurance laws and regulations.
Market conduct examinations differ from traditional financial
audits performed on issuers by either regulators or the companies
themselves. While financial audits are primarily concerned with the
financial solvency of a company, market conduct examinations are
primarily concerned with the issuer's compliance with legal
requirements because the issuer's business practices impact consumers
directly. For example, while an issuer may be judged financially strong
through a financial audit, if this financial strength is obtained
through non-compliant claim denials, the issuer could ``pass'' a
financial audit, while ``failing'' a market conduct examination.
Pursuant to guidelines of the National Association of Insurance
Commissioners and State insurance laws, State insurance departments
charge the expenses of a market conduct examination directly to the
issuer. In contrast, HCFA will not require an issuer or other
responsible entity to bear the expense of a market conduct examination.
During a HCFA market conduct examination, HCFA will sample and, in some
cases, review in their entirety specific records, information, and
other documentation maintained by the issuer or other responsible
entity to determine compliance with the specific requirements of HIPAA.
HCFA market conduct examinations will differ from traditional State
insurance department examinations in that the scope of HCFA's reviews
will be much narrower, focusing on the provisions and requirements of
HIPAA.
For example, areas of HCFA examinations may include, but are not
limited to:
The issuer's, or non-Federal governmental plan's
certificate of creditable coverage issuance procedures and practices;
Claim denials based on pre-existing condition exclusion
provisions of the issuer's, or the non-Federal governmental plans;
The issuance of guaranteed available individual and small
employer group products; or
The guaranteed renewability of health insurance policies.
A market conduct examination may be performed at HCFA's initiation,
or upon request of a potential responsible entity. During the course of
a complaint investigation, HCFA may determine that a pattern of
noncompliance exists to warrant a market conduct examination. An
issuer, or a non-Federal governmental plan, may request a market
conduct examination to confirm compliance or to identify potential
violations and initiate corrective action that may enable it to
completely avoid imposition of a civil money penalty under Sec. 150.315
of this subpart. If we identify potential violations, we will provide
notice to the issuer or other responsible entity of such defects and
may present a proposed plan of correction.
A market conduct examination may be performed through either on-
site examinations, when appropriate; or ``in-house'' examinations or
``desk audits'' at a HCFA location. In general, on-site examinations
are appropriate when we have reason to believe that, in order to obtain
and have ready access to all of the information necessary to identify
existing failures to comply with HIPAA or confirm the compliance of an
issuer, or a non-Federal governmental plan, it is necessary for our
examiners to be at a responsible entity's site. On-site examinations
may also be appropriate when the market share of an issuer represents a
significant portion of the marketplace in a State or when an issuer's
entire program for HIPAA compliance is the subject of the examination.
In general, a ``desk audit'' is sufficient to confirm a responsible
entity's compliance with regard to a specific area(s) of compliance or
when circumstances make an on-site examination impracticable.
When HCFA identifies an issue that warrants investigation, HCFA
will appoint one or more examiners to perform the examination and
instruct them as to the scope of the examination. HCFA will observe the
guidelines adopted by the NAIC and may employ additional guidelines as
deemed appropriate. Upon completion of the market conduct examination,
HCFA will develop a report that will address the results of the
examination. Responsible entities will be advised of HCFA's position on
each issue contained in the report. The purpose of the report is to
identify areas of the business or operational affairs of the
responsible entity that may need to be corrected.
[[Page 45791]]
Sections 150.315 Through 150.323 Provisions Relating to the Amount of
Penalty
These sections of the regulation establish the process for
determining the amount of any penalty that is imposed on a responsible
entity for a violation of a provision or requirement of HIPAA. The
statute allows for a penalty that does not exceed $100 for each day for
each individual with respect to each violation. The statute further
requires at section 2722 that, in determining the amount of the
penalty, the responsible entity's previous record of compliance as well
as the gravity of the violation be taken into consideration. Therefore,
in determining the amount of the penalty, we intend to use a process
that takes into account both mitigating and aggravating circumstances.
We will take into account evidence of the entity's efforts to comply
with HIPAA in assessing the entity's previous record of compliance.
This will be determined largely through documentation submitted by the
responsible entity during the course of the investigation of the
complaint or other information. We will consider the gravity of the
violation by reviewing the frequency of the violation as well as the
level of the financial impact on any affected individuals.
Responsible entities that discover violations are encouraged to
take all necessary steps to correct the violations and identify the
individuals adversely affected and restore their rights. Under
Sec. 150.319, those actions taken by responsible entities to correct
the violations and restore individuals' rights will be considered
mitigating circumstances and will be taken into account to reduce the
penalty or assessment.
Conversely, under Sec. 150.321, we will consider as aggravating
circumstances instances in which violations that appear to be frequent
have resulted in an obvious or significant financial and other impacts
on affected individuals or cannot be adequately corrected. These
parameters will be considered in determining the gravity of the
violation. In determining the appropriate amount of the penalty and
assessment to be imposed, we will take into account all mitigating and
aggravating circumstances outlined by these sections.
Section 150.325 Settlement Authority
This section will state that nothing in Secs. 150.315 through
150.323 limits our authority to settle any issue or case or to reduce
any penalty or assessment.
Section 150.341 Limitations on Penalties
This section explains that HCFA will not impose any civil money
penalty on any failure if the failure was due to reasonable cause and
not due to willful neglect and the failure was corrected within 30 days
of the first day that any of the entities against whom the penalty
would be imposed knew, or exercising reasonable diligence would have
known, that the failure existed. The burden of establishing that the
responsible entity did not know, and exercising reasonable diligence,
could not have known that a failure existed, is on the responsible
entity.
Section 150.343 Notice of Proposed Penalty
This section of the regulation further describes the information to
be disclosed in the written notice of the proposed penalty to the
responsible entity, including instructions to the responsible entity
for responding and an explanation of the entity's right to a hearing if
the responsible entity is appealing the proposed penalty.
Section 150.345 Appeal of Proposed Penalty
We include this section to direct the reader to our appeal
procedures.
Section 150.347 Failure to Request a Hearing
This section of the regulation describes our responsibility to
notify the entity in writing of the assessed penalty and the means by
which to satisfy the judgment following the entity's failure to request
a hearing within the specified period of time.
Appendix A to Subpart C of Part 150--Examples of Violations
This Appendix A includes examples of practices which, if undertaken
by issuers, or non-federal governmental plans, may warrant the
imposition of a civil money penalty. For convenience, the Appendix is
divided into the group and individual markets and the types of
violations are listed in numerical order by regulatory citation number
in each of the two markets.
Subpart D--Administrative Hearings
This subpart describes the processes for administrative hearings
and appeals of civil money penalties.
Sections 150.401 Through 150.463
Sections 150.401 through 150.463 set forth the procedures for
appeal of HCFA's assessment of a civil money penalty. The PHS Act
provides that if a responsible entity appeals HCFA's assessment of a
civil money penalty, the administrative law judge hearing the appeal
makes the initial agency decision.
Although the administrative law judge makes the initial agency
decision, the considerations and factors set forth in this part are
binding on the administrative law judge's decision. The administrative
law judge may not add or disregard such considerations and factors in
deciding whether assessment of a civil money penalty is appropriate,
and the amount of such penalty.
Section 150.457 sets forth the process through which the HCFA
Administrator may vacate or modify the administrative law judge's
decision. Section 150.459 provides that any responsible entity against
whom a final assessment of a civil money penalty is made may appeal
that assessment to the appropriate United States District Court.
Section 150.465 Collection and Use of Penalty Funds
This section describes to whom (HCFA) penalty funds are paid and
how they may be used.
Sections 144.101, 144.102, and 144.103
We are adding provisions to include the new part 150. We are also
revising the definition of ``non-Federal governmental plan'' under
Sec. 144.103 because the existing definition reiterates the definition
in section 2791(d)(8)(C) of the PHS Act. This definition simply states
that the term ``non-Federal governmental plan'' means ``a governmental
plan that is not a Federal governmental plan.'' Section 2791(d)(8)(A)
defines the term ``governmental plan'' as that term is defined under
section 3(32) of ERISA. (Determining whether an entity is a
``governmental plan'' for purposes of section 3(32) of ERISA is within
the jurisdiction of the Department of Labor.) Subparagraphs (B) and (C)
of section 2791(d)(8), respectively, define ``Federal governmental
plan'' and ``non-Federal governmental plan''. ERISA does not separately
define these terms. Section 3(32) of ERISA, in pertinent part, defines
the term ``governmental plan'' as ``a plan established or maintained
for its employees by the Government of the United States, by the
government of any State or political subdivision thereof, or by any
agency or instrumentality of any of the foregoing.'' We have revised
the definition of the term ``non-Federal governmental plan'' by
adopting that portion of the ERISA definition of ``governmental plan''
that defines a non-Federal governmental plan.
[[Page 45792]]
Parts 146 and 148
We are deleting Secs. 146.184, 148.200, and 148.202, as these
provisions are now in part 150.
III. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995, we are required to
provide a 60-day notice in the Federal Register and solicit public
comment before a collection of information is submitted to the Office
of Management and Budget (OMB) for review and approval. This document
does not impose any information collection and record keeping
requirements subject to the Paperwork Reduction Act (PRA).
Consequently, it does not need to be reviewed by the Office of
Management and Budget (OMB) under the authority of the PRA.
IV. Response to Comments
Because of the large number of items of correspondence we normally
receive on Federal Register documents published for comment, we are not
able to acknowledge or respond to them individually. We will consider
all comments we receive by the date and time specified in the DATES
section of this preamble, and, if we proceed with a subsequent
document, we will respond to the major comments in the preamble to that
document.
V. Waiver of Proposed Rulemaking
We ordinarily publish a notice of proposed rulemaking in the
Federal Register and invite public comment on the proposed rule. The
notice of proposed rulemaking includes a reference to the legal
authority under which the rule is proposed, and the terms and
substances of the proposed rule or a description of the subjects and
issues involved. This procedure can be waived, however, if an agency
finds good cause that a notice-and-comment procedure is impracticable,
unnecessary, or contrary to the public interest and incorporates a
statement of the finding and its reasons in the rule issued. We believe
that dispensing with proposed rulemaking is in the public interest.
Proposed rulemaking is also unnecessary. Accordingly, we are proceeding
here directly with an interim final rule.
The basic requirements of this interim final rule already exist in
45 CFR parts 146 and 148. Therefore, we are not adding anything that
will impose new requirements. We do include provisions that will assist
health insurance issuers, and non-Federal governmental plans/employers,
by letting them know what they can do if we impose a civil money
penalty; for example, refute our findings or request a hearing. This
rule will also help individuals whose health insurance coverage is
subject to part 146 or 148 in that we will be better able to enforce
our rules and provide protections to individuals.
Therefore, we find good cause to waive the notice of proposed
rulemaking and to issue this rule as an interim final rule with comment
period. We are, however, providing a 60-day comment period and will
respond to comments we receive in any subsequent Federal Register
document.
VI. Regulatory Impact Statement
A. Overall Impact
We have examined the impacts of this rule as required by Executive
Order 12866 and the Regulatory Flexibility Act (RFA) (Pub. L. 96-354).
Executive Order 12866 directs agencies to assess all costs and benefits
of available regulatory alternatives and, if regulation is necessary,
to select regulatory approaches that maximize net benefits (including
potential economic, environmental, public health and safety effects,
distributive impacts, and equity). A regulatory impact analysis (RIA)
must be prepared for major rules with economically significant effects
($100 million or more annually). A discussion regarding the expected
economic effects of this interim final rule is presented below.
The RFA requires agencies to analyze options for regulatory relief
of small businesses. For purposes of the RFA, small entities include
small businesses and nonprofit organizations. Entities are considered
small either because of nonprofit status or because of having revenues
of $5 million or less annually. For purposes of the RFA, we consider it
unlikely that many health insurance issuers will meet this definition
of small entity. This interim final rule will also affect non-Federal
governmental plans, but these plans do not meet the definition of a
small entity.
Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule that may result in an annual expenditure by State,
local, or tribal governments, in the aggregate, or by the private
sector, of $100 million. Although this interim final rule will affect
State and local governments and health insurance issuers in the private
sector, such impact is expected to be minimal and less than $100
million in the aggregate. Set forth below is a discussion regarding the
expected impact of this interim final rule.
B. Anticipated Effects
The Congress intended that the protections provided in HIPAA be
afforded to all Americans, regardless of whether such protections are
guaranteed by States or the Federal government. These regulations are
intended to expand upon the basic process for Federal enforcement of
HIPAA. Federal enforcement presently exists in California, Missouri and
Rhode Island. We estimate that approximately 325 health insurance
issuers offer health insurance coverage in these States and would
therefore be affected by these regulations. While we recognize that
direct Federal enforcement may become necessary in additional States,
we are unable to predict the number of States or issuers affected in
the future. We expect these regulations to impose a minimal burden on
States, health insurance issuers, and non-Federal governmental plans/
employers but we invite comments from affected parties regarding the
potential or real impact of these regulations.
1. Effects on State and Local Governments
The primary impact of these regulations on States is to clarify the
process by which we determine that Federal enforcement is necessary. As
described in the regulations, which closely follow the statutory
language, we determine that Federal enforcement is necessary when
either a State notifies us of its failure to enact and/or enforce the
necessary legislation; or we receive information or otherwise discover
that a State is not substantially enforcing HIPAA. We are exercising
our regulatory discretion where necessary to ensure that consumers are
protected to the full extent of the law. The impact of our regulatory
discretion with respect to States is discussed below.
These regulations will also affect State and local governments to
the extent that these governments provide health plans to their
employees. These plans, designated as non-Federal governmental plans
under HIPAA, are subject to our direct enforcement, but those that are
self-funded are permitted to elect to be exempt from one or more HIPAA
provisions, with the exception of the requirement that the plan issue
certificates of creditable coverage. The impact of these regulations on
non-Federal governmental plans is discussed below under subsection 2.
These regulations, however, will not affect health plans provided by
tribal governments because such entities are not covered by the PHS Act
and are
[[Page 45793]]
therefore not subject to our direct enforcement.
The interim final regulations published on April 8, 1997 (42 CFR
Parts 144, 146, and 148) address the situation in which we learn of a
State's failure to substantially enforce the HIPAA provisions by a
``complaint or other means.'' These interim final regulations clarify
the scope of the term ``other means'' to include informal contact
between us and State officials, a report in the news media, periodic
communication by us with the States, periodic review of State health
care legislation, or any other information that indicates a substantial
failure to enforce. Since many individuals protected by HIPAA will not
initiate complaints because they are unaware of their rights under the
law and therefore do not realize when their rights are being denied or
abridged, we cannot limit the basis of our investigation solely to
complaints received from individuals. Therefore, we have clarified the
definition of ``other information'' to include other forms of
information so that we will learn about potential HIPAA violations and
if necessary, initiate enforcement action as soon as possible.
If we initiate an inquiry in a particular State, we may begin our
inquiry by informally contacting appropriate State officials. If a
State informs us that it is enforcing all of the HIPAA provisions and
requirements, we will take no further action unless there are further
indications to contradict the State's assertion. If we find that a
State has failed to substantially enforce HIPAA, we will allow the
State a reasonable opportunity to correct such a failure. It is only
when other efforts have failed that we will initiate the formal
determination process in a particular State. Thus, as permitted by
current regulations, while we may initiate an inquiry in a State on
information other than a complaint, these regulations that we are
publishing today will provide flexibility for the State to respond to
the inquiry and will allow the State a reasonable opportunity to
enforce HIPAA.
In the event that we determine that there is a reasonable basis for
finding a State's failure to substantially enforce HIPAA, we will
provide written notice to the chief executive officer of the State and
other appropriate State officials. In the interim final regulations
published on April 8, 1997 a response time of 45 days was allowed. This
regulation shortens the response time to 30 days in order to lessen any
adverse effect on individuals in that particular State. Individuals may
not incur a break in coverage of more than 63 days without losing their
right to HIPAA protections. Our primary concern is that individuals
receive rights to which they are entitled under HIPAA. This shorter
response time appears to strike a balance between the States'
prerogative to regulate health insurance issuers and the rights of
individuals that Congress intended to protect by enacting HIPAA. We
have invited comments on this change.
However, if a State is unable to respond to our inquiry within the
30-day response period, these regulations will allow us to extend the
30-day response period for good cause. We estimate that those States
responding to an inquiry will incur some costs in providing
information, whether orally or in writing, to demonstrate their
enforcement of HIPAA.
These regulations also provide a transition process from Federal
enforcement back to State enforcement if and when HCFA determines that
Federal enforcement is no longer necessary. The impact of these
transitional processes is difficult to estimate at this time. We invite
comments on this process and the possible impacts associated with it.
2. Effects of These Regulations on Non-Federal Governmental Plans
State and local governmental plans may offer health insurance
coverage to their members through an issuer or may self-insure their
members. For those non-Federal governmental plans that offer health
insurance coverage through an issuer, violations by the non-Federal
governmental plan are subject to our enforcement. Violations by the
issuer are subject to enforcement by the State unless HCFA is directly
enforcing HIPAA requirements in that State. Those plans that self-
insure their members (i.e., do not purchase insurance from an insurance
issuer) are subject to our enforcement but are also permitted to elect
exemptions from one or more HIPAA requirements. To date, approximately
615 self-insured non-Federal governmental plans have notified us of
their intent to opt out of one or more HIPAA provisions. Since self-
insured non-Federal governmental plans are permitted to elect exemption
from one or more HIPAA provisions, we expect to find relatively few of
these plans out of compliance with HIPAA. While the exact number of
non-Federal governmental plans is not known at this time, we do not
expect many more plans to exercise their right to opt out. In general,
the effects of the regulations on health insurance issues as discussed
below under subsection 3, also apply to non-Federal governmental
plans/employers that are subject to HIPAA requirements.
3. Effects of the Regulations on Health Insurance Issuers Offering
Individual or Group Health Insurance Coverage
In those instances in which HCFA enforces HIPAA, we are responsible
for enforcing HIPAA with respect to health insurance issuers. As stated
above, we estimate that 325 health insurance issuers issue policies in
those three States currently subject to Federal enforcement in the
individual market, group market, or both (California, Missouri, and
Rhode Island). These issuers will be primarily affected to the extent
that they fail to comply with the HIPAA provisions and requirements.
Issuers will be required to establish new relationships and communicate
directly with Federal officials. Thus, issuers may incur some costs as
they develop and maintain new processes for dealing with Federal
regulators. However, in those States in which we have begun directly
enforcing HIPAA, we have already held meetings with health insurance
issuers and provided information about appropriate Federal officials
and general enforcement processes. Thus, to some extent, new
relationships between health insurance issuers and Federal officials
have already been established in those States. Issuers in those States
will therefore incur only minimal costs in maintaining these
relationships.
As part of our direct enforcement responsibilities, we may request
additional information from issuers pursuant to a complaint or other
information. This may impose a burden on issuers to the extent that
they must submit additional information to us in response to a
complaint. These interim final regulations will provide a process for
doing so that is similar to the complaint resolution process currently
in practice in many States. If a complaint or other information we
receive indicates a potential violation, we will provide written notice
to the issuer and provide 30 days from the date of the notice for the
issuer to respond with additional information. This time frame may be
more lenient than similar State requirements, which provide as few as
15 working days or 20 calendar days for the issuer's response. If the
30-day period is not sufficient, the issuer may request an extension
for good cause. We will consider the potential impact of granting an
extension on those individuals who may incur a significant break in
coverage as a result of the extension.
During an investigation of any potential violation, we will review
and consider documentation provided that
[[Page 45794]]
demonstrates the issuers compliance with HIPAA. These interim final
regulations will not require, but will suggest, documentation that an
issuer may submit in response to the complaint allegation. If, in the
course of an investigation of a potential violation, we discover a
pattern of noncompliance or any other issue that warrants further
investigation, we may initiate a market conduct examination of the
issuer. If, during the course of our examination, we identify a
potential violation(s), we will provide notice to the issuer of the
violation and a proposed plan of correction. While the issuer that
undergoes a market conduct examination may incur some costs in
providing the documentation requested pursuant to that examination, the
issuer may avoid the imposition of a civil money penalty or may be
subject to a civil money penalty of a lesser amount.
Although those health insurance issuers given notice of a potential
violation may incur additional costs in responding to our inquiry,
these costs are expected to be minimal and incurred only by a small
number of issuers. Generally, consumers will first seek redress by the
health insurance issuer and second by the State insurance department.
Complaints are then forwarded to one of our regional offices and
possibly our central office after the first two steps have been taken.
Therefore, the number of complaints that will be brought to our
attention will be relatively small given the universe of health
insurance issuers.
In those instances in which documents (e.g, new policy forms or
marketing materials) must be modified to meet the HIPAA standards,
issuers may have to resubmit these documents to the appropriate State
officials to be reviewed for compliance with other applicable State
laws. Thus, issuers may spend more time bringing new materials and
products to the market. However, in the absence of Federal enforcement,
these documents would have had to have been reviewed by State officials
for compliance with applicable HIPAA standards, as well as those of
other State laws. Under Federal enforcement, issuers are therefore
required to submit to a separate regulatory body--the Federal
government--only information they are already required to submit to the
State, and are expected to incur minimal costs in doing so.
In the event that an issuer is found to be in violation of HIPAA,
the Secretary of the Department of Health and Human Services is
authorized to impose civil money penalties of no more than $100 for
each day for each violation for each affected individual. These
regulations will provide further details regarding possible
alternatives to the imposition of a civil money penalty, including
returning adversely affected individuals to the same position in which
they would have been had the violation not occurred.
However, in the event that an issuer refuses to respond to or
resolve a complaint or other inquiry in a satisfactory manner, we will
assess the penalty and provide notice of this penalty to the health
insurance issuer. In assessing the penalty, we will consider several
mitigating factors, also enumerated in the current interim final
regulations, which include the issuer's record of prior compliance and
the gravity of the violation. We will also consider aggravating
circumstances, including the frequency of the violation, the financial
and other impacts of the violation on the average affected individual,
or the issuer's inability to show that substantially all of the
violations were corrected. Issuers will be permitted to request a
hearing and may also request a settlement or alternative dispute
resolution.
4. Effects on the Medicare and Medicaid Programs
We do not expect that this rule will have any impact on Medicare
expenditures or the solvency of the trust fund or on Medicaid program
expenditures.
5. Federalism
Under Executive Order 12612, this regulation will not significantly
affect the States beyond what is required by HIPAA. It follows the
intent and letter of the law and does not usurp State authority beyond
what the HIPAA requires. This regulation describes only processes that
must be undertaken to fulfill our obligation to conduct enforcement as
required by the April 8, 1997 regulation. In addition, HIPAA follows a
narrow preemption of State laws and does not preempt State laws that
afford greater protections to HIPAA-eligible individuals.
We have included various provisions throughout this regulation that
demonstrate cooperation with the States. For example, States are
afforded the opportunity to enforce HIPAA requirements, which is the
preferred avenue of HIPPA implementation. If we receive information
that a State is not substantially enforcing, we first ask whether State
officials have been notified. We may also contact State officials
informally to discuss the requirements that are allegedly not being
enforced. If the State provides a satisfactory explanation that
indicates it is enforcing the HIPAA requirements, we will take no
further action unless we receive further information to validate the
assertion that the State is failing to enforce the requirements.
If there is a reasonable question regarding whether a State is
failing to substantially enforce HIPAA requirements, we will send our
preliminary determination to the chief executive officer of the State,
as well as to other appropriate regulatory officials of the State. This
preliminary determination will provide the State with a reasonable
opportunity to present evidence of substantial enforcement, to take
corrective action, and under certain specific circumstances, with an
opportunity to request an extension.
If we subsequently find that a State is not enforcing the HIPAA
requirements, we will issue a final written determination that will
identify the requirements that we will enforce and the effective date
of our enforcement. Under certain circumstances it is even possible
that States may enforce certain requirements while we enforce others.
After we have assumed enforcement responsibility in a State, should
the State demonstrate that it is prepared to begin its own enforcement
we may, at our discretion, enter into discussions with State officials
regarding the possibility of a transition back to State enforcement. In
this case, to the extent permissible, we will make our records
documenting compliance and enforcement available for incorporation into
State records.
C. Alternatives Considered
Throughout the process of developing these regulations, we
attempted to balance States' interest in regulating health insurance
issuers and the rights of those individuals that the Congress intended
to protect in enacting HIPAA. In those cases where we are exercising
regulatory discretion (described above), we are allowing States the
maximum amount of flexibility without jeopardizing the individual's
rights to the HIPAA protections. Likewise, we are attempting to
establish a process for investigating complaints and other information
regarding potential HIPAA violations that serves as an effective
deterrent to HIPAA violations. This process will provide ample notice
to the issuer and other responsible entities under investigation and
will provide guidance to issuers and other responsible entities that
wish to comply with the HIPAA provisions. We expect these regulations
to impose a minimal burden on States, health insurance issuers, and
non-Federal governmental plans/employers but we invite
[[Page 45795]]
comments from affected parties regarding the potential or real impact
of these regulations.
D. Conclusion
In accordance with the requirements of the RFA, we have performed
the above analysis, and we believe that there will be minimal impact on
small entities. We request comments on our findings. In accordance with
the provisions of Executive Order 12866, this regulation was reviewed
by the Office of Management and Budget.
List of Subjects Affected
45 CFR Parts 144 and 146
Health care, Health insurance, Reporting and recordkeeping
requirements.
45 CFR Part 148
Administrative practice and procedure, Health care, Health
insurance, Penalties, Reporting and recordkeeping requirements.
45 CFR Part 150
Administrative practice and procedure, Health care, Health
insurance, Penalties, Reporting and recordkeeping requirements.
For the reasons set forth in the preamble, 45 CFR subtitle A,
subchapter B, is amended as set forth below:
A. Part 144 is amended as follows:
PART 144--REQUIREMENTS RELATING TO HEALTH INSURANCE COVERAGE
1. The authority citation for part 144 continues to read as
follows:
Authority: Secs. 2701 through 2763, 2791, and 2792 of the Public
Health Service Act (42 U.S.C. 300gg through 300gg-63, 300gg-91, and
300gg-92).
2. Section 144.101 is revised to read as follows:
Sec. 144.101 Basis and purpose.
(a) Part 146 of this subchapter implements sections 2701 through
2723 of the Public Health Service Act (PHS Act, 42 U.S.C. 300gg, et
seq.). Its purpose is to improve access to group health insurance
coverage, guarantee the renewability of all coverage in the group
market, provide certain protections for mothers and newborns with
respect to coverage for hospital stays in connection with childbirth,
and provide parity between the application of annual and lifetime
dollar limits to mental health benefits and those limits for other
health benefits and to provide certain protections for patients who
elect breast reconstruction in connection with a mastectomy.
(b) Part 148 of this subchapter implements sections 2741 through
2763 of the PHS Act. Its purpose is to improve access to individual
health insurance coverage for certain individuals who previously had
group coverage, guarantee the renewability of all health insurance
coverage in the individual market, and provide certain protections for
mothers and newborns with respect to coverage for hospital stays in
connection with childbirth, and to provide certain protections for
patients who elect breast reconstruction in connection with a
mastectomy.
(c) Part 150 of this subchapter implements the enforcement
provisions of sections 2722 and 2761 of the PHS Act with respect to the
following:
(1) States that fail to substantially enforce one or more
provisions of part 146 concerning group health insurance or the
requirements of part 148 of this subchapter concerning individual
health insurance.
(2) Insurance issuers in States described in paragraph (c)(1) of
this section.
(3) Group health plans that are non-Federal governmental plans.
(d) Sections 2791 and 2792 of the PHS Act define terms used in the
regulations in this subchapter and provide the basis for issuing these
regulations.
3. In Sec. 144.102, paragraph (d) is added to read as follows:
Sec. 144.102 Scope and applicability.
* * * * *
(d) Provisions relating to HCFA enforcement of one or more
provisions of part 146 or the requirements of part 148, or both, are
contained in part 150 of this subchapter.
4. In Sec. 144.103, the title, the introductory text, and the
definition of non-Federal governmental plan are revised and a
definition of ``HCFA'' is added to read as follows:
Sec. 144.103 Definitions.
For purposes of parts 146 (group market), 148 (individual market),
and 150 (enforcement) of this subchapter, the following definitions
apply unless otherwise provided:
* * * * *
HCFA means the Health Care Financing Administration.
* * * * *
Non-Federal governmental plan means a governmental plan established
or maintained for its employees by the government of any State or
political subdivision thereof, or by any agency or instrumentality of
either.
* * * * *
PART 146--[AMENDED]
B. Part 146 is amended as follows:
1. The authority citation continues to read as follows:
Authority: Secs. 2701 through 2723, 2791, and 2792 of the PHS
Act, 42 U.S.C. 300gg through 300gg-63, 300gg-91, and 300gg-92.
Sec. 146.180 [Amended]
2. The cross-reference in Sec. 146.180(i)(2) to
``Sec. 146.184(d)(7)(iii)(B)'' is revised to read
``Sec. 150.341(a)(2).''
3. The cross-reference in Sec. 146.180(i)(3) to ``Sec. 146.184'' is
revised to read ``part 150 of this subchapter.''
Sec. 146.184 [Removed]
4. Section 146.184 is removed.
PART 148--[AMENDED]
C. Part 148 is amended as follows:
1. The authority citation continues to read as follows:
Authority: Secs. 2741 through 2763, 2791, and 2792 of the Public
Health Service Act (42 U.S.C. 300gg-41 through 300gg-63, 300gg-91,
and 300gg-92).
Sec. Sec. 148.200 and 148.202 [Removed]
2. Sections 148.200 and 148.202 are removed.
D. Part 150 is added to read as follows:
PART 150--HCFA ENFORCEMENT IN GROUP AND INDIVIDUAL INSURANCE
MARKETS
Subpart A--General Provisions
Sec.
150.101 Basis and scope.
150.103 Definitions.
Subpart B--HCFA Enforcement Processes For Determining Whether States
Are Failing to Substantially Enforce HIPAA Requirements
Sec.
150.201 State enforcement.
150.203 Circumstances requiring HCFA enforcement.
150.205 Sources of information triggering an investigation of State
enforcement.
150.207 Procedure for determining that a State fails to
substantially enforce HIPAA requirements.
150.209 Verification of exhaustion of remedies and contact with
State officials.
150.211 Notice to the State.
150.213 Form and content of notice.
150.215 Extension for good cause.
150.217 Preliminary determination.
150.219 Final determination.
150.221 Transition to State enforcement.
[[Page 45796]]
Subpart C--HCFA Enforcement With Respect to Issuers and Non-Federal
Governmental Plans--Civil Money Penalties
150.301 General rule regarding the imposition of civil money
penalties.
150.303 Basis for initiating an investigation of a potential
violation.
150.305 Determination of entity liable for civil money penalty.
150.307 Notice to responsible entities.
150.309 Request for extension.
150.311 Responses to allegations of noncompliance.
150.313 Market conduct examinations.
150.315 Amount of penalty--General.
150.317 Factors HCFA uses to determine the amount of penalty.
150.319 Determining the amount of the penalty--mitigating
circumstances.
150.321 Determining the amount of penalty--aggravating
circumstances.
150.323 Determining the amount of penalty--other matters as justice
may require.
150.325 Settlement authority.
150.341 Limitations on penalties.
150.343 Notice of proposed penalty.
150.345 Appeal of proposed penalty.
150.347 Failure to request a hearing.
Appendix A to Subpart C of Part 150--Examples of Violations
Subpart D--Administrative Hearings
150.401 Definitions.
150.403 Scope of ALJ's authority.
150.405 Filing of request for hearing.
150.407 Form and content of request for hearing.
150.409 Amendment of notice of assessment or request for hearing.
150.411 Dismissal of request for hearing.
150.413 Settlement.
150.415 Intervention.
150.417 Issues to be heard and decided by ALJ.
150.419 Forms of hearing.
150.421 Appearance of counsel.
150.423 Communications with the ALJ.
150.425 Motions.
150.427 Form and service of submissions.
150.429 Computation of time and extensions of time.
150.431 Acknowledgment of request for hearing.
150.435 Discovery.
150.437 Submission of briefs and proposed hearing exhibits.
150.439 Effect of submission of proposed hearing exhibits.
150.441 Prehearing conferences.
150.443 Standard of proof.
150.445 Evidence.
150.447 The record.
150.449 Cost of transcripts.
150.451 Posthearing briefs.
150.453 ALJ decision.
150.455 Sanctions.
150.457 Review by Administrator.
150.459 Judicial review.
150.461 Failure to pay assessment.
150.463 Final order not subject to review.
150.465 Collection and use of penalty funds.
Authority: Secs. 2701 through 2763, 2791, and 2792 of the PHS
Act (42 U.S.C. 300gg through 300gg-63, 300gg-91, and 300gg-92).
Subpart A--General Provisions
Sec. 150.101 Basis and scope.
(a) Basis. HCFA's enforcement authority under sections 2722 and
2761 of the PHS Act and its rulemaking authority under section 2792 of
the PHS Act provide the basis for issuing regulations under this part
150.
(b) Scope--(1) Enforcement with respect to group heath plans. The
provisions of title XXVII of the PHS Act that apply to group health
plans that are non-Federal governmental plans are enforced by HCFA
using the procedures described in Sec. 150.301 et seq.
(2) Enforcement with respect to health insurance issuers. The
States have primary enforcement authority with respect to the
requirements of title XXVII of the PHS Act that apply to health
insurance issuers offering coverage in the group or individual health
insurance market. If HCFA determines under subpart B of this part that
a State is not substantially enforcing title XXVII of the PHS Act,
including the implementing regulations in part 146 and part 148 of this
subchapter, HCFA enforces them under subpart C of this part.
Sec. 150.103 Definitions.
The definitions that appear in part 144 of this subchapter apply to
this part 150, unless stated otherwise. As used in this part:
Amendment, endorsement, or rider means a document that modifies or
changes the terms or benefits of an individual policy, group policy, or
certificate of insurance.
Application means a signed statement of facts by a potential
insured that an issuer uses as a basis for its decision whether, and on
what basis to insure an individual, or to issue a certificate of
insurance, or that a non-Federal governmental health plan uses as a
basis for a decision whether to enroll an individual under the plan.
Certificate of insurance means the document issued to a person or
entity covered under an insurance policy issued to a group health plan
or an association or trust that summarizes the benefits and principal
provisions of the policy.
Complaint means any expression, written or oral, indicating a
potential denial of any right or protection contained in HIPAA
requirements (whether ultimately justified or not) by an individual, a
personal representative or other entity acting on behalf of an
individual, or any entity that believes such a right is being or has
been denied an individual.
Group health insurance policy or group policy means the legal
document or contract issued by an issuer to a plan sponsor with respect
to a group health plan (including a plan that is a non-Federal
governmental plan) that contains the conditions and terms of the
insurance that covers the group.
HIPAA requirements means the requirements of title XXVII of the PHS
Act and its implementing regulations in parts 146 and 148 of this
subchapter.
Individual health insurance policy or individual policy means the
legal document or contract issued by the issuer to an individual that
contains the conditions and terms of the insurance. Any association or
trust arrangement that is not a group health plan as defined in
Sec. 144.103 of this subchapter or does not provide coverage in
connection with one or more group health plans is individual coverage
subject to the requirements of part 148 of this subchapter. The term
``individual health insurance policy'' includes a policy that is----
(1) Issued to an association that makes coverage available to
individuals other than in connection with one or more group health
plans; or
(2) Administered, or placed in a trust, and is not sold in
connection with a group health plan subject to the provisions of part
146 of this subchapter.
Plan document means the legal document that provides the terms of
the plan to individuals covered under a group health plan, such as a
non-Federal governmental health plan.
State law means all laws, decisions, rules, regulations, or other
State action having the effect of law, of any State as defined in
Sec. 144.103 of this subchapter. A law of the United States applicable
to the District of Columbia is treated as a State law rather than a law
of the United States.
Subpart B--HCFA Enforcement Processes for Determining Whether
States Are Failing to Substantially Enforce HIPAA Requirements
Sec. 150.201 State enforcement.
Except as provided in subpart C of this part, each State enforces
HIPAA requirements with respect to health insurance issuers that issue,
sell, renew, or offer health insurance coverage in the State.
Sec. 150.203 Circumstances requiring HCFA enforcement.
HCFA enforces HIPAA requirements to the extent warranted (as
determined by HCFA) in any of the following circumstances:
[[Page 45797]]
(a) Notification by State. A State notifies HCFA that it has not
enacted legislation to enforce or that it is not otherwise enforcing
HIPAA requirements.
(b) Determination by HCFA. If HCFA receives or obtains information
that a State may not be substantially enforcing HIPAA requirements, it
may initiate the process described in this subchapter to determine
whether the State is failing to substantially enforce these
requirements.
(c) Special rule for guaranteed availability in the individual
market. If a State has notified HCFA that it is implementing an
acceptable alternative mechanism in accordance with Sec. 148.128 of
this subchapter instead of complying with the guaranteed availability
requirements of Sec. 148.120, HCFA's determination focuses on the
following:
(1) Whether the State's mechanism meets the requirements for an
acceptable alternative mechanism.
(2) Whether the State is implementing the acceptable alternative
mechanism.
(d) Consequence of a State not implementing an alternative
mechanism. If a State is not implementing an acceptable alternative
mechanism, HCFA determines whether the State is substantially enforcing
the requirements of Secs. 148.101 through 148.126 and Sec. 148.170 of
this subchapter.
Sec. 150.205 Sources of information triggering an investigation of
State enforcement.
Information that may trigger an investigation of State enforcement
includes, but is not limited to, any of the following:
(a) A complaint received by HCFA.
(b) Information learned during informal contact between HCFA and
State officials.
(c) A report in the news media.
(d) Information from the governors and commissioners of insurance
of the various States regarding the status of their enforcement of
HIPAA requirements.
(e) Information obtained during periodic review of State health
care legislation. HCFA may review State health care and insurance
legislation and regulations to determine whether they are:
(1) Consistent with HIPAA requirements.
(2) Not pre-empted as provided in Sec. 146.143 (relating to group
market provisions) and Sec. 148.120 (relating to individual market
requirements) on the basis that they prevent the application of a HIPAA
requirement.
(f) Any other information that indicates a possible failure to
substantially enforce.
Sec. 150.207 Procedure for determining that a State fails to
substantially enforce HIPAA requirements.
Sections 150.209 through 150.219 describe the procedures HCFA
follows to determine whether a State is substantially enforcing HIPAA
requirements.
Sec. 150.209 Verification of exhaustion of remedies and contact with
State officials.
If HCFA receives a complaint or other information indicating that a
State is failing to enforce HIPAA requirements, HCFA assesses whether
the affected individual or entity has made reasonable efforts to
exhaust available State remedies. As part of its assessment, HCFA may
contact State officials regarding the questions raised.
Sec. 150.211 Notice to the State.
If HCFA is satisfied that there is a reasonable question whether
there has been a failure to substantially enforce HIPAA requirements,
HCFA sends, in writing, the notice described in Sec. 150.213 of this
part, to the following State officials:
(a) The governor or chief executive officer of the State.
(b) The insurance commissioner or chief insurance regulatory
official.
(c) If the alleged failure involves HMOs, the official responsible
for regulating HMOs if different from the official listed in paragraph
(b) of this section.
Sec. 150.213 Form and content of notice.
The notice provided to the State is in writing and does the
following:
(a) Identifies the HIPAA requirement or requirements that have
allegedly not been substantially enforced.
(b) Describes the factual basis for the allegation of a failure or
failures to enforce HIPAA requirements.
(c) Explains that the consequence of a State's failure to
substantially enforce HIPAA requirements is that HCFA enforces them.
(d) Advises the State that it has 30 days from the date of the
notice to respond, unless the time for response is extended as
described in Sec. 150.215 of this subpart. The State's response should
include any information that the State wishes HCFA to consider in
making the preliminary determination described in Sec. 150.217.
Sec. 150.215 Extension for good cause.
HCFA may extend, for good cause, the time the State has for
responding to the notice described in Sec. 150.213 of this subpart.
Examples of good cause include an agreement between HCFA and the State
that there should be a public hearing on the State's enforcement, or
evidence that the State is undertaking expedited enforcement
activities.
Sec. 150.217 Preliminary determination.
If, at the end of the 30-day period (and any extension), the State
has not established to HCFA's satisfaction that it is substantially
enforcing the HIPAA requirements described in the notice, HCFA takes
the following actions:
(a) Consults with the appropriate State officials identified in
Sec. 150.211 (or their designees).
(b) Notifies the State of HCFA's preliminary determination that the
State has failed to substantially enforce the requirements and that the
failure is continuing.
(c) Permits the State a reasonable opportunity to show evidence of
substantial enforcement.
Sec. 150.219 Final determination.
If, after providing notice and a reasonable opportunity for the
State to show that it has corrected any failure to substantially
enforce, HCFA finds that the failure to substantially enforce has not
been corrected, it will send the State a written notice of its final
determination. The notice includes the following:
(a) Identification of the HIPAA requirements that HCFA is
enforcing.
(b) The effective date of HCFA's enforcement.
Sec. 150.221 Transition to State enforcement.
(a) If HCFA determines that a State for which it has assumed
enforcement authority has enacted and implemented legislation to
enforce HIPAA requirements and also determines that it is appropriate
to return enforcement authority to the State, HCFA will enter into
discussions with State officials to ensure that a transition is
effected with respect to the following:
(1) Consumer complaints and inquiries.
(2) Instructions to issuers.
(3) Any other pertinent aspect of operations.
(b) HCFA may also negotiate a process to ensure that, to the extent
practicable, and as permitted by law, its records documenting issuer
compliance and other relevant areas of HCFA's enforcement operations
are made available for incorporation into the records of the State
regulatory authority that will assume enforcement responsibility.
[[Page 45798]]
Subpart C--HCFA Enforcement With Respect to Issuers and Non-Federal
Governmental Plans--Civil Money Penalties
Sec. 150.301 General rule regarding the imposition of civil money
penalties.
If any health insurance issuer that is subject to HCFA's
enforcement authority under Sec. 150.101(b)(2), or any non-Federal
governmental plan (or employer that sponsors a non-Federal governmental
plan) that is subject to HCFA's enforcement authority under
Sec. 150.101(b)(1), fails to comply with HIPAA requirements, it may be
subject to a civil money penalty as described in this subpart.
Sec. 150.303 Basis for initiating an investigation of a potential
violation.
(a) Information. Any information that indicates that any issuer may
be failing to meet the HIPAA requirements or that any non-Federal
governmental plan that is a group health plan as defined in section
2791(a)(1) of the PHS Act and 45 CFR Sec. 144.103 may be failing to
meet an applicable HIPAA requirement, may warrant an investigation.
HCFA may consider, but is not limited to, the following sources or
types of information:
(1) Complaints.
(2) Reports from State insurance departments, the National
Association of Insurance Commissioners, and other Federal and State
agencies.
(3) Any other information that indicates potential noncompliance
with HIPAA requirements.
(b) Who may file a complaint. Any entity or individual, or any
entity or personal representative acting on that individual's behalf,
may file a complaint with HCFA if he or she believes that a right to
which the aggrieved person is entitled under HIPAA requirements is
being, or has been, denied or abridged as a result of any action or
failure to act on the part of an issuer or other responsible entity as
defined in Sec. 150.305.
(c) Where a complaint should be directed. A complaint may be
directed to any HCFA regional office.
Sec. 150.305 Determination of entity liable for civil money penalty.
If a failure to comply is established under this Part, the
responsible entity, as determined under this section, is liable for any
civil money penalty imposed.
(a) Health insurance issuer is responsible entity--(1) Group health
insurance policy. To the extent a group health insurance policy issued,
sold, renewed, or offered to a private plan sponsor or a non-Federal
governmental plan sponsor is subject to applicable HIPAA requirements,
a health insurance issuer is subject to a civil money penalty,
irrespective of whether a civil money penalty is imposed under
paragraphs (b) or (c) of this section, if the policy itself or the
manner in which the policy is marketed or administered fails to comply
with an applicable HIPAA requirement.
(2) Individual health insurance policy. To the extent an individual
health insurance policy is subject to an applicable HIPAA requirement,
a health insurance issuer is subject to a civil money penalty if the
policy itself, or the manner in which the policy is marketed or
administered, violates any applicable HIPAA requirement.
(b) Non-Federal governmental plan is responsible entity. (1) Basic
rule. If a non-Federal governmental plan is sponsored by two or more
employers and fails to comply with an applicable HIPAA requirement, the
plan is subject to a civil money penalty, irrespective of whether a
civil money penalty is imposed under paragraph (a) of this section. The
plan is the responsible entity irrespective of whether the plan is
administered by a health insurance issuer, an employer sponsoring the
plan, or a third-party administrator.
(2) Exception. In the case of a non-Federal governmental plan that
is not provided through health insurance coverage, this paragraph (b)
does not apply to the extent that the non-Federal governmental
employers have elected under Sec. 146.180 to exempt the plan from
applicable HIPAA requirements.
(c) Employer is responsible entity. (1) Basic rule. If a non-
Federal governmental plan is sponsored by a single employer and fails
to comply with an applicable HIPAA requirement, the employer is subject
to a civil money penalty, irrespective of whether a civil money penalty
is imposed under paragraph (a) of this section. The employer is the
responsible entity irrespective of whether the plan is administered by
a health insurance issuer, the employer, or a third-party
administrator.
(2) Exception. In the case of a non-Federal governmental plan that
is not provided through health insurance coverage, this paragraph (c)
does not apply to the extent the non-Federal governmental employer has
elected under Sec. 146.180 to exempt the plan from applicable HIPAA
requirements.
(d) Actions or inactions of agent. A principal is liable for
penalties assessed for the actions or inactions of its agent.
Sec. 150.307 Notice to responsible entities.
If an investigation under Sec. 150.303 indicates a potential
violation, HCFA provides written notice to the responsible entity or
entities identified under Sec. 150.305. The notice does the following:
(a) Describes the substance of any complaint or other information.
(See Appendix A to this subpart for examples of violations.)
(b) Provides 30 days from the date of the notice for the
responsible entity or entities to respond with additional information,
including documentation of compliance as described in Sec. 150.311.
(c) States that a civil money penalty may be assessed.
Sec. 150.309 Request for extension.
In circumstances in which an entity cannot prepare a response to
HCFA within the 30 days provided in the notice, the entity may make a
written request for an extension from HCFA detailing the reason for the
extension request and showing good cause. If HCFA grants the extension,
the responsible entity must respond to the notice within the time frame
specified in HCFA's letter granting the extension of time. Failure to
respond within 30 days, or within the extended time frame, may result
in HCFA's imposition of a civil money penalty based upon the complaint
or other information alleging or indicating a violation of HIPAA
requirements.
Sec. 150.311 Responses to allegations of noncompliance.
In determining whether to impose a civil money penalty, HCFA
reviews and considers documentation provided in any complaint or other
information, as well as any additional information provided by the
responsible entity to demonstrate that it has complied with HIPAA
requirements. The following are examples of documentation that a
potential responsible entity may submit for HCFA's consideration in
determining whether a civil money penalty should be assessed and the
amount of any civil money penalty:
(a) Any individual policy, group policy, certificate of insurance,
application, rider, amendment, endorsement, certificate of creditable
coverage, advertising material, or any other documents if those
documents form the basis of a complaint or allegation of noncompliance,
or the basis for the responsible entity to refute the complaint or
allegation.
(b) Any other evidence that refutes an alleged noncompliance.
[[Page 45799]]
(c) Evidence that the entity did not know, and exercising due
diligence could not have known, of the violation.
(d) Documentation that the policies, certificates of insurance, or
non-Federal governmental plan documents have been amended to comply
with HIPAA requirements either by revision of the contracts or by the
development of riders, amendments, or endorsements.
(e) Documentation of the entity's issuance of conforming policies,
certificates of insurance, plan documents, or amendments to
policyholders or certificate holders before the issuance of the notice
of intent to assess a penalty described in Sec. 150.307.
(f) Evidence documenting the development and implementation of
internal policies and procedures by an issuer, or non-Federal
governmental health plan or employer, to ensure compliance with HIPAA
requirements. Those policies and procedures may include or consist of a
voluntary compliance program. Any such program should do the following:
(1) Effectively articulate and demonstrate the fundamental mission
of compliance and the issuer's, or non-Federal governmental health
plan's or employer's, commitment to the compliance process.
(2) Include the name of the individual in the organization
responsible for compliance.
(3) Include an effective monitoring system to identify practices
that do not comply with HIPAA requirements and to provide reasonable
assurance that fraud, abuse, and systemic errors are detected in a
timely manner.
(4) Address procedures to improve internal policies when
noncompliant practices are identified.
(g) Evidence documenting the entity's record of previous compliance
with HIPAA requirements.
Sec. 150.313 Market conduct examinations.
(a) Definition. A market conduct examination means the examination
of health insurance operations of an issuer, or the operation of a non-
Federal governmental plan, involving the review of one or more (or a
combination) of a responsible entity's business or operational affairs,
or both, to verify compliance with HIPAA requirements.
(b) General. If, based on the information described in
Sec. 150.303, HCFA finds evidence that a specific entity may be in
violation of a HIPAA requirement, HCFA may initiate a market conduct
examination to determine whether the entity is out of compliance. HCFA
may conduct the examinations either at the site of the issuer or other
responsible entity or a site HCFA selects. When HCFA selects a site, it
may direct the issuer or other responsible entity to forward any
documentation HCFA considers relevant for purposes of the examination
to that site.
(c) Appointment of examiners. When HCFA identifies an issue that
warrants investigation, HCFA will appoint one or more examiners to
perform the examination and instruct them as to the scope of the
examination.
(d) Appointment of professionals and specialists. When conducting
an examination under this part, HCFA may retain attorneys, independent
actuaries, independent market conduct examiners, or other professionals
and specialists as examiners.
(e) Report of market conduct examination. (1) HCFA review. When
HCFA receives a report, it will review the report, together with the
examination work papers and any other relevant information, and prepare
a final report. The final examination report will be provided to the
issuer or other responsible entity.
(2) Response from issuer or other responsible entity. With respect
to each examination issue identified in the report, the issuer or other
responsible entity may:
(i) Concur with HCFA's position(s) as outlined in the report,
explaining the plan of correction to be implemented.
(ii) Dispute HCFA's position(s), clearly outlining the basis for
its dispute and submitting illustrative examples where appropriate.
(3) HCFA's reply to a response from an issuer or other responsible
entity. Upon receipt of a response from the issuer or other responsible
entity, HCFA will provide a letter containing its reply to each
examination issue. HCFA's reply will consist of one of the following:
(i) Concurrence with the issuer's or non-Federal governmental
plan's position.
(ii) Approval of the issuer's or non-Federal governmental plan's
proposed plan of correction.
(iii) Conditional approval of the issuer's or non-Federal
governmental plan's proposed plan of correction, which will include any
modifications HCFA requires.
(iv) Notice to the issuer or non-Federal governmental plan that
there exists a potential violation of HIPAA requirements.
Sec. 150.315 Amount of penalty--General.
A civil money penalty for each violation of 42 U.S.C. 300gg et seq.
may not exceed $100 for each day, for each responsible entity, for each
individual affected by the violation. Penalties imposed under this part
are in addition to any other penalties prescribed or allowed by law.
Sec. 150.317 Factors HCFA uses to determine the amount of penalty.
In determining the amount of any penalty, HCFA takes into account
the following:
(a) The entity's previous record of compliance. This may include
any of the following:
(1) Any history of prior violations by the responsible entity,
including whether, at any time before determination of the current
violation or violations, HCFA or any State found the responsible entity
liable for civil or administrative sanctions in connection with a
violation of HIPAA requirements.
(2) Documentation that the responsible entity has submitted its
policy forms to HCFA for compliance review.
(3) Evidence that the responsible entity has never had a complaint
for noncompliance with HIPAA requirements filed with a State or HCFA.
(4) Such other factors as justice may require.
(b) The gravity of the violation. This may include any of the
following:
(1) The frequency of the violation, taking into consideration
whether any violation is an isolated occurrence, represents a pattern,
or is widespread.
(2) The level of financial and other impacts on affected
individuals.
(3) Other factors as justice may require.
Sec. 150. 319 Determining the amount of the penalty--mitigating
circumstances.
For every violation subject to a civil money penalty, if there are
substantial or several mitigating circumstances, the aggregate amount
of the penalty is set at an amount sufficiently below the maximum
permitted by Sec. 150.315 to reflect that fact. As guidelines for
taking into account the factors listed in Sec. 150.317, HCFA considers
the following:
(a) Record of prior compliance. It should be considered a
mitigating circumstance if the responsible entity has done any of the
following:
(1) Before receipt of the notice issued under Sec. 150.307,
implemented and followed a compliance plan as described in
Sec. 150.311(f).
(2) Had no previous complaints against it for noncompliance.
(b) Gravity of the violation(s). It should be considered a
mitigating circumstance if the responsible entity has done any of the
following:
[[Page 45800]]
(1) Made adjustments to its business practices to come into
compliance with HIPAA requirements so that the following occur:
(i) All employers, employees, individuals and non-Federal
governmental entities are identified that are or were issued any
policy, certificate of insurance or plan document, or any form used in
connection therewith that failed to comply.
(ii) All employers, employees, individuals, and non-Federal
governmental plans are identified that were denied coverage or were
denied a right provided under HIPAA requirements.
(iii) Each employer, employee, individual, or non-Federal
governmental plan adversely affected by the violation has been, for
example, offered coverage or provided a certificate of creditable
coverage in a manner that complies with HIPAA requirements that were
violated so that, to the extent practicable, that employer, employee,
individual, or non-Federal governmental entity is in the same position
that he, she, or it would have been in had the violation not occurred.
(iv) The adjustments are completed in a timely manner.
(2) Discovered areas of noncompliance without notice from HCFA and
voluntarily reported that noncompliance, provided that the responsible
entity submits the following:
(i) Documentation verifying that the rights and protections of all
individuals adversely affected by the noncompliance have been restored;
and
(ii) A plan of correction to prevent future similar violations.
(3) Demonstrated that the violation is an isolated occurrence.
(4) Demonstrated that the financial and other impacts on affected
individuals is negligible or nonexistent.
(5) Demonstrated that the noncompliance is correctable and that a
high percentage of the violations were corrected.
Sec. 150.321 Determining the amount of penalty--aggravating
circumstances.
For every violation subject to a civil money penalty, if there are
substantial or several aggravating circumstances, HCFA sets the
aggregate amount of the penalty at an amount sufficiently close to or
at the maximum permitted by Sec. 150.315 to reflect that fact. HCFA
considers the following circumstances to be aggravating circumstances:
(a) The frequency of violation indicates a pattern of widespread
occurrence.
(b) The violation(s) resulted in significant financial and other
impacts on the average affected individual.
(c) The entity does not provide documentation showing that
substantially all of the violations were corrected.
Sec. 150.323 Determining the amount of penalty--other matters as
justice may require.
HCFA may take into account other circumstances of an aggravating or
mitigating nature if, in the interests of justice, they require either
a reduction or an increase of the penalty in order to assure the
achievement of the purposes of this part, and if those circumstances
relate to the entity's previous record of compliance or the gravity of
the violation.
Sec. 150.325 Settlement authority.
Nothing in Secs. 150.315 through 150.323 limits the authority of
HCFA to settle any issue or case described in the notice furnished in
accordance with Sec. 150.307 or to compromise on any penalty provided
for in Secs. 150.315 through 150.323.
Sec. 150.341 Limitations on penalties.
(a) Circumstances under which a civil money penalty is not imposed.
HCFA does not impose any civil money penalty on any failure for the
period of time during which none of the responsible entities knew, or
exercising reasonable diligence would have known, of the failure. HCFA
also does not impose a civil money penalty for the period of time after
any of the responsible entities knew, or exercising reasonable
diligence would have known of the failure, if the failure was due to
reasonable cause and not due to willful neglect and the failure was
corrected within 30 days of the first day that any of the entities
against whom the penalty would be imposed knew, or exercising
reasonable diligence would have known, that the failure existed.
(b) Burden of establishing knowledge. The burden is on the
responsible entity or entities to establish to HCFA's satisfaction that
no responsible entity knew, or exercising reasonable diligence would
have known, that the failure existed.
Sec. 150.343 Notice of proposed penalty.
If HCFA proposes to assess a penalty in accordance with this part,
it delivers to the responsible entity, or sends to that entity by
certified mail, return receipt requested, written notice of its intent
to assess a penalty. The notice includes the following:
(a) A description of the HIPAA requirements that HCFA has
determined that the responsible entity violated.
(b) A description of any complaint or other information upon which
HCFA based its determination, including the basis for determining the
number of affected individuals and the number of days for which the
violations occurred.
(c) The amount of the proposed penalty as of the date of the
notice.
(d) Any circumstances described in Secs. 150.317 through 150.323
that were considered when determining the amount of the proposed
penalty.
(e) A specific statement of the responsible entity's right to a
hearing.
(f) A statement that failure to request a hearing within 30 days
permits the assessment of the proposed penalty without right of appeal
in accordance with Sec. 150.347.
Sec. 150.345 Appeal of proposed penalty.
Any entity against which HCFA has assessed a penalty may appeal
that penalty in accordance with Sec. 150.401 et seq.
Sec. 150.347 Failure to request a hearing.
If the responsible entity does not request a hearing within 30 days
of the issuance of the notice described in Sec. 150.343, HCFA may
assess the proposed civil money penalty, a less severe penalty, or a
more severe penalty. HCFA notifies the responsible entity in writing of
any penalty that has been assessed and of the means by which the
responsible entity may satisfy the judgment. The responsible entity has
no right to appeal a penalty with respect to which it has not requested
a hearing in accordance with Sec. 150.405 unless the responsible entity
can show good cause, as determined under Sec. 150.405(b), for failing
to timely exercise its right to a hearing.
Appendix A to Subpart C of Part 150--Examples of Violations
This appendix lists actions in the group and individual markets
for which HCFA may impose civil money penalties. This list is not
all-inclusive.
Note 1: All cross-references to sections of the Code of Federal
Regulations are cross-references to sections in parts 144, 146, or
148 of this subchapter.
Note 2: Except as otherwise expressly noted, all references to
non-Federal governmental plans refer to non-Federal governmental
plans that are not exempt from HIPAA requirements (as defined in
Sec. 150.103) under section 2721(b)(2) of the PHS Act and
Sec. 146.180.
I. Basis for Imposition of Civil Money Penalties--Actions in the
Group Market
a. Failure to comply with the limitations on pre-existing
condition exclusions (Sec. 146.111).
[[Page 45801]]
Violations of the limitations on preexisting condition
exclusions, set forth in Sec. 146.111, includes those circumstances
in which a non-Federal governmental plan or health insurance issuer
offering group health insurance coverage does the following:
(1) Imposes a preexisting condition exclusion period that
exceeds 12 months or, in the case of a late enrollee, 18 months,
from the enrollment date (the first day of coverage or the first day
of the waiting period, if any).
(2) Fails to reduce a pre-existing condition exclusion period by
creditable coverage as provided in Secs. 146.111(a)(1)(iii) and
146.113.
(3) Imposes a pre-existing condition exclusion period without
first giving the two written notices required in Secs. 146.111(c)
and 146.115(d). The first notice is a general notice to all plan
participants of the existence and terms of any pre-existing
condition exclusion under the plan, and the rights of individuals to
demonstrate creditable coverage. The notice should explain the right
of an individual to request a certificate from a previous plan or
issuer, if necessary, and include a statement that the current plan
or issuer will assist in obtaining a certificate from a previous
plan or issuer, if necessary. The second notice is required to be
sent to any individual who has presented evidence of creditable
coverage, and to whom a pre-existing condition exclusion period will
be applied. This second notice informs the individual of the plan's
determination of any pre-existing condition exclusion period, the
basis for such determination, a written explanation of any appeals
procedures established by the plan or issuer, and a reasonable
opportunity to submit additional evidence of creditable coverage.
(4) Treats pregnancy as a pre-existing condition, as prohibited
by Sec. 146.111(b)(4). For example, an issuer may not refuse to pay
for prenatal care and delivery effective with the date maternity
coverage began because the individual did not have maternity
coverage at the time the pregnancy began.
(5) Imposes a pre-existing condition exclusion with regard to a
child who enrolls in a group health plan within 30 days of birth,
adoption, or placement for adoption.
(6) Imposes a pre-existing condition exclusion with regard to a
child who was enrolled in another group health plan within 30 days
of birth, adoption, or placement for adoption and who does not
experience significant break in coverage.
(7) Uses a pre-existing condition look-back period that exceeds
the six-month period ending on the enrollment date in violation of
Sec. 146.111(a)(1) of this chapter.
(8) Determines whether a pre-existing condition exclusion
applies by using a standard other than whether medical advice,
diagnosis, care, or treatment was actually recommended or received
during the look-back period. A determination that a reasonably
prudent person would or should have sought medical care for the
condition is an unacceptable standard by which to determine whether
a pre-existing condition exclusion applies.
(9) Uses genetic information as part of the definition of pre-
existing condition in the absence of a diagnosis of the condition
related to the genetic information.
(10) Otherwise fails to comply with Sec. 146.111.
b. Failure to comply with the provisions relating to creditable
coverage (Sec. 146.113).
Failure to comply with the Sec. 146.113 rules relating to
creditable coverage includes those circumstances in which a non-
Federal governmental plan or issuer offering group health insurance
coverage does the following:
(1) Fails to treat all forms of coverage listed in
Sec. 146.113(a) as creditable coverage.
(2) Counts creditable coverage in a manner inconsistent with the
standard method described in Sec. 146.113(b) or the alternative
method described in Sec. 146.113(c), if it elects to use the
alternative method.
(3) Treats an individual with fewer than 63 consecutive days
without creditable coverage as having a significant break in
coverage in violation of Sec. 146.113(b)(2)(iii).
(4) Takes either a waiting period or an affiliation period into
account when calculating a significant break in coverage, as
prohibited by Sec. 146.113(b)(2)(iii).
(5) Otherwise fails to comply with Sec. 146.113.
c. Failure to comply with the provisions regarding certification
and disclosure of previous coverage (Sec. 146.115).
Except as provided in paragraph (c)(b), the plan sponsor of a
self-funded non-Federal governmental plan may not elect to exempt
its plan from the requirements of this paragraph.
Failure to comply with the requirements in Sec. 146.115
regarding certification and disclosure of previous coverage includes
those circumstances in which a non-Federal governmental plan or
issuer offering group health insurance coverage does the following:
(1) Fails to ensure that individuals who request certification
receive it.
(2) Fails to automatically provide certificates of creditable
coverage promptly, either--
(i) When the individual ceases to be covered under the plan
(whether or not COBRA continuation coverage is offered or elected);
or
(ii) When the COBRA continuation coverage is exhausted or is
terminated by the individual, if COBRA continuation coverage was
offered and was elected.
(3) Fails to provide certificates of creditable coverage
promptly upon request.
(4) Fails to provide the required information in certificates of
creditable coverage.
(5) Fails to provide certificates of creditable coverage to
dependents.
(6) Fails to accept other evidence of creditable coverage as
provided in Sec. 146.115(c). (The plan sponsor of a self-funded non-
Federal governmental plan may elect to exempt its plan from the
requirements of this paragraph (6)).
(7) Otherwise fails to comply with Sec. 146.115.
d. Failure to comply with the provisions regarding special
enrollment periods (Sec. 146.117).
Failure to comply with the Sec. 146.117 requirements regarding
special enrollment periods includes those circumstances in which an
issuer or a non-Federal governmental plan does the following:
(1) Fails to permit employees and dependents to enroll for
coverage if they satisfy the conditions of Sec. 146.117(a) or (b).
(2) Fails to provide coverage on a timely basis to individuals
protected by a special enrollment period as provided in
Sec. 146.117.
(3) Fails to provide the employee with a description of the
plan's or issuer's special enrollment rules on or before the time
the employee is offered the opportunity to enroll as provided in
Sec. 146.117(c).
(4) Otherwise fails to comply with Sec. 146.117.
e. Failure to comply with the HMO affiliation period provisions
(Sec. 146.119).
Failure to comply with the Sec. 146.119 affiliation period
requirements includes those circumstances in which an HMO that
offers group health insurance coverage does the following:
(1) Imposes a pre-existing condition exclusion period.
(2) Charges a premium for months in an affiliation period.
(3) Fails to impose an affiliation period uniformly without
regard to any health status-related factor.
(4) Imposes an affiliation period that is longer than 2 months
(or 3 months for late enrollees), or one that begins later than the
enrollment date or does not run concurrently with any waiting
period.
(5) Otherwise fails to comply with Sec. 146.119.
f. Failure to comply with the provisions regarding
nondiscrimination (Sec. 146.121).
Failure to comply with the Sec. 146.121 prohibitions regarding
nondiscrimination includes those circumstances in which an issuer or
a non-Federal governmental plan does the following:
(1) Applies rules of eligibility (including continued
eligibility) to enroll under the terms of the plan based any of the
health-status related factors described in Sec. 146.121(a).
(2) Requires an individual as a condition of enrollment or re-
enrollment to pay a higher premium than others similarly situated by
reason of a health-status related factor of the individual or the
individual's dependent.
(3) Otherwise fails to comply with Sec. 146.121.
g. Failure to comply with the provisions relating to benefits
for mothers and newborns (Sec. 146.130) in States where the
Sec. 146.130 standards are applicable.
Failure of an issuer or a non-Federal governmental plan to
comply with the standards in Sec. 146.130 relating to benefits for
mothers and newborns includes the following:
(1) Restricts benefits for a mother or her newborn to less than
48 hours following a vaginal delivery or less than 96 hours
following a delivery by cesarean section, unless the attending
provider decides, in consultation with the mother, to discharge the
mother or newborn earlier.
(2) Fails to calculate the length of stay from the time of
delivery when delivery occurs in a hospital, or from the time of
admission when delivery occurs outside the hospital.
(3) Penalizes an attending provider for complying with the law.
[[Page 45802]]
(4) Offers incentives to an attending provider to provide care
in a manner inconsistent with the provisions of Sec. 146.130.
(5) Denies the mother or newborn eligibility or continued
eligibility to enroll under the plan to avoid complying with
Sec. 146.130.
(6) Provides payments or rebates to mothers to encourage them to
accept less than the minimum stay required.
(7) Requires an attending provider to obtain authorization to
prescribe a hospital length of stay of up to 48 hours (or 96 hours)
after delivery.
(8) Imposes deductibles, coinsurance, or other cost-sharing
measures for any portion of a 48-hour (or 96-hour) hospital stay
that are less favorable than those imposed on any preceding portion
of the stay.
(9) In the case of a non-Federal governmental plan, fails to
provide participants and beneficiaries with a statement describing
the requirements of the Newborns' and Mothers' Health Protection Act
of 1996, using the language provided at Sec. 146.130(d)(2), not
later than 60 days after the first day of the first plan year
beginning on or after January 1, 1999.
(10) Otherwise fails to comply with Sec. 146.130.
h. Failure to comply with the provisions pertaining to parity in
the application of certain limits to mental health benefits in the
large group market (Sec. 146.136).
Failure of a non-Federal governmental plan offered by a large
employer or health insurance issuer offering health insurance
coverage to large employers to comply with the Sec. 146.136
provisions pertaining to parity in the application of certain limits
to mental health benefits (with respect to a plan that must comply
with such provisions) includes the following:
(1) Sale of a product by a health insurance issuer that fails to
comply with the mental health parity provisions of Sec. 146.136.
(2) Failure of a non-Federal governmental plan to comply with
the annual and lifetime dollar limits provisions concerning mental
health parity.
i. Failure to comply with the Women's Health and Cancer Rights
Act of 1998 (section 2706 of the PHS Act, 42 U.S.C. 300gg-06).
j. Failure to comply with the provisions regarding guaranteed
availability of coverage in the small group market (Sec. 146.150).
Failure to provide guaranteed availability in the small group
market as provided in Sec. 146.150 includes those circumstances in
which a health insurance issuer offering any health insurance
coverage to group health plans in the small group market does the
following:
(1) Fails to offer all products on a guaranteed availability
basis to all small employers.
(2) Fails to define a small employer using the definition at
Sec. 144.103, unless otherwise provided under State law; that is,
generally an employer with between 2 and 50 employees.
(3) Fails to count as employees all individual employees that an
employer wants to include in the group by applying a more
restrictive definition of ``employee'' than is permitted by
Sec. 144.103.
(4) Fails to accept all employee dependents who are qualified
under the terms of the employer's group health plan.
(5) Sets agent commissions for sales to small employers so low
as to discourage agents from marketing policies to, or enrolling,
these groups so that a failure to offer coverage results.
(6) Unreasonably delays the processing of applications submitted
by small employers, so that a break in coverage of more than 63 days
results.
(7) Fails to offer to any small employer on a guaranteed
availability basis any product that the issuer sells to small
employers through one or more associations that are not bona fide
associations, as defined in Sec. 144.103. The requirement to
guarantee availability of such products to all small employers
applies whether or not the small employer is a member of, or could
qualify for membership in, that association.
(8) Otherwise fails to comply with Sec. 146.150.
k. Failure to comply with the requirements regarding guaranteed
renewability in either the large or small group market
(Sec. 146.152).
Failure to provide guaranteed renewability of coverage as
provided in Sec. 146.152 includes those circumstances in which a
health insurance issuer offering health insurance coverage to a
group health plan in the small or large group market does the
following:
(1) Fails to renew or continue in force coverage at the option
of the plan sponsor unless one of the specific exceptions in
Sec. 146.152(b) is met.
(2) Fails to follow the requirements as described in
Sec. 146.152(c)-(e) relating to the discontinuance of a particular
product or withdrawal from the market of a particular product.
(3) Fails to renew coverage of an individual employer who has
been a member of an association when the individual employer ceases
to be a member of the association, unless it is a bona fide
association as defined in Sec. 144.103, and the issuer terminates
coverage for all former members on a uniform basis.
(4) Fails to act uniformly if the issuer cancels coverage.
(5) Otherwise fails to comply with Sec. 146.152.
l. Failure to comply with the requirements relating to
disclosure of information (Sec. 146.160).
Failure to make reasonable disclosure as provided in
Sec. 146.160 includes those circumstances in which an issuer
offering group health insurance coverage to a small employer, as
defined in Sec. 144.103, does the following:
(1) Fails to disclose all information concerning all products
available from the issuer in the small group market as defined in
Sec. 144.103.
(2) Otherwise fails to comply with Sec. 146.160.
II. Basis for Imposition of Civil Money Penalties--Actions in the
Individual Market
a. Failure to comply with the requirements regarding guaranteed
availability of coverage (Sec. 148.120).
In States that are not implementing an acceptable alternative
mechanism described in Sec. 148.128, failure to provide guaranteed
availability with no preexisting condition exclusion period as
provided in Sec. 148.120 includes those circumstances in which an
issuer does the following:
(1) Fails to provide to eligible individuals, on a guaranteed
availability basis, at least one of the following:
(i) Enrollment in all individual market policies it actually
markets.
(ii) The two most popular policies described in
Sec. 148.120(c)(2).
(iii) Two representative policy forms as described in
Sec. 148.120(c)(3).
(2) Imposes any preexisting condition exclusion or affiliation
period on eligible individuals under any policy that it sells on a
guaranteed availability basis.
(3) Sets agent commissions for sales to eligible individuals so
low as to discourage agents from marketing policies to, or
enrolling, these individuals so that a failure to offer coverage
results.
(4) Unreasonably delays the processing of applications submitted
by eligible individuals.
(5) Fails to offer to any eligible individual as defined in
Sec. 148.103 (on a guaranteed availability basis with no preexisting
condition exclusions) any product the issuer sells to individuals
through one or more associations that are not bona fide
associations, as defined in Sec. 144.103, unless the issuer has
designated at least two other products (as its two most popular or
its two representative policies) that it will sell to eligible
individuals.
(6) Denies an eligible individual a policy on the basis that the
individual has had a significant break in coverage even though a
substantially complete application was filed on or before the 63rd
day after the prior group coverage ended.
(7) Otherwise fails to comply with Sec. 148.120.
b. Failure to comply with the requirements regarding guaranteed
renewability of coverage (Sec. 148.122).
Failure to provide guaranteed renewability as provided in
Sec. 148.122 includes those circumstances in which an issuer does
the following:
(1) Fails to renew or continue in force coverage at the option
of the individual, unless one of the specific exceptions in
Sec. 148.122 is met.
(2) Fails to follow the requirements relating to the
discontinuance of a particular product or withdrawal from the market
of a particular product as described in Sec. 148.122(d).
(3) Fails to continue coverage at the option of the individual
after the individual becomes eligible for Medicare.
(4) Fails to renew coverage for an individual who has been a
member of an association when the individual ceases to be a member
of the association, unless the association is a bona fide
association as defined in Sec. 144.103 and the issuer uniformly
terminates coverage for all former members.
(5) Otherwise fails to comply with Sec. 148.122.
c. Failure to comply with the requirements regarding
certification and disclosure of coverage (Sec. 148.124).
Failure to comply with the requirements of Sec. 148.124
regarding certification and
[[Page 45803]]
disclosure of previous coverage includes those circumstances in
which an issuer does any of the following:
(1) Fails to provide automatic certificates of creditable
coverage promptly.
(2) Fails to disclose the required information in certificates
of creditable coverage as provided in Sec. 148.124(b).
(3) Fails to provide certificates of creditable coverage to
dependents who are insured in the individual market and whose
coverage ceases under an individual policy.
(4) Fails to credit coverage or establish eligibility as
provided in Sec. 148.124 solely because the individual is unable to
obtain a certificate. This includes failing to accept, acknowledge,
consider, or otherwise use other evidence of creditable coverage
described in Sec. 146.115(c) submitted by, or on behalf of, an
individual to establish that person is an eligible individual.
(5) Otherwise fails to comply with Sec. 148.124.
d. Failure to comply with the requirements regarding
determination of an eligible individual (Sec. 148.126).
Failure to determine, as provided in Sec. 148.126, that an
applicant for health insurance is an eligible individual includes
those circumstances in which an issuer does the following:
(1) Fails to identify eligible individuals, to provide
information regarding all coverage options, and to issue policies
promptly.
(2) Requires eligible individuals to specify their desire to
invoke the requirements of part 148 or to explicitly request their
rights under the law in order to obtain information about products
available to them.
(3) Otherwise fails to comply with Sec. 148.126.
e. Failure to comply with the standards relating to benefits for
mothers and newborns (Sec. 148.170).
In States where the Sec. 148.170 standards are applicable (see
Sec. 148.170(e)), failure to comply with the Sec. 148.170 standards
relating to benefits for mothers and newborns includes those
circumstances in which a health insurance issuer does the following:
(1) Restricts benefits for a mother or her newborn to fewer than
48 hours following a vaginal delivery or fewer than 96 hours
following a delivery by cesarean section, unless the attending
provider decides, in consultation with the mother, to discharge the
mother or newborn earlier.
(2) Fails to calculate the length of stay from the time of
delivery when delivery occurs in a hospital, or from the time of
admission when delivery occurs outside the hospital.
(3) Requires an attending provider to obtain authorization to
prescribe a hospital length of stay of up to 48 hours (or 96 hours,
if applicable) after delivery.
(4) Imposes deductibles, coinsurance, or other cost-sharing
measures for any portion of a 48-hour (or 96-hour, if applicable)
hospital stay that are less favorable than those imposed on any
preceding portion of the stay.
(6) Penalizes a provider for complying with the law.
(7) Offers incentives to a provider to provide care in a manner
inconsistent with the provisions of Sec. 148.170 to avoid complying
with Sec. 148.170.
(8) Denies the mother or newborn eligibility or continued
eligibility solely to avoid the requirements of Sec. 148.170.
(9) Provides incentives to mothers to encourage them to accept
less than the minimum stay requirement.
(10) Fails to provide participants and beneficiaries with a
statement describing the requirements of the Newborns' and Mothers'
Health Protection Act of 1996, using the language provided at
Sec. 148.170 (d)(2), not later than March 1, 1999.
(11) Otherwise fails to comply with Sec. 148.170.
f. Failure to comply with the Women's Health and Cancer Rights
Act of 1998 (section 2752 of the PHS Act, 42 U.S.C. 300gg-52) and
any additional implementing regulations.
Subpart D--Administrative Hearings
Sec. 150.401 Definitions.
In this subpart, unless the context indicates otherwise:
ALJ means administrative law judge of the Departmental Appeals
Board of the Department of Health and Human Services.
Filing date means the date postmarked by the U.S. Postal Service,
deposited with a carrier for commercial delivery, or hand delivered.
Hearing includes a hearing on a written record as well as an in-
person or telephone hearing.
Party means HCFA or the respondent.
Receipt date means five days after the date of a document, unless
there is a showing that it was in fact received later.
Respondent means an entity that received a notice of proposed
assessment of a civil money penalty issued pursuant to Sec. 150.343.
Sec. 150.403 Scope of ALJ's authority.
(a) The ALJ has the authority, including all of the authority
conferred by the Administrative Procedure Act, to adopt whatever
procedures may be necessary or proper to carry out in an efficient and
effective manner the ALJ's duty to provide a fair and impartial hearing
on the record and to issue an initial decision concerning the
imposition of a civil money penalty.
(b) The ALJ's authority includes the authority to modify,
consistent with the Administrative Procedure Act (5 U.S.C. 552a), any
hearing procedures set out in this subpart.
(c) The ALJ does not have the authority to find invalid or refuse
to follow Federal statutes or regulations.
Sec. 150.405 Filing of request for hearing.
(a) A respondent has a right to a hearing before an ALJ if it files
a request for hearing that complies with Sec. 150.407(a), within 30
days after the date of issuance of either HCFA's notice of proposed
assessment under Sec. 150.343 or notice that an alternative dispute
resolution process has terminated. The request for hearing should be
addressed as instructed in the notice of proposed determination. ``Date
of issuance'' is five (5) days after the filing date, unless there is a
showing that the document was received earlier.
(b) The ALJ may extend the time for filing a request for hearing
only if the ALJ finds that the respondent was prevented by events or
circumstances beyond its control from filing its request within the
time specified above. Any request for an extension of time must be made
promptly by written motion.
Sec. 150.407 Form and content of request for hearing.
(a) The request for hearing must do the following:
(1) Identify any factual or legal bases for the assessment with
which the respondent disagrees.
(2) Describe with reasonable specificity the basis for the
disagreement, including any affirmative facts or legal arguments on
which the respondent is relying.
(b) The request for hearing must identify the relevant notice of
assessment by date and attach a copy of the notice.
Sec. 150.409 Amendment of notice of assessment or request for hearing.
The ALJ may permit HCFA to amend its notice of assessment, or
permit the respondent to amend a request for hearing that complies with
Sec. 150.407(a), if the ALJ finds that no undue prejudice to either
party will result.
Sec. 150.411 Dismissal of request for hearing.
An ALJ will order a request for hearing dismissed if the ALJ
determines that:
(a) The request for hearing was not filed within 30 days as
specified by Sec. 150.405(a) or any extension of time granted by the
ALJ pursuant to Sec. 150.405(b).
(b) The request for hearing fails to meet the requirements of
Sec. 150.407.
(c) The entity that filed the request for hearing is not a
respondent under Sec. 150.401.
(d) The respondent has abandoned its request.
(e) The respondent withdraws its request for hearing.
Sec. 150.413 Settlement.
HCFA has exclusive authority to settle any issue or any case,
without the consent of the administrative law judge at any time before
or after the administrative law judge's decision.
[[Page 45804]]
Sec. 150.415 Intervention.
(a) The ALJ may grant the request of an entity, other than the
respondent, to intervene if all of the following occur:
(1) The entity has a significant interest relating to the subject
matter of the case.
(2) Disposition of the case will, as a practical matter, likely
impair or impede the entity's ability to protect that interest.
(3) The entity's interest is not adequately represented by the
existing parties.
(4) The intervention will not unduly delay or prejudice the
adjudication of the rights of the existing parties.
(b) A request for intervention must specify the grounds for
intervention and the manner in which the entity seeks to participate in
the proceedings. Any participation by an intervenor must be in the
manner and by any deadline set by the ALJ.
(c) The Department of Labor or the IRS may intervene without regard
to paragraphs (a)(1) through (a)(3) of this section.
Sec. 150.417 Issues to be heard and decided by ALJ.
(a) The ALJ has the authority to hear and decide the following
issues:
(1) Whether a basis exists to assess a civil money penalty against
the respondent.
(2) Whether the amount of the assessed civil money penalty is
reasonable.
(b) In deciding whether the amount of a civil money penalty is
reasonable, the ALJ--
(1) Applies the factors that are identified in Sec. 150.317.
(2) May consider evidence of record relating to any factor that
HCFA did not apply in making its initial determination, so long as that
factor is identified in this subpart.
(c) If the ALJ finds that a basis exists to assess a civil money
penalty, the ALJ may sustain, reduce, or increase the penalty that HCFA
assessed.
Sec. 150.419 Forms of hearing.
(a) All hearings before an ALJ are on the record. The ALJ may
receive argument or testimony in writing, in person, or by telephone.
The ALJ may receive testimony by telephone only if the ALJ determines
that doing so is in the interest of justice and economy and that no
party will be unduly prejudiced. The ALJ may require submission of a
witness' direct testimony in writing only if the witness is available
for cross-examination.
(b) The ALJ may decide a case based solely on the written record
where there is no disputed issue of material fact the resolution of
which requires the receipt of oral testimony.
Sec. 150.421 Appearance of counsel.
Any attorney who is to appear on behalf of a party must promptly
file, with the ALJ, a notice of appearance.
Sec. 150.423 Communications with the ALJ.
No party or person (except employees of the ALJ's office) may
communicate in any way with the ALJ on any matter at issue in a case,
unless on notice and opportunity for both parties to participate. This
provision does not prohibit a party or person from inquiring about the
status of a case or asking routine questions concerning administrative
functions or procedures.
Sec. 150.425 Motions.
(a) Any request to the ALJ for an order or ruling must be by
motion, stating the relief sought, the authority relied upon, and the
facts alleged. All motions must be in writing, with a copy served on
the opposing party, except in either of the following situations:
(1) The motion is presented during an oral proceeding before an ALJ
at which both parties have the opportunity to be present.
(2) An extension of time is being requested by agreement of the
parties or with waiver of objections by the opposing party.
(b) Unless otherwise specified in this subpart, any response or
opposition to a motion must be filed within 20 days of the party's
receipt of the motion. The ALJ does not rule on a motion before the
time for filing a response to the motion has expired except where the
response is filed at an earlier date, where the opposing party consents
to the motion being granted, or where the ALJ determines that the
motion should be denied.
Sec. 150.427 Form and service of submissions.
(a) Every submission filed with the ALJ must be filed in
triplicate, including one original of any signed documents, and
include:
(1) A caption on the first page, setting forth the title of the
case, the docket number (if known), and a description of the submission
(such as ``Motion for Discovery'').
(2) The signatory's name, address, and telephone number.
(3) A signed certificate of service, specifying each address to
which a copy of the submission is sent, the date on which it is sent,
and the method of service.
(b) A party filing a submission with the ALJ must, at the time of
filing, serve a copy of such submission on the opposing party. An
intervenor filing a submission with the ALJ must, at the time of
filing, serve a copy of the submission on all parties. Service must be
made by mailing or hand delivering a copy of the submission to the
opposing party. If a party is represented by an attorney, service must
be made on the attorney.
Sec. 150.429 Computation of time and extensions of time.
(a) For purposes of this subpart, in computing any period of time,
the time begins with the day following the act, event, or default and
includes the last day of the period unless it is a Saturday, Sunday, or
legal holiday observed by the Federal government, in which event it
includes the next business day. When the period of time allowed is less
than seven days, intermediate Saturdays, Sundays, and legal holidays
observed by the Federal government are excluded from the computation.
(b) The period of time for filing any responsive pleading or papers
is determined by the date of receipt (as defined in Sec. 150.401) of
the submission to which a response is being made.
(c) The ALJ may grant extensions of the filing deadlines specified
in these regulations or set by the ALJ for good cause shown (except
that requests for extensions of time to file a request for hearing may
be granted only on the grounds specified in section Sec. 150.405(b)).
Sec. 150.431 Acknowledgment of request for hearing.
After receipt of the request for hearing, the ALJ assigned to the
case or someone acting on behalf of the ALJ will send a letter to the
parties that acknowledges receipt of the request for hearing,
identifies the docket number assigned to the case, provides
instructions for filing submissions and other general information
concerning procedures, and sets out the next steps in the case.
Sec. 150.435 Discovery.
(a) The parties must identify any need for discovery from the
opposing party as soon as possible, but no later than the time for the
reply specified in Sec. 150.437(c). Upon request of a party, the ALJ
may stay proceedings for a reasonable period pending completion of
discovery if the ALJ determines that a party would not be able to make
the submissions required by Sec. 150.437 without discovery. The parties
should attempt to resolve any discovery issues informally before
seeking an order from the ALJ.
(b) Discovery devices may include requests for production of
documents,
[[Page 45805]]
requests for admission, interrogatories, depositions, and stipulations.
The ALJ orders interrogatories or depositions only if these are the
only means to develop the record adequately on an issue that the ALJ
must resolve to decide the case.
(c) Each discovery request must be responded to within 30 days of
receipt, unless that period of time is extended for good cause by the
ALJ.
(d) A party to whom a discovery request is directed may object in
writing for any of the following reasons:
(1) Compliance with the request is unduly burdensome or expensive.
(2) Compliance with the request will unduly delay the proceedings.
(3) The request seeks information that is wholly outside of any
matter in dispute.
(4) The request seeks privileged information. Any party asserting a
claim of privilege must sufficiently describe the information or
document being withheld to show that the privilege applies. If an
asserted privilege applies to only part of a document, a party
withholding the entire document must state why the nonprivileged part
is not segregable.
(e) Any motion to compel discovery must be filed within 10 days
after receipt of objections to the party's discovery request, within 10
days after the time for response to the discovery request has elapsed
if no response is received, or within 10 days after receipt of an
incomplete response to the discovery request. The motion must be
reasonably specific as to the information or document sought and must
state its relevance to the issues in the case.
Sec. 150.437 Submission of briefs and proposed hearing exhibits.
(a) Within 60 days of its receipt of the acknowledgment provided
for in Sec. 150.431, the respondent must file the following with the
ALJ:
(1) A statement of its arguments concerning HCFA's notice of
assessment (respondent's brief), including citations to the
respondent's hearing exhibits provided in accordance with paragraph
(a)(2) of this section. The brief may not address factual or legal
bases for the assessment that the respondent did not identify as
disputed in its request for hearing or in an amendment to that request
permitted by the ALJ.
(2) All documents (including any affidavits) supporting its
arguments, tabbed and organized chronologically and accompanied by an
indexed list identifying each document (respondent's proposed hearing
exhibits).
(3) A statement regarding whether there is a need for an in-person
hearing and, if so, a list of proposed witnesses and a summary of their
expected testimony that refers to any factual dispute to which the
testimony will relate.
(4) Any stipulations or admissions.
(b) Within 30 days of its receipt of the respondent's submission
required by paragraph (a) of this section, HCFA will file the following
with the ALJ:
(1) A statement responding to the respondent's brief, including the
respondent's proposed hearing exhibits, if appropriate. The statement
may include citations to HCFA's proposed hearing exhibits submitted in
accordance with paragraph (b)(2) of this section.
(2) Any documents supporting HCFA's response not already submitted
as part of the respondent's proposed hearing exhibits, organized and
indexed as indicated in paragraph (a)(2) of this section (HCFA's
proposed hearing exhibits).
(3) A statement regarding whether there is a need for an in-person
hearing and, if so, a list of proposed witnesses and a summary of their
expected testimony that refers to any factual dispute to which the
testimony will relate.
(4) Any admissions or stipulations.
(c) Within 15 days of its receipt of HCFA's submission required by
paragraph (b) of this section, the respondent may file with the ALJ a
reply to HCFA's submission.
Sec. 150.439 Effect of submission of proposed hearing exhibits.
(a) Any proposed hearing exhibit submitted by a party in accordance
with Sec. 150.437 is deemed part of the record unless the opposing
party raises an objection to that exhibit and the ALJ rules to exclude
it from the record. An objection must be raised either in writing prior
to the prehearing conference provided for in Sec. 150.441 or at the
prehearing conference. The ALJ may require a party to submit the
original hearing exhibit on his or her own motion or in response to a
challenge to the authenticity of a proposed hearing exhibit.
(b) A party may introduce a proposed hearing exhibit following the
times for submission specified in Sec. 150.437 only if the party
establishes to the satisfaction of the ALJ that it could not have
produced the exhibit earlier and that the opposing party will not be
prejudiced.
Sec. 150.441 Prehearing conferences.
An ALJ may schedule one or more prehearing conferences (generally
conducted by telephone) on the ALJ's own motion or at the request of
either party for the purpose of any of the following:
(a) Hearing argument on any outstanding discovery request.
(b) Establishing a schedule for any supplements to the submissions
required by Sec. 150.437 because of information obtained through
discovery.
(c) Hearing argument on a motion.
(d) Discussing whether the parties can agree to submission of the
case on a stipulated record.
(e) Establishing a schedule for an in-person hearing, including
setting deadlines for the submission of written direct testimony or for
the written reports of experts.
(f) Discussing whether the issues for a hearing can be simplified
or narrowed.
(g) Discussing potential settlement of the case.
(h) Discussing any other procedural or substantive issues.
Sec. 150.443 Standard of proof.
(a) In all cases before an ALJ--
(1) HCFA has the burden of coming forward with evidence sufficient
to establish a prima facie case;
(2) The respondent has the burden of coming forward with evidence
in response, once HCFA has established a prima facie case; and
(3) HCFA has the burden of persuasion regarding facts material to
the assessment; and
(4) The respondent has the burden of persuasion regarding facts
relating to an affirmative defense.
(b) The preponderance of the evidence standard applies to all cases
before the ALJ.
Sec. 150.445 Evidence.
(a) The ALJ will determine the admissibility of evidence.
(b) Except as provided in this part, the ALJ will not be bound by
the Federal Rules of Evidence. However, the ALJ may apply the Federal
Rules of Evidence where appropriate; for example, to exclude unreliable
evidence.
(c) The ALJ excludes irrelevant or immaterial evidence.
(d) Although relevant, evidence may be excluded if its probative
value is substantially outweighed by the danger of unfair prejudice,
confusion of the issues, or by considerations of undue delay or
needless presentation of cumulative evidence.
(e) Although relevant, evidence is excluded if it is privileged
under Federal law.
(f) Evidence concerning offers of compromise or settlement made in
this
[[Page 45806]]
action will be inadmissible to the extent provided in the Federal Rules
of Evidence.
(g) Evidence of acts other than those at issue in the instant case
is admissible in determining the amount of any civil money penalty if
those acts are used under Secs. 150.317 and 150.323 of this part to
consider the entity's prior record of compliance, or to show motive,
opportunity, intent, knowledge, preparation, identity, or lack of
mistake. This evidence is admissible regardless of whether the acts
occurred during the statute of limitations period applicable to the
acts that constitute the basis for liability in the case and regardless
of whether HCFA's notice sent in accordance with Secs. 150.307 and
150.343 referred to them.
(h) The ALJ will permit the parties to introduce rebuttal witnesses
and evidence.
(i) All documents and other evidence offered or taken for the
record will be open to examination by all parties, unless the ALJ
orders otherwise for good cause shown.
(j) The ALJ may not consider evidence regarding the willingness and
ability to enter into and successfully complete a corrective action
plan when that evidence pertains to matters occurring after HCFA's
notice under Sec. 150.307.
Sec. 150.447 The record.
(a) Any testimony that is taken in-person or by telephone is
recorded and transcribed. The ALJ may order that other proceedings in a
case, such as a prehearing conference or oral argument of a motion, be
recorded and transcribed.
(b) The transcript of any testimony, exhibits and other evidence
that is admitted, and all pleadings and other documents that are filed
in the case constitute the record for purposes of an ALJ decision.
(c) For good cause, the ALJ may order appropriate redactions made
to the record.
Sec. 150.449 Cost of transcripts.
Generally, each party is responsible for 50 percent of the
transcript cost. Where there is an intervenor, the ALJ determines what
percentage of the transcript cost is to be paid for by the intervenor.
Sec. 150.451 Posthearing briefs.
Each party is entitled to file proposed findings and conclusions,
and supporting reasons, in a posthearing brief. The ALJ will establish
the schedule by which such briefs must be filed. The ALJ may direct the
parties to brief specific questions in a case and may impose page
limits on posthearing briefs. Additionally, the ALJ may allow the
parties to file posthearing reply briefs.
Sec. 150.453 ALJ decision.
The ALJ will issue an initial agency decision based only on the
record and on applicable law; the decision will contain findings of
fact and conclusions of law. The ALJ's decision is final and appealable
after 30 days unless it is modified or vacated under Sec. 150.457.
Sec. 150.455 Sanctions.
(a) The ALJ may sanction a party or an attorney for failing to
comply with an order or other directive or with a requirement of a
regulation, for abandonment of a case, or for other actions that
interfere with the speedy, orderly or fair conduct of the hearing. Any
sanction that is imposed will relate reasonably to the severity and
nature of the failure or action.
(b) A sanction may include any of the following actions:
(1) In the case of failure or refusal to provide or permit
discovery, drawing negative fact inferences or treating such failure or
refusal as an admission by deeming the matter, or certain facts, to be
established.
(2) Prohibiting a party from introducing certain evidence or
otherwise advocating a particular claim or defense.
(3) Striking pleadings, in whole or in part.
(4) Staying the case.
(5) Dismissing the case.
(6) Entering a decision by default.
(7) Refusing to consider any motion or other document that is not
filed in a timely manner.
(8) Taking other appropriate action.
Sec. 150.457 Review by Administrator.
(a) The Administrator of HCFA (which for purposes of this
subsection may include his or her delegate), at his or her discretion,
may review in whole or in part any initial agency decision issued under
Sec. 150.453.
(b) The Administrator may decide to review an initial agency
decision if it appears from a preliminary review of the decision (or
from a preliminary review of the record on which the initial agency
decision was based, if available at the time) that:
(1) The ALJ made an erroneous interpretation of law or regulation.
(2) The initial agency decision is not supported by substantial
evidence.
(3) The ALJ has incorrectly assumed or denied jurisdiction or
extended his or her authority to a degree not provided for by statute
or regulation.
(4) The ALJ decision requires clarification, amplification, or an
alternative legal basis for the decision.
(5) The ALJ decision otherwise requires modification, reversal, or
remand.
(c) Within 30 days of the date of the initial agency decision, the
Administrator will mail a notice advising the respondent of any intent
to review the decision in whole or in part.
(d) Within 30 days of receipt of a notice that the Administrator
intends to review an initial agency decision, the respondent may
submit, in writing, to the Administrator any arguments in support of,
or exceptions to, the initial agency decision.
(e) This submission of the information indicated in paragraph (d)
of this section must be limited to issues the Administrator has
identified in his or her notice of intent to review, if the
Administrator has given notice of an intent to review the initial
agency decision only in part. A copy of this submission must be sent to
the other party.
(f) After receipt of any submissions made pursuant to paragraph (d)
of this section and any additional submissions for which the
Administrator may provide, the Administrator will affirm, reverse,
modify, or remand the initial agency decision. The Administrator will
mail a copy of his or her decision to the respondent.
(g) The Administrator's decision will be based on the record on
which the initial agency decision was based (as forwarded by the ALJ to
the Administrator) and any materials submitted pursuant to paragraphs
(b), (d), and (f) of this section.
(h) The Administrator's decision may rely on decisions of any
courts and other applicable law, whether or not cited in the initial
agency decision.
Sec. 150.459 Judicial review.
(a) Filing of an action for review. Any responsible entity against
whom a final order imposing a civil money penalty is entered may obtain
review in the United States District Court for any district in which
the entity is located or in the United States District Court for the
District of Columbia by doing the following:
(1) Filing a notice of appeal in that court within 30 days from the
date of a final order.
(2) Simultaneously sending a copy of the notice of appeal by
registered mail to HCFA.
(b) Certification of administrative record. HCFA promptly certifies
and files with the court the record upon which the penalty was
assessed.
[[Page 45807]]
(c) Standard of review. The findings of HCFA and the ALJ may not be
set aside unless they are found to be unsupported by substantial
evidence, as provided by 5 U.S.C. 706(2)(E).
Sec. 150.461 Failure to pay assessment.
If any entity fails to pay an assessment after it becomes a final
order, or after the court has entered final judgment in favor of HCFA,
HCFA refers the matter to the Attorney General, who brings an action
against the entity in the appropriate United States district court to
recover the amount assessed.
Sec. 150.463 Final order not subject to review.
In an action brought under Sec. 150.461, the validity and
appropriateness of the final order described in Sec. 150.459 is not
subject to review.
Sec. 150.465 Collection and use of penalty funds.
(a) Any funds collected under Sec. 150.461 are paid to HCFA.
(b) The funds are available without appropriation until expended.
(c) The funds may be used only for the purpose of enforcing the
HIPAA requirements for which the penalty was assessed.
Dated: April 16, 1999.
Nancy-Ann Min DeParle,
Administrator, Health Care Financing Administration.
Dated May 25, 1999.
Donna E. Shalala,
Secretary.
[FR Doc. 99-21662 Filed 8-19-99; 8:45 am]
BILLING CODE 4120-01-P
