HIPAA Administrative Simplification; Enforcement

Summary:

The Secretary of Health and Human Services is proposing rules for the imposition of civil money penalties on entities that violate rules adopted by the Secretary to implement the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (HIPAA). The proposed rule would amend the existing rules relating to the investigation of noncompliance to make them apply to all of the HIPAA Administrative Simplification rules, rather than exclusively to the privacy standards. It would also amend the existing rules relating to the process for imposition of civil money penalties. Among other matters, the proposed rules would clarify and elaborate upon the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process.

Table of Contents

Addresses:

You may submit comments by any of the following methods:

• Federal eRulemaking Portal:http://www.regulations.gov. Include agency name and “RIN: 0991-AB29.”

• E-mail:CMS0010.Comments@hhs.gov. Include “RIN: 0991-AB29” in the subject line of the message.

• Mail: U.S. Department of Health and Human Services, Office of General Counsel, Attention: HIPAA Enforcement Rule, 330 Independence Ave., SW., Washington, DC 20201.

• Hand Delivery/Courier: Attention: HIPAA Enforcement Rule, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC 20201.

Instructions: Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission. For detailed instructions on submitting comments and additional information on the rulemaking process, see the “Public Participation” heading of the SUPPLEMENTARY INFORMATION section of this document.

For further information contact:

Carol Conrad, (202) 690-1840.

Supplementary information:

I. Public Participation

We welcome comments from the public on all issues set forth in this rule to assist us in fully considering issues and developing policies. You can assist us by referencing the RIN number (RIN: 0991-AB29) and by preceding your discussion of any particular provision with a citation to the section of the proposed rule being discussed.

A. Inspection of Public Comments

Comments received timely will be available for public inspection as they are received, generally beginning approximately 6 weeks after publication of this document, at the mail address provided above, Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule an appointment to view public comments, call Karen Shaw, (202) 205-0154.

B. Electronic Comments

We will consider all electronic comments that include the full name, postal address, and affiliation (if applicable) of the sender and are submitted to either of the electronic addresses identified in the ADDRESSES section of this preamble. All comments must be incorporated in the e-mail message, because we may not be able to access attachments. Copies of electronically submitted comments will be available for public inspection as soon as practicable at the address provided, and subject to the process described, in the preceding paragraph.

C. Mailed Comments and Hand Delivered/Couriered Comments

Mailed comments may be subject to delivery delays due to security procedures. Please allow sufficient time for mailed comments to be timely received in the event of delivery delays. Comments mailed to the address indicated for hand or courier delivery may be delayed and could be considered late.

D. Copies

To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by faxing to (202) 512-2250. The cost for each copy is $10. As an alternative, you may view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

E. Electronic Access

This Federal Register document is available from the Federal Register online database through GPO Access, a service of the U.S. Government Printing Office. The web site address is:http://www.gpoaccess.gov/nara/index.html. This document is available electronically at the following web sites of the Department of Health and Human Services (HHS):http://www.hhs.gov/ocr/hipaa/ and http://www.cms.gov/hipaa/hipaa2.

F. Response to Comments

Because of the large number of public comments we normally receive on Federal Register documents, we are not able to acknowledge or respond to them individually. We will consider all comments we receive in accordance with the methods described above and by the date specified in the DATES section of this preamble. When we proceed with a final rule, we will respond to comments in the preamble to that rule.

II. Background

HHS proposes to amend or renumber existing rules that relate to compliance with, and enforcement of, the Administrative Simplification regulations (HIPAA rules) adopted by the Secretary of Health and Human Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA provisions). These rules are codified at 45 CFR part 160, subparts C and E. In addition, this proposed rule would add a new subpart D to part 160. The new subpart D would contain additional rules relating to the imposition by the Secretary of civil money penalties on covered entities that violate the HIPAA rules. The full set of rules that will ultimately be codified at subparts C, D, and E of 45 CFR part 160 is collectively referred to in this proposed rule as the “Enforcement Rule.” Finally, HHS proposes conforming changes to subpart A of part 160 and subpart E of part 164.

The statutory and regulatory background of the proposed rule is set out below. A description of HHS's approach to enforcement of the HIPAA provisions and the HIPAA rules in general, the approach of this proposedrule in particular, and each section of the proposed rule follows. The preamble concludes with HHS's analyses of impact and other issues under applicable law.

A. Statutory Background

Subtitle F of Title II of HIPAA, entitled “Administrative Simplification,” requires the Secretary to adopt national standards for certain information-related activities of the health care industry. The purpose of subtitle F is to improve the Medicare program under title XVIII of the Social Security Act (Act), the Medicaid program under title XIX of the Act, and the efficiency and effectiveness of the health care system, by mandating the development of standards and requirements to enable the electronic exchange of certain health information. Section 262 of subtitle F added a new Part C to Title XI of the Act. Part C (sections 1171-1179 of the Act, 42 U.S.C. 1320d-1320d-8) requires the Secretary to adopt national standards for certain financial and administrative transactions and various data elements to be used in those transactions, such as code sets and certain unique health identifiers. Recognizing that the industry trend toward computerizing health information, which HIPAA encourages, may increase the accessibility of that information, sections 262 and 264 of HIPAA also require the Secretary to adopt national standards to protect the security and privacy of the information.

Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA provisions apply only to—

The following persons:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).

These entities are collectively known as “covered entities.” An additional category of covered entities was added by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108-173) (MMA). As added by MMA, section 1860D-31(h)(6)(A) of the Act, 42 U.S.C. 1395w-141(h)(6)(A), provides that:

a prescription drug card sponsor is a covered entity for purposes of applying part C of title XI and all regulatory provisions promulgated thereunder, including regulations (relating to privacy) adopted pursuant to the authority of the Secretary under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note).

HIPAA requires certain consultations with industry as a predicate to the issuance of the HIPAA standards and provides that most covered entities have up to 2 years (small health plans have up to 3 years) to come into compliance with the standards, once adopted. The statute establishes civil money penalties and criminal penalties for violations. Act, sections 1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42 U.S.C. 1320d-4(b)), 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 1320d-6). HHS enforces the civil money penalties, while the U.S. Department of Justice enforces the criminal penalties.

HIPAA's civil money penalty provision, section 1176(a) of the Act, 42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money penalty, as follows:

(1) IN GENERAL. Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part [42 U.S.C. § 1320d et seq.] a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

(2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 1320a-7a] (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.

For simplicity, we refer throughout this preamble to this provision, the related provisions at section 1128A of the Act, and other related provisions of the Act, by their Social Security Act citations, rather than by their U.S. Code citations.

Subsection (b) of section 1176 sets out limitations on the Secretary's authority to impose civil money penalties and also provides authority for waiving such penalties. Under section 1176(b)(1), a civil money penalty may not be imposed with respect to an act that “constitutes an offense punishable” under the criminal penalty provision. Under section 1176(b)(2), a civil money penalty may not be imposed “if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.” Under section 1176(b)(3), a civil money penalty may not be imposed if the failure to comply was due “to reasonable cause and not to willful neglect” and is corrected within a certain time. Finally, under section 1176(b)(4), a civil money penalty may be reduced or entirely waived “to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.”

As noted above, HIPAA incorporates by reference certain provisions of section 1128A of the Act. Those provisions, as relevant here, establish a number of requirements with respect to the imposition of civil money penalties. Under section 1128A(c)(1), the Secretary may not initiate a civil money penalty action “later than six years after the date” of the occurrence that forms the basis for the civil money penalty. Under section 1128A(c)(2), a person upon whom the Secretary seeks to impose a civil money penalty must be given written notice and an opportunity for a determination to be made “on the record after a hearing at which the person is entitled to be represented by counsel, to present witnesses, and to cross-examine witnesses against the person.” Section 1128A also provides, at subsections (c), (e), and (j), respectively, requirements for: service of the notice and authority for sanctions which the hearing officer may impose for misconduct in connection with the civil money penalty proceeding; judicial review of the Secretary's determination in the United States Court of Appeals for the circuit in which the person resides or maintains his/its principal place of business; and the issuance of subpoenas by the Secretary and the enforcement of those subpoenas. In addition, section 1128A of the Act contains provisions relating to liability for civil money penalties and how they are dealt with, once imposed. For example, section 1128A(d) provides that the Secretary must take into account certain factors “in determining the amount * * * of any penalty,” section 1128A(h) requires certain notifications once a civil money penalty is imposed, and section 1128A(l) makes a principal liable for penalties “for the actions of the principal's agent acting within the scope of the agency.” These provisions are discussed more fully below.

B. Regulatory Background

As noted above, HIPAA requires the Secretary to adopt a number of national standards to facilitate the exchange, and protect the privacy and security, of certain health information. The Secretary has already adopted many of these HIPAA standards by regulation.

• Regulations implementing the statutory requirement for the adoption of standards for transactions and code sets, Health Insurance Reform: Standards for Electronic Transactions (Transactions Rule), were published on August 17, 2000 (65 FR 50312), and were modified on February 20, 2003 (68 FR 8381). The Transactions Rulebecame effective on October 16, 2000, with an initial compliance date of October 16, 2002 for covered entities other than small health plans. The passage of the Administrative Simplification Compliance Act (ASCA), Pub. L. 107-105, in 2001 enabled covered entities to obtain an extension of the compliance date to October 16, 2003 by filing a compliance plan by October 15, 2002. If a covered entity (other than a small health plan) did not file such a plan, it was required to comply with the Transactions Rule by October 16, 2002. All covered entities were required to be in compliance with the Transactions Rule, as modified, by October 16, 2003.

• Regulations implementing the statutory requirement for the adoption of privacy standards, Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), were published on December 28, 2000 (65 FR 82462). The Privacy Rule became effective on April 14, 2001. Modifications to simplify and increase the workability of the Privacy Rule were published on August 14, 2002 (67 FR 53182). Compliance with the Privacy Rule, as modified, was required by April 14, 2003 for covered entities other than small health plans; small health plans were required to come into compliance by April 14, 2004.

The Privacy Rule adopted rules relating to compliance and enforcement. These rules are codified at 45 CFR part 160, subpart C. Subpart C presently applies only to compliance with, and enforcement of, the Privacy Rule.

• Regulations implementing the statutory requirement for the adoption of an employer identifier standard, Health Insurance Reform: Standard Unique Employer Identifier (EIN Rule), were published on May 31, 2002 (67 FR 38009) and became effective on July 30, 2002. The initial compliance date was July 30, 2004 for most covered entities; small health plans have until July 30, 2005 to come into compliance. These regulations were modified on January 23, 2004 (69 FR 3434), effective the same date.

• Regulations implementing the statutory requirement for the adoption of security standards, Health Insurance Reform: Security Standards, were published on February 20, 2003 (68 FR 8334), effective on April 21, 2003. The initial compliance date for covered entities other than small health plans is April 20, 2005; small health plans have until April 20, 2006 to come into compliance.

• An interim final rule promulgating procedural requirements for imposition of civil money penalties, Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings (April 17, 2003 interim final rule), was published on April 17, 2003 (68 FR 18895), was effective on May 19, 2003, with a sunset date of September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The April 17, 2003 interim final rule adopted a new subpart E of part 160. The sunset date of the April 17, 2003 interim final rule was extended to September 16, 2005 on September 15, 2004 (69 FR 55515).

• Regulations implementing the requirement to issue standards for a unique identifier for health care providers, HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers (NPI Rule), were issued on January 23, 2004 (69 FR 3434), effective on May 23, 2005. The compliance date is May 23, 2007 for most covered entities; small health plans have until May 23, 2008 to come into compliance.

In addition to the foregoing regulations implementing the HIPAA provisions, HHS has adopted two other regulations that are relevant, for some covered entities, to compliance with those provisions.

• Section 3 of the ASCA amended section 1862 of the Act to require Medicare providers, with certain exceptions, to submit claims to Medicare electronically (and, thus, in conformity with the Transactions Rule) by October 16, 2003. Regulations implementing section 3, Medicare Program: Electronic Submission of Medicare Claims, were published on August 15, 2003 (68 FR 48805), effective on October 16, 2003.

• Regulations implementing the Medicare Prescription Drug Discount Card program under MMA and the statutory provision that Medicare prescription drug discount card sponsors are covered entities under HIPAA, were issued on December 15, 2003 (68 FR 69840), effective the same date. These rules require such sponsors to comply with the HIPAA rules when they become sponsors, except and to the extent that the Secretary temporarily waives the Privacy Rule requirements, and provides some rules regarding how these entities are to comply with the HIPAA rules. The Secretary has indicated that he does not anticipate that it will be necessary to waive the Privacy Rule requirements and has not done so. 68 FR 69871.

III. General Approach

As the discussion above makes clear, the duty to comply with certain HIPAA rules is now a reality for all covered entities. The immediacy of the compliance obligation brings with it the issue of how these rules will be enforced. Accordingly, we discuss below our general approach to enforcement, how the rules proposed below would fit in with the existing components of the Enforcement Rule, and the basic approach of the proposed rule.

A. HHS's General Approach to Enforcement

One of the Secretary's priorities is “One HHS”: HHS's public health and welfare mission and message must be consistent, and HHS should speak with one voice. Because of the Secretary's One HHS policy and because there is one statutory provision for imposing civil money penalties on covered entities that violate the HIPAA rules, there is one enforcement and compliance policy for the HIPAA rules. We are committed to promoting and encouraging voluntary compliance with the HIPAA rules through education, cooperation, and technical assistance.

Many educational and technical assistance materials on HIPAA, including the HIPAA rules, are already available on HHS's Web sites. See http://www.hhs.gov/ocr/hipaa for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2 for the other HIPAA rules. We continue to work on educational and technical assistance materials, including additional guidance on compliance and enforcement and targeted technical assistance materials focused on particular segments of the health care industry. We anticipate developing additional materials relevant to new HIPAA rules as the need arises.

The authority for administering and enforcing compliance with the Privacy Rule has been delegated to the HHS Office for Civil Rights (OCR). 65 FR 82381 (December 28, 2000). The authority for administering and enforcing compliance with the non-privacy HIPAA rules has been delegated to the Centers for Medicare Medicaid Services (CMS). 68 FR 60694 (October 23, 2003).

At present, our compliance and enforcement activities are primarily complaint-based. Although our enforcement efforts are focused on investigating complaints, they may also include conducting compliance reviews to determine if a covered entity is in compliance. When potential violations come to our attention through a complaint or a compliance review, OCR or CMS's Office of HIPAA Standards (OHS), as appropriate, attempts to resolve the matter informally. Many such matters are resolved at the initial stage of contact. However, even where amatter is not resolved at this initial stage and the investigation continues, the matter can still be resolved through voluntary compliance (for example, by means of a corrective action plan); and OCR or CMS may provide technical assistance to help the covered entity achieve compliance. Resolving issues through such informal means is often the quickest and most effective means of ensuring that the benefits of the HIPAA rules are realized. However, if we are unable to obtain compliance effectively on matters within our jurisdiction through voluntary means, we may seek to impose civil money penalties. Moreover, matters subject to criminal penalties are referred to the Department of Justice.

B. HHS's Approach to the Enforcement Rule

The Enforcement Rule would bring together and adopt rules governing the implementation of the civil money penalty authority of section 1176 of the Act for all of the HIPAA rules. As previously noted, parts of the Enforcement Rule are already in place: subpart C of part 160 establishes certain investigative procedures for the Privacy Rule, and subpart E establishes interim procedures for investigations and for the imposition of, and challenges to the imposition of, civil money penalties for all of the HIPAA rules. This proposed rule would complete the Enforcement Rule by addressing, among other issues, our policies for determining violations and calculating civil money penalties, how we will address the statutory limitations on the imposition of civil money penalties, and various procedural issues, such as provisions for appellate review within HHS of a hearing decision, burden of proof, and notification of other agencies of the imposition of a civil money penalty.

In developing these regulations, several principles guided our choice of policies from among the available options. The Enforcement Rule should promote voluntary compliance with the HIPAA rules, be clear and easy to understand, provide consistent results in the interest of fairness, provide the Secretary with reasonable discretion, particularly in areas where the exercise of judgment is called for by the statute or rules, and avoid being overly prescriptive in areas where it would be helpful to gain experience with the practical impact of the HIPAA rules, to avoid unintended adverse effects.

With respect to many of the Enforcement Rule's provisions, we were also mindful that section 1176(a) requires the Secretary to apply the incorporated provisions of section 1128A to the imposition of a civil money penalty under section 1176 “in the same manner as” they apply to the imposition of civil money penalties under section 1128A itself. As we explained in the preamble to the April 17, 2003 interim final rule, the imposition of civil money penalties under section 1128A is administered by the HHS Office of the Inspector General (OIG). Accordingly, the rules proposed below, like those in the current Subpart E, generally look to the regulations of the OIG that implement section 1128A, which are codified at 42 CFR parts 1003, 1005, and 1006 (OIG regulations).

The Enforcement Rule does not adopt standards, as that term is defined and interpreted under HIPAA. Thus, the requirement for industry consultations in section 1172(c) of the Act does not apply. For the same reason, HIPAA's time frames for compliance, set forth in section 1175 of the Act, will not apply to the Enforcement Rule, when adopted in final form.

IV. Provisions of the Proposed Rule

The proposed rule would revise 45 CFR part 160 as follows: it would revise the existing subpart C, adopt a new subpart D, and revise the existing subpart E; a minor amendment of subpart A is also proposed. Subpart A, which contains general provisions, would be amended to include a definition of “person.” Subpart C includes all provisions that relate to activities for determining compliance, including investigations and cooperation by covered entities. The proposed revisions of subpart C are largely technical, incorporating several provisions currently found in subpart E. We also propose to make subpart C applicable to the non-privacy HIPAA rules. The new subpart D would establish rules relating to the imposition of civil money penalties, including those which apply whether or not there is a hearing. Subpart D would also incorporate several provisions currently found in subpart E. Proposed subpart E would address the pre-hearing and hearing phases of the enforcement process. Many of the provisions of proposed subpart E were adopted by the April 17, 2003 interim final rule and would not be substantively changed, although they would, in general, be renumbered.

Finally, a conforming change to the privacy standards in subpart E of part 164 is proposed. This conforming change is discussed in connection with proposed § 160.316 at section IV.B.5 below.

A. Subpart A

We propose to amend § 160.103 to add a definition of the term “person.” This would replace the definition of that term adopted by the April 17, 2003 interim final rule. We propose to place this definition in § 160.103 so that it applies to all of the HIPAA rules. The term “person” appears throughout the HIPAA rules, and the definition of the term we propose is a universal one that should work in each of the contexts in which the term “person” occurs. If the proposed placement would create problems, commenters should bring that to our attention.

In § 160.502 of the April 17, 2003 interim final rule, we defined a “person” as “a natural or legal person” to clarify, in the context of administrative subpoenas, the distinction between an entity (defined as a “legal person”) and natural persons who would testify on the entity's behalf. The proposed rule would revise and expand this definition.

The statutory definition of a “person” that would otherwise apply to the HIPAA provisions is found in section 1101(3) of the Act. That section, which has been in the Act since it was originally enacted in 1935, defines a person as “an individual, a trust or estate, a partnership, or a corporation.” However, Part C of title XI specifies that the class of “persons” to whom the HIPAA standards apply—health plans, certain health care providers, and health care clearinghouses—includes certain State and federal programs, which are not included in the definition of “person” in section 1101(3). For example, section 1171(2) defines a health care clearinghouse as a “public or private” entity. Under section 1171(3), a “health care provider” is defined to include a provider of services as defined in section 1861(u), for purposes of the Medicare program. The definition includes hospitals, which in turn include State or local government-owned hospitals. Finally, the definition of “health plan” in section 1171(5) includes State and federal health plans: section 1171(5)(A) includes a group health plan “as defined in section 2791(a) of the Public Health Service Act,” and this definition includes State and local governmental group health plans; section 1171(5)(E) includes “the medicaid program under title XIX,” which is a State program; and other provisions of section 1171(5) explicitly include as health plans various federal health plans, such as Medicare, the Federal Employee Benefit Health Plan, CHAMPUS, and the program of benefits for veterans. Section 1176, by its terms,applies to “any person who violates a provision of this part.” Nothing in this language suggests that Congress intended to exempt any class of covered entities from liability for a civil money penalty under this section.

Thus, to effectuate Congress's purpose in enacting the HIPAA provisions, it is necessary to define “person” sufficiently broadly to encompass the entities to which the HIPAA rules apply. The Supreme Court has recognized that this is a valid approach in appropriate instances. See, e.g., Lawson v. Suwanee S.S. Co., 336 U.S. 198 (1949). This proposed approach is also consistent with that taken by the OIG regulations, the preamble to which explained that it was necessary to expand the definition of “person” in the context of section 1128A of the Act to include States because of clear Congressional intent to include them in the class of entities subject to civil money penalties. 48 FR 38837, 38828 (August 26, 1983).

Accordingly, the proposed rule generally tracks the definition of “person” in the OIG regulations. In particular, by defining the term as “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private,” the proposed rule clarifies, consistent with the HIPAA provisions, that the term includes States and other public entities. However, we propose to adapt the language used in the OIG regulations by substituting the term “natural person” for the term “individual” in the definition of “person” in the OIG regulations. The term “individual” is defined in § 160.103 as “the person who is the subject of protected health information.” Since the term “individual” has a defined, and narrower, meaning in the HIPAA rules than it does in the OIG regulations, the proposed rule uses the term “natural person” to make the definition of “person” have the same scope as in the OIG regulations.

B. Subpart C—Compliance and Investigations

We propose to amend subpart C to make the compliance and investigation provisions of the subpart—which at present apply only to the Privacy Rule—applicable to all of the HIPAA rules. In addition, we propose to include in subpart C the definitions that apply to subparts C, D, and E. In accordance with the organizational scheme described above, we also propose to move to subpart C from subpart E the provision relating to investigational subpoenas, which is currently codified at § 160.504. The title of this subpart has also been changed (from “Compliance and Enforcement”) to reflect the focus of this subpart within the larger Enforcement Rule. Finally, we propose to add to subpart C provisions prohibiting intimidation or retaliation that are currently found in the Privacy Rule but not in the other HIPAA rules. Aside from making conforming changes to § 160.312, discussed at section IV.B.3 below, we propose to leave the substance of the existing provisions of subpart C unchanged. We solicit comment as to whether these provisions should be revised and, if so, in what manner.

1. Application of Subpart C to the Non-Privacy HIPAA Rules

Subpart C is intended to provide a cooperative approach to obtaining compliance, including use of technical assistance and informal means to resolve disputes, and currently provides as follows. Section 160.304 provides that the Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance and may provide technical assistance to this end. Section 160.306 provides for the investigation of complaints by the Secretary and provides requirements relating to the filing of such complaints. Section 160.308 provides for the conduct of compliance reviews by the Secretary. Section 160.310 requires covered entities to keep and submit such records as the Secretary determines are necessary to determine compliance and cooperate with the Secretary in an investigation or compliance review. A covered entity must provide access during normal business hours to their books and records pertinent to ascertaining compliance; while we think such circumstances are very unlikely ever to arise, a covered entity is also required, where exigent circumstances exist, to permit such access at any time and without notice. This section also provides that the Secretary may disclose protected health information obtained in the course of an investigation or compliance review only if necessary for ascertaining or enforcing compliance with the applicable requirements of the Privacy Rule or if otherwise required by law. Section 160.312 addresses Secretarial action regarding complaints and compliance reviews. It provides that where noncompliance is indicated, the Secretary will attempt to resolve the matter by informal means wherever possible and provides for certain notifications to the covered entity (and the complainant, if the matter arose from a complaint).

At present, subpart C applies only to the Privacy Rule. However, to simplify, clarify, and reduce the burden of the compliance process for covered entities, the proposed rule would make this subpart applicable to the other HIPAA rules as well. A uniform regulatory scheme would simplify the compliance and enforcement process in the event that a covered entity violates provisions of more than one HIPAA rule (for example, where violations of both the Privacy Rule and the Security Rule are at issue) and is also consistent with the Secretary's “One HHS” policy.

Accordingly, we propose to amend the following sections of subpart C to make them applicable to all of the HIPAA rules: § 160.300—Applicability; § 160.304—Principles for achieving compliance; § 160.306—Complaints to the Secretary; § 160.308—Compliance reviews; and § 160.310—Responsibilities of covered entities. This would be accomplished by changing the present references in these sections from “subpart E of part 164” to the more inclusive, defined term, “administrative simplification provision” or “administrative simplification provisions,” as appropriate.

2. Section 160.302—Definitions

Section 160.302 presently states that the terms used in subpart C that are defined in § 164.501 have the same meaning as defined in that section. The terms that were initially defined in § 164.501 that would continue to be used in this subpart ( “individual,” “disclose,” “protected health information,” “use”) have subsequently been moved to § 160.103. The term “payment” is used in this subpart, but not as defined in § 164.501. Thus, we propose to delete this text, as it is no longer appropriate.

We propose to move to § 160.302 three definitions that were adopted in the April 17, 2003 interim final rule at § 160.502: “ALJ”, “civil money penalty or penalty”, and “respondent.” These terms are placed at the outset of the provisions that address compliance and enforcement for clarity, since they are used in more than one of the subparts that address compliance and enforcement. We do not discuss these terms, as we do not propose to change them. We discuss below two new terms which we propose to add to § 160.302 and which are likewise used throughout subparts C, D, and E: “administrative simplification provision” and “violation or violate.”

a. “Administrative Simplification Provision”

Section 1176(a)(1) provides that, except as provided in section 1176(b), the Secretary shall impose “on any person who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.” (Emphasis added.) Based on this statutory language, and also taking into account the structures of each of the HIPAA rules, HHS considered a number of different options for defining the term “provision of this part” in section 1176(a)(1) as it applies to the HIPAA rules.

The HIPAA rules generally are comprised of standards, implementation specifications, and requirements and prohibitions. However, the structure and composition of the HIPAA rules with respect to these elements vary. The Privacy Rule is generally comprised of standards that contain implementation specifications and other requirements or prohibitions. The identifier rules (the EIN Rule and the NPI Rule) contain standards and implementation specifications, and all requirements that apply to covered entities are in a standard or an implementation specification. In the Security Rule, most requirements are in standards or their related implementation specifications, but some requirements are freestanding. The Transactions Rule contains requirements and prohibitions, not all of which are contained in standards and implementation specifications, and adopts standards that are also implementation specifications. The provisions of subpart C of part 160 that apply to covered entities are framed as requirements. The HIPAA rules are silent as to which of these elements is a “provision of this part” that may be violated and for which civil money penalties may be assessed.

We propose to define a new term—“administrative simplification provision”—to express the scope and application of the compliance and investigation provisions, as well as the enforcement and penalty provisions. This proposed provision interprets “provision of this part” in section 1176 to refer to any requirement or prohibition established by the statute or any of the HIPAA rules that are adopted under the statute.

In determining how to define a “provision of this part” that could be violated, we considered options in light of our goal of implementing a unified approach with respect to all of the HIPAA rules. Given the variation in structure of the HIPAA rules, we sought an approach which would be flexible enough to apply to all the rules but which would not be too complex. Accordingly, we decided against an approach that would define the “provision of this part” that could be violated as either any “standard,” or any “implementation specification,” or both. These approaches would not have captured stand-alone requirements or prohibitions—i.e., those requirements and prohibitions in the HIPAA rules that fall outside of the structure of a standard or implementation specification. For example, in the Transactions Rule, the prohibition on a health plan delaying or rejecting a transaction that is a standard transaction (§ 162.925(a)(2)), which implements the statutory prohibition at section 1175(a)(1)(B), is a stand-alone requirement. It would be anomalous to create an enforcement scheme that, in effect, insulated this provision from enforcement. These options would also have resulted in complexity and inconsistency in the application of the Enforcement Rule to each of the HIPAA rules, given their varied structures with respect to standards and implementation specifications.

Instead, we propose to define a “provision of this part” that can be violated as any “requirement or prohibition” found within the rules, regardless of whether the requirement or prohibition falls within a standard, implementation specification, or elsewhere in the rules. This definition flows directly from the statutory language in section 1176(a)(1) of the Act, which refers to “violations of an identical requirement or prohibition.” It is also a definition that can be applied consistently across the HIPAA rules, regardless of how they are structured or titled. Accordingly, we propose to define the term “administrative simplification provision” in § 160.302 to mean any requirement or prohibition established by the HIPAA provisions or HIPAA rules: “* * * any requirement or prohibition established by: (1) 42 U.S.C. 1320d-1320d4, 1320d-7, and 1320d-8; (2) Section 264 of Pub. L. 104-191; or (3) This subchapter.” This definition would include those provisions in subpart C which apply to covered entities.

b. “Violation” or “Violate”

Building on this proposed definition of “administrative simplification provision,” we propose to define a “violation” (or “to violate”) to mean a “failure to comply with an administrative simplification provision.” Like the proposed definition of “administrative simplification provision,” the proposed definition of “violation” flows directly from the statutory language: subsections (b)(3) and (b)(4) of section 1176 equate a “violation” with a “failure to comply.” The proposed definition is likewise one that can be applied consistently across the HIPAA rules. This proposed definition would make no distinction between commissions and omissions—that is, a violation occurs when a covered entity fails to take an action required by a HIPAA rule, as well as when a covered entity takes an action prohibited by a HIPAA rule.

3. Section 160.312—Secretarial Action Regarding Complaints and Compliance Reviews

Section 160.312(a) currently provides that the Secretary will inform the covered entity and the complainant, if applicable, if an investigation or compliance review indicates a failure to comply and attempt to resolve the matter by informal means whenever possible. If the Secretary determines that the matter cannot be resolved by informal means, the Secretary may issue findings to the covered entity and, if applicable, the complainant.

Like the current § 160.312(a), proposed § 160.312(a)(1) provides that, where noncompliance is indicated, the Secretary would seek to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means would include demonstrated compliance, or a completed corrective action plan or other agreement. Under this provision, entering into a corrective action plan or other agreement would not, in and of itself, resolve the noncompliance; rather, the full performance by the covered entity of its obligations under the corrective action plan or other agreement would be necessary to resolve the noncompliance.

Proposed §§ 160.312(a)(2) and (3) address what notifications will be provided by the Secretary where noncompliance is indicated, based on an investigation or compliance review. Notification under this paragraph would not be required where the only contacts made were with the complainant, to determine whether the complaint warrants investigation. Paragraph (a)(2) provides for written notice to the covered entity and, if the matter arose from a complaint, the complainant, where the matter is resolved by informal means. If the matter is not resolved by informal means, paragraph (a)(3)(i) requires the Secretary to so inform the covered entity and provide the coveredentity an opportunity to submit written evidence of any mitigating factors or affirmative defenses for consideration under §§ 160.408 and 160.410; the covered entity must submit any such evidence to the Secretary within 30 days of receipt of such notification. Paragraph (a)(3)(ii) would revise the current § 160.312(a)(2) to avoid confusion with the notice of proposed determination process provided for at proposed § 160.420. Where a matter is not resolved by informal means and the Secretary finds that imposition of a civil money penalty is warranted, the formal finding would be contained in the notice of proposed determination issued under proposed § 160.420. See also the discussion at section V.J below.

Paragraph (b) of the current § 160.312 provides that if the Secretary finds after an investigation or compliance review that no further action is warranted, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant. This section does not apply where no investigation or compliance review has been initiated, such as where a complaint has been dismissed due to lack of jurisdiction. Paragraph (b) would remain largely unchanged.

4. Section 160.314—Investigational Subpoenas and Inquiries

The text of § 160.314 was adopted by the April 17, 2003 interim final rule as § 160.504. We propose to move this section to subpart C, consistent with our overall approach of organizing subparts C, D, and E to reflect the stages of the enforcement process. Since the investigational subpoenas and inquiries occur prior to the imposition of a civil money penalty, we propose to move the rules relating to them to subpart C, where other rules related to this stage of the process are located. This organizational arrangement should facilitate use of the Rule by covered entities and others.

One substantive change is proposed to paragraph (a). We would add to the introductory language of this paragraph a sentence which states that, for the purposes of paragraph (a), a person other than a natural person is termed an “entity.” This permits us to avoid creating a definition of the term “entity” that would have a broader application and might be incorrect in other contexts, but preserves the utility of the definition in this specific context. The term “entity” would no longer be a defined term for the rest of the Rule, unlike the approach taken in § 160.502 of the April 17, 2003 interim final rule.

Proposed paragraphs (b)(1), (2) and (8) are unchanged from the current paragraphs (b)(1)—(3) of § 160.504. We propose to add new paragraphs (3) through (7) and (9) to § 160.314(b) and also to add a new paragraph (c). Together, these additions would clarify the manner in which investigational inquiries will be conducted, and how testimony given, and evidence obtained, during such an investigation may be used.

The new paragraphs are based upon similar provisions in 42 CFR 1006.4. Proposed §§ 160.314(b)(3)—(7) describe the rights of the Secretary and the witness in the inquiry process: representatives of the Secretary are entitled to attend and ask questions, a witness may clarify his or her answers on the record following questioning by the Secretary, the witness must place any claim of privilege on the record, what requirements apply to the assertion of objections, and under what circumstances and how the Secretary may seek enforcement of the subpoena. Proposed § 160.314(b)(8) (currently § 160.504(b)(3) and which, as noted above, has not changed) recognizes that investigational inquiries are non-public proceedings. Accordingly, a witness's right to retain a copy of the transcript of his or her testimony may be limited for good cause (5 U.S.C. 555(c)). Proposed § 160.314(b)(9) explains what would happen in such a case: The witness would nonetheless be entitled to inspect the transcript and to propose any corrections. If the witness is provided a copy of the transcript, paragraph (b)(9)(i) would provide for the opportunity to review the transcript and offer proposed corrections. This provision is consistent with the practice under Rule 30(e) of the Federal Rules of Civil Procedure (F.R.C.P.). Paragraph (b)(9)(ii) would allow the Secretary to attach corrections to the transcript of a witness's testimonial interview if the record transcribing the interview is incorrect. Consistent with the practice under the OIG regulations, this provision would not permit the Secretary to propose substantive changes to the witness's testimony.

Proposed § 160.314(c) provides that, consistent with § 160.310, testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding. This provision follows § 1006.4(h) of the OIG regulations, but is tailored to be consistent with the existing § 160.310(c)(3). Under this provision, evidence obtained in an investigational inquiry could be used in any of HHS's activities and could be used or offered into evidence in any administrative or judicial proceeding, except to the extent it consists of protected health information. Evidence that is protected health information may be disclosed only “if necessary for ascertaining or enforcing compliance with the applicable administrative simplification provisions, or if otherwise required by law,” as provided at § 160.310(c).

5. Section 160.316—Refraining From Intimidation or Retaliation

Proposed § 160.316 would prohibit covered entities from threatening, intimidating, coercing, discriminating against, or taking any other retaliatory action against individuals or other persons (including other covered entities) who complain to HHS or otherwise assist or cooperate in the enforcement processes created by this rule. This provision is taken from § 164.530(g)(2) of the Privacy Rule, with only minor changes designed to adapt the provision to the new subparts which this rule would add. The intent of this addition to subpart C is to make these non-retaliation provisions applicable to all of the HIPAA rules, not just the Privacy Rule. The placement of these provisions in subpart C accomplishes this.

Section 164.530(g) would retain existing provisions which provide that a covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an individual for exercising his or her rights or for participating in any process established by the Privacy Rule, including filing a complaint with a covered entity. A conforming change to § 164.530(g) of the Privacy Rule is proposed, to cross-reference proposed § 160.316.

As with other provisions of subpart C that impose requirements or prohibitions on covered entities, the provisions of § 160.316 are “administrative simplification provisions.” Thus, a violation of a requirement or prohibition of this section would be a basis for imposition of a civil money penalty.

C. Subpart D—Imposition of Civil Money Penalties

Proposed subpart D addresses the issuance of a notice of proposed determination to impose a civil money penalty and other events that would be relevant thereafter, whether or not a hearing follows the issuance of the notice of proposed determination. This subpart also would contain provisions on identifying violations, determining the number of violations, calculating civil money penalties for such violations, and establishing affirmativedefenses to the imposition of civil money penalties. It would, thus, implement the provisions of section 1176, as well as related provisions of section 1128A. As noted above, many provisions of the Rule are based in large part upon the OIG regulations, but, as with subpart E, we propose to adapt the OIG language to reflect issues presented by, or the authority underlying, the HIPAA rules.

1. Section 160.402—Basis for a Civil Money Penalty

Proposed § 160.402(a) would require the Secretary to impose a civil money penalty on any covered entity which the Secretary determines has violated an administrative simplification provision, unless the covered entity establishes that an affirmative defense, as provided for by § 160.410, exists. See the discussion at section IV.C.3 below. This provision is based on the language in section 1176(a) that “* * * the Secretary shall impose on any person who violates a provision of this part a penalty * * *”. This proposed provision interprets “provision of this part” in section 1176(a)(1) to refer to any requirement or prohibition established by the statute or any of the HIPAA rules that are adopted under the statute. See the discussion of the definitions of “administrative simplification provision” and “violation” in section IV.B.2 above.

The use of the term “shall impose” in section 1176(a) is more than a mere conveyance of authority to the Secretary to impose a penalty for a violation of an administrative simplification provision. If the Secretary finds in a notice of proposed determination that a covered entity has violated an administrative simplification provision, he is required to impose a penalty unless a basis for not imposing the penalty under section 1176 exists. Section 1176(a) does not limit the Secretary's discretion to encourage a covered entity to come into compliance voluntarily, to close a case without issuing a notice of proposed determination if voluntary compliance is obtained, or to set the amount of the penalty below the statutory caps. Nor does section 1176(a) limit the Secretary's discretion to settle any matter, including cases in which a civil money penalty has been proposed or which are in hearing. The first sentence of section 1128A(f) of the Act, which is incorporated by reference in section 1176, states, in part, “Civil money penalties * * * imposed under this section may be compromised by the Secretary * * *”. Therefore, the Secretary may settle a case even after a civil money penalty has been proposed.

a. Section 160.402(b)—Violations by More than One Covered Entity

The proposed rule includes a provision, at § 160.402(b), that addresses what would happen if multiple covered entities were responsible for violating a HIPAA provision. Proposed § 160.402(b)(1) provides that, except with respect to covered entities that are members of an affiliated covered entity, if the Secretary determines that more than one covered entity was responsible for violating an administrative simplification provision, the Secretary will impose a civil money penalty against each such covered entity. Proposed § 160.402(b)(2) provides that each covered entity that is a member of an affiliated covered entity would be jointly and severally liable for a civil money penalty for a violation by the affiliated covered entity.

Proposed § 160.402(b)(1) is based on a similar provision in the OIG regulations at 42 CFR 1003.102(d). It differs from the OIG provision in that this proposed provision requires the imposition of a penalty on each covered entity that the Secretary determines has violated an administrative simplification provision, rather than giving the Secretary discretion to determine whether to impose a civil money penalty on one or all. This is based on the statutory language in section 1176(a) which states that the Secretary “* * * shall impose a penalty * * *” when there is a determination that an entity has violated a HIPAA provision. As discussed above, the language in the statute mandates the imposition of a penalty in appropriate situations where there has been a finding of a violation. However, nothing in this section would limit the Secretary's ability to exercise enforcement discretion to investigate only one covered entity, to encourage one or more covered entities to come into compliance, to close a case against one or more covered entities without issuing a notice of proposed determination if voluntary compliance is obtained, or to set the amount of the penalty differently for each covered entity when multiple covered entities are responsible for violating an administrative simplification provision, to the extent section 1176 and this Rule would allow.

With the exception of affiliated covered entity arrangements, this provision may apply to any two covered entities, including, but not limited to, those that are part of a joint arrangement, such as an organized health care arrangement. The determination of whether or not an entity is responsible for the violation would be based on the facts. Simply being part of a joint arrangement would not, in and of itself, make a covered entity responsible for a violation by another entity in the joint arrangement, although it may be a factor considered in the analysis.

Proposed § 160.402(b)(2) provides that each covered entity that is a member of an affiliated covered entity would be jointly and severally liable for a civil money penalty for a violation by the affiliated covered entity. An affiliated covered entity is a group of covered entities under common ownership or control, which have elected to be treated as if they were one covered entity for purposes of compliance with the Security and Privacy Rules. See 45 CFR 164.105(b). Electing to become an affiliated covered entity may reduce the administrative burden and create certain efficiencies with respect to compliance. There is no requirement to form an affiliated covered entity; the entities that choose to form an affiliated covered entity must designate themselves as such and must document the designation in writing.

The December 2000 Privacy Rule stated as follows with respect to the liability of the component covered entities of an affiliated covered entity: “The covered entities that together make up the affiliated covered entity are separately subject to liability under this rule.” 65 FR 82503. We clarify this language in the proposed rule. Under proposed § 160.402(b)(2), each covered entity that is a member of an affiliated covered entity would be jointly and severally liable for a civil money penalty for a violation by the affiliated covered entity. This means that we could enforce a violation of the Security Rule or Privacy Rule by an affiliated covered entity against any covered entity member of the affiliated covered entity separately or against all of the covered entity members of the affiliated covered entity jointly. The reason for joint and several liability is that the affiliated covered entity is treated, under the Security and Privacy Rules, as one entity. Thus, it may be impossible to know or prove which covered entity within an affiliated covered entity is responsible for a violation, particularly in the case of a failure to act. For example, if an affiliated covered entity fails to appoint a privacy official as required by § 164.530(a)(1)(i), it may be impossible to identify one entity as responsible for the omission.

Proposed § 160.402(b)(2) differs from proposed § 160.402(b)(1) in two ways. First, no covered entity in an affiliated covered entity could avoid a civil money penalty by demonstrating that itwas not responsible for the act or omission constituting the violation or that another covered entity member of the affiliated covered entity was the culpable entity. Second, the maximum penalty that could be imposed on all members of the affiliated covered entity for identical violations in a calendar year would be the maximum allowed for one covered entity—$25,000. By contrast, under § 160.402(b)(1), if more than one covered entity were responsible for a violation of an administrative simplification provision, each covered entity would be treated as separately violating the provision, and each could be assessed the maximum penalty of $25,000 in a calendar year for sufficient identical violations.

b. Section 160.402(c)—Violations Attributed to a Covered Entity

Under section 1176(a)(2), “the provisions of section 1128A * * * shall apply to the imposition of a civil money penalty under [HIPAA] in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.” Section 1128A(l) of the Act addresses the liability of a covered entity for violations committed by an agent. It states that “a principal is liable for penalties * * * under this section for the actions of the principal's agents acting within the scope of the agency.” This is similar to the traditional rule of agency in which principals are vicariously liable for the acts of their agents acting within the scope of their authority. See Meyer v. Holley,537 U.S. 280 (2003). The preamble to the December 2000 Privacy Rule discussed the applicability of section 1128A(l) as follows:

we note that section 1128A(l) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency. Therefore, a covered entity will generally be responsible for the actions of its employees such as where the employee discloses protected health information in violation of the regulation.

65 FR 82603.

We clarify in proposed § 160.402(c) that, in the context of the HIPAA rules, this means that a covered entity generally can be held liable for a civil money penalty based on the actions of any agent, including an employee or other workforce member, acting within the scope of the agency or employment. A business associate will often be an agent of a covered entity, but, as discussed below, a covered entity that complies with the HIPAA rules governing business associates will not be held liable for a business associate's actions that violate the rules.

i. Federal Common Law of Agency

A principal's liability for the actions of its agents is generally governed by State law. However, the Supreme Court has provided that the federal common law of agency may be applied where there is a strong governmental interest in nationwide uniformity and a predictable standard and when the federal rule in question is interpreting a federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998). Here, there is a strong interest in nationwide uniformity. The fundamental goal of the HIPAA provisions is to achieve standardization of certain health care transactions, to standardize certain security practices, and to set a federal floor of privacy practices, in order to increase the efficiency and effectiveness of the health care system. Therefore, it is essential for HHS to apply one consistent body of law regardless of where an action is brought. The same considerations support a strong federal interest in the predictable operation of the standards, to ensure that the various covered entities operating thereunder can do so consistently so as to facilitate the legitimate exchange of information. Finally, the HIPAA rules interpret a federal statute, the HIPAA provisions. Thus, the tests for application of the federal common law of agency are met here. Accordingly, proposed § 160.402(c) contains specific language to make clear that the federal law of agency applies.

Where the federal common law of agency applies, the courts often look to the Restatement (Second) of Agency(1958) (Restatement) as a basis for explaining the common law's application. While the determination of whether an agent is acting within the scope of its authority must be decided on a case-by-case basis, the Restatement provides guidelines for this determination. Section 229 of the Restatement provides:

(1) To be within the scope of the employment, conduct must be of the same general nature as that authorized, or incidental to the conduct authorized.

(2) In determining whether or not the conduct, although not authorized, is nevertheless so similar to or incidental to the conduct authorized as to be within the scope of employment, the following matters of fact are to be considered;

(a) Whether or not the act is one commonly done by such servants;

(b) The time, place and purpose of the act;

(c) The previous relations between the master and the servant;

(d) The extent to which the business of the master is apportioned between different servants;

(e) Whether or not the act is outside the enterprise of the master or, if within the enterprise, has not been entrusted to any servant;

(f) Whether or not the master has reason to expect that such an act will be done;

(g) The similarity in quality of the act done to the act authorized;

(h) Whether or not the instrumentality by which the harm is done has been furnished by the master to the servant;

(i) The extent of departure from the normal method of accomplishing an authorized result; and

(j) Whether or not the act is seriously criminal.

In some cases, under federal agency law, a principal may be liable for an agent's acts even if the agent acts outside the scope of its authority. Rest. 2nd Agency § 219(2). However, proposed § 160.402(c) would follow section 1128A(l), which limits liability for the actions of an agent to those actions that are within the scope of the agency.

ii. Agents

Various categories of persons may be agents of a covered entity. These are workforce members, business associates, and others. “Workforce” is defined as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.” 45 CFR 160.103. Because of the “direct control” language of the rule, we believe that all workforce members, including those who are not employees, are agents of a covered entity. This conclusion is consistent with the requirements at §§ 164.308(a)(5) and 164.530(b) for a covered entity to train all workforce members and with the requirement at § 164.514(d)(2) for a covered entity to adopt minimum necessary policies and procedures for use of protected health information by all workforce members. The workforce may include an independent contractor; as explained in the preamble to the Privacy Rule, independent contractors “may or may not be workforce members.” 65 FR 82480. Under the proposed rule, a covered entity could be liable for a civil money penalty for a violation by any workforce member, whether an employee, contractor, volunteer, trainee, etc., acting within the scope of his or her employment or agency. We specifically request comment on whether there are categories of workforce members whom it would beinappropriate to treat as agents under § 160.402(c).

The definition of the term “business associate,” set forth at § 160.103, includes any agents of a covered entity, other than members of its workforce, that perform on its behalf any function or activity regulated by the HIPAA rules or perform certain specified services for the covered entity that involve the use or disclosure of protected health information. Under the Security and Privacy Rules, the covered entity may disclose protected health information to the business associate, and allow the business associate to create or receive protected health information on its behalf, if the covered entity complies with relevant requirements to obtain satisfactory assurances that the business associate will appropriately safeguard the information. In particular, §§ 164.308(b) and 164.502(e) of the HIPAA rules require covered entities using the services of business associates to obtain satisfactory assurances, by a written contract or other arrangement, that the business associate will safeguard the protected health information. If the covered entity complies with these requirements, then it can protect itself from what could otherwise be liability for actions of its agent business associates that violate the HIPAA rules. As specified in §§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii), even if a covered entity knows of a pattern of activity or practice by the business associate that constitutes a material breach or violation of the business associate's obligations under the contract, the covered entity will not be considered to be in violation of the regulations if it takes certain actions. If the covered entity fails to take these steps, however, it is outside the safe harbor provided by the Security and Privacy Rules and may be subject to penalty.

Some business associates are also covered entities. Health care clearinghouses are one example of this situation, but a covered health care provider or a health plan may also act as a business associate of another covered entity. The business associate provisions of the Security and Privacy Rules provide that where one covered entity acts as the business associate of another covered entity and violates the satisfactory assurances it provided as a business associate, it is separately liable for violation of the business associate provisions of the Security and Privacy Rules. See §§ 164.308(b)(3) and 164.502(e)(1)(iii). If the act or omission that resulted in a breach of the business associate contract by the covered entity business associate would also constitute a violation of an underlying provision of the Security or Privacy Rule by that covered entity business associate, it would be in violation of the underlying provision as well.

To make this proposed rule consistent with the business associate provisions of the HIPAA rules, the proposed rule would carve out from the provision for vicarious liability those actions by a business associate that would be shielded by the business associate provisions of the Security and Privacy Rules. Thus, a covered entity that is in compliance with the business associate provisions of the Security and Privacy Rules would not be liable for a violation of those rules by the business associate, even though the business associate is the covered entity's agent and was acting within the scope of its agency when it violated the rule. We recognize that in many cases, a business associate contract may establish an agency relationship. However, there may also be situations in which the business associate may not be an agent. For example, the Privacy Rule permits a covered entity to rely, if such reliance is reasonable, on the request of a professional who is a business associate as the minimum necessary. This suggests that a business associate may not always be sufficiently under the direct control of the covered entity to qualify as an agent.

HHS has issued guidance stating that a covered entity is not required to monitor the activities of its business associate:

The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates which protect the privacy of protected health information; but covered entities are not required to monitor or oversee the means by which their business associate carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its business associates. However, if a covered entity finds out about a material breach or violation of the contract by the business associate, it must take reasonable steps to cure the breach or end the violation, and, if unsuccessful, terminate the contract with the business associate. If termination is not feasible (e.g., where there are no other viable business alternatives for the covered entity), the covered entity must report the problem to the Department of Health and Human Services Office for Civil Rights.

FAQ Answer ID # 236 at www.hhs.gov/ocr/hipaa, entitled “Is a covered entity liable for, or required to monitor, the actions of its business associates?” (Click on the link for Answers to Your Frequently Asked Questions, and then select and search on the subcategory for Business Associates.) Proposed § 160.402(c) is consistent with this guidance. If the covered entity complies with the applicable business associate provisions, the covered entity will not be held liable for the actions of its business associate. Concomitantly, if the covered entity fails to comply with those provisions, such as by not entering into the requisite arrangements or contracts, or by not taking reasonable steps to cure the breach or end the violation, it could be held liable under proposed § 160.402(c) for the actions of its business associate agent.

2. Sections 160.404, 160.406, 160.408—Calculation of Penalties

a. Section 160.404—Amount of a Civil Money Penalty

Section 1176(a)(1) establishes maximum penalty amounts for violations. The statute provides a maximum penalty of “not more than $100” for each violation (see section IV.B.2 above for the discussion of “violation”), and the penalty imposed on a covered entity “for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.”

The statute establishes only maximum penalty amounts, so the Secretary has the discretion to impose penalties that are less than the statutory maximum. This proposed regulation would not establish minimum penalties. Under proposed § 160.404(a), the penalty amount would be determined through the method provided for in proposed § 160.406, using the factors set forth in proposed § 160.408, and subject to the statutory caps reflected in proposed § 160.404(b) and any reduction under proposed § 160.412.

Proposed § 160.404 would follow the language of the statute and establish the maximum penalties for a violation and for identical violations during a calendar year, as set forth in the statute—up to $100 per violation and up to $25,000 for identical violations in a calendar year. Proposed § 160.404(b) makes clear that the term “calendar year” means the period from January 1 through the following December 31.

An identical violation is a violation of the same requirement or prohibition in one of the HIPAA rules or in the statute. It is based on the provision of the regulation or statute that has been violated and not on whether the violations relate to the same individual's protected health information, the same transaction, or are with the same trading partner. For example, assume that a health plan includes in its trading partneragreements a provision that requires the submission of a data element that is not included in the implementation guides for transactions covered by the agreement and requires 7,500 different trading partners to sign such agreements in a calendar year. Inclusion of the provision violates § 162.915(b), which prohibits covered entities from entering into a trading partner agreement which adds any data element or segments to the maximum defined data set. If the penalty is assessed at $100/violation, the total penalty for all such violations would amount to $750,000 ($100 x 7500). However, the maximum penalty that may be assessed for the calendar year for those violations is $25,000, because they all relate to the same prohibition. This is the case even though the violations involve 7,500 different trading partners.

b. Section 160.404(b)(2)—Violations of Repeated or Overlapping Provisions in a HIPAA Rule

Some requirements or prohibitions in the provisions of a HIPAA rule may be repeated in, or may overlap, other provisions in the same rule. We propose § 160.404(b)(2) to make clear that a violation of a more specific requirement or prohibition, such as one contained within an implementation specification, is not also counted, for purposes of determining civil money penalties, as an automatic violation of a broader requirement or prohibition that entirely encompasses the more specific one, in that such duplicative requirements generally reflect considerations of drafting and not of substance. Under this proposal, the Secretary could impose a civil money penalty for violation of either the general or the specific requirement, but not both.

For example, if, after the applicable compliance date for the Security Rule, a covered entity violates the requirement to implement policies and procedures for facility access controls at § 164.310(a)(1), the covered entity will also have violated the Security Rule's provision at § 164.316(a), which is the general standard requiring the implementation of policies and procedures. Similarly, if a covered entity fails to implement minimum necessary policies and procedures for uses of protected health information as required by the implementation specification at § 164.514(d)(2) of the Privacy Rule, the covered entity also has violated the minimum necessary standard at § 164.514(d)(1), which requires compliance with the implementation specification. In these two examples, the proposed provision would treat the act or omission as a violation of only one of the identified administrative simplification provisions, not both, for purposes of imposing civil money penalties.

Proposed § 160.404(b)(2) would not apply where a covered entity's action results in violations of multiple, differing requirements or prohibitions within the same HIPAA rule, however. The following is an example: due to inadequate safeguards, a covered entity uses protected health information in a manner prohibited by the Privacy Rule. Civil money penalties may be imposed on the covered entity for its violation of the use provision in § 164.502(a), as well as for its violation of the safeguards requirement in § 164.530(c).

Proposed § 160.404(b)(2) would also not apply where a covered entity's action may result in a violation of more than one HIPAA rule; for example, failure to adopt administrative safeguards may violate both the Privacy Rule (§ 164.530(c)) and the Security Rule (§ 164.308). In such a case, more than one regulatory standard has been violated, and the Secretary may assess a penalty under both HIPAA rules. The proposed provision is limited to duplicate provisions in the same subpart, or HIPAA rule, and would not apply to limit civil money penalties for violations of more than one HIPAA rule.

Proposed § 160.404(b)(2) would also not preclude assessing civil money penalties for multiple violations of an identical requirement or prohibition.

c. Section 160.406—Number of Violations

As stated above, section 1176(a) provides a maximum penalty for identical violations by a covered entity in a calendar year. However, in many cases, it may not be clear exactly how to quantify the number of violations. Furthermore, the types of requirements and prohibitions vary among and within the HIPAA rules—for example, requirements to adopt policies and procedures versus requirements to conduct transactions in standard format.

There are various possible measures, or variables, that can be used to count violations, and different laws use one or multiple approaches. See, e.g., 42 CFR part 488, subpart F. In the context of the HIPAA rules, there are three basic variables that seem reasonable to use in calculating the number of violations that have occurred—(1) the number of impermissible actions or failures to take required actions, (2) the number of persons involved, and (3) the amount of time during which the violation occurred.

i. Variables

Actions—The number of violations could be based on the number of times a covered entity takes a prohibited action (commission) or the number of times a covered entity fails to take a required action (omission). The “action” variable seems likely to be a workable variable for determining the number of violations where the acts in question are discrete and/or repetitive, such as could be the case with the Transactions Rule. However, the “action” variable may have a very different result in other circumstances. For example, if a covered entity fails to implement a required policy, there is only one failure to act, and, therefore, using this variable, the number of violations of the requirement would be one, even though such a failure to act might have extended over a long period of time, be intentional, and have serious consequences for other entities or individuals. Thus, the “action” variable might not be appropriate in many circumstances.

Persons—The number of violations could be measured in terms of the number of persons involved or affected. Persons may be natural persons or entities, and violations could be counted in terms of one of four categories of persons.

• Individuals who are the subject of protected health information—for example, the number of individuals who did not receive access to their records.

• Employees for whom the covered entity has an obligation—for example, the number of employees who improperly took one or more impermissible actions, such as improperly using protected health information.

• Persons who receive information in violation of the rules—for example, the number of employees who have access to protected health information but who should not have such access, either in violation of the covered entity's minimum necessary policies or in violation of its access control security procedures.

• Other persons affected by the violation—for example, the number of providers affected by an impermissible health plan requirement that providers use codes not permitted under subpart J of the Transactions Rule.

Using the “person” variable to determine the number of violations of a HIPAA rule may or may not be an appropriate approach, depending on the purpose of the regulatory provision. For example, counting by the “person” variable may not be appropriate forpurposes of counting violations of most of the Transactions Rule requirements.

Time—When violations are continuous, they could be calculated in terms of a unit of time, such as calendar days. For example, inclusion of a term in a trading partner agreement that is not permitted by § 162.915 would be one action, if counted as an action, but, if counted by time, the number of violations would depend on how long the impermissible agreement was in effect and what unit of time was applied to count the number of violations. However, using a time variable makes less sense for violations that are distinct and repetitive, such as many Transactions Rule violations would be. For example, if a covered entity conducted 3000 transactions that were not in standard form over a two-day period and another covered entity conducted two transactions that were not in standard form over a two-day period, each set of facts would result in two violations under a “per day” approach.

ii. Determining the Number of Violations

Proposed § 160.406 would establish the general rule that the Secretary will determine the number of violations of an identical requirement or prohibition by a covered entity by applying any of the variables of action, person, or time, as follows: (1) The number of times the covered entity failed to engage in required conduct or engaged in a prohibited act; (2) the number of persons involved in, or affected by, the violation; or (3) the duration of the violation, counted in days (because many of the HIPAA requirements are in terms of days, this seems to be the most appropriate unit of time to use). Paragraph (a) of this section would require the Secretary to determine the appropriate variable or variables for counting the number of violations based on the specific facts and circumstances related to the violation, and take into consideration the underlying purpose of the particular HIPAA rule that is violated. More than one variable could be used to determine the number of violations (for example, the number of people affected times the time (number of days) over which the violation occurred). Because of the range of circumstances that can be presented in determining the number of violations and the very different nature of the HIPAA rules that may be implicated by those violations, the Secretary would have discretion in determining which variable or variables were appropriate for determining the number of violations rather than being required to use a rigid formula, which could produce arbitrary results. Under this proposal, the policy for determining which variable(s) to use for which type of violation would be developed in the context of specific cases rather than established by regulation. Subsequent cases would be decided consistently with prior similar cases. This option would defer more specific decisions regarding the appropriate variable(s) for counting penalties to such time as a case raising the HIPAA provision occurs.

Several approaches were considered in deciding how to determine the number of violations:

• Use one variable for all of the HIPAA rules. While this approach has greater consistency, the variation among the rules in terms of their types of requirements and prohibitions makes it difficult to identify one variable that would work equally well in each rule.

• Use one variable or approach for each individual HIPAA rule. This approach would also have greater consistency and certainty. However, it would not address the variations within HIPAA rules and could be confusing when a covered entity violated more than one rule.

• Categorize requirements and prohibitions and assign variables to each. This approach would increase certainty and consistency across all of the HIPAA rules but would likely result in a complex scheme that might operate unfairly.

After weighing the advantages and disadvantages of each approach, it was determined that it would be preferable to determine the appropriate variable(s) for particular types of violations based on the context of a specific case. We welcome comments on this approach, the options that were considered, and other potential options for determining the number of violations.

d. Section 160.408—Factors Considered in Determining the Amount of a Civil Money Penalty

Section 1176(a)(2) states that, with some exceptions, the provisions of section 1128A of the Act shall apply to the imposition of a civil money penalty under section 1176 “in the same manner as” such provisions apply to the imposition of a civil money penalty under section 1128A. Section 1128A(d) requires that—

in determining the amount of * * * any penalty, * * * the Secretary shall take into account—

(1) The nature of the claims and the circumstances under which they were presented,

(2) The degree of culpability, history of prior offenses and financial condition of the person presenting the claims, and

(3) Such other matters as justice may require.

This language establishes factors to be considered in determining the ultimate amount of a civil money penalty. Because section 1176 requires that civil money penalties be imposed in the same manner as civil money penalties are imposed under section 1128A, such factors should be applied to determining the amount of a civil money penalty for HIPAA violations. This approach is consistent with the approach taken in other regulations that cross-reference section 1128A, which rely on these factors for purposes of determining civil money penalty amounts. See, e.g., 42 CFR 488.438.

The factors listed in section 1128A(d) were drafted to apply to violations involving claims for payment under federally funded health programs. Because HIPAA violations will usually not be about specific claims, HHS proposes to tailor the section 1128A(d) factors to the HIPAA rules and break them into their component elements for ease of understanding and application, as follows: (1) The nature of the violation; (2) the circumstances under which the violation occurred; (3) degree of culpability; (4) history of prior offenses; (5) financial condition of the covered entity; and (6) such other matters as justice may require.

Many regulations that implement section 1128A, such as the OIG regulations, further particularize the statutory factors by providing discrete criteria. Consistent with these other regulations, and in order to provide more guidance to covered entities as to the factors that would be used in calculating civil money penalties for violations of the HIPAA rules, we propose a more specific list of circumstances that would be considered in calculating penalty amounts. Therefore, proposed § 160.408 provides detailed factors, within the categories stated above, to consider in determining the amount of a civil money penalty, as follows:

(1) The nature of the violation, when considered in light of the purposes of the rule violated.

(2) The circumstances under which the violation occurred and the consequences, including the time period during which the violation(s) occurred, whether the violation caused physical harm, whether the violation hindered or facilitated an individual's ability to obtain health care, and whether the violation resulted in financial harm.

(3) The degree of culpability of the covered entity, including whether the violation was intentional, and whether the violation was beyond the direct control of the covered entity.

(4) Any history of prior offenses of the covered entity, including whether the current violation is the same or similar to prior violation(s), whether and to what extent the covered entity has attempted to correct previous violations, how the covered entity has responded to technical assistance from the Secretary provided in the context of a compliance effort, and how the covered entity has responded to prior complaints. This could include any violations that have been brought to the covered entity's attention, including complaints raised by individuals directly to the covered entity, violations of which the covered entity became aware on its own, and violations that have been raised in the context of a complaint to the Secretary.

(5) The financial condition of the covered entity, including whether the covered entity had financial difficulties that affected its ability to comply, whether the imposition of a civil money penalty would jeopardize the ability of the covered entity to continue to provide, or to pay for, health care, and the size of the covered entity.

(6) Such other matters as justice may require.

In many regulations that implement section 1128A, including the OIG regulations, the statutory factors and/or the discrete criteria are designated as either aggravating or mitigating. See, e.g., 42 CFR 1003.106(b)-(d). For example, in some of these regulations, history of prior offenses is listed as an aggravating factor. See, e.g., 42 CFR 1003.106(b)(3). However, because the Enforcement Rule will apply to a number of rules and an enormous number of entities and circumstances, factors may be aggravating or mitigating, depending on the context. For example, the factor “time period during which the violation(s) occurred” could be an aggravating circumstance where the covered entity decided not to comply at all with a HIPAA provision, but be a mitigating circumstance where a covered entity quickly found and corrected repetitive noncompliance. Thus, we do not propose to label any of these factors as aggravating or mitigating. Rather, proposed § 160.408 lists factors that may be considered by the Secretary as aggravating or mitigating in determining the amount of the civil money penalty to impose. The proposed approach would allow the Secretary to choose whether to consider a particular factor and how to consider each factor as appropriate in each situation to avoid unfair or inappropriate results. It also would keep the rule simple and makes possible a list of factors to consider in determining penalties that can work in all cases.

We propose to leave to the Secretary's discretion the decision regarding when aggravating and mitigating factors will be taken into account in determining the amount of the civil money penalty. This approach is consistent with other regulations implementing section 1128A, which do not explain how or at what point in the process these factors apply. See, e.g., 42 CFR 488.438.

3. Section 160.410—Affirmative Defenses to the Imposition of a Civil Money Penalty

Proposed § 160.410 implements section 1176(b)(1)—(3) of the Act, which specify certain limitations with respect to when civil money penalties may be imposed. Paragraphs (1), (2), and (3) of section 1176(b) each state that, if the conditions described in those paragraphs are met, “a penalty may not be imposed under subsection (a)” of section 1176. Under section 1176(b)(1), a civil money penalty may not be imposed with respect to an act that would be punishable by a criminal penalty under section 1177 of the Act. Under section 1176(b)(2), a civil money penalty may not be imposed if it is established to the satisfaction of the Secretary that the person who would be liable for the civil money penalty “did not know, and by exercising reasonable diligence would not have known” that the person violated the provision. Under section 1176(b)(3), a civil money penalty may not be imposed if the failure to comply “was due to reasonable cause and not to willful neglect” and is corrected within a certain period.

Where it is shown that one or more of these grounds exists with respect to a violation for which a civil money penalty is sought, such a showing bars the imposition of a civil money penalty for the violation. The provisions at section 1176(b)(1), (2), and (3), thus, constitute complete defenses to the imposition of a civil money penalty. As such, they meet the definition of an affirmative defense: “A defendant's assertion raising new facts and arguments that, if true, will defeat the plaintiff's or prosecution's claim, even if all allegations in the complaint are true.” Black's Law Dictionary (West, 7th ed. 1999).

Accordingly, proposed § 160.410 would characterize the limitations under section 1176(b)(1), (2), and (3) as “affirmative defenses,” to make clear that they must be raised in the first instance by the respondent. See the discussion at section IV.D.10 below regarding proposed § 160.534, with respect to the burden of proof. However, characterizing these grounds as affirmative defenses would not prevent the Secretary from concluding, based on information already in his possession, that one of these limitations applied. If the Secretary were to conclude, based on his investigation or on information provided by the covered entity under proposed § 160.312(a)(3)(i), that one or more of these limitations applied with respect to a violation, the Secretary would not pursue the civil money penalty action with respect to the violation. However, proposed § 160.410 assumes the situation where the Secretary, through OCR or CMS, has concluded that none of the statutory limitations at section 1176(b)(1), (2), or (3) applies to a particular case and has, accordingly, issued a notice of proposed determination to impose a civil money penalty. The purpose of § 160.410, therefore, is to describe what the respondent must show in order to establish such a defense in the proceeding that could then follow.

The grounds stated in sections 1176(b)(2) and (b)(3) are grounds about which the covered entity would be knowledgeable and could produce evidence. Treating them as affirmative defenses is consistent with how similar language in other statutes has been implemented. For example, similar language in section 102 of HIPAA has been treated as an affirmative defense: Under the implementing regulations at 45 CFR 150.341(b), the burden of persuasion is on the entity to establish that no responsible entity knew, or, exercising reasonable diligence, would have known of the violation. Examples of a similar assignment of burden in connection with similar statutory language are found elsewhere. See, e.g., 26 CFR 301.6651-1(c), implementing 26 U.S.C. 6651 (a failure to timely file a tax return “is due to reasonable cause and not due to willful neglect * * * ”), requires “an affirmative showing of all facts alleged as a reasonable cause * * * ” by the taxpayer; 8 CFR 280.5, 280.51, implementing 8 U.S.C. 1323 (remission of penalty for bringing in illegal aliens if the person “could not have ascertained, by the exercise of reasonable diligence, that * * * ”), place the burden on the party seeking remission; 11 U.S.C. 110 (penalties for persons who fraudulently prepare bankruptcy petitions except where failure is “due to reasonable cause”) has been treated as an affirmative defense, U.S. Trustee v. Womack,201 B.R. 511, 518 (E.D. Ark. 1996).

Under section 1176(b)(1), a civil money penalty may not be imposed if the act in question “constitutes an offense punishable under section 1177.” While it might appear unlikely that acovered entity would raise this as an affirmative defense, section 1176(b)(1) parallels sections 1176(b)(2) and (b)(3) in both structure and function. This construction suggests that Congress intended that it be treated in a parallel manner. Proposed § 160.410, accordingly, would do so.

Finally, we recognize that other affirmative defenses might be available in a particular case. In order not to preclude the raising of affirmative defenses that could legitimately be raised, the introductory text of proposed § 160.410 is drafted to permit a respondent to offer affirmative defenses other than those provided in section 1176(b).

a. Section 160.410(b)(1)—Affirmative Defense Based on Violation Being a Criminal Offense

Section 1176(b)(1) provides that the Secretary may not impose a civil money penalty “with respect to an act if the act constitutes an offense punishable under section 1177.” Section 1177(a) provides as follows:

A person who knowingly and in violation of this part—

(1) Uses or causes to be used a unique health identifier;

(2) Obtains individually identifiable health information relating to an individual; or

(3) Discloses individually identifiable health information relating to another person, shall be punished as provided in subsection (b).

Subsection (b) of section 1177, in turn, sets out three levels of penalties. The level of penalty varies depending on the circumstances under which the offense was committed.

The proposed rule simply refers to the statutory provision. As the criminal penalty provision that provides the basis for this defense is administered by the U.S. Department of Justice, we do not propose to elaborate upon it in this regulation.

b. Section 160.410(b)(2)—Affirmative Defense Based on Lack of Knowledge

Section 1176(b)(2) provides as follows:

A penalty may not be imposed under subsection (a) with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.

For a covered entity to establish an affirmative defense under section 1176(b)(2), it must show that it did not have actual or constructive knowledge of the violation. What is required for such a showing raises several issues: (1) What “knowledge” will make the “lack of knowledge” defense no longer available; (2) when is the “knowledge” of an agent imputed to the covered entity; and (3) what constitutes “reasonable diligence.”

i. “Knowledge”

The first question is what must the covered entity “know” in order for the defense of section 1176(b)(2) to be no longer available. Specifically, if the covered entity knows of the facts that constitute the violation, but does not know that they constitute a violation, is the defense under section 1176(b)(2) no longer available?

A civil money penalty may not be imposed for a violation “if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know * * * that such person violated the provision.” This language on its face suggests that the knowledge involved must be knowledge that a “violation” has occurred, not just knowledge of the facts constituting the violation. Section 1176(b)(3) supports this reading. Under section 1176(b)(3)(A)(i), the cure period—i.e., the period in which the violation must be corrected if the covered entity is to avail itself of the defense under section 1176(b)(3)—begins to run “on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.” The duty to take corrective action under section 1176(b)(3), thus, flows from knowledge that “the failure to comply occurred.” We, thus, interpret this knowledge requirement to mean that the covered entity must have knowledge that a violation has occurred, not just knowledge of the facts underlying the violation. We use the statutory language in framing this requirement.

This reading of the statute would not reward ignorance that is careless or deliberate. The requirement of section 1176(b)(2) that the covered entity exercise “reasonable diligence,” discussed below, would make a lack of knowledge defense unavailable where a covered entity's ignorance arises from its failure to inform itself about its compliance obligations or to investigate complaints or other information it receives indicating likely noncompliance.

ii. Imputed Knowledge

In order to avail itself of the lack of knowledge defense, a corporate entity must show that (1) its responsible officers or managers did not know about the violation, and (2) even if an employee or other agent had actual knowledge of the violation, why that knowledge should not be imputed to the managers and, thus, to the corporate entity itself. Whether knowledge can be imputed to a covered entity's responsible officers or managers will be determined by principles of agency. We clarify this by providing in proposed § 160.410(b)(2) that such knowledge will be “determined by the federal common law of agency.” As noted in the discussion in section IV.C.1.b.i above, we would expect, as a general matter, to follow the principles set forth in the Restatement (Second) of Agency with respect to this issue. Under the general rule at section 272 of the Restatement, an agent's actual or constructive knowledge is imputed to the principal, subject to certain exceptions. Rest. 2nd of Agency(1958), comments a and b. Whether any of these exceptions are applicable would depend on the circumstances of each case. We solicit comment on this approach and, in particular, illustrations and explanations of cases where more or less specificity might be helpful.

iii. Reasonable Diligence

The defense under section 1176(b)(2) is available only if the covered entity “by exercising reasonable diligence would not have known ... that the [covered entity] violated the provision.” The question this language raises is what action is required in order for a covered entity to be able to show that it has exercised reasonable diligence and that its ignorance of the violation is, hence, excused.

The phrase “reasonable diligence” has applications in many areas of the law. “Reasonable diligence” is typically defined as “1. A fair degree of diligence expected from someone of ordinary prudence under circumstances like those at issue. 2. See due diligence(1).” Black's Law Dictionary (West, 7th edition, 1999). “Due diligence” is, in turn, defined as “1. The diligence reasonably expected from, and ordinarily exercised by, a person who seeks to satisfy a legal requirement or to discharge an obligation.—Also termed reasonable diligence.Id. In the context of section 1176(b)(2), these concepts equate, we believe, to the concept of “constructive knowledge.” As usually defined, “constructive knowledge” is the “knowledge that one using reasonable care or diligence should have, and therefore that is attributed by law to a given person.”Id.

The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances. Martin v. OSHRC (Milliken Co.), 947 F.2d 1483 (11th Cir. 1991);Bell Telephone Laboratories,Inc. v. Hughes Aircraft Co.,564 F.2d 654 (3rd Cir. 1977). The courts use a variety of formulations to articulate when a person will be deemed to have known—i.e., to have constructive knowledge—that a particular incident occurred. However, the various formulations have common elements. They identify a “prudent” or “reasonable” person and consider whether that person would, under similar circumstances, have become aware of the information in question. They consider how “available” the information is; for example, was the information in the covered entity's possession (such as in its electronic information system) or not. They consider whether there was “some reason to awaken inquiry and suggest investigation;” for example, had prior experience suggested that there could be problems, which a reasonable person would have investigated.

We considered three options for implementing the provisions at section 1176(b)(2). One approach would be simply to repeat the statutory language; a second approach would be to provide a more detailed statement of criteria for establishing reasonable diligence; and the third approach would be to provide examples of situations that would (or would not) constitute reasonable diligence. We selected the second in order to provide some guidance, but not unduly circumscribe future decisions. Adapting the Black's definition of due diligence to the present context, proposed § 160.410(a) would define “reasonable diligence” to mean “the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.” Factors to be considered in evaluating the applicability of this affirmative defense would include whether the covered entity took reasonable steps to learn of such violations and whether there were indications of possible violations, such as a complaint or other information made known to the entity, that a person seeking to satisfy a legal requirement would have investigated under similar circumstances.

c. Section 160.410(b)(3)—Affirmative Defense Based on Reasonable Cause

Section 1176(b)(3) provides as follows:

(A)In general. Except as provided in subparagraph (B), a penalty may not be imposed under subsection (a) if—

(i) The failure to comply was due to reasonable cause and not to willful neglect; and

(ii) The failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

(B)Extension of period.

(i)No penalty. The period referred to in subparagraph (a)(ii) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.

These provisions raise several issues: (1) What is reasonable cause; (2) what is willful neglect; and (3) how should the cure period be determined.

i. Reasonable Cause

For the defense under section 1176 (b)(3) to be available, the failure to comply at issue must be “due to reasonable cause and not to willful neglect” (as well as corrected within the cure period). This language has a close analog in the Internal Revenue Code (IRC), which provides for an exemption from penalties for late filing where the late filing “is due to reasonable cause and not due to willful neglect.” 26 U.S.C. 6651(a). This IRC language was construed by the United States Supreme Court in United States v. Boyle, 469 U.S. 241, 245 (1985). The Internal Revenue Service (IRS) had articulated specific factors that would constitute reasonable cause for late filing; in discussing these factors, the Court noted that the underlying principle was whether the circumstances were beyond the taxpayer's control.

HHS has already adopted criteria interpreting paragraph (b)(3) that are not unlike those adopted by the IRS in connection with its late filing penalty statute. In the guidance published on July 24, 2003 (CMS Guidance), the criteria developed to address the October 16, 2003 compliance deadline problems for the Transactions Rule are similar in nature to those developed by the IRS. Like the IRS criteria, they premise the existence of reasonable cause on the existence of circumstances outside of the covered entity's control which make compliance with the Transactions Rule unreasonable.

We considered three options for implementing the reasonable cause language of section 1176(b)(3): repeating the statutory language; providing a more detailed statement of the criteria for establishing reasonable cause; or providing examples of situations that would (or would not) constitute reasonable cause. As with our decision about reasonable diligence, we took the second approach. Proposed § 160.410(a) would define “reasonable cause” as “circumstances that make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.” This definition is generally based on the view of the Supreme Court in Boyle, but it is tailored to the HIPAA context in which the judgment in question would be made. It describes with more specificity the test for determining whether reasonable cause exists, but does not limit this test by specific examples. Thus, establishing reasonable cause under section 1176(b)(3) would require demonstrating circumstances that would make it unreasonable to expect an entity exercising ordinary business care and prudence to comply with the particular requirement that has been violated. The determination of whether reasonable cause exists is generally, and under this definition would be, a factual one, since what is “reasonable” depends on the circumstances.

ii. Willful Neglect

For the defense under section 1176(b)(3) to be available, the failure of compliance must not be due to “willful neglect.” In Boyle, discussed above, the Supreme Court defined “willful neglect” as “conscious, intentional failure or reckless indifference” and indicated that this concept includes carelessness or other types of fault. 469 U.S. at 245. Since the definition of the term “willful neglect” is well settled, we propose to adapt this definition of the term in proposed § 160.410(a): “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” This definition reflects the concern that underlies the statutory language: where willful neglect caused the “failure to comply” in question, the penalty should not be excused.

The proposed definition is also consistent with the approach already taken by HHS in the CMS Guidance. In the CMS Guidance, HHS stated that, in determining whether noncompliance with the Transactions Rule would be penalized, it would consider the “good faith efforts” of the covered entities deploying contingency measures after October 16, 2003 as they work to come into compliance with the Transactions Rule. The presence of such “good faith” or diligent efforts to comply evidences the absence of willful neglect, because it demonstrates the absence of a “reckless indifference to the obligation to comply with the administrative simplification provision violated.”

The issue of whether there was willful neglect would be a factual inquiry separate from the question of whether reasonable cause existed, because section 1176(b)(3) requires both the presence of reasonable cause and theabsence of willful neglect. In the IRC cases discussed above, for example, proving the lack of willful neglect does not establish the existence of reasonable cause. However, a finding concerning one element may obviate the necessity of determining the other element, by ruling out the existence of a condition precedent for the affirmative defense. Thus, where it is found that reasonable cause does not exist, the presence or absence of willful neglect need not be determined; similarly, if it is found that willful neglect exists, the presence or absence of reasonable cause need not be determined.

iii. Determination of the Cure Period

The presence of reasonable cause and absence of willful neglect are not sufficient, in themselves, to establish an affirmative defense under section 1176(b)(3). The covered entity must also correct the violation during the 30-day period beginning when the person knew or should have known that the violation existed. The statute gives the Secretary the right to extend this period to the extent he determines appropriate based on the nature and the extent of the failure to comply. This language presents two issues with respect to the cure period: (1) When does the cure period begin; and (2) what limitations, if any, should be placed on the Secretary's ability to extend the cure period.

Beginning of the Cure Period. Section 1176(b)(3)(A) provides that the cure period begins “on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.” This language is the converse of section 1176(b)(2). These two provisions, accordingly, dictate a sequential analysis. The first question is whether the covered entity knew, or with reasonable diligence would have known, about the violation. If the covered entity was ignorant of the violation (i.e., it did not have actual or constructive knowledge of the violation), then no civil money penalty may be imposed for the period in which such ignorance existed. In such a situation, the covered entity's ignorance of the violation is a complete defense to imposition of the civil money penalty, so it is not necessary to reach the question of whether the grounds for a defense under section 1176(b)(3) are also met. However, as soon as the covered entity knows (or should have known) of the violation, then the cure period under section 1176(b)(3)(A)(ii) begins; simultaneously, the defense of ignorance stops being available to the covered entity. At that point, the question is whether the grounds for the “reasonable cause” defense (the presence of reasonable cause, the absence of willful neglect, and cure) exist.

We do not propose to elaborate on the statutory language with regard to when the cure period begins. The text of proposed § 160.410(b)(3), like the statute, uses the defined term “reasonable diligence” and, thus, builds on the analysis conducted under proposed § 160.410(b)(2).

Extension of the Cure Period. Section 1176(b)(3)(A)(i) provides that the cure period may be extended “as determined appropriate by the Secretary based on the nature and extent of the failure to comply.” This statutory language is a broad grant of discretion to the Secretary to determine what is “appropriate,” requiring only that the Secretary base his decision on the “nature and extent of the failure to comply.” The statutory language requires an analysis based on the specific circumstances of the particular failure to comply at issue. Given the enormous number of covered entities, the almost infinite possible combinations of violations and circumstances, the extensive and varying experiences of covered entities in coming into compliance, the newness of both their and our experience with respect to compliance with the HIPAA rules, and the brevity of the 30-day period during which changes are required, the Secretary should be afforded significant discretion to decide when it is appropriate to extend the cure period. Proposed § 160.410(b)(3)(ii)(B) accordingly follows the statutory language and would permit the Secretary to use the full discretion provided by the statute.

4. Section 160.412—Waiver

Section 1176(b)(4) of the Act provides for waiver of a civil money penalty in certain circumstances. Section 1176(b)(4) provides that, if the failure to comply is “due to reasonable cause and not to willful neglect,” a penalty that has not already been waived under section 1176(b)(3) “may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.” If there is reasonable cause and no willful neglect and violation has been timely cured, the imposition of the civil money penalty would be precluded under section 1176(b)(3). Therefore, waiver under this section would be available only where there is reasonable cause for the violation and no willful neglect, but the violation was not timely cured.

Section 1176(b)(4) affords a covered entity a statutory right to request a waiver. However, the Secretary is not required to grant such a request: the words “may be waived” indicate that the decision to grant the waiver is discretionary. Moreover, the language “to the extent that” and “excessive relative to” indicate that the Secretary must consider the facts of the case to determine whether, and by what amount, a penalty may be reduced.

While section 1176(b)(4) might appear to be subsumed by certain of the statutory factors that could be seen as mitigating factors, this provision duplicates neither those factors nor the affirmative defenses. In contrast to the statutory factors, which apply to determining the amount of a civil money penalty, section 1176(b)(4) comes formally into play once the penalty amount has been determined, because only after there is a specific proposed penalty amount can it be determined whether the penalty “would be excessive relative to the compliance failure involved.” Section 1176(b)(4) differs from the affirmative defenses in that it is not an absolute preclusion of civil money penalties; rather, waiver or reduction under section 1176(b)(4) is discretionary. Finally, in contrast to the mitigating factors and affirmative defenses, section 1176(b)(4) provides a ground on which a covered entity may request waiver or reduction of a penalty, once the penalty amount has been determined.

Proposed § 160.412 does not elaborate on the statute in any material way. This provision would provide the Secretary with the flexibility to utilize the discretion provided by the statutory language as necessary. We deem the statutory criterion itself reasonably capable of application, and, therefore, are not stating further criteria at this time.

5. Section 160.414—Limitations

Proposed § 160.414 was adopted by the April 17, 2003 interim final rule as § 160.522. We propose to move this section, which sets forth the 6-year limitation period provided for in section 1128A(c)(1), from subpart E to subpart D. We propose to do so because this provision applies generally to the imposition of civil money penalties and is not dependent on whether a hearing is requested. We also propose to change the language of this provision so that the date of the occurrence of the violation is the date from which the limitation is determined. We propose this change because the term “violation” is defined in this proposed rule, whereas it was not defined in the April 17, 2003interim final rule. Thus, the date of the violation can now be accurately used to calculate when “the occurrence took place,” as referenced in the statute. See also the discussion at section V.G below.

6. Section 160.416—Authority To Settle

Proposed § 160.416 was adopted by the April 17, 2003 interim final rule as § 160.510. We propose to move this section, which addresses the authority of the Secretary to settle any issue or case or to compromise any penalty imposed on a covered entity, from subpart E to subpart D. We propose to do so because this provision applies generally to the imposition of civil money penalties, and is not dependent on whether a hearing is requested. No change is made to the text of the provision.

7. Section 160.418—Penalty Not Exclusive

Proposed § 160.418 is new. It is based upon § 1003.109 of the OIG regulations. We propose to add this section to make clear that penalties imposed under this part are not intended to be exclusive where a violation under this part may also be a violation of, and subject the respondent to penalties under, another federal or a State law. Proposed § 160.418 would, however, recognize that, under section 1176(b)(1) of the Act, a penalty may not be imposed under section 1176(a) if the act constitutes an offense punishable under section 1177.

8. Section 160.420—Notice of Proposed Determination

The text of proposed § 160.420 was adopted by the April 17, 2003 interim final rule as § 160.514. We propose to move this section from subpart E, which sets out the procedures and rights of the parties to a hearing, to subpart D. We propose to do so because the notice provided for in this section must be given whenever a civil money penalty is proposed, regardless of whether a hearing is requested. No changes are proposed to paragraphs (a)(1) and (a)(3), (4), or to paragraph (b), except conforming changes. Paragraph (a)(2) would be revised by adding that, in the event the Secretary employs statistical sampling techniques under § 160.536, the sample relied upon and the methodology employed must be generally described in the notice of proposed determination. A new paragraph (a)(5) would require the notice to describe any circumstances described in § 160.408 that were considered in determining the amount of the proposed penalty; this provision corresponds to § 1003.109(a)(5) of the OIG regulations. The present paragraph (a)(5) would be renumbered as (a)(6). See also the discussion at sections V.H-V.J below.

9. Section 160.422—Failure To Request a Hearing

The text of proposed § 160.422 was adopted by the April 17, 2003 interim final rule as § 160.516. We would add language (“and the matter is not settled pursuant to § 160.416”) to recognize that the Secretary and the respondent may agree to a settlement after the Secretary has issued a notice of proposed determination. We also provide that the penalty is final upon receipt of the penalty notice, to make clear when subsequent actions, such as collection, may commence.

10. Section 160.424—Collection of Penalty

The text of § 160.424 was adopted by the April 17, 2003 interim final rule as § 160.518. We propose to move this section, which addresses how a final penalty is collected, from subpart E to subpart D. We propose to do so because this provision applies generally to the imposition of civil money penalties and is not dependent upon whether a hearing is requested.

11. Section 160.426—Notification of the Public and Other Agencies

Proposed § 160.426 would implement section 1128A(h) of the Act. When a penalty proposed by the Secretary becomes final, section 1128A(h) directs the Secretary to notify certain specified appropriate State or local agencies, organizations, and associations and to provide the reasons for the penalty. We propose to add the public generally, in order to make the information available to anyone who must make decisions with respect to covered entities. For instance, knowledge of the imposition of a civil money penalty for violation of the Privacy Rule could be important to health care consumers, as well as to covered entities throughout the industry, while information about the imposition of a civil money penalty for violation of the Transactions Rule or other HIPAA rules could be of interest to a covered entity's trading partners.

The regulatory language would provide for notification in such manner as the Secretary deems appropriate. Posting to an HHS Web site and/or the periodic publication of a notice in the Federal Register are among the methods which the Secretary is considering using for the efficient dissemination of such information. These methods would avoid the need for the Secretary to determine which entities, among a potentially large universe, should be notified and would also permit the general public served by covered entities upon whom civil money penalties have been imposed to be apprised of this fact, where that information is of interest to them. While the Secretary could provide notice to individual agencies where desired, the Secretary could, at his option, use a single public method of notice, such as posting to an HHS Web site, to satisfy the obligation to notify the specified agencies and the public. See also the discussion at V.B below.

D. Subpart E—Procedures for Hearings

As previously explained, the provisions of section 1128A of the Act apply to the imposition of a civil money penalty under section 1176 “in the same manner as” they apply to the imposition of civil money penalties under section 1128A itself. The provisions of subpart E are, as a consequence, based in large part upon, and are in many respects the same as, the OIG regulations. We propose to adapt, re-order, or combine the language of the OIG regulations in a number of places for clarity of presentation or to reflect concepts unique to the HIPAA provisions or rules. To avoid confusion, we have also employed certain language usages in order to make the usage in the rules consistent with that in the other HIPAA rules (for example, for mandatory duties, “must” or “will” instead of “shall” is used; for discretionary duties, “may” instead of “has the authority to” is used). We do not discuss those nonsubstantive changes below. Where we propose to materially change the language of the OIG regulations, however, we discuss our reasons for doing so.

As noted above, we have reorganized subparts C, D, and E so that there is a logical organization to the three subparts. Subpart E, as we propose to revise it, will address the pre-hearing and hearing phases of the enforcement process. We have discussed the sections that we have moved to subparts C and D in the discussion of those subparts. The proposed movement of sections out of subpart E and the introduction of new sections into subpart E, described below, necessitates the reordering and renumbering of other sections of the existing subpart E, so that the subpart is organized logically. We do not discuss such proposed reordering and renumbering, unless we propose to change substantially the text of the section in question.

In the April 17, 2003 interim final rule, we deferred consideration of certain provisions so that they could beaddressed through notice-and-comment rule making. Claims of privilege and other objections to the taking of testimony at investigational hearings are addressed in proposed § 160.314. The proposed rules relating to what constitutes “a violation of a provision of this part” and how the amount of civil money penalties will be determined are found in § 160.302 of the proposed subpart C and in §§ 160.402—160.408, respectively, of the proposed subpart D. We include in proposed subpart E the proposed rules that relate to the conduct of a hearing.

1. Section 160.500—Applicability

This section has been revised to reflect the more limited scope proposed for subpart E, resulting from the movement of many of the provisions in the April 17, 2003 interim final rule to proposed subparts C and D.

2. Section 160.502—Definitions

Most of the definitions in this section of the April 17, 2003 interim final rule have been moved either to § 160.103 or to § 160.302, and are discussed in connection with those sections. In addition, we propose to delete the term “entity” from this section. The term is used in various contexts throughout the HIPAA rules, and we believe that the definition in the April 17, 2003 interim final rule may prove confusing with respect to the other HIPAA rules.

A new definition is added to this section—a definition of the term “Board,” which stands for the HHS Departmental Appeals Board. The term “Board” is used instead of the term “DAB”, which is used in the OIG regulations, to make clear that the reviewing body is the panel of three judges that conducts appellate review of ALJ decisions for HHS. This term is defined because it appears in proposed § 160.548, discussed below.

3. Section 160.504—Hearing before an ALJ

This section, which is § 160.526 of the April 17, 2003 interim final rule, would be largely unchanged. We note that, for a hearing request dismissed under this section as failing to raise any issue that may be properly addressed in a hearing (such as a hearing request that only raises constitutional claims), this subpart provides the administrative review channel leading to judicial review of such claims. Thus, such a dismissal would have to be appealed to the Board, under proposed § 160.548, as a predicate to appeal to the federal courts.

The current § 160.526(a)(2) states that the Departmental party in a hearing is “the Secretary.” The term “Secretary” is defined at § 160.103 of the HIPAA rules as “the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.” The Secretary's authority to interpret and enforce the HIPAA rules has been delegated to OCR, in the case of the Privacy Rule, and to CMS, in the case of the non-privacy HIPAA rules. Thus, the Secretary's investigative authority and authority to make a proposed determination of liability for a civil money penalty are exercised by OCR and/or CMS, depending on the HIPAA rule or rules at issue. However, in proposed subpart E, the Secretary is performing diverse functions: the adjudicative function is being performed for the Secretary by the ALJ and the Board, and the decision reached through this adjudicative process becomes the decision of the Secretary; at the same time, OCR and/or CMS are acting for the Secretary in defending the proposed determination in the adjudication. The reference to “the Secretary” may, thus, be confusing, as what part of HHS is being referred to depends on the context.

Proposed § 160.504(a)(2) would clarify which part of HHS acts as the “party” in the hearing. Because which component of HHS will be the “party” in a particular case will depend on which rule is alleged to have been violated, and because a particular case could involve more than one HIPAA rule, we define the Secretarial party generically, by reference to the component with the delegated enforcement authority. We adapt the regulatory definition of “Secretary” to make it clear that the Secretarial party could consist of more than one officer or employee, so that it is possible for both CMS and OCR to be the Secretarial party in a particular case.

The last sentence of proposed § 160.504(b) (current § 160.526(b)) provides that the date of receipt of the notice of proposed determination is presumed to be 5 days after the date of the notice unless the respondent makes a reasonable showing to the contrary. This showing may be made even where the notice is sent by mail and is not precluded by the computation of time rule of proposed § 160.526(c) (current § 160.548(c)) establishing a 5-day allowance for mailing. See section V.K below for further discussion of this provision.

4. Section 160.506—Rights of the Parties

The text of paragraphs (a) and (b) of proposed § 160.506 was adopted at § 160.528 of the April 17, 2003 interim final rule, and no change, other than a conforming change, is proposed to those paragraphs. We propose to add a new paragraph (c) to address the issue of legal fees. Proposed subsection (c) adopts the same position taken in § 1005.3(b) of the OIG regulations, by recognizing that a party who is accompanied, represented or advised by an attorney is free to enter into a fee arrangement of that party's choosing. This provision is included to make clear that the Secretary is not limiting how much the respondent's attorney may charge in attorneys fees.

5. Section 160.508—Authority of the ALJ

The text of proposed § 160.508 was adopted by the April 17, 2003 interim final rule as § 160.530. No changes to paragraphs (a) and (b) are proposed. We propose to revise paragraph (c) by adding paragraphs (c)(1) and (5) to the list of limitations on the authority of the ALJ. Proposed paragraph (c)(1) would require the ALJ to follow federal statutes, regulations, and Secretarial delegations of authority, and to give deference to published guidance to the extent not inconsistent with statute or regulation. By “published guidance” we mean guidance that has been publicly disseminated, including posting on the CMS or OCR Web site. Although we recognize that such guidance is not controlling upon the courts, we believe that the ALJ and the Board (see the discussion below in connection with proposed § 160.548), as components of HHS, must afford deference to such guidance to ensure that, to the extent possible, consistent decisions and compliance guidance are provided by the Secretary to covered entities.

Proposed paragraph (c)(5) clarifies that ALJs may not review the Secretary's exercise of discretion whether to grant an extension or to provide technical assistance under section 1176(b)(3)(B) of the Act or the Secretary's exercise of discretion in the choice of variable(s) under proposed § 160.406. Proposed paragraphs (c)(1) and (5) together make clear that the purpose of the hearing, and the authority of the ALJ in conducting the hearing, would only be to review the proposed civil money penalty. Thus, the ALJ would not have authority to refuse to follow, or to find invalid, the authorities cited as the basis for the proposed civil money penalty. The ALJ also would not have authority to review the Secretary's exercise of discretion under section 1176(b)(3)(B) of the Act to grant an extension or to provide technical assistance, nor would the ALJ have authority to review the Secretary's choice of variable(s) indetermining the number of violations of an identical administrative simplification provision, as that choice is likewise committed to the Secretary's discretion. The ALJ could, however, review whether the variable(s), once chosen, were properly applied.

6. Section 160.512—Prehearing Conferences

Proposed § 160.512 would revise paragraph (a) to establish a minimum amount of notice (not less than 14 business days) that must be provided to the parties in the scheduling of prehearing conferences. We propose this limitation to address problems that have been experienced in the context of administrative hearings in other programs. Proposed § 160.512 would also revise paragraph (b)(11) to include the issue of the protection of individually identifiable health information as a matter that may be discussed at the prehearing conference, if appropriate. See also the discussion at section V.AA below, with regard to this provision.

7. Section 160.518—Exchange of Witness Lists, Witness Statements, and Exhibits

Proposed § 160.518 carries forward § 160.540 of the existing subpart E with one substantive change. It would revise paragraph (a) to provide time limits within which the exchange of witness lists, statements, and exhibits must occur prior to a hearing. Under proposed § 160.518(a), these items must be exchanged not more than 60, but not less than 15, days prior to the scheduled hearing. We are concerned that the information not be exchanged too early, lest the evidence become stale, and we are also concerned that the time period not be too short, depriving the parties of adequate time to prepare. Experience with administrative hearings in other programs suggests the need for this provision. See also the discussion at section V.R below.

8. Section 160.520—Subpoenas for Attendance at Hearing

Proposed § 160.520 would carry forward § 160.542 of the existing subpart E mainly unchanged. The current § 160.542(c) would be revised to clarify that when a subpoena is served on HHS, the Secretary may comply with the subpoena by designating any knowledgeable representative to testify. See also the discussion at sections V.W and V.X below.

9. Section 160.532—Collateral Estoppel

Proposed § 160.532 would adopt the doctrine of collateral estoppel applied in federal cases that once a court decides an issue of fact or law necessary to its judgment, the court's decision precludes the same parties from relitigating the same issue in another suit on a different cause of action. Allen v. McCurry,449 U.S. 90 (1980). The doctrine also applies to a final decision of an administrative agency, acting in a judicial capacity, that resolves disputed issues before it, which the parties have had a fair opportunity to fully litigate. Astoria Federal Savings Loan Ass'n v. Solimino,501 U.S. 104, 107-108 (1991). The proposed rule is modeled on § 1003.114(a) of the OIG regulations. Section 1003.114(b), relating to the issue preclusion arising out of a conviction or plea in a federal criminal case based upon fraud or false statements, appears inapplicable to enforcement of the HIPAA rules, and, hence, no comparable provision is proposed for inclusion in this Rule.

10. Section 160.534—The Hearing

The text of proposed § 160.534 was adopted by the April 17, 2003 interim final rule as § 160.554. No changes to paragraphs (a) and (c) are proposed. However, HHS proposes to add a new paragraph (b) allocating the burden of proof at the hearing.

Under the Administrative Procedure Act (APA), 5 U.S.C. 556(d), the burden of proof in ALJ hearings has two components—the burden of going forward and the burden of persuasion. The burden of going forward relates to the obligation to go forward initially with evidence that supports a prima facie case. The burden of going forward then shifts to the other party. The burden of persuasion relates to the obligation ultimately to convince the trier of fact that it is more likely than not that the advocated position is true. The party with the burden of persuasion loses in the situation where the evidence is in perfect balance.

Proposed § 160.534 would adopt the allocation of the burden of proof found in the OIG regulations and in administrative hearings generally, which is consistent with the APA. The respondent would bear the burden of proof with respect to (1) any affirmative defense, including those set out in section 1176(b) of the Act, as implemented by proposed § 160.410, (2) any challenge to the amount or scope of a proposed penalty under section 1128A(d), as implemented by proposed §§ 160.404—160.408, including mitigating factors, or (3) any contention that a proposed penalty should be reduced or waived under section 1176(b)(4), as implemented by § 160.412. The Secretary would have the burden of proof with respect to all other issues, including issues of liability and the factors considered as aggravating factors under proposed § 160.408 in determining the amount of penalties to be imposed. The burden of persuasion would be judged by a preponderance of the evidence (i.e., it is more likely than not that the position advocated is true).

It is also proposed to revise the current § 160.554(c) by adding a new paragraph (1) at proposed § 160.534(d). Proposed § 160.534(d)(1) would provide that, at a hearing under this part, any party may present items or information, during its case in chief, that were discovered after the date of the notice of proposed determination or request for a hearing, as applicable. The admissibility of such proffered evidence would be governed generally by the provisions of proposed § 160.540, and be subject to the 15-day rule for the exchange of trial exhibits, witness lists and statements set out at proposed § 160.518(a). Any such evidence would not be admissible, if offered by the Secretary, unless it is relevant and material to the findings of fact set forth in the notice of proposed determination, including circumstances that may increase such penalty. If any such evidence is offered by the respondent, it would not be admissible unless it is relevant and material to a specific admission, denial or explanation of a finding of fact, or to a specific circumstance or argument expressly stated in the respondent's request for hearing that are alleged to constitute grounds for any defense or the factual and legal basis for opposing or reducing the penalty. Proposed § 160.534(d) would allow the parties the opportunity to present items and information that are relevant and material exclusively to the issues actually in dispute as expressly set forth in the notice of proposed determination and request for hearing. Items and information that would be relevant and material evidence of other violations, and support the imposition of other or additional penalties would be inadmissible. Likewise, items or information that support defenses, arguments, legal theories, or contentions other than those expressly set forth in the notice of hearing, or which are not relevant and material to the admissions, denials or explanations therein made, would not be admissible. Proposed § 160.534(d)(2) would republish paragraph (c) of the present § 160.554.

11. Section 160.536—Statistical Sampling

Proposed § 160.536, on statistical sampling, is new. A similar provision appears at § 1003.133 of the OIGregulations, and the use of sampling and statistical methods is recognized under Rule 702 of the Federal Rules of Evidence. Proposed § 160.536 would permit the Secretary to introduce the results of a statistical sampling study as evidence of any variable under § 160.406(b) used to determine the number of violations of a particular administrative simplification provision, or, where appropriate, any factor considered in determining the amount of the civil money penalty under proposed § 160.408. If the estimation is based upon an appropriate sampling and employs valid statistical methods, it would constitute prima facie evidence of the number of violations or amount of the penalty sought that is a part of the Secretary's burden of proof. Such a showing would cause the burden of going forward to shift to the respondent, although the burden of persuasion would remain with the Secretary.

12. Section 160.542—The Record

This section is § 160.560 of the April 17, 2003 interim final rule. Since the section provides that the record of the proceedings be transcribed, we propose to add to paragraph (a) of this section a requirement that the cost of transcription of the record be borne equally by the parties, in the interest of fairness.

13. Section 160.546—ALJ Decision

Since we are proposing a process for administrative review of ALJ decisions (see section IV.D.14 below), the ALJ decision would be the initial decision of the Secretary, rather than the final decision of the Secretary as set forth in § 160.564(d) of the April 17, 2003 interim final rule. Thus, we propose to revise paragraph (d) to provide that the decision of the ALJ will be final and binding on the parties 60 days from the date of service of the ALJ decision, unless it is timely appealed by either party. See also the discussion at section V.U below, with respect to proposed § 160.546(b).

14. Section 160.548—Appeal of the ALJ Decision

The April 17, 2003 interim final rule, at § 160.564, makes the decision of the ALJ the final decision of the Secretary, thus permitting a respondent to file a petition for judicial review. In the preamble to the interim final rule, we noted that a second level of administrative review is generally available in Departmental hearings and that, while we had not provided for a second level of administrative review in the interim final rule, we intended to address the issue of further administrative review in this proposed rule. We do so now.

Proposed § 160.548 is modeled on the provisions that apply to appellate review under the OIG regulations. It provides that any party may appeal the initial decision of the ALJ to the HHS Departmental Appeals Board (Board) within 30 days of the date of service of the ALJ initial decision, unless extended for good cause. The appealing party must file a written brief specifying its exceptions to the initial decision. The opposing party may file an opposition brief, which is limited to the exceptions raised in the brief accompanying notice of appeal and any relevant issues not addressed in said exceptions and must be filed within 30 days of receiving the appealing party's notice of appeal and brief. The appealing party may, if permitted by the Board, file a reply brief. These briefs may be the only means that the parties will have to present their case to the Board, since there is no right to appear personally before the Board. The proposed rule provides that if a party demonstrates that additional evidence is material and relevant and there are reasonable grounds why such evidence was not introduced at the ALJ hearing, the Board may remand the case to the ALJ for consideration of the additional evidence.

In an appeal to the Board, the standard of review on a disputed issue of fact is whether the ALJ's initial decision is supported by substantial evidence on the record as a whole; on a disputed issue of law, the standard of review is whether the ALJ's initial decision is erroneous. The Board may decline to review the case; may affirm, increase (subject to the statutory caps), reduce, or reverse any penalty; or may remand a penalty determination to the ALJ.

We propose this process for administrative review of initial ALJ decisions to achieve consistency in civil money penalty decisions. Because hearings could be conducted by different ALJs, it is conceivable that different ALJs might decide the same or similar issues differently. Should this occur, it would be problematic for both covered entities and HHS. Provision for an internal, centralized review process should reduce the likelihood of inconsistent results. Indeed, provision for administrative review of ALJ decisions is common in other federal administrative hearing processes. Because the HIPAA rules affect such a large part of the health industry and the requirements of the various HIPAA regulatory schemes are new and interrelated, HHS considers it crucial that the decisions reached in the adjudicative process be consistent with other adjudicated decisions as well as with the policy decisions of the Secretary in the rules and in departmental guidance. Since only aggrieved respondents can appeal to the U.S. Court of Appeals under section 1128A(e), administrative review of ALJ decisions will help to ensure that the final decisions subject to judicial review represent a consistent interpretation of the HIPAA rules by the Secretary. While a process for administrative review of ALJ decisions will add cost and time to the process of imposing a civil money penalty for both HHS and covered entities, we believe that these disadvantages are outweighed by the compelling need to ensure consistency in the decisions of HHS with respect to such civil money penalties. Consistency will benefit both HHS and covered entities.

Paragraphs (i) and (j) of proposed § 160.548 address the issuance of the Board's decision on appeal. Under paragraph (i), the Board must serve its decision on the parties within 60 days after final briefs are filed. Under paragraph (j), the decision of the Board constitutes the final decision of the Secretary from which a petition for judicial review may be filed by a respondent aggrieved by the Board's decision. This option is the traditional process for administrative review of ALJ initial decisions regarding civil money penalties within HHS and is based on the process set forth in the OIG regulations. The decision of the Board becomes the final decision of the Secretary 60 days after service of the decision, except where the decision is to remand to the ALJ or a party requests reconsideration before the decision becomes final. Paragraph (j) provides that a party may request reconsideration of the Board's decision, provides a reconsideration process, and provides that the Board's reconsideration decision becomes final on service.

Proposed § 160.548(k) provides for a petition for judicial review of a final decision of the Secretary. Thus, we propose to remove § 160.568 of the April 17, 2003 interim final rule as duplicative. The right to petition for judicial review is not altered under this proposal, although an ALJ decision must be reviewed by the Board before a petition for judicial review can be filed by a respondent.

15. Section 160.552—Harmless Error

Proposed § 160.552 is new. It would adopt the “harmless error” rule that applies generally to civil litigation in federal courts. The provision provides,in general, that the ALJ and the Board at every stage of the proceeding will disregard any error or defect in the proceeding that does not affect the substantial rights of the parties. It is modeled on Rule 61, F.R.C.P., and on § 1005.23 of the OIG regulations. In its application, it would further promote the efficient resolution of cases where the proposed imposition of a civil money penalty is challenged.

V. Response to Public Comments

HHS requested comment on the April 17, 2003 interim final rule and received timely and substantive comments from 19 persons or organizations. We summarize those comments, and our responses to the comments, below.

A. Comment: Two comments disagreed with HHS's approach of encouraging voluntary compliance. One argued that such an approach is tantamount to no enforcement; the other argued that since the Secretary already has the authority to conduct compliance reviews, a complaint-driven approach fails to reflect the agency's statutory obligation to enforce the law and the mandate under section 1176 to impose civil money penalties for violations. It was also stated that while HHS's intention to resolve potential violations by informal means might be appropriate for minor violations, it is inappropriate for more serious violations or for covered entities that demonstrate repeated resistance to compliance.

Most persons who commented on the voluntary compliance approach supported it, however. Several of these comments urged HHS to focus on resolving issues quickly and informally, particularly with respect to alleged violations of the Transactions Rule. One comment asked for assurance that covered entities will face only one set of enforcement rules and procedures, given that two different components of HHS have enforcement responsibilities. Several organizations asked HHS to provide more guidance with respect to how covered entities can comply, and can demonstrate compliance, with the HIPAA rules.

Response: We do not agree that emphasizing voluntary compliance amounts to a policy of nonenforcement. To the contrary, our experience to date has been that covered entities are generally responsive to our investigative inquiries and act promptly to remedy deficiencies that are brought to their attention. The overarching goal of our enforcement program is to bring covered entities into compliance, so that the benefits of the HIPAA rules are fully realized. Securing voluntary compliance achieves this goal much more quickly and efficiently than would a process that was formal and adversarial from the start. This approach is consistent with the statute. As discussed above, one of the statutory defenses to a civil money penalty is the covered entity's taking corrective action on a timely basis, where reasonable cause for the noncompliance exists. See section 1176(b)(3)(A). As stated above, however, should informal, cooperative efforts fail, HHS would move forward with the civil money penalty remedy the statute provides.

The Enforcement Rule addresses the concern that covered entities not face multiple sets of enforcement rules and procedures, as it provides for uniform procedures that will apply to all of the HIPAA rules. With respect to the concerns about guidance, HHS agrees that the provision of guidance on an ongoing basis is vitally important. As noted above, HHS is continuing to develop guidance on the various HIPAA rules, and will be publishing such guidance on an ongoing basis on the following HHS Web sites:http://www.hhs.gov/ocr/hipaa/ for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2/ for the other HIPAA rules.

B. Comment: Several comments suggested that information about complaints and other noncompliance issues should be made public to assist other covered entities in coming into compliance. One organization stated that the Enforcement Rule should include a requirement that the Secretary should annually report to Congress and the public on the number of complaints filed and their disposition.

Response: The statute provides for formal notification of a number of entities when a penalty is final. Proposed § 160.426 reflects this requirement and would provide for notification of the public in such circumstances. As previously noted, however, we expect most complaints to be resolved informally, and informal resolutions would not come within the process provided for by proposed § 160.426. OCR and CMS will consider whether compilation and release of analyses of complaint dispositions would be an appropriate use of limited resources; however, we do not propose to mandate such action by this rule.

C. Comment: One comment asked whether HHS anticipated developing a separate complaint mechanism for security complaints.

Response: CMS has developed complaint procedures for the complaints regarding the Transactions Rule and a complaint tool for making such complaints is on the Web at http://www.cms.hhs.gov/hipaa/hipaa2. As the compliance dates of the HIPAA rules other than the Privacy and the Transactions Rules arrive, it is expected that the complaint tool will be modified to permit the filing of complaints relating to compliance with those other rules.

D. Comment: One comment stated that additional protections are needed for investigational inquiries. The comment suggested that the rule should include the procedural protections of the OIG regulations, such as permission for witnesses to object to answering questions on the basis of privilege and to clarify their answers for the record.

Response: Proposed § 160.314(b) would revise § 160.504(b) to include such procedural protections.

E. Comment: One comment suggested that the rule contain a provision establishing the bases under which a complaint will be dismissed prior to a request for a hearing. Bases suggested were that the complaint has been litigated in another forum, the opportunity to contest the matter was available but not used in another forum, and another statutory remedy exists.

Response: Consistent with the practice under the OIG regulations, the rules provide for general settlement authority, rather than specific grounds for dismissal. See proposed § 160.416. In addition, the bases suggested in the comment would not be grounds, per se, for dismissal.

F. Comment: One comment asked HHS to clarify the circumstances under which it would investigate a covered entity that was not the subject of a complaint.

Response: We cannot project the variety of circumstances under which compliance reviews might be undertaken. Therefore, we do not propose to limit the situations in which this authority could be exercised.

G. Comment: Several comments objected to § 160.522. One argued that running the 6-year limitations period from the “latest act or omission” is a problem with respect to the 6-year record retention period provided for by the Privacy Rule, as covered entities might believe that they could destroy records that they would later need for defense purposes. It was also argued that the rule should clarify that actions may only be taken for violations which occur on or after the compliance date of the rule in question and that the date of the civil money penalty action is the date of the notice of proposed determination.

Response: We agree. Proposed § 160.414 would revise § 160.522 to provide that the period of limitations runs “from the date of the occurrence ofthe violation” and that the Secretary commences the action “in accordance with § 160.420, “ meaning that the action is considered to be commenced by (and, therefore, on) the date of the notice of proposed determination. The definition of the term “violation” at proposed § 160.302 builds in the concept of a duty to comply, since it defines that term as a “failure to comply with an administrative simplification provision;” the definition of the term “administrative simplification provision” in turn references the underlying HIPAA rules, which each explicitly state when the duty to comply begins.

With respect to the 6-year document retention requirement of § 164.530(j)(2), insofar as compliance issues arise out of complaints, it is unlikely that a covered entity would be required to defend itself against a stale complaint, in view of the requirement at proposed § 160.306(b)(3) that complaints be filed within 180 days of when the complainant knew or should have known of the occurrence of the violation. In any event, nothing in the Privacy Rule precludes covered entities from retaining documents for a longer period than § 164.530(j)(2) requires, if they wish to do so.

H. Comment: Nine comments expressed concern that § 160.514 does not specify to whom the notice of proposed determination must be addressed. The concern was that, because receipt is presumed 5 days after mailing, a notice of proposed determination which was sent to a large organization might not get to the proper official on a timely basis, thereby wasting some of the covered entity's time for response. Several comments suggested that the rule require delivery to the chief executive officer and, as appropriate, to the company's privacy officer, security officer, or chief information officer. A couple of comments suggested that the rule incorporate the service standards of Rule 4, F.R.C.P., and require service upon “an officer, a managing or general agent, or to any other agent authorized by statute to receive service.” Several comments expressed support for the use of certified mail.

Response: Like § 160.514, proposed § 160.420 does not identify the person(s) to whom the notice of proposed determination should be addressed, nor do we think it is necessary or feasible to do so. Rule 4, which applies under section 1128A(c), establishes who may be served and applies without need for further regulatory action. Because the size and other organizational circumstances of covered entities vary greatly, a rule that further limited or defined who must be served would most likely be inappropriate for some covered entities. Further, it is likely that a notice of proposed determination would be issued after significant prior contact with the covered entity, and we anticipate that our investigators would in any case be able to ascertain which officer would be the appropriate recipient of the notice.

I. Comment: Several comments also argued that § 160.514 should, like the analogous OIG regulations, require the notice of proposed determination to state the basis for the penalty calculation. Such information would help the covered entity understand the charges against it and prepare its defense. These comments recommended that the language in § 1003.109(a)(5) of the OIG regulations be used.

Response: We agree. A provision comparable to that in § 1003.109(a)(5) was omitted from § 160.514 because the interim final rule did not provide for the aggravating and mitigating factors referenced in this provision of the OIG regulations. The proposed rule, however, contains the factors that may be considered in determining the amount of the penalty. Accordingly, proposed § 160.420 follows the OIG regulations in this respect.

J. Comment: One comment stated that it was not clear how the notice of proposed determination would interface with § 160.312 and whether the written findings there end the informal resolution phase. The comment advocated that notice be provided before the notice of proposed determination.

Response: We agree that it is not clear how § 160.514 interfaces with the notice process described at § 160.312. At present, § 160.312(a)(2) provides that the Secretary may issue written findings documenting noncompliance, if noncompliance is found and not informally resolved. Thus, we propose to revise § 160.312 to make the interface between that section and proposed § 160.420 (currently § 160.514) seamless. Specifically, proposed § 160.312(a)(3)(ii) would provide that if the Secretary finds that a covered entity is not in compliance, the matter is not settled by informal means, and imposition of a civil money penalty is warranted, the Secretary will so inform the covered entity in a notice of proposed determination in accordance with § 160.420. The notice of proposed determination would constitute the formal notice that the matter had not been informally resolved and that HHS had decided to seek civil money penalties. Further, with respect to notice prior to the notice of proposed determination, proposed § 160.312(a)(3)(i) would provide that where noncompliance is indicated and the matter is not resolved by informal means, HHS would so inform the covered entity and give the covered entity an opportunity to submit written evidence of any affirmative defenses or mitigating factors, prior to issuing a notice of proposed determination.

K. Comment: Several comments objected to the presumption in § 160.526(b) that the date of receipt of the notice of proposed determination is 5 days after the date of the notice. They argued that this presumption could work a hardship, in combination with the 60-day time limit for requesting a hearing, if the notice went to the wrong person in the organization or otherwise went astray.

Response: Proposed § 160.504(b) retains the language of the interim final rule. We believe the concerns about hardship are misplaced. The requirement permits the ALJ to grant an extension of the 5-day time period if the respondent demonstrates that the presumption should not apply: “For purposes of this section, the respondent's date of receipt of the notice of proposed determination is presumed to be 5 days after the date of the notice unless the respondent makes a reasonable showing to the contrary to the ALJ.” This language tracks the comparable provision at § 1005.2(c) of the OIG regulations and has worked well.

L. Comment: A number of comments objected to the 60-day time limit in § 160.526(b) for a respondent to file its request for hearing, in combination with the specific detail required by that section. They objected to the time limit and the related requirement for specific response on several grounds: the level of specificity demanded requires the respondent to devise its entire defense, and, because the notice of proposed determination is the first notice the respondent has of the charges, 60 days is too short a time period in which to do this; the requirement requires more specificity of the respondent than of the Secretary, which is unfair; and the requirements, together with the 5-day presumption of receipt and the failure to specify who receives the notice of proposed determination, are unfair and a violation of a respondent's right to due process. It was generally recommended that the request for hearing requirement parallel § 1005.2 of the OIG regulations, which requires the request to be made within 60 days of receipt of the notice, but requires that the request for hearing state which findings of fact andconclusions of law are disputed and the basis for the dispute.

Response: The comments on this issue assume that a notice of proposed determination will be served on a respondent with no warning. This assumption is not reasonable under the procedures the proposed rule would establish, however. Proposed § 160.304 would require the Secretary to seek the cooperation of the covered entity in obtaining compliance to the extent practicable, which will necessitate communication about the noncompliance at issue. The investigation or compliance review process itself will necessarily disclose much about the noncompliance at issue to the facility, since the covered entity will typically be the primary source of information relevant to the investigation. If an investigation or compliance review indicates noncompliance, proposed § 160.312(a)(1) provides that the Secretary will attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Further, where noncompliance is indicated and the matter is not resolved by informal means, HHS will so inform the covered entity and give it the opportunity to submit written evidence of any affirmative defenses or mitigating factors, prior to issuing a notice of proposed determination. See proposed § 160.312(a)(3)(i). Thus, the covered entity necessarily will be made aware of, and have the opportunity to address, HHS's compliance concerns throughout the investigative period preceding the notice of proposed determination and should not be surprised by the matters described in the notice. For these reasons, we do not believe that the 60-day response time is inadequate.

M. Comment: One comment stated that settlements should be approved by the ALJ. Another asked whether settlements will be a viable path to resolution of disputes.

Response: Consistent with our commitment to obtaining voluntary compliance and the regulatory policies discussed in the preceding response, we expect that settlement of compliance issues will be frequent. We do not propose to have the ALJ approve such settlements, to preserve our ability to resolve compliance issues and achieve voluntary compliance through informal means. See proposed § 160.514.

N. Comment: Several comments queried whether covered entities would be held liable under the Enforcement Rule for violations by their business associates. Of particular concern were violations committed by health care clearinghouses.

Response: Under § 160.402 of the proposed rule, a covered entity would not be liable for the actions of its business associates where the covered entity has complied with the appropriate business associate provisions. See section IV.C.1.b. above for further discussion.

O. Comment: Several comments stated that the rule needs to state what a violation is, what the aggravating and mitigating circumstances are, how the total fine for violations is calculated, and what would constitute an acceptable defense and indicate an appropriate level of “due diligence.” One comment suggested that evidence of willingness to enter into a corrective action plan should be a mitigating factor. One comment noted that the full Enforcement Rule was needed before the April 17, 2003 interim final rule expires.

Response: We generally agree. The proposed rule addresses the violation and affirmative defense issues at §§ 160.402-160.410. Also, the April 17, 2003 interim final rule has been extended by separate regulatory action to permit ongoing enforcement while this rulemaking proceeds. Proposed § 160.408(d)(3) provides that the Secretary may consider, as an aggravating or mitigating factor, how the covered entity has responded to technical assistance from the Secretary provided in the context of a compliance effort, with respect to prior offenses.

P. Comment: One comment asked that the Enforcement Rule describe the procedures for referral to the Department of Justice of suspected criminal violations. Another comment asked that HHS attempt to ensure that the application of the criminal provisions by the Department of Justice was the same as the application of the civil provisions by HHS.

Response: The procedures for referral of criminal matters to the Department of Justice lie outside the scope of the Enforcement Rule, which implements only HHS's authority under section 1176 of the Act.

Q. Comment: One comment requested clarification of the statutory basis for imposing penalties for violations of the Privacy Rule, since section 264 is a footnote in the U.S. Code.

Response: Section 264 of the Act is codified as a note to 42 U.S.C. 1320d-2. We have always read section 264 as functionally a part of Part C. Section 264 and Part C cross-reference each other, and the terminology of section 264 is also the terminology of Part C (“standard”, “individually identifiable health information”, “implementation specification”). Further, the criminal penalty provisions of section 1177 would not make sense if they did not apply to the privacy standards, and section 1176 is, as discussed at IV.C.3 above, closely related to section 1177. The legislative history confirms this common-sense reading. See H. Rep. No. 496, 104th Cong., 2d Sess., 1996 U.S. Code Cong. Admin. News, p. 1865.

This reading of the statute accords with that of Congress. Section 1860D-31(h)(6)(A) of the Act, adopted by MMA, states that an endorsed discount drug card sponsor—

is a covered entity for purposes of applying part C of title XI and all regulatory provisions promulgated thereunder, including regulations (relating to privacy) adopted pursuant to the authority of the Secretary under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note).

R. Comment: With respect to prehearing proceedings, two comments stated that permitting the ALJ to require exchange of witness lists more than 15 days prior to the hearing could seriously infringe on the amount of time the covered entity has to prepare its case. It was also argued that 60 days is too short a period to prepare for the hearing. One comment stated that interrogatories should be allowed, because records may be incomplete or contain mistakes. One comment supported the requirement of § 160.540(b)(3) (proposed § 160.518(b)(3)), requiring the ALJ to recess the hearing for a reasonable time for an objecting party to prepare a response to witnesses or exhibits that were not exchanged prior to the hearing.

Response: The scheduling of a hearing will depend on the schedule of the ALJ to whom the case is assigned, among other factors. There is nothing in the Enforcement Rule that requires the scheduling of the hearing within a certain period of time following the request for hearing. Thus, we do not think that the provision for exchange of information earlier than 15 days prior to hearing should work a hardship on either side, and the ALJ should be able to establish a schedule that takes into consideration the needs of the parties. Indeed, we believe that this requirement will assist each party in presenting a well-prepared case that will result in an efficient and effective hearing. As the prehearing procedures permit both documentary and testimonial discovery, we do not permit interrogatories, which we believe would add extra time and burden to the preparation process without commensurate benefit.

S. Comment: Several comments urged that the rule should contain a procedure to permit the parties to waive the prehearing conference and the formalhearing and request that the case be submitted on documentary evidence and written argument, to make the process more efficient and less expensive.

Response: Proposed §§ 160.508(b)(13) and 160.512(b)(4), (5) would permit this.

T. Comment: One comment stated that the covered entity should have the burdens of going forward and persuasion on affirmative defenses and mitigating circumstances, while HHS should have the burdens of going forward and persuasion on allegations of violation.

Response: We agree. Proposed § 160.534(b) so provides.

U. Comment: Several comments stated that the “affirm, increase, or reduce the penalties imposed by the Secretary” language of § 160.564(b) would not permit the ALJ to decide that no violationoccurred.

Response: The language of § 160.564 of the April 17, 2003 interim final rule, which is now found at proposed § 160.546, will permit the ALJ to decide that no violation occurred. Proposed § 160.546(a) requires the ALJ to make findings of fact and conclusions of law. If these findings and conclusions support a determination that the respondent did not violate an administrative simplification provision, then no penalty may be imposed. The language in proposed § 160.546(b) permits an ALJ who determines that a respondent has violated an administrative simplification provision to act in regard to the penalty amount set forth in the notice of proposed determination, that is, to affirm, increase, or reduce the amount of the proposed penalty in accordance with the other applicable provisions of the regulations.

V. Comment: Several comments argued that statistical sampling would be inappropriate to establish the number of violations. It was argued that statistical sampling, as used in the OIG hearings, had been used improperly, in studies that had basic weaknesses, such as a too small sample size.

Response: Proposed § 160.536 provides for the use of statistical sampling, as a well-established evidentiary tool. Proposed § 160.536(b), which affords the opposing side the opportunity to rebut the statistical proof offered, provides a procedural safeguard to permit a respondent to challenge the reliability of any statistical proof offered.

W. Comment: Two comments suggested that respondents should be able to subpoena HHS witnesses with direct knowledge of the investigation or other matters at issue.

Response: Proposed § 160.520(c) provides that the Secretary must designate a representative who is “knowledgeable” to testify. It would disrupt the agency's operations if a respondent could subpoena any HHS official by name. The requirement that the HHS representative be knowledgeable should permit the presentation of informed testimony, while permitting the orderly conduct of government business to continue.

X. Comment: One comment stated that the rule should permit acceptance of testimony or a written statement from individuals whose privacy was violated, permit such individuals to testify, and require that such individuals be given 30 days notice of the hearing.

Response: The proposed rule would not preclude us from offering the testimony of such individuals, but the decision to do so is a litigation decision that must be reserved to the agency. We do not require that notice of the hearing be provided to the individuals whose privacy was violated, but such information is publicly available.

Y. Comment: A number of comments stated that agency review of the ALJ decision was needed or questioned why it was not provided. A few comments supported having the ALJ decision be the final agency action as resulting in a more efficient and expeditious process.

Response: We have proposed a second level of agency review, for the reasons set out at section IV.D.14 above.

Z. Comment: Two comments questioned the provision for set-off at § 160.518(c). One asked whether set-off would occur without state-level due process. The other was concerned about provision of notice. Both were concerned that set-off could have a devastating impact on those to whom it was applied.

Response: The right of set-off is provided for by section 1128A(f). Proposed § 160.424(c) accordingly retains it. We intend to follow applicable procedures in pursuing set-off.

AA. Comment: A couple of comments objected to § 160.560. It was stated that the rule should incorporate additional procedures to ensure that protected health information introduced into evidence is protected from review by outside parties, redactions should be made available to the parties for review, and OCR should be required to pay for the court reporter.

Response: The protection of protected health information, including by redaction of the record, is a matter than can be addressed in the prehearing conference. See proposed § 160.512(b)(11). We believe that the ALJ will be in the best position to determine what specific steps should be taken in a particular case to protect the privacy of any protected health information introduced into evidence. In the interest of fairness, proposed § 160.542(a) would apportion the cost of transcription of the record equally between the parties.

BB. Comment: One comment stated that § 160.558(g) should be revised to require the Secretary to include notice to the respondent where HHS intends to present in its case in chief evidence of past crimes or similar evidence to show motive, opportunity, intent, etc.

Response: Proposed § 160.540(g) would retain this provision. This provision tracks § 1005.17(g) of the OIG regulations, and we see no basis to depart from our practice in this regard.

VI. Impact Statement and Other Required Analyses

A. Paperwork Reduction Act

We reviewed this proposed rule to determine whether it raises issues that would subject it to the Paperwork Reduction Act (PRA). While the PRA applies to agencies and collections of information conducted or sponsored by those agencies, 5 CFR 1320.4(a) exempts collections of information that occur “during the conduct of * * * an administrative action, investigation, or audit involving an agency against specific individuals or entities,” except for investigations or audits “undertaken with reference to a category of individual or entities such as a class of licensees or an entire industry.” The proposed rule comes within this exemption, as it deals entirely with administrative investigations and actions against specific individuals or entities. Consequently, it need not be reviewed by the Office of Management and Budget under the authority of the PRA.

B. Executive Order 12866; Regulatory Flexibility Act; Section 1102, Social Security Act; Unfunded Mandates Reform Act of 1995; Small Business Regulatory Enforcement Fairness Act of 1996; Executive Order 13132

We have examined the impacts of this proposed rule as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-354), section 1102(b) of the Social Security Act, the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), the Small Business Regulatory Enforcement and Fairness Act, 5 U.S.C. 801et seq., and Executive Order 13132.

1. Executive Order 12866

Executive Order 12866 (as amended by Executive Order 13258, which merely reassigns responsibility of duties) directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 12866 defines, at section 3(f), several categories of “significant regulatory actions.” One category is “economically significant” rules, which are defined in section 3(f)(1) of the Order as rules that may “have an annual effect on the economy of $100 million or more, or adversely affect in a material way the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities.” Another category, under section 3(f)(4) of the Order, consists of rules that are “significant regulatory actions” because they “raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive Order.” Executive Order 12866 requires a full economic impact analysis only for “economically significant” rules under section 3(f)(1).

We have concluded that this rule should be treated as a “significant regulatory action” within the meaning of section 3(f)(4) of Executive Order 12866, because the HIPAA provisions to be enforced have extremely broad implications for the Nation's health care system, and because of the novel issues presented by, and the uncertainties surrounding, compliance among covered entities. However, we have determined that the impact of this rule is not such that it reaches the economically significant threshold under section 3(f)(1) of the Order.

Estimating the impacts of this rule presents unique challenges. On its face, the rule simply describes how HHS plans to enforce the HIPAA provisions, and can be considered a procedural rule without any intrinsic impact. However, health care providers, insurers, and health care clearinghouses that are covered by the HIPAA provisions represent a large proportion of their respective economic sectors. Further, all are within the jurisdiction of the Enforcement Rule (which is a “significant regulatory action,” as noted above).

The actual economic impacts of implementing the HIPAA provisions are subsumed in each of the applicable substantive regulations (Privacy Rule, Security Rule, Transactions Rule, et cetera). The economic impacts properly attributable to this rule, however, are those stemming from changes to current practice as a result of the Enforcement Rule and the cost of new and additional responsibilities that are required to conform to the Rule. In general, these costs are limited to costs related to conducting and responding to the investigation of complaints concerning the alleged HIPAA violations over which HHS has jurisdiction and compliance reviews, conducting hearings, and levying and collecting civil money penalties. The cost of conducting and responding to investigations of privacy complaints and compliance reviews with respect to the Privacy Rule has already been covered by the impact analysis of the Privacy Rule. Here we extend these processes to the other HIPAA rules. For reasons outlined in the following narrative, we anticipate the impacts of the additional activities covered by this rule to fall below the $100 million annual threshold that would raise this rule to the definition of “economically significant,” but acknowledge there is much that is unknown underlying the assumptions that have led us to this conclusion. We discuss these assumptions below.

Affected Entities and Projected Costs. Because of its scope, purview, and potential application, the Enforcement Rule is a significant regulatory action within the meaning of section 3(f)(4) of Executive Order 12866. We believe that over 2.5 million health care providers, health plans, and health care clearinghouses will meet the definition of a covered entity.

It is difficult for us to determine or estimate the impact of the Enforcement Rule on covered entities. All covered entities are expected to comply with the HIPAA rules. Enhancing the likelihood of compliance is the fact that each substantive HIPAA rule (e.g., the Privacy Rule, the Security Rule, the Transactions Rule) has at least a twenty-six month period between publication of the final rule and the compliance date (60 days for APA Congressional review, plus 24 months for covered entities or 36 months for small health plans). Thus, covered entities have at least 26 months to prepare for implementation, and HHS has provided, and will continue to provide, ample educational opportunities for covered entities during these periods. We also note that, as evidenced by the CMS Guidance, discussed above, where HHS became aware of potential noncompliance problems with the Transactions Rule, it acted proactively to outline an approach to enforcement that would permit flexibility under certain circumstances and which would not penalize good faith efforts to come into compliance. Accordingly, noncompliance that would be pursued under the provisions of the proposed Enforcement Rule should be considered to be the exception, rather than the norm.

Further minimizing the impact of the Enforcement Rule is the fact that most compliance efforts undertaken under the provisions of the rule are expected to result from complaints, rather than compliance reviews. To date, complaints have involved only an infinitesimal percentage of the universe of covered entities. As of the end of July 2004, OCR has received over 7,500 complaints related to the Privacy Rule since the compliance date of April 14, 2003, and CMS has received 145 complaints related to the Transactions Rule since the compliance date of October 16, 2003.

The most expensive impacts of this rule will derive from those cases in which the covered entities exercise their rights of appeal under subpart E of part 160. Based on our experience with other civil money penalty cases, the costs of such cases can be expected to dwarf the costs of cases that are resolved prior to the hearing stage. However, again based on our experience in other civil money penalty cases, very few of the cases opened will proceed through that stage. That other Departmental experience is borne out by our experience with respect to the HIPAA complaints received to date. Of the privacy complaints received and processed by the end of July 2004, approximately 57% were resolved immediately due to lack of jurisdiction (e.g, the complaint pertained to events that occurred before the implementation date of the relevant HIPAA regulation, the complaint did not relate to a covered entity, et cetera) or because of action taken by the covered entity to resolve the complaint voluntarily; similarly, of the 145 transactions complaints received from October 2003 through July 2004, 60% were closed in that period. Thus, it seems reasonable to assume that the costs attributable to the provisions of this rule will, in most cases that are opened, be low.

We recognize that our experience to date reflects slightly over one year of experience under the Privacy Rule, and less than one year under the Transactions Rule. Data generated on cases that might lead to the imposition of a civil money penalty during this time frame may not be typical of what we will see over time. For example, thenumber of complaints that may be dismissed because they involve situations that occurred before the relevant compliance date should decrease with the passage of time. Similarly, we would expect the instances of noncompliance to decrease as covered entities gain experience in complying with the HIPAA rules; on the other hand, the number of complaints could increase as individuals and entities become more aware of the rules' requirements. As we acquire experience under the rules, we will have a more extensive database for evaluating the impacts of enforcement activities.

Benefits of the Enforcement Rule. We believe that the value of the benefits brought by the HIPAA provisions are sufficient to warrant appropriate enforcement efforts. The benefits of the underlying HIPAA rules have been previously estimated in connection with the Privacy and the Transactions Rules, and are significant. The Enforcement Rule will encourage voluntary compliance, and provide a means for enforcing compliance where it is not forthcoming voluntarily, thereby facilitating the achievement of the benefits of the other HIPAA rules. See,65 FR 50350-50351; 65 FR 82760, 82776-82779; 68 FR 8370-8371. The benefits of these protections far outweigh the costs of this enforcement regulation.

Summary. In most cases, if covered entities comply with the various HIPAA rules, they should not incur any significant additional costs as a result of the Enforcement Rule. This is based on the fact the costs intrinsic to most of the HIPAA rules and operating directions against which compliance is evaluated have been scored independently of this rule and the requirements have not changed. We recognize that the specific requirements against which compliance is evaluated are not yet well known and may evolve with experience under HIPAA, but we expect that covered entities have both the ability and expectation to maintain compliance, especially given our commitment to encouraging and facilitating voluntary compliance. While not straightforward to project, it seems likely that the number of times in which the full civil money penalty enforcement process will be invoked will be extremely small, based on the evidence to date.

2. Other Analyses

We also examined the impact of the proposed Rule as required by the Regulatory Flexibility Act (RFA). The RFA requires agencies to determine whether a rule will have a significant economic impact on a substantial number of small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and government jurisdictions; for health care entities, the size standard for a “small” entity ranges from $6 million to $29 million in revenues in any one year. Most hospitals and most other providers and suppliers are small entities, either by nonprofit status or by having revenues less than the applicable size standard in any one year. As discussed above, the incidence of noncompliance is expected to be low, and, as also discussed above, it is expected that most issues of noncompliance will be resolved with minimal enforcement action. Even though the burden of regulatory compliance often falls disproportionately on small entities, there is no evidence to suggest that small entities have a higher rate of noncompliance than large entities. The Secretary therefore certifies that this rule will not have a significant economic impact on a substantial number of small entities.

Section 1102(b) of the Act requires agencies to prepare a regulatory impact analysis if a rule may have a significant impact on the operations of a substantial number of small rural hospitals. This analysis must conform to the provisions of section 603 (proposed documents)/604 (final documents) of the RFA. For purposes of section 1102(b) of the Act, we define a small rural hospital as a hospital that is located outside of a Metropolitan Statistical Area and has fewer than 100 beds. This proposed rule would not have a significant impact on small rural hospitals. The rule would implement procedures necessary for the Secretary to enforce subtitle F of Title II of HIPAA. As noted earlier, we do not expect that covered entities will willfully be out of compliance in such a way that would result in an enforcement action proceeding through the hearing stage.

Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1531et seq., also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditure in any one year by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million. The Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 801et seq., requires that rules that will have an impact on the economy of $100 million or more per annum be submitted for Congressional review. For the reasons discussed above, this proposed rule would not impose a burden large enough to require a section 202 statement under the Unfunded Mandates Reform Act of 1995 or Congressional review under SBREFA.

Executive Order 13132 establishes certain requirements that an agency must meet when it adopts a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. This proposed rule does not have “Federalism implications.” The rule would not have “substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.” As the Enforcement Rule is procedural in nature, its economic effects would not be substantial, as explained previously. Any preemption of State law that could occur would be a function of the underlying HIPAA rules, not the Enforcement Rule, which principally establishes the means by which the statutory civil money penalty provisions will be implemented. Therefore, the Enforcement Rule is not subject to Executive Order 13132 (Federalism).

Dated: April 8, 2005. Michael O. Leavitt,

Secretary.

List of subjects

Administrative practice and procedure, Computer technology, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and record keeping requirements, Security.

Administrative practice and procedure, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health Insurance, Health records, Hospitals, Medicaid, Medical research, Medicare, Privacy, Reporting and record keeping requirements, Security.

For the reasons set forth in the preamble, the Department of Health and Human Services proposes to amend 45 CFR subtitle A, subchapter C, parts 160 and 164, as set forth below.

Part 160—general administrative requirements

1. The authority citation for part 160 is revised to read as follows:

Authority:

42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, and sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

2. Section § 160.103 is amended by adding the definition “Person” in alphabetical order to read as follows:

§ 160.103 * * * * *

Person means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

* * * * *

3. Revise subpart C of this part to read as follows:

Subpart c—compliance and investigations

Sec. 160.300 160.302 160.304 160.306 160.308 160.310 160.312 160.314 160.316

Subpart c—compliance and investigations

§ 160.300

This subpart applies to actions by the Secretary, covered entities, and others with respect to ascertaining the compliance by covered entities with, and the enforcement of, the applicable requirements of this part 160 and the applicable standards, requirements, and implementation specifications of parts 162 and 164 of this subchapter.

§ 160.302

As used in this subpart and subparts D and E of this part, the following terms have the following meanings:

Administrative simplification provision means any requirement or prohibition established by:

(1) 42 U.S.C. 1320d-1320d-4, 1320d-7, and 1320d-8;

(2) Section 264 of Pub. L. 104-191; or

(3) This subchapter.

ALJ means Administrative Law Judge.

Civil money penalty or penalty means the amount determined under § 160.404 of this part and includes the plural of these terms.

Respondent means a covered entity upon which the Secretary has imposed, or proposes to impose, a civil money penalty.

Violation or violate means, as the context may require, failure to comply with an administrative simplification provision.

§ 160.304

(a)Cooperation. The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the applicable administrative simplification provisions.

(b)Assistance. The Secretary may provide technical assistance to covered entities to help them comply voluntarily with the applicable administrative simplification provisions.

§ 160.306

(a)Right to file a complaint. A person who believes a covered entity is not complying with the administrative simplification provisions may file a complaint with the Secretary.

(b)Requirements for filing complaints. Complaints under this section must meet the following requirements:

(1) A complaint must be filed in writing, either on paper or electronically.

(2) A complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable administrative simplification provision(s).

(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.

(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.

(c)Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged violation.

§ 160.308

The Secretary may conduct compliance reviews to determine whether covered entities are complying with the applicable administrative simplification provisions.

§ 160.310

(a)Provide records and compliance reports. A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable administrative simplification provisions.

(b)Cooperate with complaint investigations and compliance reviews. A covered entity must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity to determine whether it is complying with the applicable administrative simplification provisions.

(c)Permit access to information.(1) A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity must permit access by the Secretary at any time and without notice.

(2) If any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information.

(3) Protected health information obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable administrative simplification provisions, or if otherwise required by law.

§ 160.312

(a)Resolution when noncompliance is indicated.(1) If an investigation of a complaint pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates noncompliance, the Secretary will attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.

(2) If the matter is resolved by informal means, the Secretary will so inform the covered entity and, if thematter arose from a complaint, the complainant, in writing.

(3) If the matter is not resolved by informal means, the Secretary will—

(i) So inform the covered entity and provide the covered entity an opportunity to submit written evidence of any mitigating factors or affirmative defenses for consideration under §§ 160.408 and 160.410. The covered entity must submit any such evidence to the Secretary within 30 days (computed in the same manner as prescribed under § 160.526) of receipt of such notification; and

(ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary finds that a civil money penalty should be imposed, inform the covered entity of such finding in a notice of proposed determination in accordance with § 160.420.

(b)Resolution when no violation is found. If, after an investigation pursuant to § 160.306 or a compliance review pursuant to § 160.308, the Secretary determines that further action is not warranted, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant, in writing.

§ 160.314

(a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and testimony of witnesses and the production of any other evidence during an investigation pursuant to this part. For purposes of this paragraph, a person other than a natural person is termed an “entity.”

(1) A subpoena issued under this paragraph must—

(i) State the name of the person (including the entity, if applicable) to whom the subpoena is addressed;

(ii) State the statutory authority for the subpoena;

(iii) Indicate the date, time, and place that the testimony will take place;

(iv) Include a reasonably specific description of any documents or items required to be produced; and

(v) If the subpoena is addressed to an entity, describe with reasonable particularity the subject matter on which testimony is required. In that event, the entity must designate one or more natural persons who will testify on its behalf, and must state as to each such person that person's name and address and the matters on which he or she will testify. The designated person must testify as to matters known or reasonably available to the entity.

(2) A subpoena under this section must be served by—

(i) Delivering a copy to the natural person named in the subpoena or to the entity named in the subpoena at its last principal place of business; or

(ii) Registered or certified mail addressed to the natural person at his or her last known dwelling place or to the entity at its last known principal place of business.

(3) A verified return by the natural person serving the subpoena setting forth the manner of service or, in the case of service by registered or certified mail, the signed return post office receipt, constitutes proof of service.

(4) Witnesses are entitled to the same fees and mileage as witnesses in the district courts of the United States (28 U.S.C. 1821 and 1825). Fees need not be paid at the time the subpoena is served.

(5) A subpoena under this section is enforceable through the district court of the United States for the district where the subpoenaed natural person resides or is found or where the entity transacts business.

(b) Investigational inquiries are non-public investigational proceedings conducted by the Secretary.

(1) Testimony at investigational inquiries will be taken under oath or affirmation.

(2) Attendance of non-witnesses is discretionary with the Secretary, except that a witness is entitled to be accompanied, represented, and advised by an attorney.

(3) Representatives of the Secretary are entitled to attend and ask questions.

(4) A witness will have the opportunity to clarify his or her answers on the record following questioning by the Secretary.

(5) Any claim of privilege must be asserted by the witness on the record.

(6) Objections must be asserted on the record. Errors of any kind that might be corrected if promptly presented will be deemed to be waived unless reasonable objection is made at the investigational inquiry. Except where the objection is on the grounds of privilege, the question will be answered on the record, subject to objection.

(7) If a witness refuses to answer any question not privileged or to produce requested documents or items, or engages in conduct likely to delay or obstruct the investigational inquiry, the Secretary may seek enforcement of the subpoena under paragraph (a)(5) of this section.

(8) The proceedings will be recorded and transcribed. The witness is entitled to a copy of the transcript, upon payment of prescribed costs, except that, for good cause, the witness may be limited to inspection of the official transcript of his or her testimony.

(9)(i) The transcript will be submitted to the witness for signature.

(A) Where the witness will be provided a copy of the transcript, the transcript will be submitted to the witness for signature. The witness may submit to the Secretary written proposed corrections to the transcript, with such corrections attached to the transcript. If the witness does not return a signed copy of the transcript or proposed corrections within 30 days (computed in the same manner as prescribed under § 160.526) of its being submitted to him or her for signature, the witness will be deemed to have agreed that the transcript is true and accurate.

(B) Where, as provided in paragraph (b)(8) of this section, the witness is limited to inspecting the transcript, the witness will have the opportunity at the time of inspection to propose corrections to the transcript, with corrections attached to the transcript. The witness will also have the opportunity to sign the transcript. If the witness does not sign the transcript or offer corrections within 30 days (computed in the same manner as prescribed under § 160.526 of this part) of receipt of notice of the opportunity to inspect the transcript, the witness will be deemed to have agreed that the transcript is true and accurate.

(ii) The Secretary's proposed corrections to the record of transcript will be attached to the transcript.

(c) Consistent with § 160.310(c)(3), testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding.

§ 160.316

A covered entity may not threaten, intimidate, coerce, discriminate against, or take any other retaliatory action against any individual or other person for—

(a) Filing of a complaint under § 160.306;

(b) Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under this part; or

(c) Opposing any act or practice made unlawful by this subchapter, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164 of this subchapter.

4. Amend 45 CFR part 160 by adding a new subpart D to read as follows:

Subpart d—imposition of civil money penalties

Sec. 160.400 160.402 160.404 160.406 160.408 160.410 160.412 160.414 160.416 160.418 160.420 160.422 160.424 160.426

Subpart d—imposition of civil money penalties

§ 160.400

This subpart applies to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5.

§ 160.402

(a)General rule. Subject to § 160.410, the Secretary will impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision.

(b)Violation by more than one covered entity.(1) Except as provided in paragraph (b)(2) of this section, if the Secretary determines that more than one covered entity was responsible for a violation, the Secretary will impose a civil money penalty against each such covered entity.

(2) Each covered entity that is a member of an affiliated covered entity, in accordance with § 164.105(b) of this subchapter, is jointly and severally liable for a civil money penalty for a violation of part 164 of this subchapter based on an act or omission of the affiliated covered entity.

(c)Violation attributed to a covered entity. A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency, unless—

(1) The agent is a business associate of the covered entity;

(2) The covered entity has complied, with respect to such business associate, with the applicable requirements of §§ 164.308(b) and 164.502(e) of this subchapter; and

(3) The covered entity did not—

(i) Know of a pattern of activity or practice of the business associate, and

(ii) Fail to act as required by §§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable.

§ 160.404

(a) The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and §§ 160.406, 160.408, and 160.412.

(b) The amount of a civil money penalty that may be imposed is subject to the following limitations:

(1) The Secretary may not impose a civil money penalty—

(i) In the amount of more than $100 for each violation; or

(ii) In excess of $25,000 for identical violations during a calendar year (January 1 through the following December 31).

(2) If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another administrative simplification provision in the same subpart, a civil money penalty may be imposed for a violation of only one of these administrative simplification provisions.

§ 160.406

(a)General rule. To determine the number of violations of an identical administrative simplification provision by a covered entity, the Secretary will apply, as he deems appropriate, any variables identified at paragraph (b) of this section, based upon:

(1) The facts and circumstances of the violation; and

(2) The underlying purpose of the subpart of this subchapter that is violated.

(b)Variables.(1) The number of times the covered entity failed to engage in required conduct or engaged in a prohibited act;

(2) The number of persons involved in, or affected by, the violation; or

(3) The duration of the violation counted in days.

§ 160.408

In determining the amount of any civil money penalty, the Secretary may consider as aggravating or mitigating factors, as appropriate, any of the following:

(a) The nature of the violation, in light of the purpose of the rule violated.

(b) The circumstances, including the consequences, of the violation, including but not limited to:

(1) The time period during which the violation(s) occurred;

(2) Whether the violation caused physical harm;

(3) Whether the violation hindered or facilitated an individual's ability to obtain health care; and

(4) Whether the violation resulted in financial harm.

(c) The degree of culpability of the covered entity, including but not limited to:

(1) Whether the violation was intentional; and

(2) Whether the violation was beyond the direct control of the covered entity.

(d) Any history of prior offenses of the covered entity, including but not limited to:

(1) Whether the current violation is the same or similar to prior violation(s);

(2) Whether and to what extent the covered entity has attempted to correct previous violations;

(3) How the covered entity has responded to technical assistance from the Secretary provided in the context of a compliance effort; and

(4) How the covered entity has responded to prior complaints.

(e) The financial condition of the covered entity, including but not limited to:

(1) Whether the covered entity had financial difficulties that affected its ability to comply;

(2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity to continue to provide, or to pay for, health care; and

(3) The size of the covered entity.

(f) Such other matters as justice may require.

§ 160.410

(a) As used in this section, the following terms have the following meanings:

Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.

Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.

(b) The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:

(1) The violation is an act punishable under 42 U.S.C. 1320d-6;

(2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and, by exercising reasonable diligence, would not have known that the violation occurred; or

(3) The violation is—

(i) Due to reasonable cause and not willful neglect; and

(ii) Corrected during either:

(A) The 30-day period beginning on the date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or

(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.

§ 160.412

For violations described in § 160.410(b)(3)(i) that are not corrected within the period described in § 160.410(b)(3)(ii), the Secretary may waive the civil money penalty, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation.

§ 160.414

No action under this subpart may be entertained unless commenced by the Secretary, in accordance with § 160.420, within 6 years from the date of the occurrence of the violation.

§ 160.416

Nothing in this subpart limits the authority of the Secretary to settle any issue or case or to compromise any penalty.

§ 160.418

Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1), a penalty imposed under this part is in addition to any other penalty prescribed by law.

§ 160.420

(a) If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice of the Secretary's intent to impose a penalty. This notice of proposed determination must include—

(1) Reference to the statutory basis for the penalty;

(2) A description of the findings of fact regarding the violations with respect to which the penalty is proposed (except in cases where the Secretary is relying upon a statistical sampling study in accordance with § 160.536, in which case the notice must describe the study relied upon and briefly describe the statistical sampling technique used by the Secretary);

(3) The reason(s) why the violation(s) subject(s) the respondent to a penalty;

(4) The amount of the proposed penalty;

(5) Any circumstances described in § 160.408 that were considered in determining the amount of the proposed penalty; and

(6) Instructions for responding to the notice, including a statement of the respondent's right to a hearing, a statement that failure to request a hearing within 60 days permits the imposition of the proposed penalty without the right to a hearing under § 160.504 or a right of appeal under § 160.548, and the address to which the hearing request must be sent.

(b) The respondent may request a hearing before an ALJ on the proposed penalty by filing a request in accordance with § 160.504.

§ 160.422

If the respondent does not request a hearing within the time prescribed by § 160.504 and the matter is not settled pursuant to § 160.416, the Secretary will impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5. The Secretary will notify the respondent by certified mail, return receipt requested, of any penalty that has been imposed and of the means by which the respondent may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to appeal a penalty under § 160.548 with respect to which the respondent has not timely requested a hearing.

§ 160.424

(a) Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary, subject to the first sentence of 42 U.S.C. 1320a-7a(f).

(b) The penalty may be recovered in a civil action brought in the United States district court for the district where the respondent resides, is found, or is located.

(c) The amount of a penalty, when finally determined, or the amount agreed upon in compromise, may be deducted from any sum then or later owing by the United States, or by a State agency, to the respondent.

(d) Matters that were raised or that could have been raised in a hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may not be raised as a defense in a civil action by the United States to collect a penalty under this part.

§ 160.426

Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: The appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

5. Revise subpart E to read as follows:

Subpart e—procedures for hearings

Sec. 160.500 160.502 160.504 160.506 160.508 160.510 160.512 160.514 160.516 160.518 160.520 160.522 160.524 160.526 160.528 160.530 160.532 160.534 160.536 160.538 160.540 160.542 160.544 160.546 160.548 160.550 160.552

Subpart e—procedures for hearings

§ 160.500

This subpart applies to hearings conducted relating to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5.

§ 160.502

As used in this subpart, the following term has the following meaning:

Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue decisions in panels of three.

§ 160.504

(a) A respondent may request a hearing before an ALJ. The parties to the hearing proceeding consist of—

(1) The respondent; and

(2) The officer(s) or employee(s) of HHS to whom the enforcement authority involved has been delegated.

(b) The request for a hearing must be made in writing signed by the respondent or by the respondent's attorney and sent by certified mail, return receipt requested, to the address specified in the notice of proposed determination. The request for a hearing must be mailed within 60 days after notice of the proposed determination is received by the respondent. For purposes of this section, the respondent's date of receipt of the notice of proposed determination is presumed to be 5 days after the date of the notice unless the respondent makes a reasonable showing to the contrary to the ALJ.

(c) The request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination with regard to which the respondent has any knowledge. If the respondent has no knowledge of a particular finding of fact and so states, the finding shall be deemed denied. The request for a hearing must also state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty.

(d) The ALJ must dismiss a hearing request where—

(1) The respondent's hearing request is not filed as required by paragraphs (b) and (c) of this section;

(2) The respondent withdraws the request for a hearing;

(3) The respondent abandons the request for a hearing; or

(4) The respondent's hearing request fails to raise any issue that may properly be addressed in a hearing.

§ 160.506

(a) Except as otherwise limited by this subpart, each party may—

(1) Be accompanied, represented, and advised by an attorney;

(2) Participate in any conference held by the ALJ;

3) Conduct discovery of documents as permitted by this subpart;

(4) Agree to stipulations of fact or law that will be made part of the record;

(5) Present evidence relevant to the issues at the hearing;

(6) Present and cross-examine witnesses;

(7) Present oral arguments at the hearing as permitted by the ALJ; and

(8) Submit written briefs and proposed findings of fact and conclusions of law after the hearing.

(b) A party may appear in person or by a representative. Natural persons who appear as an attorney or other representative must conform to the standards of conduct and ethics required of practitioners before the courts of the United States.

(c) Fees for any services performed on behalf of a party by an attorney are not subject to the provisions of 42 U.S.C. 406, which authorizes the Secretary to specify or limit their fees.

§ 160.508

(a) The ALJ must conduct a fair and impartial hearing, avoid delay, maintain order, and ensure that a record of the proceeding is made.

(b) The ALJ may—

(1) Set and change the date, time and place of the hearing upon reasonable notice to the parties;

(2) Continue or recess the hearing in whole or in part for a reasonable period of time;

(3) Hold conferences to identify or simplify the issues, or to consider other matters that may aid in the expeditious disposition of the proceeding;

(4) Administer oaths and affirmations;

(5) Issue subpoenas requiring the attendance of witnesses at hearings and the production of documents at or in relation to hearings;

(6) Rule on motions and other procedural matters;

(7) Regulate the scope and timing of documentary discovery as permitted by this subpart;

(8) Regulate the course of the hearing and the conduct of representatives, parties, and witnesses;

(9) Examine witnesses;

(10) Receive, rule on, exclude, or limit evidence;

(11) Upon motion of a party, take official notice of facts;

(12) Conduct any conference, argument or hearing in person or, upon agreement of the parties, by telephone; and

(13) Upon motion of a party, decide cases, in whole or in part, by summary judgment where there is no disputed issue of material fact. A summary judgment decision constitutes a hearing on the record for the purposes of this subpart.

(c) The ALJ—

(1) May not find invalid or refuse to follow Federal statutes, regulations, or Secretarial delegations of authority and must give deference to published guidance to the extent not inconsistent with statute or regulation;

(2) May not enter an order in the nature of a directed verdict;

(3) May not compel settlement negotiations;

(4) May not enjoin any act of the Secretary; or

(5) May not review the exercise of discretion by the Secretary with respect to—

(i) Whether to grant an extension under § 160.410(b)(3)(ii)(B) or to provide technical assistance under 42 U.S.C. 1320d-5(b)(3)(B); and

(ii) Selection of variable(s) under § 160.406.

§ 160.510

No party or person (except employees of the ALJ's office) may communicate in any way with the ALJ on any matter at issue in a case, unless on notice and opportunity for both parties to participate. This provision does not prohibit a party or person from inquiring about the status of a case or asking routine questions concerning administrative functions or procedures.

§ 160.512

(a) The ALJ must schedule at least one prehearing conference, and may schedule additional prehearing conferences as appropriate, upon reasonable notice, which may not be less than 14 business days, to the parties.

(b) The ALJ may use prehearing conferences to discuss the following—

(1) Simplification of the issues;

(2) The necessity or desirability of amendments to the pleadings, including the need for a more definite statement;

(3) Stipulations and admissions of fact or as to the contents and authenticity of documents;

(4) Whether the parties can agree to submission of the case on a stipulated record;

(5) Whether a party chooses to waive appearance at an oral hearing and to submit only documentary evidence (subject to the objection of the other party) and written argument;

(6) Limitation of the number of witnesses;

(7) Scheduling dates for the exchange of witness lists and of proposed exhibits;

(8) Discovery of documents as permitted by this subpart;

(9) The time and place for the hearing;

(10) The potential for the settlement of the case by the parties; and

(11) Other matters as may tend to encourage the fair, just and expeditious disposition of the proceedings, including the protection of privacy of individually identifiable health information that may be submitted into evidence or otherwise used in the proceeding, if appropriate.

(c) The ALJ must issue an order containing the matters agreed upon by the parties or ordered by the ALJ at a prehearing conference.

§ 160.514

The Secretary has exclusive authority to settle any issue or case without the consent of the ALJ.

§ 160.516

(a) A party may make a request to another party for production of documents for inspection and copying that are relevant and material to the issues before the ALJ.

(b) For the purpose of this section, the term “documents” includes information, reports, answers, records, accounts, papers and other data and documentary evidence. Nothing contained in this section may be interpreted to require the creation of a document, except that requested data stored in an electronic data storage system must be produced in a form accessible to the requesting party.

(c) Requests for documents, requests for admissions, written interrogatories, depositions and any forms of discovery, other than those permitted under paragraph (a) of this section, are not authorized.

(d) This section may not be construed to require the disclosure of interview reports or statements obtained by any party, or on behalf of any party, of persons who will not be called as witnesses by that party, or analyses and summaries prepared in conjunction with the investigation or litigation of the case, or any otherwise privileged documents.

(e)(1) When a request for production of documents has been received, within 30 days the party receiving that request must either fully respond to the request, or state that the request is being objected to and the reasons for that objection. If objection is made to part of an item or category, the part must be specified. Upon receiving any objections, the party seeking production may then, within 30 days or any other time frame set by the ALJ, file a motion for an order compelling discovery. The party receiving a request for production may also file a motion for protective order any time before the date the production is due.

(2) The ALJ may grant a motion for protective order or deny a motion for an order compelling discovery if the ALJ finds that the discovery sought—

(i) Is irrelevant;

(ii) Is unduly costly or burdensome;

(iii) Will unduly delay the proceeding; or

(iv) Seeks privileged information.

(3) The ALJ may extend any of the time frames set forth in paragraph (e)(1) of this section.

(4) The burden of showing that discovery should be allowed is on the party seeking discovery.

§ 160.518

(a) The parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written statements that the party intends to offer in lieu of live testimony in accordance with § 160.538, not more than 60, and not less than 15, days before the scheduled hearing.

(b)(1) If, at any time, a party objects to the proposed admission of evidence not exchanged in accordance with paragraph (a) of this section, the ALJ must determine whether the failure to comply with paragraph (a) of this section should result in the exclusion of that evidence.

(2) Unless the ALJ finds that extraordinary circumstances justified the failure timely to exchange the information listed under paragraph (a) of this section, the ALJ must exclude from the party's case-in-chief—

(i) The testimony of any witness whose name does not appear on the witness list; and

(ii) Any exhibit not provided to the opposing party as specified in paragraph (a) of this section.

(3) If the ALJ finds that extraordinary circumstances existed, the ALJ must then determine whether the admission of that evidence would cause substantial prejudice to the objecting party.

(i) If the ALJ finds that there is no substantial prejudice, the evidence may be admitted.

(ii) If the ALJ finds that there is substantial prejudice, the ALJ may exclude the evidence, or, if he or she does not exclude the evidence, must postpone the hearing for such time as is necessary for the objecting party to prepare and respond to the evidence, unless the objecting party waives postponement.

(c) Unless the other party objects within a reasonable period of time before the hearing, documents exchanged in accordance with paragraph (a) of this section will be deemed to be authentic for the purpose of admissibility at the hearing.

§ 160.520

(a) A party wishing to procure the appearance and testimony of any person at the hearing may make a motion requesting the ALJ to issue a subpoena if the appearance and testimony are reasonably necessary for the presentation of a party's case.

(b) A subpoena requiring the attendance of a person in accordance with paragraph (a) of this section may also require the person (whether or not the person is a party) to produce relevant and material evidence at or before the hearing.

(c) When a subpoena is served by a respondent on a particular employee or official or particular office of HHS, the Secretary may comply by designating any knowledgeable HHS representative to appear and testify.

(d) A party seeking a subpoena must file a written motion not less than 30 days before the date fixed for the hearing, unless otherwise allowed by the ALJ for good cause shown. That motion must—

(1) Specify any evidence to be produced;

(2) Designate the witnesses; and

(3) Describe the address and location with sufficient particularity to permit those witnesses to be found.

(e) The subpoena must specify the time and place at which the witness is to appear and any evidence the witness is to produce.

(f) Within 15 days after the written motion requesting issuance of a subpoena is served, any party may file an opposition or other response.

(g) If the motion requesting issuance of a subpoena is granted, the party seeking the subpoena must serve it by delivery to the person named, or by certified mail addressed to that person at the person's last dwelling place or principal place of business.

(h) The person to whom the subpoena is directed may file with the ALJ a motion to quash the subpoena within 10 days after service.

(i) The exclusive remedy for contumacy by, or refusal to obey a subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).

§ 160.522

The party requesting a subpoena must pay the cost of the fees and mileage of any witness subpoenaed in the amounts that would be payable to a witness in a proceeding in United States District Court. A check for witness fees and mileage must accompany the subpoena when served, except that, when a subpoena is issued on behalf of the Secretary, a check for witness fees and mileage need not accompany the subpoena.

§ 160.524

(a)Forms. (1) Unless the ALJ directs the parties to do otherwise, documentsfiled with the ALJ must include an original and two copies.

(2) Every pleading and paper filed in the proceeding must contain a caption setting forth the title of the action, the case number, and a designation of the paper, such as motion to quash subpoena.

(3) Every pleading and paper must be signed by and must contain the address and telephone number of the party or the person on whose behalf the paper was filed, or his or her representative.

(4) Papers are considered filed when they are mailed.

(b)Service. A party filing a document with the ALJ or the Board must, at the time of filing, serve a copy of the document on the other party. Service upon any party of any document must be made by delivering a copy, or placing a copy of the document in the United States mail, postage prepaid and addressed, or with a private delivery service, to the party's last known address. When a party is represented by an attorney, service must be made upon the attorney in lieu of the party.

(c)Proof of service. A certificate of the natural person serving the document by personal delivery or by mail, setting forth the manner of service, constitutes proof of service.

§ 160.526

(a) In computing any period of time under this subpart or in an order issued thereunder, the time begins with the day following the act, event or default, and includes the last day of the period unless it is a Saturday, Sunday, or legal holiday observed by the Federal Government, in which event it includes the next business day.

(b) When the period of time allowed is less than 7 days, intermediate Saturdays, Sundays, and legal holidays observed by the Federal Government must be excluded from the computation.

(c) Where a document has been served or issued by placing it in the mail, an additional 5 days must be added to the time permitted for any response. This paragraph does not apply to requests for hearing under § 160.504.

§ 160.528

(a) An application to the ALJ for an order or ruling must be by motion. Motions must state the relief sought, the authority relied upon and the facts alleged, and must be filed with the ALJ and served on all other parties.

(b) Except for motions made during a prehearing conference or at the hearing, all motions must be in writing. The ALJ may require that oral motions be reduced to writing.

(c) Within 10 days after a written motion is served, or such other time as may be fixed by the ALJ, any party may file a response to the motion.

(d) The ALJ may not grant a written motion before the time for filing responses has expired, except upon consent of the parties or following a hearing on the motion, but may overrule or deny the motion without awaiting a response.

(e) The ALJ must make a reasonable effort to dispose of all outstanding motions before the beginning of the hearing.

§ 160.530

The ALJ may sanction a person, including any party or attorney, for failing to comply with an order or procedure, for failing to defend an action or for other misconduct that interferes with the speedy, orderly or fair conduct of the hearing. The sanctions must reasonably relate to the severity and nature of the failure or misconduct. The sanctions may include—

(a) In the case of refusal to provide or permit discovery under the terms of this part, drawing negative factual inferences or treating the refusal as an admission by deeming the matter, or certain facts, to be established;

(b) Prohibiting a party from introducing certain evidence or otherwise supporting a particular claim or defense;

(c) Striking pleadings, in whole or in part;

(d) Staying the proceedings;

(e) Dismissal of the action;

(f) Entering a decision by default;

(g) Ordering the party or attorney to pay the attorney's fees and other costs caused by the failure or misconduct; and

(h) Refusing to consider any motion or other action that is not filed in a timely manner.

§ 160.532

When a final determination that the respondent violated an administrative simplification provision has been rendered in any proceeding in which the respondent was a party and had an opportunity to be heard, the respondent is bound by that determination in any proceeding under this part.

§ 160.534

(a) The ALJ must conduct a hearing on the record in order to determine whether the respondent should be found liable under this part.

(b)(1) The respondent has the burden of going forward and the burden of persuasion with respect to any:

(i) Affirmative defense pursuant to § 160.410;

(ii) Challenge to the amount of a proposed penalty pursuant to §§ 160.404-160.408, including any factors raised as mitigating factors; or

(iii) Claim that a proposed penalty should be reduced or waived pursuant to § 160.412.

(2) The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability and the existence of any factors considered as aggravating factors in determining the amount of the proposed penalty.

(3) The burden of persuasion will be judged by a preponderance of the evidence.

(c) The hearing must be open to the public unless otherwise ordered by the ALJ for good cause shown.

(d)(1) Subject to the 15-day rule under § 160.518(a) and the admissibility of evidence under § 160.540, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination or the request for hearing, as applicable. Such items and information may not be admitted into evidence, if introduced—

(i) By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination pursuant to § 160.420, including circumstances that may increase penalties; or

(ii) By the respondent, unless they are material and relevant to an admission, denial or explanation of a finding of fact in the notice of proposed determination under § 160.420, or to a specific circumstance or argument expressly stated in the request for hearing under § 160.504, including circumstances that may reduce penalties.

(2) After both parties have presented their cases, evidence may be admitted in rebuttal even if not previously exchanged in accordance with § 160.518.

§ 160.536

(a) In meeting the burden of proof set forth in § 160.534, the Secretary may introduce the results of a statistical sampling study as evidence of the number of violations under § 160.406, or the factors considered in determining the amount of the civil money penalty under § 160.408. Such statistical sampling study, if based upon an appropriate sampling and computed by valid statistical methods, constitutes prima facie evidence of the number of violations and the existence of factors material to the proposed civil moneypenalty as described in §§ 160.406 and 160.408.

(b) Once the Secretary has made a prima facie case, as described in paragraph (a) of this section, the burden of going forward shifts to the respondent to produce evidence reasonably calculated to rebut the findings of the statistical sampling study. The Secretary will then be given the opportunity to rebut this evidence.

§ 160.538

(a) Except as provided in paragraph (b) of this section, testimony at the hearing must be given orally by witnesses under oath or affirmation.

(b) At the discretion of the ALJ, testimony of witnesses other than the testimony of expert witnesses may be admitted in the form of a written statement. Any such written statement must be provided to the other party, along with the last known address of the witness, in a manner that allows sufficient time for the other party to subpoena the witness for cross-examination at the hearing. Prior written statements of witnesses proposed to testify at the hearing must be exchanged as provided in § 160.518. The ALJ may, at his or her discretion, admit prior sworn testimony of experts that has been subject to adverse examination, such as a deposition or trial testimony.

(c) The ALJ must exercise reasonable control over the mode and order of interrogating witnesses and presenting evidence so as to:

(1) Make the interrogation and presentation effective for the ascertainment of the truth;

(2) Avoid repetition or needless consumption of time; and

(3) Protect witnesses from harassment or undue embarrassment.

(d) The ALJ must permit the parties to conduct cross-examination of witnesses as may be required for a full and true disclosure of the facts.

(e) The ALJ may order witnesses excluded so that they cannot hear the testimony of other witnesses, except that the ALJ may not order to be excluded—

(1) A party who is a natural person;

(2) In the case of a party that is not a natural person, the officer or employee of the party appearing for the entity pro se or designated as the party's representative; or

(3) A natural person whose presence is shown by a party to be essential to the presentation of its case, including a person engaged in assisting the attorney for the Secretary.

§ 160.540

(a) The ALJ must determine the admissibility of evidence.

(b) Except as provided in this subpart, the ALJ is not bound by the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate, for example, to exclude unreliable evidence.

(c) The ALJ must exclude irrelevant or immaterial evidence.

(d) Although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or by considerations of undue delay or needless presentation of cumulative evidence.

(e) Although relevant, evidence must be excluded if it is privileged under Federal law.

(f) Evidence concerning offers of compromise or settlement are inadmissible to the extent provided in Rule 408 of the Federal Rules of Evidence.

(g) Evidence of crimes, wrongs, or acts other than those at issue in the instant case is admissible in order to show motive, opportunity, intent, knowledge, preparation, identity, lack of mistake, or existence of a scheme. This evidence is admissible regardless of whether the crimes, wrongs, or acts occurred during the statute of limitations period applicable to the acts or omissions that constitute the basis for liability in the case and regardless of whether they were referenced in the Secretary's notice of proposed determination under § 160.420.

(h) The ALJ must permit the parties to introduce rebuttal witnesses and evidence.

(i) All documents and other evidence offered or taken for the record must be open to examination by both parties, unless otherwise ordered by the ALJ for good cause shown.

§ 160.542

(a) The hearing must be recorded and transcribed. Transcripts may be obtained following the hearing from the ALJ. Cost of transcription will be borne equally by the parties.

(b) The transcript of the testimony, exhibits, and other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the record for decision by the ALJ and the Secretary.

(c) The record may be inspected and copied (upon payment of a reasonable fee) by any person, unless otherwise ordered by the ALJ for good cause shown.

(d) For good cause, the ALJ may order appropriate redactions made to the record.

§ 160.544

The ALJ may require the parties to file post-hearing briefs. In any event, any party may file a post-hearing brief. The ALJ must fix the time for filing the briefs. The time for filing may not exceed 60 days from the date the parties receive the transcript of the hearing or, if applicable, the stipulated record. The briefs may be accompanied by proposed findings of fact and conclusions of law. The ALJ may permit the parties to file reply briefs.

§ 160.546

(a) The ALJ must issue a decision, based only on the record, which must contain findings of fact and conclusions of law.

(b) The ALJ may affirm, increase, or reduce the penalties imposed by the Secretary.

(c) The ALJ must issue the decision to both parties within 60 days after the time for submission of post-hearing briefs and reply briefs, if permitted, has expired. If the ALJ fails to meet the deadline contained in this paragraph, he or she must notify the parties of the reason for the delay and set a new deadline.

(d) Unless the decision of the ALJ is timely appealed as provided for in § 160.548, the decision of the ALJ will be final and binding on the parties 60 days from the date of service of the ALJ's decision.

§ 160.548

(a) Any party may appeal the decision of the ALJ to the Board by filing a notice of appeal with the Board within 30 days of the date of service of the ALJ decision. The Board may extend the initial 30 day period for a period of time not to exceed 30 days if a party files with the Board a request for an extension within the initial 30 day period and shows good cause.

(b) If a party files a timely notice of appeal with the Board, the ALJ must forward the record of the proceeding to the Board.

(c) A notice of appeal must be accompanied by a written brief specifying exceptions to the initial decision and reasons supporting the exceptions. Any party may file a brief in opposition to the exceptions, which may raise any relevant issue not addressed in the exceptions, within 30 days of receiving the notice of appeal and the accompanying brief. The Board may permit the parties to file reply briefs.

(d) There is no right to appear personally before the Board or to appeal to the Board any interlocutory ruling by the ALJ.

(e) The Board may not consider any issue not raised in the parties' briefs, nor any issue in the briefs that could have been raised before the ALJ but was not.

(f) If any party demonstrates to the satisfaction of the Board that additional evidence not presented at such hearing is relevant and material and that there were reasonable grounds for the failure to adduce such evidence at the hearing, the Board may remand the matter to the ALJ for consideration of such additional evidence.

(g) The Board may decline to review the case, or may affirm, increase, reduce, reverse or remand any penalty determined by the ALJ.

(h) The standard of review on a disputed issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the whole record. The standard of review on a disputed issue of law is whether the decision is erroneous.

(i) Within 60 days after the time for submission of briefs and reply briefs, if permitted, has expired, the Board must serve on each party to the appeal a copy of the Board's decision and a statement describing the right of any respondent who is penalized to seek judicial review.

(j)(1) The Board's decision under paragraph (i) of this section, including a decision to decline review of the initial decision, becomes the final decision of the Secretary 60 days after the date of service of the Board's decision, except with respect to a decision to remand to the ALJ or if reconsideration is requested under this paragraph.

(2) The Board will reconsider its decision only if it determines that the decision contains a clear error of fact or error of law. New evidence will not be a basis for reconsideration unless the party demonstrates that the evidence is newly discovered and was not previously available.

(3) A party may file a motion for reconsideration with the Board before the date the decision becomes final under paragraph (j)(1) of this section. A motion for reconsideration must be accompanied by a written brief specifying any alleged error of fact or law and, if the party is relying on additional evidence, explaining why the evidence was not previously available. Any party may file a brief in opposition within 15 days of receiving the motion for reconsideration and the accompanying brief unless this time limit is extended by the Board for good cause shown. Reply briefs are not permitted.

(4) The Board must rule on the motion for reconsideration not later than 30 days from the date the opposition brief is due. If the Board denies the motion, the decision issued under paragraph (i) of this section becomes the final decision of the Secretary on the date of service of the ruling. If the Board grants the motion, the Board will issue a reconsidered decision, after such procedures as the Board determines necessary to address the effect of any error. The Board's decision on reconsideration becomes the final decision of the Secretary on the date of service of the decision, except with respect to a decision to remand to the ALJ.

(5) If service of a ruling or decision issued under this section is by mail, the date of service will be deemed to be 5 days from the date of mailing.

(k)(1) A respondent's petition for judicial review must be filed within 60 days of the date on which the decision of the Board becomes the final decision of the Secretary under paragraph (j) of this section.

(2) In compliance with 28 U.S.C. 2112(a), a copy of any petition for judicial review filed in any U.S. Court of Appeals challenging the final decision of the Secretary must be sent by certified mail, return receipt requested, to the General Counsel of HHS. The petition copy must be a copy showing that it has been time-stamped by the clerk of the court when the original was filed with the court.

(3) If the General Counsel of HHS received two or more petitions within 10 days after the final decision of the Secretary, the General Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation of any petitions that were received within the 10 day period.

§ 160.550

(a) Pending judicial review, the respondent may file a request for stay of the effective date of any penalty with the ALJ. The request must be accompanied by a copy of the notice of appeal filed with the federal court. The filing of the request automatically stays the effective date of the penalty until such time as the ALJ rules upon the request.

(b) The ALJ may not grant a respondent's request for stay of any penalty unless the respondent posts a bond or provides other adequate security.

(c) The ALJ must rule upon a respondent's request for stay within 10 days of receipt.

§ 160.552

No error in either the admission or the exclusion of evidence, and no error or defect in any ruling or order or in any act done or omitted by the ALJ or by any of the parties is ground for vacating, modifying or otherwise disturbing an otherwise appropriate ruling or order or act, unless refusal to take such action appears to the ALJ or the Board inconsistent with substantial justice. The ALJ and the Board at every stage of the proceeding must disregard any error or defect in the proceeding that does not affect the substantial rights of the parties.

Part 164—security and privacy

1. The authority citation for part 164 is revised to read as follows:

Authority:

42 U.S.C. 1320d-1320d-8 and sec. 264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

2. Revise § 164.530(g) to read as follows:

§ 164.530 * * * * *

(g) A covered entity—

(1) May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for by this subpart, including the filing of a complaint under this section; and

(2) Must refrain from intimidation and retaliation as provided in § 160.316 of this subchapter.

* * * * *

References

Loading most recent entriesloading

Feedback