[Federal Register Volume 64, Number 161 (Friday, August 20, 1999)] [Rules and Regulations] [Pages 45786-45807] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 99-21662] [[Page 45785]] _______________________________________________________________________ Part VI Department of Health and Human Services _______________________________________________________________________ Health Care Financing Administration _______________________________________________________________________ 45 CFR Parts 144, 146, 148, and 150 Federal Enforcement in Group and Individual Health Insurance Markets; Interim Rule Federal Register / Vol. 64, No. 161 / Friday, August 20, 1999 / Rules and Regulations [[Page 45786]] DEPARTMENT OF HEALTH AND HUMAN SERVICES Health Care Financing Administration 45 CFR Parts 144, 146, 148, and 150 [HCFA-2019-IFC] RIN 0938-AJ48 Federal Enforcement in Group and Individual Health Insurance Markets AGENCY: Health Care Financing Administration (HCFA), HHS. ACTION: Interim final rule with comment period. ----------------------------------------------------------------------- SUMMARY: This interim final rule with comment period details procedures for enforcing title XXVII of the Public Health Service Act as added by the Health Insurance Portability and Accountability Act of 1996, and as amended by the Mental Health Parity Act of 1996, the Newborns' and Mothers' Health Protection Act of 1996, and the Women's Health and Cancer Rights Act of 1998, in States that do not enact the legislation necessary to enforce or otherwise do not substantially enforce the requirements of these acts. This regulation also delineates the process for taking enforcement actions against non-Federal governmental plans and, in those States in which HCFA is directly enforcing the requirements of these acts, health insurance issuers that are not complying with those requirements. DATES: Effective date: September 20, 1999. Comments will be considered if we receive them at the appropriate address, as provided below, no later than 5 p.m. on October 19, 1999. ADDRESSES: Mail written comments (1 original and 3 copies) to the following address: Health Care Financing Administration, Department of Health and Human Services, Attention: HCFA-2019-IFC, P.O. Box 9016, Baltimore, MD 21244- 9016. If you prefer, you may deliver your written comments (1 original and 3 copies) to one of the following addresses: Room 309-G, Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, DC, or Room C5-16-03, 7500 Security Boulevard, Baltimore, MD FOR FURTHER INFORMATION CONTACT: Rochelle Shevitz, (410) 786-1565. SUPPLEMENTARY INFORMATION: Comments, Procedures, and Availability of Copies Because of staff and resource limitations, we cannot accept comments by facsimile (FAX) transmission. In commenting, please refer to file code HCFA-2019-IFC. Comments received timely will be available for public inspection as they are received, generally beginning approximately 3 weeks after publication of a document, in Room 443-G of the Department's office at 200 Independence Avenue, SW., Washington, DC, on Monday through Friday of each week from 8:30 to 5 p.m. (phone: (202) 690-7890). Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by faxing to (202) 512- 2250. The cost for each copy is $8. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register. I. Background Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) created a new title XXVII of the Public Health Service (PHS) Act (42 U.S.C. 300gg, et seq.) that requires group health plans and health insurance issuers to provide certain guarantees for availability and renewability of health coverage in the group and individual health insurance markets. 1 --------------------------------------------------------------------------- \1\ HIPAA created a series of parallel provisions that were placed in the Employee Retirement Security Act (ERISA), which is within the jurisdiction of the Department of Labor; the Public Health Service Act (PHS), which is within the jurisdiction of the Department of Health and Human Services; and the Internal Revenue Code, which is within the jurisdiction of the Department of the Treasury. These ``shared provisions'' set forth Federal requirements relating to portability, access, and renewability of group health plans and group health insurance coverage provided by issuers. Specifically, the shared provisions contain rules limiting the use of preexisting condition exclusion periods, and prohibiting discrimination against participants and beneficiaries based on health status. Section 104 of Title I of HIPAA requires that the three departments ensure through an interagency memorandum of understanding (MOU) that regulations, rulings and interpretations issued by each of the departments relating to the same matter over which two or more departments have jurisdiction, are administered so as to have the same effect at all times. Section 104 also requires the departments, through the MOU, to provide for coordination of policies relating to enforcement of the same requirements in order to have a coordinated enforcement strategy that avoids duplication of enforcement efforts and assigns priorities in enforcement. The three departments recently signed the MOU. HIPAA also added certain provisions governing insurance in the group and individual markets, and with respect to non-Federal government plans which are contained only in the Public Health Service Act and thus are not within the regulatory jurisdiction of the Department of Labor or the Department of the Treasury. Section 101(b) of HIPAA provides that the Department of Labor is not authorized to enforce any of the portability requirements of part 7 of ERISA (the ``shared'' provisions) against a health insurance issuer offering health insurance coverage in connection with a group health plan, although individuals covered under ERISA can bring suit. Also, governmental plans, as defined in section 3(32) are exempt from ERISA, under section 4(1) of ERISA. Thus the scope of the MOU is limited, with respect to coordination of enforcement activities, to enforcement of shared provisions. Enforcement of these provisions constitutes only a relatively small portion of HCFA's responsibilities. --------------------------------------------------------------------------- The Newborns' and Mothers' Health Protection Act of 1996 amended the PHS Act to provide protections for mothers and their newborn children with regard to the length of hospital stay following childbirth. The Mental Health Parity Act of 1996 further amended title XXVII of the PHS Act to provide for parity in the application of certain annual and lifetime dollar limits on mental health benefits with annual and lifetime dollar limits on medical/surgical benefits. The Women's Health and Cancer Rights Act of 1998 amended the PHS Act to provide certain protections for patients who elect breast reconstruction in connection with a mastectomy (As used hereafter in this preamble, HIPAA refers to title XXVII of the PHS Act, as added by the Health Insurance Portability and Accountability Act of 1996, and later amended by the Mental Health Parity Act of 1996, the Newborns' and Mothers' Health Protection Act, and the Women's Health and Cancer Rights Act of 1998.) HIPAA added two preemption provisions to the PHS Act. With respect to HIPAA's preexisting condition exclusions rules and special enrollment rights contained in section 2701 of the PHS Act, State law cannot differ in any way from the Federal requirements, except to expand the protections in one of several ways specifically permitted by the statute (See section 2723(b). With respect to HIPAA's other requirements, for example, HIPAA's non-discrimination provisions, State laws are preempted only to the extent they prevent the application of any requirement of HIPAA. (See section 2723(a)). [[Page 45787]] HIPAA affirms that the States are the primary regulators of health insurance coverage in each State. However, in the event that a State either does not enact legislation that meets or exceeds the Federal health insurance requirements, if it or otherwise fails to substantially enforce the HIPAA standards, the Health Care Financing Administration (HCFA) enforces the HIPAA requirements that apply to health insurance issuers offering coverage within that State. HCFA is also responsible for enforcing the HIPAA requirements with respect to non-Federal governmental plans. Non-Federal governmental plans that are not provided through health insurance coverage may elect exemption from one or more requirements of HIPAA, but must comply with requirements regarding certification and disclosure of creditable coverage. II. Provisions of the Proposed Regulations Subpart A--General Provisions Section 150.101 Basis and Scope On April 8, 1997, we published regulations to implement HIPAA by adding 45 CFR parts 144, 146, and 148. The enforcement provisions of that rule are contained in Secs. 146.184, 148.200, and 148.202. Now that HCFA has had experience with direct Federal enforcement in some States, we have determined that it is necessary to provide more detail on the procedures that will be used to enforce HIPAA when a State does not do so. We are adding a new part that will revise and expand the provisions contained in Secs. 146.184, 148.200, and 148.202. Those sections are deleted. This new part, 45 CFR part 150, consists of four subparts. Subpart A explains the scope and basis of this regulation and presents definitions that supplement definitions located in 45 CFR 144.103 and 148.103. Subpart B describes how HCFA determines whether to assume enforcement authority in a State and explains the process for transferring such authority back to the State. Subpart C describes procedures for assessing civil money penalties. Examples of specific situations that may trigger the assessment are listed in Appendix A to Subpart C. Subpart D describes the administrative appeals process. Section 150.103 Definitions In order to convey the requirements of 45 CFR part 150, we are defining a number of terms that will be found at 45 CFR 150.103. Terms found at 45 CFR part 150 have the same meaning given to them in 45 CFR 144.103 and 148.103, unless otherwise indicated. Section 150.103 will include definitions of the following terms: amendment, endorsement or rider; application; certificate of insurance; complaint; group health insurance policy or group policy; individual health insurance policy or individual policy; plan document; and State law. Subpart B--HCFA Enforcement Processes for Determining Whether States Are Failing To Substantially Enforce HIPAA Requirements This subpart describes the steps we will take to determine whether a State is failing to substantially enforce HIPAA requirements and the notification procedures we will follow prior to beginning direct enforcement. Section 150.201 State Enforcement HIPAA affirmed the States' role as the primary regulator of health insurance in each State. Consistent with HIPAA, Sec. 150.201 will state that, except as provided in subpart B, each State enforces HIPAA requirements with respect to health insurance issuers that issue, sell, renew, or offer health insurance coverage in the State. Section 150.203 Circumstances Requiring HCFA Enforcement Federal enforcement is triggered in two instances: (1) A State notifies us that it has not enacted the necessary legislation to bring its laws into compliance with HIPAA requirements or that it is otherwise not substantially enforcing those requirements; or (2) a State does not notify us of its failure to substantially enforce HIPAA requirements, but we receive or obtain information that forms the basis for HCFA's determination that such a failure is occurring. When we receive such notification or make such a determination, we will discuss with State officials the requirements that are not substantially enforced and begin Federal enforcement of those requirements. With regard to the group health insurance market, section 2722(a)(2) of the PHS Act requires Federal enforcement of any ``provision (or provisions)'' that a State fails to substantially enforce. Therefore, it is possible that a State could enforce some group market provisions while HCFA enforces others. With regard to the individual market, section 2761(a)(2) of the PHS Act calls for Federal enforcement of the ``requirements of this part'' whenever a State fails to substantially enforce them. However, HCFA does not enforce those State laws that constitute an ``acceptable alternative mechanism'' (as defined in Sec. 148.128) for enforcing guaranteed availability regulations. In addition, HIPAA does not preempt State laws that afford greater protections to HIPAA-eligible individuals than HIPAA without preventing the application of a HIPAA requirement. Thus, in the individual market, it is also possible that HCFA will enforce some requirements while the State enforces others. The complexity of the situation varies from one State to another and requires careful consideration on a case-by-case basis. Section 150.205 Sources of Information Triggering an Investigation of State Enforcement The interim final regulations provide more specific guidance on situations in which there is no formal complaint, but other information indicates that a State's failure to substantially enforce may exist. Information regarding an alleged failure to enforce may come from a variety of sources, including, but not limited to--A complaint; Informal contacts with State officials; Communication with other individuals, such as brokers and agents, or consumers themselves; and Reports in the news media. When we receive information indicating that a failure to substantially enforce might exist in a particular State, we will write to the governor and the commissioner of insurance or chief insurance regulatory official of that State (and/or the official responsible for regulating HMOs if the alleged failure involves HMOs) to inquire about the status of HIPAA enforcement in the State. Further action on our part will be dictated by the nature of the State's answer. If a State informs us that it is enforcing all of the requirements of HIPAA and provides a satisfactory explanation of why there is no failure, we will take no further action unless there are further indications to contradict the State's assertion. Sections 150.207-150.219 Procedure for Determining That a State Fails to Substantially Enforce HIPAA Requirements If we receive a complaint indicating that a State is failing to substantially enforce the law, we will first make a preliminary assessment of whether the complainant who is adversely affected has made a reasonable effort to resolve the issue through any remedies available under State law (Sec. 150.209). We will contact the complainant to [[Page 45788]] determine actions already taken, including whether State officials have been notified and what action, if any, those officials have taken. We may also contact State officials informally to discuss the situation. If we receive information other than an individual complaint, we will initiate similar contact with State officials. In accordance with Sec. 150.211, we will send a written notice to the State if we find that there is a reasonable question as to whether the State is failing to substantially enforce HIPAA requirements. The notice will be addressed to-- (1) The governor or chief executive officer of the State; (2) The insurance commissioner or chief insurance regulatory official; and (3) If the alleged failure involves HMOs, the official responsible for regulating HMOs if different from the individual identified in (2). Under Sec. 150.213, the notice to the State will identify the requirement or requirements of HIPAA for which there is evidence of a potential failure to enforce and will describe the facts of any alleged violation by an issuer or the ways in which the State law fails to acceptably implement HIPAA. The letter will further explain that the consequence of a State's failure to substantially enforce those requirements is that HCFA will do so. The notice will give the State 30 days to respond unless an extension is granted. In the interim final regulations published on April 8, 1997, a response time of 45 days was allowed. This regulation shortens the response time to 30 days to lessen any adverse impact on consumers. This shorter response time appears to balance the States' prerogative to enact and enforce their own insurance laws with the consumer rights and protections that the Congress intended to guarantee when it enacted HIPAA. We invite comment on this change. We may extend the 30-day response period for good cause at a State's request (see Sec. 150.215). The length of the extension period granted may vary depending upon the specific circumstances of the situation; thus, the regulation does not set forth a prescribed extension period. Extensions will be granted based upon the circumstances, and at our discretion. Example: The State replies to our notice by stating that some State regulators had been unclear on the scope of their new responsibilities. Having recognized the problem, the State plans to train all affected regulatory staff as quickly as possible. However, it is unlikely that the State will be able to assure us within 30 days that full HIPAA enforcement is taking place. Therefore, the State requests an extension until staff training is completed. If, at the end of 30 days (and any extension), the State does not establish to our satisfaction that it is substantially enforcing the requirements described in the notice, we may, after further consultation with the appropriate State officials or their designees, send the State a notice of preliminary determination (see Sec. 150.217). The notice of preliminary determination will specify the HIPAA requirements that the State has failed to substantially enforce. The notice will afford the State a reasonable opportunity to present evidence of substantial enforcement. We will allow the State a reasonable opportunity--normally, 30 days--to correct its failure to substantially enforce the requirements identified in the preliminary determination. However, in accordance with Sec. 150.219, if we find that the State has not taken the necessary corrective action, we will issue a final written determination. The final determination will identify the HIPAA requirements that HCFA is enforcing. The notice will also specify the effective date of HCFA's enforcement. This date may be retroactive to apply so that civil monetary penalties, that HCFA later assesses, may take into account violations that occurred after the effective dates specified in HIPAA or a date that HCFA identifies as the point at which the State's failure to substantially enforce the specified requirements commenced. HCFA does not enforce a State law that was enacted as an alternative mechanism. However, in the case of a State that is found not to be implementing its acceptable alternative mechanism, and also is found not to be substantially enforcing the Federal fallback regulations on guaranteed availability, HCFA will enforce the HIPAA requirements as of the date that HCFA determines that the State has failed to enforce. HCFA does not enforce a State law that was enacted as an alternative mechanism. In cases where HCFA assumes enforcement responsibility in a State, the transition to Federal enforcement should be as smooth as possible in order to protect consumers and create as little disruption as possible for health insurance issuers. Section 150.221 Transition to State Enforcement When the State demonstrates that it is prepared to undertake substantial enforcement and if and when we determine that responsibility for enforcement should be returned to the State, we will enter into discussions with State officials to ensure that a smooth transition back to State enforcement is effected, especially with respect to the handling of consumer inquiries and complaints. To the extent practicable and legally permissible, we will make available to the State our records documenting issuer compliance, as well as other relevant areas of our enforcement operations, for incorporation into the records of the regulatory authority assuming jurisdiction. We invite comments on the transition procedures described in this subsection. Subpart C--HCFA Enforcement With Respect to Issuers and Non-Federal Governmental Plans--Civil Money Penalties This subpart describes the bases for imposing civil money penalties against non-Federal governmental plans, and, in those States in which we are enforcing the HIPAA requirements, against health insurance issuers that are not complying with the requirements of HIPAA. The basis for our enforcement actions are the requirements of 45 CFR parts 146 and 148 as set forth in the interim final rules published on April 8, 1997 in the Federal Register, as well as the rules published on December 22, 1997 (implementing the Mental Health Parity Act of 1996) and October 27, 1998 (implementing the Newborns' and Mothers' Health Protection Act of 1996), and the requirements in sections 2706 and 2752 of the PHS Act (relating to the Women's Health and Cancer Rights Act of 1998). Those rules explain practices to which issuers and non-Federal governmental plans are required to adhere. However, since publication of the April 8, 1997 rules, we have become aware of actions taken by issuers and other responsible entities that are inconsistent with several requirements of HIPAA but are not specifically addressed in the rules. We addressed some of these actions in Bulletin 98-01, discussed below. In an appendix to Subpart C we provide a list of business practices or situations, including those listed in the bulletin, that violate HIPAA and may trigger enforcement action. This list is not all-inclusive. Rather, it highlights the compliance problems that we have encountered most frequently. This subpart establishes an enforcement process that ensures the rights of individuals protected by HIPAA and provides for due consideration toward health insurance issuers and non-Federal governmental plans. This subpart explains the process [[Page 45789]] for investigating complaints to determine whether a violation has occurred, and, when necessary, the process for assessing a civil money penalty. In addition, this subpart provides suggestions to issuers and other responsible entities of possible ways to avoid civil money penalties through early identification of compliance problems. Section 150.301 General Rule Regarding the Imposition of Civil Money Penalties Section 150.301 states that any health insurance issuer or non- Federal governmental plan, or employer that sponsors a non-federal government plan, subject to our enforcement authority that fails to comply with HIPAA may be subject to a civil money penalty as described in this subpart. Section 150.303 Information Initiating Administrative Action or Investigation In accordance with Sec. 150.303, any individual or any entity acting on his or her behalf may request that we investigate the possible denial or abridgement of a HIPAA right. Complaints may be directed to any of our regional offices where the complaint will be either investigated or forwarded to the appropriate office for investigation. Information about all complaints received will be accessible to all HCFA staff involved in HIPAA enforcement in both the central and regional offices. Since many individuals protected by HIPAA will not initiate complaints because they are unaware of their rights under the law and therefore do not realize when their rights are being denied or abridged, HCFA will consider other information when determining whether a State is substantially enforcing HIPAA or when determining the compliance of an issuer or other responsible entity as defined in Sec. 150.305 (Determination of entity liable for civil money penalty). Essentially, ``other information'' means any information HCFA receives from any source that indicates that a potential violation of HIPAA has been committed by a health insurance issuer or other responsible entity. Other information includes any other indication that an issuer or non-Federal governmental plan fails to meet any requirement of HIPAA. Sources of information that we may rely upon include, but are not limited to: Reports and information collected from State insurance departments, the National Association of Insurance Commissioners, and other State, local, and Federal entities; Information received through HCFA's enforcement activities and from other sources that may include policy form review and market conduct examinations. Section 150.305 Determination of Entity Liable for Civil Money Penalty Health insurance issuers that issue, sell, renew, or offer coverage to either private employers that sponsor group health plans or to non- Federal governmental plan sponsors are responsible for compliance with HIPAA and applicable implementing regulations at 45 CFR part 146. Under Sec. 150.305, we consider a health insurance issuer to be subject to a civil money penalty if a group health insurance policy it sells is written, serviced, or administered in a manner that fails to comply with, or conflicts with, an applicable requirement of HIPAA. To the extent that a group health plan is subject to HIPAA, a health insurance issuer may be liable for the penalty even if a group health plan sponsor had expressly requested that the issuer provide a policy that does not comply with one or more requirements of HIPAA. In that situation, the issuer should inform the plan sponsor that it would be illegal to sell such a policy and refuse to structure the policy as requested. With regard to health insurance sold in the individual market, the issuer is the responsible entity and therefore liable for any assessed civil money penalty. To the extent that policies sold in the individual market are subject to the requirements of HIPAA, issuers are responsible for ensuring that their policies comply and are marketed and administered in accordance with those requirements and applicable implementing regulations at 45 CFR Part 148. In addition, when a policy does not comply with applicable HIPAA requirements, the issuer may be subject to a civil money penalty irrespective of whether the issuer sold the policy directly, or a broker or agent sold the policy on the issuer's behalf. Under section 2722(b)(1)(B) of the PHS Act, we have direct enforcement authority with respect to group health plans that are non- Federal governmental plans. A non-Federal governmental plan sponsored by one or multiple non-Federal governmental entities is subject to HIPAA to the same extent as any other group health plan, unless, in the case of a non-Federal governmental plan that is not provided through health insurance coverage, the plan sponsor(s) has (have) elected to exempt the plan from one or more HIPAA provisions (as permitted under 45 CFR 146.180, and section 2721(b)(2) of the PHS Act). When the sponsor of a non-Federal governmental plan does not elect to have its plan exempted from one or more HIPAA requirements and the plan fails to comply with one or more applicable provisions of HIPAA, we enforce the law, and either the plan or the non-Federal governmental employer sponsoring the plan is subject to a civil money penalty. In accordance with section 2722(b)(2)(B) of the PHS Act, if the plan is sponsored by a single non-Federal governmental employer, the non- Federal governmental employer is subject to the penalty; if the plan is sponsored by two or more non-Federal governmental employers, the plan is subject to the penalty. Separate civil money penalties may be assessed against an issuer and a non-Federal governmental plan or employer, depending upon the circumstances of the compliance failure(s). A civil money penalty, or penalties, will be determined in accordance with sections 150.317 through 150.325. Section 150.307 Notice to Responsible Entities Under Sec. 150.307, when we receive a complaint or other information indicating a possible violation of HIPAA, we will provide written notice to the responsible entity(ies) that describes the substance of the complaint or other information and any identifiable actions that need to be taken to come into compliance. The notice will also provide the responsible entities 30 days from the date of the notice in which to respond. Furthermore, the notice will state that a civil money penalty may be imposed if the entity fails to comply. Section 150.309 Request for Extension Section 150.309 will allow issuers and other responsible entities to request an extension of time to respond to the notice. We will consider granting the request provided: (1) The request for the extension is made in writing; (2) The issuer or other responsible entity can show good cause; and (3) A complete response can be provided within the additional time granted by HCFA. This section, which allows for additional time, will benefit both issuers and other responsible entities that are unable to respond to an inquiry from us within 30 days regarding a potential HIPAA violation. Failure to respond to a notice from HCFA within 30 days, or any extended time frame, may result in the assessment of a civil money penalty based upon the complaint or other information. This section reflects HCFA's interest in ensuring complete responses. However, in deciding [[Page 45790]] whether to grant the extension, HCFA will also consider the facts and circumstances of the situation to assure thet individuals are not adversely affected. Section 150.311 Responses to Allegations of Noncompliance Section 150.311 will state that in determining whether to assess a civil money penalty and the amount of any such penalty, HCFA will consider documentation provided by an issuer or other responsible entity. If documentation substantiates that the violation was corrected within 30 days of the first day that the responsible entity knew, or exercising reasonable diligence, could have known of the violation, then no civil money penalty may be imposed (see Sec. 150.341). However, if the correction is made beyond the 30 days, we will review all documentation supporting a responsible entity's efforts to comply with HIPAA and, under appropriate circumstances, take such efforts into account in our calculation of the amount of the penalty. In general, we view more favorably responses where the rights and protections afforded consumers are quickly and completely restored, and where the issuer or other responsible entity can demonstrate that adequate changes have been made to ensure future compliance. Examples of documentation that may be included in a response include: Relevant policy forms, advertising material, and other documents Other evidence refuting the alleged noncompliance Evidence showing the approximate cost to the affected individual(s) Evidence showing the number of individuals affected Evidence that the entity did not know, or exercising due diligence would not have known, of the violation Documentation proving that issued policies and/or certificates of coverage and plan documents were amended to comply with HIPAA and showing the date of such amendment Documentation of the issuance of forms that comply with HIPAA (with respect to any forms that were submitted and reviewed by us, such documentation may also include any final letter from us that closed the review) Evidence documenting the development and implementation of internal policies and procedures to ensure HIPAA compliance (including corporate compliance programs) Other evidence showing the entity's prior record of HIPAA compliance Section 150.313 Market Conduct Examinations In 1974 the National Association of Insurance Commissioners recommended the establishment of a ``separate and distinct'' program of surveillance to ensure fair treatment of insurance policyholders. Since then, these surveillance programs, known as ``market conduct examinations,'' have been an essential tool used by State insurance departments to confirm the compliance of issuers with various State insurance laws and regulations. Market conduct examinations differ from traditional financial audits performed on issuers by either regulators or the companies themselves. While financial audits are primarily concerned with the financial solvency of a company, market conduct examinations are primarily concerned with the issuer's compliance with legal requirements because the issuer's business practices impact consumers directly. For example, while an issuer may be judged financially strong through a financial audit, if this financial strength is obtained through non-compliant claim denials, the issuer could ``pass'' a financial audit, while ``failing'' a market conduct examination. Pursuant to guidelines of the National Association of Insurance Commissioners and State insurance laws, State insurance departments charge the expenses of a market conduct examination directly to the issuer. In contrast, HCFA will not require an issuer or other responsible entity to bear the expense of a market conduct examination. During a HCFA market conduct examination, HCFA will sample and, in some cases, review in their entirety specific records, information, and other documentation maintained by the issuer or other responsible entity to determine compliance with the specific requirements of HIPAA. HCFA market conduct examinations will differ from traditional State insurance department examinations in that the scope of HCFA's reviews will be much narrower, focusing on the provisions and requirements of HIPAA. For example, areas of HCFA examinations may include, but are not limited to: The issuer's, or non-Federal governmental plan's certificate of creditable coverage issuance procedures and practices; Claim denials based on pre-existing condition exclusion provisions of the issuer's, or the non-Federal governmental plans; The issuance of guaranteed available individual and small employer group products; or The guaranteed renewability of health insurance policies. A market conduct examination may be performed at HCFA's initiation, or upon request of a potential responsible entity. During the course of a complaint investigation, HCFA may determine that a pattern of noncompliance exists to warrant a market conduct examination. An issuer, or a non-Federal governmental plan, may request a market conduct examination to confirm compliance or to identify potential violations and initiate corrective action that may enable it to completely avoid imposition of a civil money penalty under Sec. 150.315 of this subpart. If we identify potential violations, we will provide notice to the issuer or other responsible entity of such defects and may present a proposed plan of correction. A market conduct examination may be performed through either on- site examinations, when appropriate; or ``in-house'' examinations or ``desk audits'' at a HCFA location. In general, on-site examinations are appropriate when we have reason to believe that, in order to obtain and have ready access to all of the information necessary to identify existing failures to comply with HIPAA or confirm the compliance of an issuer, or a non-Federal governmental plan, it is necessary for our examiners to be at a responsible entity's site. On-site examinations may also be appropriate when the market share of an issuer represents a significant portion of the marketplace in a State or when an issuer's entire program for HIPAA compliance is the subject of the examination. In general, a ``desk audit'' is sufficient to confirm a responsible entity's compliance with regard to a specific area(s) of compliance or when circumstances make an on-site examination impracticable. When HCFA identifies an issue that warrants investigation, HCFA will appoint one or more examiners to perform the examination and instruct them as to the scope of the examination. HCFA will observe the guidelines adopted by the NAIC and may employ additional guidelines as deemed appropriate. Upon completion of the market conduct examination, HCFA will develop a report that will address the results of the examination. Responsible entities will be advised of HCFA's position on each issue contained in the report. The purpose of the report is to identify areas of the business or operational affairs of the responsible entity that may need to be corrected. [[Page 45791]] Sections 150.315 Through 150.323 Provisions Relating to the Amount of Penalty These sections of the regulation establish the process for determining the amount of any penalty that is imposed on a responsible entity for a violation of a provision or requirement of HIPAA. The statute allows for a penalty that does not exceed $100 for each day for each individual with respect to each violation. The statute further requires at section 2722 that, in determining the amount of the penalty, the responsible entity's previous record of compliance as well as the gravity of the violation be taken into consideration. Therefore, in determining the amount of the penalty, we intend to use a process that takes into account both mitigating and aggravating circumstances. We will take into account evidence of the entity's efforts to comply with HIPAA in assessing the entity's previous record of compliance. This will be determined largely through documentation submitted by the responsible entity during the course of the investigation of the complaint or other information. We will consider the gravity of the violation by reviewing the frequency of the violation as well as the level of the financial impact on any affected individuals. Responsible entities that discover violations are encouraged to take all necessary steps to correct the violations and identify the individuals adversely affected and restore their rights. Under Sec. 150.319, those actions taken by responsible entities to correct the violations and restore individuals' rights will be considered mitigating circumstances and will be taken into account to reduce the penalty or assessment. Conversely, under Sec. 150.321, we will consider as aggravating circumstances instances in which violations that appear to be frequent have resulted in an obvious or significant financial and other impacts on affected individuals or cannot be adequately corrected. These parameters will be considered in determining the gravity of the violation. In determining the appropriate amount of the penalty and assessment to be imposed, we will take into account all mitigating and aggravating circumstances outlined by these sections. Section 150.325 Settlement Authority This section will state that nothing in Secs. 150.315 through 150.323 limits our authority to settle any issue or case or to reduce any penalty or assessment. Section 150.341 Limitations on Penalties This section explains that HCFA will not impose any civil money penalty on any failure if the failure was due to reasonable cause and not due to willful neglect and the failure was corrected within 30 days of the first day that any of the entities against whom the penalty would be imposed knew, or exercising reasonable diligence would have known, that the failure existed. The burden of establishing that the responsible entity did not know, and exercising reasonable diligence, could not have known that a failure existed, is on the responsible entity. Section 150.343 Notice of Proposed Penalty This section of the regulation further describes the information to be disclosed in the written notice of the proposed penalty to the responsible entity, including instructions to the responsible entity for responding and an explanation of the entity's right to a hearing if the responsible entity is appealing the proposed penalty. Section 150.345 Appeal of Proposed Penalty We include this section to direct the reader to our appeal procedures. Section 150.347 Failure to Request a Hearing This section of the regulation describes our responsibility to notify the entity in writing of the assessed penalty and the means by which to satisfy the judgment following the entity's failure to request a hearing within the specified period of time. Appendix A to Subpart C of Part 150--Examples of Violations This Appendix A includes examples of practices which, if undertaken by issuers, or non-federal governmental plans, may warrant the imposition of a civil money penalty. For convenience, the Appendix is divided into the group and individual markets and the types of violations are listed in numerical order by regulatory citation number in each of the two markets. Subpart D--Administrative Hearings This subpart describes the processes for administrative hearings and appeals of civil money penalties. Sections 150.401 Through 150.463 Sections 150.401 through 150.463 set forth the procedures for appeal of HCFA's assessment of a civil money penalty. The PHS Act provides that if a responsible entity appeals HCFA's assessment of a civil money penalty, the administrative law judge hearing the appeal makes the initial agency decision. Although the administrative law judge makes the initial agency decision, the considerations and factors set forth in this part are binding on the administrative law judge's decision. The administrative law judge may not add or disregard such considerations and factors in deciding whether assessment of a civil money penalty is appropriate, and the amount of such penalty. Section 150.457 sets forth the process through which the HCFA Administrator may vacate or modify the administrative law judge's decision. Section 150.459 provides that any responsible entity against whom a final assessment of a civil money penalty is made may appeal that assessment to the appropriate United States District Court. Section 150.465 Collection and Use of Penalty Funds This section describes to whom (HCFA) penalty funds are paid and how they may be used. Sections 144.101, 144.102, and 144.103 We are adding provisions to include the new part 150. We are also revising the definition of ``non-Federal governmental plan'' under Sec. 144.103 because the existing definition reiterates the definition in section 2791(d)(8)(C) of the PHS Act. This definition simply states that the term ``non-Federal governmental plan'' means ``a governmental plan that is not a Federal governmental plan.'' Section 2791(d)(8)(A) defines the term ``governmental plan'' as that term is defined under section 3(32) of ERISA. (Determining whether an entity is a ``governmental plan'' for purposes of section 3(32) of ERISA is within the jurisdiction of the Department of Labor.) Subparagraphs (B) and (C) of section 2791(d)(8), respectively, define ``Federal governmental plan'' and ``non-Federal governmental plan''. ERISA does not separately define these terms. Section 3(32) of ERISA, in pertinent part, defines the term ``governmental plan'' as ``a plan established or maintained for its employees by the Government of the United States, by the government of any State or political subdivision thereof, or by any agency or instrumentality of any of the foregoing.'' We have revised the definition of the term ``non-Federal governmental plan'' by adopting that portion of the ERISA definition of ``governmental plan'' that defines a non-Federal governmental plan. [[Page 45792]] Parts 146 and 148 We are deleting Secs. 146.184, 148.200, and 148.202, as these provisions are now in part 150. III. Collection of Information Requirements Under the Paperwork Reduction Act of 1995, we are required to provide a 60-day notice in the Federal Register and solicit public comment before a collection of information is submitted to the Office of Management and Budget (OMB) for review and approval. This document does not impose any information collection and record keeping requirements subject to the Paperwork Reduction Act (PRA). Consequently, it does not need to be reviewed by the Office of Management and Budget (OMB) under the authority of the PRA. IV. Response to Comments Because of the large number of items of correspondence we normally receive on Federal Register documents published for comment, we are not able to acknowledge or respond to them individually. We will consider all comments we receive by the date and time specified in the DATES section of this preamble, and, if we proceed with a subsequent document, we will respond to the major comments in the preamble to that document. V. Waiver of Proposed Rulemaking We ordinarily publish a notice of proposed rulemaking in the Federal Register and invite public comment on the proposed rule. The notice of proposed rulemaking includes a reference to the legal authority under which the rule is proposed, and the terms and substances of the proposed rule or a description of the subjects and issues involved. This procedure can be waived, however, if an agency finds good cause that a notice-and-comment procedure is impracticable, unnecessary, or contrary to the public interest and incorporates a statement of the finding and its reasons in the rule issued. We believe that dispensing with proposed rulemaking is in the public interest. Proposed rulemaking is also unnecessary. Accordingly, we are proceeding here directly with an interim final rule. The basic requirements of this interim final rule already exist in 45 CFR parts 146 and 148. Therefore, we are not adding anything that will impose new requirements. We do include provisions that will assist health insurance issuers, and non-Federal governmental plans/employers, by letting them know what they can do if we impose a civil money penalty; for example, refute our findings or request a hearing. This rule will also help individuals whose health insurance coverage is subject to part 146 or 148 in that we will be better able to enforce our rules and provide protections to individuals. Therefore, we find good cause to waive the notice of proposed rulemaking and to issue this rule as an interim final rule with comment period. We are, however, providing a 60-day comment period and will respond to comments we receive in any subsequent Federal Register document. VI. Regulatory Impact Statement A. Overall Impact We have examined the impacts of this rule as required by Executive Order 12866 and the Regulatory Flexibility Act (RFA) (Pub. L. 96-354). Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). A regulatory impact analysis (RIA) must be prepared for major rules with economically significant effects ($100 million or more annually). A discussion regarding the expected economic effects of this interim final rule is presented below. The RFA requires agencies to analyze options for regulatory relief of small businesses. For purposes of the RFA, small entities include small businesses and nonprofit organizations. Entities are considered small either because of nonprofit status or because of having revenues of $5 million or less annually. For purposes of the RFA, we consider it unlikely that many health insurance issuers will meet this definition of small entity. This interim final rule will also affect non-Federal governmental plans, but these plans do not meet the definition of a small entity. Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in an annual expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million. Although this interim final rule will affect State and local governments and health insurance issuers in the private sector, such impact is expected to be minimal and less than $100 million in the aggregate. Set forth below is a discussion regarding the expected impact of this interim final rule. B. Anticipated Effects The Congress intended that the protections provided in HIPAA be afforded to all Americans, regardless of whether such protections are guaranteed by States or the Federal government. These regulations are intended to expand upon the basic process for Federal enforcement of HIPAA. Federal enforcement presently exists in California, Missouri and Rhode Island. We estimate that approximately 325 health insurance issuers offer health insurance coverage in these States and would therefore be affected by these regulations. While we recognize that direct Federal enforcement may become necessary in additional States, we are unable to predict the number of States or issuers affected in the future. We expect these regulations to impose a minimal burden on States, health insurance issuers, and non-Federal governmental plans/ employers but we invite comments from affected parties regarding the potential or real impact of these regulations. 1. Effects on State and Local Governments The primary impact of these regulations on States is to clarify the process by which we determine that Federal enforcement is necessary. As described in the regulations, which closely follow the statutory language, we determine that Federal enforcement is necessary when either a State notifies us of its failure to enact and/or enforce the necessary legislation; or we receive information or otherwise discover that a State is not substantially enforcing HIPAA. We are exercising our regulatory discretion where necessary to ensure that consumers are protected to the full extent of the law. The impact of our regulatory discretion with respect to States is discussed below. These regulations will also affect State and local governments to the extent that these governments provide health plans to their employees. These plans, designated as non-Federal governmental plans under HIPAA, are subject to our direct enforcement, but those that are self-funded are permitted to elect to be exempt from one or more HIPAA provisions, with the exception of the requirement that the plan issue certificates of creditable coverage. The impact of these regulations on non-Federal governmental plans is discussed below under subsection 2. These regulations, however, will not affect health plans provided by tribal governments because such entities are not covered by the PHS Act and are [[Page 45793]] therefore not subject to our direct enforcement. The interim final regulations published on April 8, 1997 (42 CFR Parts 144, 146, and 148) address the situation in which we learn of a State's failure to substantially enforce the HIPAA provisions by a ``complaint or other means.'' These interim final regulations clarify the scope of the term ``other means'' to include informal contact between us and State officials, a report in the news media, periodic communication by us with the States, periodic review of State health care legislation, or any other information that indicates a substantial failure to enforce. Since many individuals protected by HIPAA will not initiate complaints because they are unaware of their rights under the law and therefore do not realize when their rights are being denied or abridged, we cannot limit the basis of our investigation solely to complaints received from individuals. Therefore, we have clarified the definition of ``other information'' to include other forms of information so that we will learn about potential HIPAA violations and if necessary, initiate enforcement action as soon as possible. If we initiate an inquiry in a particular State, we may begin our inquiry by informally contacting appropriate State officials. If a State informs us that it is enforcing all of the HIPAA provisions and requirements, we will take no further action unless there are further indications to contradict the State's assertion. If we find that a State has failed to substantially enforce HIPAA, we will allow the State a reasonable opportunity to correct such a failure. It is only when other efforts have failed that we will initiate the formal determination process in a particular State. Thus, as permitted by current regulations, while we may initiate an inquiry in a State on information other than a complaint, these regulations that we are publishing today will provide flexibility for the State to respond to the inquiry and will allow the State a reasonable opportunity to enforce HIPAA. In the event that we determine that there is a reasonable basis for finding a State's failure to substantially enforce HIPAA, we will provide written notice to the chief executive officer of the State and other appropriate State officials. In the interim final regulations published on April 8, 1997 a response time of 45 days was allowed. This regulation shortens the response time to 30 days in order to lessen any adverse effect on individuals in that particular State. Individuals may not incur a break in coverage of more than 63 days without losing their right to HIPAA protections. Our primary concern is that individuals receive rights to which they are entitled under HIPAA. This shorter response time appears to strike a balance between the States' prerogative to regulate health insurance issuers and the rights of individuals that Congress intended to protect by enacting HIPAA. We have invited comments on this change. However, if a State is unable to respond to our inquiry within the 30-day response period, these regulations will allow us to extend the 30-day response period for good cause. We estimate that those States responding to an inquiry will incur some costs in providing information, whether orally or in writing, to demonstrate their enforcement of HIPAA. These regulations also provide a transition process from Federal enforcement back to State enforcement if and when HCFA determines that Federal enforcement is no longer necessary. The impact of these transitional processes is difficult to estimate at this time. We invite comments on this process and the possible impacts associated with it. 2. Effects of These Regulations on Non-Federal Governmental Plans State and local governmental plans may offer health insurance coverage to their members through an issuer or may self-insure their members. For those non-Federal governmental plans that offer health insurance coverage through an issuer, violations by the non-Federal governmental plan are subject to our enforcement. Violations by the issuer are subject to enforcement by the State unless HCFA is directly enforcing HIPAA requirements in that State. Those plans that self- insure their members (i.e., do not purchase insurance from an insurance issuer) are subject to our enforcement but are also permitted to elect exemptions from one or more HIPAA requirements. To date, approximately 615 self-insured non-Federal governmental plans have notified us of their intent to opt out of one or more HIPAA provisions. Since self- insured non-Federal governmental plans are permitted to elect exemption from one or more HIPAA provisions, we expect to find relatively few of these plans out of compliance with HIPAA. While the exact number of non-Federal governmental plans is not known at this time, we do not expect many more plans to exercise their right to opt out. In general, the effects of the regulations on health insurance issues as discussed below under subsection 3, also apply to non-Federal governmental plans/employers that are subject to HIPAA requirements. 3. Effects of the Regulations on Health Insurance Issuers Offering Individual or Group Health Insurance Coverage In those instances in which HCFA enforces HIPAA, we are responsible for enforcing HIPAA with respect to health insurance issuers. As stated above, we estimate that 325 health insurance issuers issue policies in those three States currently subject to Federal enforcement in the individual market, group market, or both (California, Missouri, and Rhode Island). These issuers will be primarily affected to the extent that they fail to comply with the HIPAA provisions and requirements. Issuers will be required to establish new relationships and communicate directly with Federal officials. Thus, issuers may incur some costs as they develop and maintain new processes for dealing with Federal regulators. However, in those States in which we have begun directly enforcing HIPAA, we have already held meetings with health insurance issuers and provided information about appropriate Federal officials and general enforcement processes. Thus, to some extent, new relationships between health insurance issuers and Federal officials have already been established in those States. Issuers in those States will therefore incur only minimal costs in maintaining these relationships. As part of our direct enforcement responsibilities, we may request additional information from issuers pursuant to a complaint or other information. This may impose a burden on issuers to the extent that they must submit additional information to us in response to a complaint. These interim final regulations will provide a process for doing so that is similar to the complaint resolution process currently in practice in many States. If a complaint or other information we receive indicates a potential violation, we will provide written notice to the issuer and provide 30 days from the date of the notice for the issuer to respond with additional information. This time frame may be more lenient than similar State requirements, which provide as few as 15 working days or 20 calendar days for the issuer's response. If the 30-day period is not sufficient, the issuer may request an extension for good cause. We will consider the potential impact of granting an extension on those individuals who may incur a significant break in coverage as a result of the extension. During an investigation of any potential violation, we will review and consider documentation provided that [[Page 45794]] demonstrates the issuers compliance with HIPAA. These interim final regulations will not require, but will suggest, documentation that an issuer may submit in response to the complaint allegation. If, in the course of an investigation of a potential violation, we discover a pattern of noncompliance or any other issue that warrants further investigation, we may initiate a market conduct examination of the issuer. If, during the course of our examination, we identify a potential violation(s), we will provide notice to the issuer of the violation and a proposed plan of correction. While the issuer that undergoes a market conduct examination may incur some costs in providing the documentation requested pursuant to that examination, the issuer may avoid the imposition of a civil money penalty or may be subject to a civil money penalty of a lesser amount. Although those health insurance issuers given notice of a potential violation may incur additional costs in responding to our inquiry, these costs are expected to be minimal and incurred only by a small number of issuers. Generally, consumers will first seek redress by the health insurance issuer and second by the State insurance department. Complaints are then forwarded to one of our regional offices and possibly our central office after the first two steps have been taken. Therefore, the number of complaints that will be brought to our attention will be relatively small given the universe of health insurance issuers. In those instances in which documents (e.g, new policy forms or marketing materials) must be modified to meet the HIPAA standards, issuers may have to resubmit these documents to the appropriate State officials to be reviewed for compliance with other applicable State laws. Thus, issuers may spend more time bringing new materials and products to the market. However, in the absence of Federal enforcement, these documents would have had to have been reviewed by State officials for compliance with applicable HIPAA standards, as well as those of other State laws. Under Federal enforcement, issuers are therefore required to submit to a separate regulatory body--the Federal government--only information they are already required to submit to the State, and are expected to incur minimal costs in doing so. In the event that an issuer is found to be in violation of HIPAA, the Secretary of the Department of Health and Human Services is authorized to impose civil money penalties of no more than $100 for each day for each violation for each affected individual. These regulations will provide further details regarding possible alternatives to the imposition of a civil money penalty, including returning adversely affected individuals to the same position in which they would have been had the violation not occurred. However, in the event that an issuer refuses to respond to or resolve a complaint or other inquiry in a satisfactory manner, we will assess the penalty and provide notice of this penalty to the health insurance issuer. In assessing the penalty, we will consider several mitigating factors, also enumerated in the current interim final regulations, which include the issuer's record of prior compliance and the gravity of the violation. We will also consider aggravating circumstances, including the frequency of the violation, the financial and other impacts of the violation on the average affected individual, or the issuer's inability to show that substantially all of the violations were corrected. Issuers will be permitted to request a hearing and may also request a settlement or alternative dispute resolution. 4. Effects on the Medicare and Medicaid Programs We do not expect that this rule will have any impact on Medicare expenditures or the solvency of the trust fund or on Medicaid program expenditures. 5. Federalism Under Executive Order 12612, this regulation will not significantly affect the States beyond what is required by HIPAA. It follows the intent and letter of the law and does not usurp State authority beyond what the HIPAA requires. This regulation describes only processes that must be undertaken to fulfill our obligation to conduct enforcement as required by the April 8, 1997 regulation. In addition, HIPAA follows a narrow preemption of State laws and does not preempt State laws that afford greater protections to HIPAA-eligible individuals. We have included various provisions throughout this regulation that demonstrate cooperation with the States. For example, States are afforded the opportunity to enforce HIPAA requirements, which is the preferred avenue of HIPPA implementation. If we receive information that a State is not substantially enforcing, we first ask whether State officials have been notified. We may also contact State officials informally to discuss the requirements that are allegedly not being enforced. If the State provides a satisfactory explanation that indicates it is enforcing the HIPAA requirements, we will take no further action unless we receive further information to validate the assertion that the State is failing to enforce the requirements. If there is a reasonable question regarding whether a State is failing to substantially enforce HIPAA requirements, we will send our preliminary determination to the chief executive officer of the State, as well as to other appropriate regulatory officials of the State. This preliminary determination will provide the State with a reasonable opportunity to present evidence of substantial enforcement, to take corrective action, and under certain specific circumstances, with an opportunity to request an extension. If we subsequently find that a State is not enforcing the HIPAA requirements, we will issue a final written determination that will identify the requirements that we will enforce and the effective date of our enforcement. Under certain circumstances it is even possible that States may enforce certain requirements while we enforce others. After we have assumed enforcement responsibility in a State, should the State demonstrate that it is prepared to begin its own enforcement we may, at our discretion, enter into discussions with State officials regarding the possibility of a transition back to State enforcement. In this case, to the extent permissible, we will make our records documenting compliance and enforcement available for incorporation into State records. C. Alternatives Considered Throughout the process of developing these regulations, we attempted to balance States' interest in regulating health insurance issuers and the rights of those individuals that the Congress intended to protect in enacting HIPAA. In those cases where we are exercising regulatory discretion (described above), we are allowing States the maximum amount of flexibility without jeopardizing the individual's rights to the HIPAA protections. Likewise, we are attempting to establish a process for investigating complaints and other information regarding potential HIPAA violations that serves as an effective deterrent to HIPAA violations. This process will provide ample notice to the issuer and other responsible entities under investigation and will provide guidance to issuers and other responsible entities that wish to comply with the HIPAA provisions. We expect these regulations to impose a minimal burden on States, health insurance issuers, and non-Federal governmental plans/employers but we invite [[Page 45795]] comments from affected parties regarding the potential or real impact of these regulations. D. Conclusion In accordance with the requirements of the RFA, we have performed the above analysis, and we believe that there will be minimal impact on small entities. We request comments on our findings. In accordance with the provisions of Executive Order 12866, this regulation was reviewed by the Office of Management and Budget. List of Subjects Affected 45 CFR Parts 144 and 146 Health care, Health insurance, Reporting and recordkeeping requirements. 45 CFR Part 148 Administrative practice and procedure, Health care, Health insurance, Penalties, Reporting and recordkeeping requirements. 45 CFR Part 150 Administrative practice and procedure, Health care, Health insurance, Penalties, Reporting and recordkeeping requirements. For the reasons set forth in the preamble, 45 CFR subtitle A, subchapter B, is amended as set forth below: A. Part 144 is amended as follows: PART 144--REQUIREMENTS RELATING TO HEALTH INSURANCE COVERAGE 1. The authority citation for part 144 continues to read as follows: Authority: Secs. 2701 through 2763, 2791, and 2792 of the Public Health Service Act (42 U.S.C. 300gg through 300gg-63, 300gg-91, and 300gg-92). 2. Section 144.101 is revised to read as follows: Sec. 144.101 Basis and purpose. (a) Part 146 of this subchapter implements sections 2701 through 2723 of the Public Health Service Act (PHS Act, 42 U.S.C. 300gg, et seq.). Its purpose is to improve access to group health insurance coverage, guarantee the renewability of all coverage in the group market, provide certain protections for mothers and newborns with respect to coverage for hospital stays in connection with childbirth, and provide parity between the application of annual and lifetime dollar limits to mental health benefits and those limits for other health benefits and to provide certain protections for patients who elect breast reconstruction in connection with a mastectomy. (b) Part 148 of this subchapter implements sections 2741 through 2763 of the PHS Act. Its purpose is to improve access to individual health insurance coverage for certain individuals who previously had group coverage, guarantee the renewability of all health insurance coverage in the individual market, and provide certain protections for mothers and newborns with respect to coverage for hospital stays in connection with childbirth, and to provide certain protections for patients who elect breast reconstruction in connection with a mastectomy. (c) Part 150 of this subchapter implements the enforcement provisions of sections 2722 and 2761 of the PHS Act with respect to the following: (1) States that fail to substantially enforce one or more provisions of part 146 concerning group health insurance or the requirements of part 148 of this subchapter concerning individual health insurance. (2) Insurance issuers in States described in paragraph (c)(1) of this section. (3) Group health plans that are non-Federal governmental plans. (d) Sections 2791 and 2792 of the PHS Act define terms used in the regulations in this subchapter and provide the basis for issuing these regulations. 3. In Sec. 144.102, paragraph (d) is added to read as follows: Sec. 144.102 Scope and applicability. * * * * * (d) Provisions relating to HCFA enforcement of one or more provisions of part 146 or the requirements of part 148, or both, are contained in part 150 of this subchapter. 4. In Sec. 144.103, the title, the introductory text, and the definition of non-Federal governmental plan are revised and a definition of ``HCFA'' is added to read as follows: Sec. 144.103 Definitions. For purposes of parts 146 (group market), 148 (individual market), and 150 (enforcement) of this subchapter, the following definitions apply unless otherwise provided: * * * * * HCFA means the Health Care Financing Administration. * * * * * Non-Federal governmental plan means a governmental plan established or maintained for its employees by the government of any State or political subdivision thereof, or by any agency or instrumentality of either. * * * * * PART 146--[AMENDED] B. Part 146 is amended as follows: 1. The authority citation continues to read as follows: Authority: Secs. 2701 through 2723, 2791, and 2792 of the PHS Act, 42 U.S.C. 300gg through 300gg-63, 300gg-91, and 300gg-92. Sec. 146.180 [Amended] 2. The cross-reference in Sec. 146.180(i)(2) to ``Sec. 146.184(d)(7)(iii)(B)'' is revised to read ``Sec. 150.341(a)(2).'' 3. The cross-reference in Sec. 146.180(i)(3) to ``Sec. 146.184'' is revised to read ``part 150 of this subchapter.'' Sec. 146.184 [Removed] 4. Section 146.184 is removed. PART 148--[AMENDED] C. Part 148 is amended as follows: 1. The authority citation continues to read as follows: Authority: Secs. 2741 through 2763, 2791, and 2792 of the Public Health Service Act (42 U.S.C. 300gg-41 through 300gg-63, 300gg-91, and 300gg-92). Sec. Sec. 148.200 and 148.202 [Removed] 2. Sections 148.200 and 148.202 are removed. D. Part 150 is added to read as follows: PART 150--HCFA ENFORCEMENT IN GROUP AND INDIVIDUAL INSURANCE MARKETS Subpart A--General Provisions Sec. 150.101 Basis and scope. 150.103 Definitions. Subpart B--HCFA Enforcement Processes For Determining Whether States Are Failing to Substantially Enforce HIPAA Requirements Sec. 150.201 State enforcement. 150.203 Circumstances requiring HCFA enforcement. 150.205 Sources of information triggering an investigation of State enforcement. 150.207 Procedure for determining that a State fails to substantially enforce HIPAA requirements. 150.209 Verification of exhaustion of remedies and contact with State officials. 150.211 Notice to the State. 150.213 Form and content of notice. 150.215 Extension for good cause. 150.217 Preliminary determination. 150.219 Final determination. 150.221 Transition to State enforcement. [[Page 45796]] Subpart C--HCFA Enforcement With Respect to Issuers and Non-Federal Governmental Plans--Civil Money Penalties 150.301 General rule regarding the imposition of civil money penalties. 150.303 Basis for initiating an investigation of a potential violation. 150.305 Determination of entity liable for civil money penalty. 150.307 Notice to responsible entities. 150.309 Request for extension. 150.311 Responses to allegations of noncompliance. 150.313 Market conduct examinations. 150.315 Amount of penalty--General. 150.317 Factors HCFA uses to determine the amount of penalty. 150.319 Determining the amount of the penalty--mitigating circumstances. 150.321 Determining the amount of penalty--aggravating circumstances. 150.323 Determining the amount of penalty--other matters as justice may require. 150.325 Settlement authority. 150.341 Limitations on penalties. 150.343 Notice of proposed penalty. 150.345 Appeal of proposed penalty. 150.347 Failure to request a hearing. Appendix A to Subpart C of Part 150--Examples of Violations Subpart D--Administrative Hearings 150.401 Definitions. 150.403 Scope of ALJ's authority. 150.405 Filing of request for hearing. 150.407 Form and content of request for hearing. 150.409 Amendment of notice of assessment or request for hearing. 150.411 Dismissal of request for hearing. 150.413 Settlement. 150.415 Intervention. 150.417 Issues to be heard and decided by ALJ. 150.419 Forms of hearing. 150.421 Appearance of counsel. 150.423 Communications with the ALJ. 150.425 Motions. 150.427 Form and service of submissions. 150.429 Computation of time and extensions of time. 150.431 Acknowledgment of request for hearing. 150.435 Discovery. 150.437 Submission of briefs and proposed hearing exhibits. 150.439 Effect of submission of proposed hearing exhibits. 150.441 Prehearing conferences. 150.443 Standard of proof. 150.445 Evidence. 150.447 The record. 150.449 Cost of transcripts. 150.451 Posthearing briefs. 150.453 ALJ decision. 150.455 Sanctions. 150.457 Review by Administrator. 150.459 Judicial review. 150.461 Failure to pay assessment. 150.463 Final order not subject to review. 150.465 Collection and use of penalty funds. Authority: Secs. 2701 through 2763, 2791, and 2792 of the PHS Act (42 U.S.C. 300gg through 300gg-63, 300gg-91, and 300gg-92). Subpart A--General Provisions Sec. 150.101 Basis and scope. (a) Basis. HCFA's enforcement authority under sections 2722 and 2761 of the PHS Act and its rulemaking authority under section 2792 of the PHS Act provide the basis for issuing regulations under this part 150. (b) Scope--(1) Enforcement with respect to group heath plans. The provisions of title XXVII of the PHS Act that apply to group health plans that are non-Federal governmental plans are enforced by HCFA using the procedures described in Sec. 150.301 et seq. (2) Enforcement with respect to health insurance issuers. The States have primary enforcement authority with respect to the requirements of title XXVII of the PHS Act that apply to health insurance issuers offering coverage in the group or individual health insurance market. If HCFA determines under subpart B of this part that a State is not substantially enforcing title XXVII of the PHS Act, including the implementing regulations in part 146 and part 148 of this subchapter, HCFA enforces them under subpart C of this part. Sec. 150.103 Definitions. The definitions that appear in part 144 of this subchapter apply to this part 150, unless stated otherwise. As used in this part: Amendment, endorsement, or rider means a document that modifies or changes the terms or benefits of an individual policy, group policy, or certificate of insurance. Application means a signed statement of facts by a potential insured that an issuer uses as a basis for its decision whether, and on what basis to insure an individual, or to issue a certificate of insurance, or that a non-Federal governmental health plan uses as a basis for a decision whether to enroll an individual under the plan. Certificate of insurance means the document issued to a person or entity covered under an insurance policy issued to a group health plan or an association or trust that summarizes the benefits and principal provisions of the policy. Complaint means any expression, written or oral, indicating a potential denial of any right or protection contained in HIPAA requirements (whether ultimately justified or not) by an individual, a personal representative or other entity acting on behalf of an individual, or any entity that believes such a right is being or has been denied an individual. Group health insurance policy or group policy means the legal document or contract issued by an issuer to a plan sponsor with respect to a group health plan (including a plan that is a non-Federal governmental plan) that contains the conditions and terms of the insurance that covers the group. HIPAA requirements means the requirements of title XXVII of the PHS Act and its implementing regulations in parts 146 and 148 of this subchapter. Individual health insurance policy or individual policy means the legal document or contract issued by the issuer to an individual that contains the conditions and terms of the insurance. Any association or trust arrangement that is not a group health plan as defined in Sec. 144.103 of this subchapter or does not provide coverage in connection with one or more group health plans is individual coverage subject to the requirements of part 148 of this subchapter. The term ``individual health insurance policy'' includes a policy that is---- (1) Issued to an association that makes coverage available to individuals other than in connection with one or more group health plans; or (2) Administered, or placed in a trust, and is not sold in connection with a group health plan subject to the provisions of part 146 of this subchapter. Plan document means the legal document that provides the terms of the plan to individuals covered under a group health plan, such as a non-Federal governmental health plan. State law means all laws, decisions, rules, regulations, or other State action having the effect of law, of any State as defined in Sec. 144.103 of this subchapter. A law of the United States applicable to the District of Columbia is treated as a State law rather than a law of the United States. Subpart B--HCFA Enforcement Processes for Determining Whether States Are Failing to Substantially Enforce HIPAA Requirements Sec. 150.201 State enforcement. Except as provided in subpart C of this part, each State enforces HIPAA requirements with respect to health insurance issuers that issue, sell, renew, or offer health insurance coverage in the State. Sec. 150.203 Circumstances requiring HCFA enforcement. HCFA enforces HIPAA requirements to the extent warranted (as determined by HCFA) in any of the following circumstances: [[Page 45797]] (a) Notification by State. A State notifies HCFA that it has not enacted legislation to enforce or that it is not otherwise enforcing HIPAA requirements. (b) Determination by HCFA. If HCFA receives or obtains information that a State may not be substantially enforcing HIPAA requirements, it may initiate the process described in this subchapter to determine whether the State is failing to substantially enforce these requirements. (c) Special rule for guaranteed availability in the individual market. If a State has notified HCFA that it is implementing an acceptable alternative mechanism in accordance with Sec. 148.128 of this subchapter instead of complying with the guaranteed availability requirements of Sec. 148.120, HCFA's determination focuses on the following: (1) Whether the State's mechanism meets the requirements for an acceptable alternative mechanism. (2) Whether the State is implementing the acceptable alternative mechanism. (d) Consequence of a State not implementing an alternative mechanism. If a State is not implementing an acceptable alternative mechanism, HCFA determines whether the State is substantially enforcing the requirements of Secs. 148.101 through 148.126 and Sec. 148.170 of this subchapter. Sec. 150.205 Sources of information triggering an investigation of State enforcement. Information that may trigger an investigation of State enforcement includes, but is not limited to, any of the following: (a) A complaint received by HCFA. (b) Information learned during informal contact between HCFA and State officials. (c) A report in the news media. (d) Information from the governors and commissioners of insurance of the various States regarding the status of their enforcement of HIPAA requirements. (e) Information obtained during periodic review of State health care legislation. HCFA may review State health care and insurance legislation and regulations to determine whether they are: (1) Consistent with HIPAA requirements. (2) Not pre-empted as provided in Sec. 146.143 (relating to group market provisions) and Sec. 148.120 (relating to individual market requirements) on the basis that they prevent the application of a HIPAA requirement. (f) Any other information that indicates a possible failure to substantially enforce. Sec. 150.207 Procedure for determining that a State fails to substantially enforce HIPAA requirements. Sections 150.209 through 150.219 describe the procedures HCFA follows to determine whether a State is substantially enforcing HIPAA requirements. Sec. 150.209 Verification of exhaustion of remedies and contact with State officials. If HCFA receives a complaint or other information indicating that a State is failing to enforce HIPAA requirements, HCFA assesses whether the affected individual or entity has made reasonable efforts to exhaust available State remedies. As part of its assessment, HCFA may contact State officials regarding the questions raised. Sec. 150.211 Notice to the State. If HCFA is satisfied that there is a reasonable question whether there has been a failure to substantially enforce HIPAA requirements, HCFA sends, in writing, the notice described in Sec. 150.213 of this part, to the following State officials: (a) The governor or chief executive officer of the State. (b) The insurance commissioner or chief insurance regulatory official. (c) If the alleged failure involves HMOs, the official responsible for regulating HMOs if different from the official listed in paragraph (b) of this section. Sec. 150.213 Form and content of notice. The notice provided to the State is in writing and does the following: (a) Identifies the HIPAA requirement or requirements that have allegedly not been substantially enforced. (b) Describes the factual basis for the allegation of a failure or failures to enforce HIPAA requirements. (c) Explains that the consequence of a State's failure to substantially enforce HIPAA requirements is that HCFA enforces them. (d) Advises the State that it has 30 days from the date of the notice to respond, unless the time for response is extended as described in Sec. 150.215 of this subpart. The State's response should include any information that the State wishes HCFA to consider in making the preliminary determination described in Sec. 150.217. Sec. 150.215 Extension for good cause. HCFA may extend, for good cause, the time the State has for responding to the notice described in Sec. 150.213 of this subpart. Examples of good cause include an agreement between HCFA and the State that there should be a public hearing on the State's enforcement, or evidence that the State is undertaking expedited enforcement activities. Sec. 150.217 Preliminary determination. If, at the end of the 30-day period (and any extension), the State has not established to HCFA's satisfaction that it is substantially enforcing the HIPAA requirements described in the notice, HCFA takes the following actions: (a) Consults with the appropriate State officials identified in Sec. 150.211 (or their designees). (b) Notifies the State of HCFA's preliminary determination that the State has failed to substantially enforce the requirements and that the failure is continuing. (c) Permits the State a reasonable opportunity to show evidence of substantial enforcement. Sec. 150.219 Final determination. If, after providing notice and a reasonable opportunity for the State to show that it has corrected any failure to substantially enforce, HCFA finds that the failure to substantially enforce has not been corrected, it will send the State a written notice of its final determination. The notice includes the following: (a) Identification of the HIPAA requirements that HCFA is enforcing. (b) The effective date of HCFA's enforcement. Sec. 150.221 Transition to State enforcement. (a) If HCFA determines that a State for which it has assumed enforcement authority has enacted and implemented legislation to enforce HIPAA requirements and also determines that it is appropriate to return enforcement authority to the State, HCFA will enter into discussions with State officials to ensure that a transition is effected with respect to the following: (1) Consumer complaints and inquiries. (2) Instructions to issuers. (3) Any other pertinent aspect of operations. (b) HCFA may also negotiate a process to ensure that, to the extent practicable, and as permitted by law, its records documenting issuer compliance and other relevant areas of HCFA's enforcement operations are made available for incorporation into the records of the State regulatory authority that will assume enforcement responsibility. [[Page 45798]] Subpart C--HCFA Enforcement With Respect to Issuers and Non-Federal Governmental Plans--Civil Money Penalties Sec. 150.301 General rule regarding the imposition of civil money penalties. If any health insurance issuer that is subject to HCFA's enforcement authority under Sec. 150.101(b)(2), or any non-Federal governmental plan (or employer that sponsors a non-Federal governmental plan) that is subject to HCFA's enforcement authority under Sec. 150.101(b)(1), fails to comply with HIPAA requirements, it may be subject to a civil money penalty as described in this subpart. Sec. 150.303 Basis for initiating an investigation of a potential violation. (a) Information. Any information that indicates that any issuer may be failing to meet the HIPAA requirements or that any non-Federal governmental plan that is a group health plan as defined in section 2791(a)(1) of the PHS Act and 45 CFR Sec. 144.103 may be failing to meet an applicable HIPAA requirement, may warrant an investigation. HCFA may consider, but is not limited to, the following sources or types of information: (1) Complaints. (2) Reports from State insurance departments, the National Association of Insurance Commissioners, and other Federal and State agencies. (3) Any other information that indicates potential noncompliance with HIPAA requirements. (b) Who may file a complaint. Any entity or individual, or any entity or personal representative acting on that individual's behalf, may file a complaint with HCFA if he or she believes that a right to which the aggrieved person is entitled under HIPAA requirements is being, or has been, denied or abridged as a result of any action or failure to act on the part of an issuer or other responsible entity as defined in Sec. 150.305. (c) Where a complaint should be directed. A complaint may be directed to any HCFA regional office. Sec. 150.305 Determination of entity liable for civil money penalty. If a failure to comply is established under this Part, the responsible entity, as determined under this section, is liable for any civil money penalty imposed. (a) Health insurance issuer is responsible entity--(1) Group health insurance policy. To the extent a group health insurance policy issued, sold, renewed, or offered to a private plan sponsor or a non-Federal governmental plan sponsor is subject to applicable HIPAA requirements, a health insurance issuer is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraphs (b) or (c) of this section, if the policy itself or the manner in which the policy is marketed or administered fails to comply with an applicable HIPAA requirement. (2) Individual health insurance policy. To the extent an individual health insurance policy is subject to an applicable HIPAA requirement, a health insurance issuer is subject to a civil money penalty if the policy itself, or the manner in which the policy is marketed or administered, violates any applicable HIPAA requirement. (b) Non-Federal governmental plan is responsible entity. (1) Basic rule. If a non-Federal governmental plan is sponsored by two or more employers and fails to comply with an applicable HIPAA requirement, the plan is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraph (a) of this section. The plan is the responsible entity irrespective of whether the plan is administered by a health insurance issuer, an employer sponsoring the plan, or a third-party administrator. (2) Exception. In the case of a non-Federal governmental plan that is not provided through health insurance coverage, this paragraph (b) does not apply to the extent that the non-Federal governmental employers have elected under Sec. 146.180 to exempt the plan from applicable HIPAA requirements. (c) Employer is responsible entity. (1) Basic rule. If a non- Federal governmental plan is sponsored by a single employer and fails to comply with an applicable HIPAA requirement, the employer is subject to a civil money penalty, irrespective of whether a civil money penalty is imposed under paragraph (a) of this section. The employer is the responsible entity irrespective of whether the plan is administered by a health insurance issuer, the employer, or a third-party administrator. (2) Exception. In the case of a non-Federal governmental plan that is not provided through health insurance coverage, this paragraph (c) does not apply to the extent the non-Federal governmental employer has elected under Sec. 146.180 to exempt the plan from applicable HIPAA requirements. (d) Actions or inactions of agent. A principal is liable for penalties assessed for the actions or inactions of its agent. Sec. 150.307 Notice to responsible entities. If an investigation under Sec. 150.303 indicates a potential violation, HCFA provides written notice to the responsible entity or entities identified under Sec. 150.305. The notice does the following: (a) Describes the substance of any complaint or other information. (See Appendix A to this subpart for examples of violations.) (b) Provides 30 days from the date of the notice for the responsible entity or entities to respond with additional information, including documentation of compliance as described in Sec. 150.311. (c) States that a civil money penalty may be assessed. Sec. 150.309 Request for extension. In circumstances in which an entity cannot prepare a response to HCFA within the 30 days provided in the notice, the entity may make a written request for an extension from HCFA detailing the reason for the extension request and showing good cause. If HCFA grants the extension, the responsible entity must respond to the notice within the time frame specified in HCFA's letter granting the extension of time. Failure to respond within 30 days, or within the extended time frame, may result in HCFA's imposition of a civil money penalty based upon the complaint or other information alleging or indicating a violation of HIPAA requirements. Sec. 150.311 Responses to allegations of noncompliance. In determining whether to impose a civil money penalty, HCFA reviews and considers documentation provided in any complaint or other information, as well as any additional information provided by the responsible entity to demonstrate that it has complied with HIPAA requirements. The following are examples of documentation that a potential responsible entity may submit for HCFA's consideration in determining whether a civil money penalty should be assessed and the amount of any civil money penalty: (a) Any individual policy, group policy, certificate of insurance, application, rider, amendment, endorsement, certificate of creditable coverage, advertising material, or any other documents if those documents form the basis of a complaint or allegation of noncompliance, or the basis for the responsible entity to refute the complaint or allegation. (b) Any other evidence that refutes an alleged noncompliance. [[Page 45799]] (c) Evidence that the entity did not know, and exercising due diligence could not have known, of the violation. (d) Documentation that the policies, certificates of insurance, or non-Federal governmental plan documents have been amended to comply with HIPAA requirements either by revision of the contracts or by the development of riders, amendments, or endorsements. (e) Documentation of the entity's issuance of conforming policies, certificates of insurance, plan documents, or amendments to policyholders or certificate holders before the issuance of the notice of intent to assess a penalty described in Sec. 150.307. (f) Evidence documenting the development and implementation of internal policies and procedures by an issuer, or non-Federal governmental health plan or employer, to ensure compliance with HIPAA requirements. Those policies and procedures may include or consist of a voluntary compliance program. Any such program should do the following: (1) Effectively articulate and demonstrate the fundamental mission of compliance and the issuer's, or non-Federal governmental health plan's or employer's, commitment to the compliance process. (2) Include the name of the individual in the organization responsible for compliance. (3) Include an effective monitoring system to identify practices that do not comply with HIPAA requirements and to provide reasonable assurance that fraud, abuse, and systemic errors are detected in a timely manner. (4) Address procedures to improve internal policies when noncompliant practices are identified. (g) Evidence documenting the entity's record of previous compliance with HIPAA requirements. Sec. 150.313 Market conduct examinations. (a) Definition. A market conduct examination means the examination of health insurance operations of an issuer, or the operation of a non- Federal governmental plan, involving the review of one or more (or a combination) of a responsible entity's business or operational affairs, or both, to verify compliance with HIPAA requirements. (b) General. If, based on the information described in Sec. 150.303, HCFA finds evidence that a specific entity may be in violation of a HIPAA requirement, HCFA may initiate a market conduct examination to determine whether the entity is out of compliance. HCFA may conduct the examinations either at the site of the issuer or other responsible entity or a site HCFA selects. When HCFA selects a site, it may direct the issuer or other responsible entity to forward any documentation HCFA considers relevant for purposes of the examination to that site. (c) Appointment of examiners. When HCFA identifies an issue that warrants investigation, HCFA will appoint one or more examiners to perform the examination and instruct them as to the scope of the examination. (d) Appointment of professionals and specialists. When conducting an examination under this part, HCFA may retain attorneys, independent actuaries, independent market conduct examiners, or other professionals and specialists as examiners. (e) Report of market conduct examination. (1) HCFA review. When HCFA receives a report, it will review the report, together with the examination work papers and any other relevant information, and prepare a final report. The final examination report will be provided to the issuer or other responsible entity. (2) Response from issuer or other responsible entity. With respect to each examination issue identified in the report, the issuer or other responsible entity may: (i) Concur with HCFA's position(s) as outlined in the report, explaining the plan of correction to be implemented. (ii) Dispute HCFA's position(s), clearly outlining the basis for its dispute and submitting illustrative examples where appropriate. (3) HCFA's reply to a response from an issuer or other responsible entity. Upon receipt of a response from the issuer or other responsible entity, HCFA will provide a letter containing its reply to each examination issue. HCFA's reply will consist of one of the following: (i) Concurrence with the issuer's or non-Federal governmental plan's position. (ii) Approval of the issuer's or non-Federal governmental plan's proposed plan of correction. (iii) Conditional approval of the issuer's or non-Federal governmental plan's proposed plan of correction, which will include any modifications HCFA requires. (iv) Notice to the issuer or non-Federal governmental plan that there exists a potential violation of HIPAA requirements. Sec. 150.315 Amount of penalty--General. A civil money penalty for each violation of 42 U.S.C. 300gg et seq. may not exceed $100 for each day, for each responsible entity, for each individual affected by the violation. Penalties imposed under this part are in addition to any other penalties prescribed or allowed by law. Sec. 150.317 Factors HCFA uses to determine the amount of penalty. In determining the amount of any penalty, HCFA takes into account the following: (a) The entity's previous record of compliance. This may include any of the following: (1) Any history of prior violations by the responsible entity, including whether, at any time before determination of the current violation or violations, HCFA or any State found the responsible entity liable for civil or administrative sanctions in connection with a violation of HIPAA requirements. (2) Documentation that the responsible entity has submitted its policy forms to HCFA for compliance review. (3) Evidence that the responsible entity has never had a complaint for noncompliance with HIPAA requirements filed with a State or HCFA. (4) Such other factors as justice may require. (b) The gravity of the violation. This may include any of the following: (1) The frequency of the violation, taking into consideration whether any violation is an isolated occurrence, represents a pattern, or is widespread. (2) The level of financial and other impacts on affected individuals. (3) Other factors as justice may require. Sec. 150. 319 Determining the amount of the penalty--mitigating circumstances. For every violation subject to a civil money penalty, if there are substantial or several mitigating circumstances, the aggregate amount of the penalty is set at an amount sufficiently below the maximum permitted by Sec. 150.315 to reflect that fact. As guidelines for taking into account the factors listed in Sec. 150.317, HCFA considers the following: (a) Record of prior compliance. It should be considered a mitigating circumstance if the responsible entity has done any of the following: (1) Before receipt of the notice issued under Sec. 150.307, implemented and followed a compliance plan as described in Sec. 150.311(f). (2) Had no previous complaints against it for noncompliance. (b) Gravity of the violation(s). It should be considered a mitigating circumstance if the responsible entity has done any of the following: [[Page 45800]] (1) Made adjustments to its business practices to come into compliance with HIPAA requirements so that the following occur: (i) All employers, employees, individuals and non-Federal governmental entities are identified that are or were issued any policy, certificate of insurance or plan document, or any form used in connection therewith that failed to comply. (ii) All employers, employees, individuals, and non-Federal governmental plans are identified that were denied coverage or were denied a right provided under HIPAA requirements. (iii) Each employer, employee, individual, or non-Federal governmental plan adversely affected by the violation has been, for example, offered coverage or provided a certificate of creditable coverage in a manner that complies with HIPAA requirements that were violated so that, to the extent practicable, that employer, employee, individual, or non-Federal governmental entity is in the same position that he, she, or it would have been in had the violation not occurred. (iv) The adjustments are completed in a timely manner. (2) Discovered areas of noncompliance without notice from HCFA and voluntarily reported that noncompliance, provided that the responsible entity submits the following: (i) Documentation verifying that the rights and protections of all individuals adversely affected by the noncompliance have been restored; and (ii) A plan of correction to prevent future similar violations. (3) Demonstrated that the violation is an isolated occurrence. (4) Demonstrated that the financial and other impacts on affected individuals is negligible or nonexistent. (5) Demonstrated that the noncompliance is correctable and that a high percentage of the violations were corrected. Sec. 150.321 Determining the amount of penalty--aggravating circumstances. For every violation subject to a civil money penalty, if there are substantial or several aggravating circumstances, HCFA sets the aggregate amount of the penalty at an amount sufficiently close to or at the maximum permitted by Sec. 150.315 to reflect that fact. HCFA considers the following circumstances to be aggravating circumstances: (a) The frequency of violation indicates a pattern of widespread occurrence. (b) The violation(s) resulted in significant financial and other impacts on the average affected individual. (c) The entity does not provide documentation showing that substantially all of the violations were corrected. Sec. 150.323 Determining the amount of penalty--other matters as justice may require. HCFA may take into account other circumstances of an aggravating or mitigating nature if, in the interests of justice, they require either a reduction or an increase of the penalty in order to assure the achievement of the purposes of this part, and if those circumstances relate to the entity's previous record of compliance or the gravity of the violation. Sec. 150.325 Settlement authority. Nothing in Secs. 150.315 through 150.323 limits the authority of HCFA to settle any issue or case described in the notice furnished in accordance with Sec. 150.307 or to compromise on any penalty provided for in Secs. 150.315 through 150.323. Sec. 150.341 Limitations on penalties. (a) Circumstances under which a civil money penalty is not imposed. HCFA does not impose any civil money penalty on any failure for the period of time during which none of the responsible entities knew, or exercising reasonable diligence would have known, of the failure. HCFA also does not impose a civil money penalty for the period of time after any of the responsible entities knew, or exercising reasonable diligence would have known of the failure, if the failure was due to reasonable cause and not due to willful neglect and the failure was corrected within 30 days of the first day that any of the entities against whom the penalty would be imposed knew, or exercising reasonable diligence would have known, that the failure existed. (b) Burden of establishing knowledge. The burden is on the responsible entity or entities to establish to HCFA's satisfaction that no responsible entity knew, or exercising reasonable diligence would have known, that the failure existed. Sec. 150.343 Notice of proposed penalty. If HCFA proposes to assess a penalty in accordance with this part, it delivers to the responsible entity, or sends to that entity by certified mail, return receipt requested, written notice of its intent to assess a penalty. The notice includes the following: (a) A description of the HIPAA requirements that HCFA has determined that the responsible entity violated. (b) A description of any complaint or other information upon which HCFA based its determination, including the basis for determining the number of affected individuals and the number of days for which the violations occurred. (c) The amount of the proposed penalty as of the date of the notice. (d) Any circumstances described in Secs. 150.317 through 150.323 that were considered when determining the amount of the proposed penalty. (e) A specific statement of the responsible entity's right to a hearing. (f) A statement that failure to request a hearing within 30 days permits the assessment of the proposed penalty without right of appeal in accordance with Sec. 150.347. Sec. 150.345 Appeal of proposed penalty. Any entity against which HCFA has assessed a penalty may appeal that penalty in accordance with Sec. 150.401 et seq. Sec. 150.347 Failure to request a hearing. If the responsible entity does not request a hearing within 30 days of the issuance of the notice described in Sec. 150.343, HCFA may assess the proposed civil money penalty, a less severe penalty, or a more severe penalty. HCFA notifies the responsible entity in writing of any penalty that has been assessed and of the means by which the responsible entity may satisfy the judgment. The responsible entity has no right to appeal a penalty with respect to which it has not requested a hearing in accordance with Sec. 150.405 unless the responsible entity can show good cause, as determined under Sec. 150.405(b), for failing to timely exercise its right to a hearing. Appendix A to Subpart C of Part 150--Examples of Violations This appendix lists actions in the group and individual markets for which HCFA may impose civil money penalties. This list is not all-inclusive. Note 1: All cross-references to sections of the Code of Federal Regulations are cross-references to sections in parts 144, 146, or 148 of this subchapter. Note 2: Except as otherwise expressly noted, all references to non-Federal governmental plans refer to non-Federal governmental plans that are not exempt from HIPAA requirements (as defined in Sec. 150.103) under section 2721(b)(2) of the PHS Act and Sec. 146.180. I. Basis for Imposition of Civil Money Penalties--Actions in the Group Market a. Failure to comply with the limitations on pre-existing condition exclusions (Sec. 146.111). [[Page 45801]] Violations of the limitations on preexisting condition exclusions, set forth in Sec. 146.111, includes those circumstances in which a non-Federal governmental plan or health insurance issuer offering group health insurance coverage does the following: (1) Imposes a preexisting condition exclusion period that exceeds 12 months or, in the case of a late enrollee, 18 months, from the enrollment date (the first day of coverage or the first day of the waiting period, if any). (2) Fails to reduce a pre-existing condition exclusion period by creditable coverage as provided in Secs. 146.111(a)(1)(iii) and 146.113. (3) Imposes a pre-existing condition exclusion period without first giving the two written notices required in Secs. 146.111(c) and 146.115(d). The first notice is a general notice to all plan participants of the existence and terms of any pre-existing condition exclusion under the plan, and the rights of individuals to demonstrate creditable coverage. The notice should explain the right of an individual to request a certificate from a previous plan or issuer, if necessary, and include a statement that the current plan or issuer will assist in obtaining a certificate from a previous plan or issuer, if necessary. The second notice is required to be sent to any individual who has presented evidence of creditable coverage, and to whom a pre-existing condition exclusion period will be applied. This second notice informs the individual of the plan's determination of any pre-existing condition exclusion period, the basis for such determination, a written explanation of any appeals procedures established by the plan or issuer, and a reasonable opportunity to submit additional evidence of creditable coverage. (4) Treats pregnancy as a pre-existing condition, as prohibited by Sec. 146.111(b)(4). For example, an issuer may not refuse to pay for prenatal care and delivery effective with the date maternity coverage began because the individual did not have maternity coverage at the time the pregnancy began. (5) Imposes a pre-existing condition exclusion with regard to a child who enrolls in a group health plan within 30 days of birth, adoption, or placement for adoption. (6) Imposes a pre-existing condition exclusion with regard to a child who was enrolled in another group health plan within 30 days of birth, adoption, or placement for adoption and who does not experience significant break in coverage. (7) Uses a pre-existing condition look-back period that exceeds the six-month period ending on the enrollment date in violation of Sec. 146.111(a)(1) of this chapter. (8) Determines whether a pre-existing condition exclusion applies by using a standard other than whether medical advice, diagnosis, care, or treatment was actually recommended or received during the look-back period. A determination that a reasonably prudent person would or should have sought medical care for the condition is an unacceptable standard by which to determine whether a pre-existing condition exclusion applies. (9) Uses genetic information as part of the definition of pre- existing condition in the absence of a diagnosis of the condition related to the genetic information. (10) Otherwise fails to comply with Sec. 146.111. b. Failure to comply with the provisions relating to creditable coverage (Sec. 146.113). Failure to comply with the Sec. 146.113 rules relating to creditable coverage includes those circumstances in which a non- Federal governmental plan or issuer offering group health insurance coverage does the following: (1) Fails to treat all forms of coverage listed in Sec. 146.113(a) as creditable coverage. (2) Counts creditable coverage in a manner inconsistent with the standard method described in Sec. 146.113(b) or the alternative method described in Sec. 146.113(c), if it elects to use the alternative method. (3) Treats an individual with fewer than 63 consecutive days without creditable coverage as having a significant break in coverage in violation of Sec. 146.113(b)(2)(iii). (4) Takes either a waiting period or an affiliation period into account when calculating a significant break in coverage, as prohibited by Sec. 146.113(b)(2)(iii). (5) Otherwise fails to comply with Sec. 146.113. c. Failure to comply with the provisions regarding certification and disclosure of previous coverage (Sec. 146.115). Except as provided in paragraph (c)(b), the plan sponsor of a self-funded non-Federal governmental plan may not elect to exempt its plan from the requirements of this paragraph. Failure to comply with the requirements in Sec. 146.115 regarding certification and disclosure of previous coverage includes those circumstances in which a non-Federal governmental plan or issuer offering group health insurance coverage does the following: (1) Fails to ensure that individuals who request certification receive it. (2) Fails to automatically provide certificates of creditable coverage promptly, either-- (i) When the individual ceases to be covered under the plan (whether or not COBRA continuation coverage is offered or elected); or (ii) When the COBRA continuation coverage is exhausted or is terminated by the individual, if COBRA continuation coverage was offered and was elected. (3) Fails to provide certificates of creditable coverage promptly upon request. (4) Fails to provide the required information in certificates of creditable coverage. (5) Fails to provide certificates of creditable coverage to dependents. (6) Fails to accept other evidence of creditable coverage as provided in Sec. 146.115(c). (The plan sponsor of a self-funded non- Federal governmental plan may elect to exempt its plan from the requirements of this paragraph (6)). (7) Otherwise fails to comply with Sec. 146.115. d. Failure to comply with the provisions regarding special enrollment periods (Sec. 146.117). Failure to comply with the Sec. 146.117 requirements regarding special enrollment periods includes those circumstances in which an issuer or a non-Federal governmental plan does the following: (1) Fails to permit employees and dependents to enroll for coverage if they satisfy the conditions of Sec. 146.117(a) or (b). (2) Fails to provide coverage on a timely basis to individuals protected by a special enrollment period as provided in Sec. 146.117. (3) Fails to provide the employee with a description of the plan's or issuer's special enrollment rules on or before the time the employee is offered the opportunity to enroll as provided in Sec. 146.117(c). (4) Otherwise fails to comply with Sec. 146.117. e. Failure to comply with the HMO affiliation period provisions (Sec. 146.119). Failure to comply with the Sec. 146.119 affiliation period requirements includes those circumstances in which an HMO that offers group health insurance coverage does the following: (1) Imposes a pre-existing condition exclusion period. (2) Charges a premium for months in an affiliation period. (3) Fails to impose an affiliation period uniformly without regard to any health status-related factor. (4) Imposes an affiliation period that is longer than 2 months (or 3 months for late enrollees), or one that begins later than the enrollment date or does not run concurrently with any waiting period. (5) Otherwise fails to comply with Sec. 146.119. f. Failure to comply with the provisions regarding nondiscrimination (Sec. 146.121). Failure to comply with the Sec. 146.121 prohibitions regarding nondiscrimination includes those circumstances in which an issuer or a non-Federal governmental plan does the following: (1) Applies rules of eligibility (including continued eligibility) to enroll under the terms of the plan based any of the health-status related factors described in Sec. 146.121(a). (2) Requires an individual as a condition of enrollment or re- enrollment to pay a higher premium than others similarly situated by reason of a health-status related factor of the individual or the individual's dependent. (3) Otherwise fails to comply with Sec. 146.121. g. Failure to comply with the provisions relating to benefits for mothers and newborns (Sec. 146.130) in States where the Sec. 146.130 standards are applicable. Failure of an issuer or a non-Federal governmental plan to comply with the standards in Sec. 146.130 relating to benefits for mothers and newborns includes the following: (1) Restricts benefits for a mother or her newborn to less than 48 hours following a vaginal delivery or less than 96 hours following a delivery by cesarean section, unless the attending provider decides, in consultation with the mother, to discharge the mother or newborn earlier. (2) Fails to calculate the length of stay from the time of delivery when delivery occurs in a hospital, or from the time of admission when delivery occurs outside the hospital. (3) Penalizes an attending provider for complying with the law. [[Page 45802]] (4) Offers incentives to an attending provider to provide care in a manner inconsistent with the provisions of Sec. 146.130. (5) Denies the mother or newborn eligibility or continued eligibility to enroll under the plan to avoid complying with Sec. 146.130. (6) Provides payments or rebates to mothers to encourage them to accept less than the minimum stay required. (7) Requires an attending provider to obtain authorization to prescribe a hospital length of stay of up to 48 hours (or 96 hours) after delivery. (8) Imposes deductibles, coinsurance, or other cost-sharing measures for any portion of a 48-hour (or 96-hour) hospital stay that are less favorable than those imposed on any preceding portion of the stay. (9) In the case of a non-Federal governmental plan, fails to provide participants and beneficiaries with a statement describing the requirements of the Newborns' and Mothers' Health Protection Act of 1996, using the language provided at Sec. 146.130(d)(2), not later than 60 days after the first day of the first plan year beginning on or after January 1, 1999. (10) Otherwise fails to comply with Sec. 146.130. h. Failure to comply with the provisions pertaining to parity in the application of certain limits to mental health benefits in the large group market (Sec. 146.136). Failure of a non-Federal governmental plan offered by a large employer or health insurance issuer offering health insurance coverage to large employers to comply with the Sec. 146.136 provisions pertaining to parity in the application of certain limits to mental health benefits (with respect to a plan that must comply with such provisions) includes the following: (1) Sale of a product by a health insurance issuer that fails to comply with the mental health parity provisions of Sec. 146.136. (2) Failure of a non-Federal governmental plan to comply with the annual and lifetime dollar limits provisions concerning mental health parity. i. Failure to comply with the Women's Health and Cancer Rights Act of 1998 (section 2706 of the PHS Act, 42 U.S.C. 300gg-06). j. Failure to comply with the provisions regarding guaranteed availability of coverage in the small group market (Sec. 146.150). Failure to provide guaranteed availability in the small group market as provided in Sec. 146.150 includes those circumstances in which a health insurance issuer offering any health insurance coverage to group health plans in the small group market does the following: (1) Fails to offer all products on a guaranteed availability basis to all small employers. (2) Fails to define a small employer using the definition at Sec. 144.103, unless otherwise provided under State law; that is, generally an employer with between 2 and 50 employees. (3) Fails to count as employees all individual employees that an employer wants to include in the group by applying a more restrictive definition of ``employee'' than is permitted by Sec. 144.103. (4) Fails to accept all employee dependents who are qualified under the terms of the employer's group health plan. (5) Sets agent commissions for sales to small employers so low as to discourage agents from marketing policies to, or enrolling, these groups so that a failure to offer coverage results. (6) Unreasonably delays the processing of applications submitted by small employers, so that a break in coverage of more than 63 days results. (7) Fails to offer to any small employer on a guaranteed availability basis any product that the issuer sells to small employers through one or more associations that are not bona fide associations, as defined in Sec. 144.103. The requirement to guarantee availability of such products to all small employers applies whether or not the small employer is a member of, or could qualify for membership in, that association. (8) Otherwise fails to comply with Sec. 146.150. k. Failure to comply with the requirements regarding guaranteed renewability in either the large or small group market (Sec. 146.152). Failure to provide guaranteed renewability of coverage as provided in Sec. 146.152 includes those circumstances in which a health insurance issuer offering health insurance coverage to a group health plan in the small or large group market does the following: (1) Fails to renew or continue in force coverage at the option of the plan sponsor unless one of the specific exceptions in Sec. 146.152(b) is met. (2) Fails to follow the requirements as described in Sec. 146.152(c)-(e) relating to the discontinuance of a particular product or withdrawal from the market of a particular product. (3) Fails to renew coverage of an individual employer who has been a member of an association when the individual employer ceases to be a member of the association, unless it is a bona fide association as defined in Sec. 144.103, and the issuer terminates coverage for all former members on a uniform basis. (4) Fails to act uniformly if the issuer cancels coverage. (5) Otherwise fails to comply with Sec. 146.152. l. Failure to comply with the requirements relating to disclosure of information (Sec. 146.160). Failure to make reasonable disclosure as provided in Sec. 146.160 includes those circumstances in which an issuer offering group health insurance coverage to a small employer, as defined in Sec. 144.103, does the following: (1) Fails to disclose all information concerning all products available from the issuer in the small group market as defined in Sec. 144.103. (2) Otherwise fails to comply with Sec. 146.160. II. Basis for Imposition of Civil Money Penalties--Actions in the Individual Market a. Failure to comply with the requirements regarding guaranteed availability of coverage (Sec. 148.120). In States that are not implementing an acceptable alternative mechanism described in Sec. 148.128, failure to provide guaranteed availability with no preexisting condition exclusion period as provided in Sec. 148.120 includes those circumstances in which an issuer does the following: (1) Fails to provide to eligible individuals, on a guaranteed availability basis, at least one of the following: (i) Enrollment in all individual market policies it actually markets. (ii) The two most popular policies described in Sec. 148.120(c)(2). (iii) Two representative policy forms as described in Sec. 148.120(c)(3). (2) Imposes any preexisting condition exclusion or affiliation period on eligible individuals under any policy that it sells on a guaranteed availability basis. (3) Sets agent commissions for sales to eligible individuals so low as to discourage agents from marketing policies to, or enrolling, these individuals so that a failure to offer coverage results. (4) Unreasonably delays the processing of applications submitted by eligible individuals. (5) Fails to offer to any eligible individual as defined in Sec. 148.103 (on a guaranteed availability basis with no preexisting condition exclusions) any product the issuer sells to individuals through one or more associations that are not bona fide associations, as defined in Sec. 144.103, unless the issuer has designated at least two other products (as its two most popular or its two representative policies) that it will sell to eligible individuals. (6) Denies an eligible individual a policy on the basis that the individual has had a significant break in coverage even though a substantially complete application was filed on or before the 63rd day after the prior group coverage ended. (7) Otherwise fails to comply with Sec. 148.120. b. Failure to comply with the requirements regarding guaranteed renewability of coverage (Sec. 148.122). Failure to provide guaranteed renewability as provided in Sec. 148.122 includes those circumstances in which an issuer does the following: (1) Fails to renew or continue in force coverage at the option of the individual, unless one of the specific exceptions in Sec. 148.122 is met. (2) Fails to follow the requirements relating to the discontinuance of a particular product or withdrawal from the market of a particular product as described in Sec. 148.122(d). (3) Fails to continue coverage at the option of the individual after the individual becomes eligible for Medicare. (4) Fails to renew coverage for an individual who has been a member of an association when the individual ceases to be a member of the association, unless the association is a bona fide association as defined in Sec. 144.103 and the issuer uniformly terminates coverage for all former members. (5) Otherwise fails to comply with Sec. 148.122. c. Failure to comply with the requirements regarding certification and disclosure of coverage (Sec. 148.124). Failure to comply with the requirements of Sec. 148.124 regarding certification and [[Page 45803]] disclosure of previous coverage includes those circumstances in which an issuer does any of the following: (1) Fails to provide automatic certificates of creditable coverage promptly. (2) Fails to disclose the required information in certificates of creditable coverage as provided in Sec. 148.124(b). (3) Fails to provide certificates of creditable coverage to dependents who are insured in the individual market and whose coverage ceases under an individual policy. (4) Fails to credit coverage or establish eligibility as provided in Sec. 148.124 solely because the individual is unable to obtain a certificate. This includes failing to accept, acknowledge, consider, or otherwise use other evidence of creditable coverage described in Sec. 146.115(c) submitted by, or on behalf of, an individual to establish that person is an eligible individual. (5) Otherwise fails to comply with Sec. 148.124. d. Failure to comply with the requirements regarding determination of an eligible individual (Sec. 148.126). Failure to determine, as provided in Sec. 148.126, that an applicant for health insurance is an eligible individual includes those circumstances in which an issuer does the following: (1) Fails to identify eligible individuals, to provide information regarding all coverage options, and to issue policies promptly. (2) Requires eligible individuals to specify their desire to invoke the requirements of part 148 or to explicitly request their rights under the law in order to obtain information about products available to them. (3) Otherwise fails to comply with Sec. 148.126. e. Failure to comply with the standards relating to benefits for mothers and newborns (Sec. 148.170). In States where the Sec. 148.170 standards are applicable (see Sec. 148.170(e)), failure to comply with the Sec. 148.170 standards relating to benefits for mothers and newborns includes those circumstances in which a health insurance issuer does the following: (1) Restricts benefits for a mother or her newborn to fewer than 48 hours following a vaginal delivery or fewer than 96 hours following a delivery by cesarean section, unless the attending provider decides, in consultation with the mother, to discharge the mother or newborn earlier. (2) Fails to calculate the length of stay from the time of delivery when delivery occurs in a hospital, or from the time of admission when delivery occurs outside the hospital. (3) Requires an attending provider to obtain authorization to prescribe a hospital length of stay of up to 48 hours (or 96 hours, if applicable) after delivery. (4) Imposes deductibles, coinsurance, or other cost-sharing measures for any portion of a 48-hour (or 96-hour, if applicable) hospital stay that are less favorable than those imposed on any preceding portion of the stay. (6) Penalizes a provider for complying with the law. (7) Offers incentives to a provider to provide care in a manner inconsistent with the provisions of Sec. 148.170 to avoid complying with Sec. 148.170. (8) Denies the mother or newborn eligibility or continued eligibility solely to avoid the requirements of Sec. 148.170. (9) Provides incentives to mothers to encourage them to accept less than the minimum stay requirement. (10) Fails to provide participants and beneficiaries with a statement describing the requirements of the Newborns' and Mothers' Health Protection Act of 1996, using the language provided at Sec. 148.170 (d)(2), not later than March 1, 1999. (11) Otherwise fails to comply with Sec. 148.170. f. Failure to comply with the Women's Health and Cancer Rights Act of 1998 (section 2752 of the PHS Act, 42 U.S.C. 300gg-52) and any additional implementing regulations. Subpart D--Administrative Hearings Sec. 150.401 Definitions. In this subpart, unless the context indicates otherwise: ALJ means administrative law judge of the Departmental Appeals Board of the Department of Health and Human Services. Filing date means the date postmarked by the U.S. Postal Service, deposited with a carrier for commercial delivery, or hand delivered. Hearing includes a hearing on a written record as well as an in- person or telephone hearing. Party means HCFA or the respondent. Receipt date means five days after the date of a document, unless there is a showing that it was in fact received later. Respondent means an entity that received a notice of proposed assessment of a civil money penalty issued pursuant to Sec. 150.343. Sec. 150.403 Scope of ALJ's authority. (a) The ALJ has the authority, including all of the authority conferred by the Administrative Procedure Act, to adopt whatever procedures may be necessary or proper to carry out in an efficient and effective manner the ALJ's duty to provide a fair and impartial hearing on the record and to issue an initial decision concerning the imposition of a civil money penalty. (b) The ALJ's authority includes the authority to modify, consistent with the Administrative Procedure Act (5 U.S.C. 552a), any hearing procedures set out in this subpart. (c) The ALJ does not have the authority to find invalid or refuse to follow Federal statutes or regulations. Sec. 150.405 Filing of request for hearing. (a) A respondent has a right to a hearing before an ALJ if it files a request for hearing that complies with Sec. 150.407(a), within 30 days after the date of issuance of either HCFA's notice of proposed assessment under Sec. 150.343 or notice that an alternative dispute resolution process has terminated. The request for hearing should be addressed as instructed in the notice of proposed determination. ``Date of issuance'' is five (5) days after the filing date, unless there is a showing that the document was received earlier. (b) The ALJ may extend the time for filing a request for hearing only if the ALJ finds that the respondent was prevented by events or circumstances beyond its control from filing its request within the time specified above. Any request for an extension of time must be made promptly by written motion. Sec. 150.407 Form and content of request for hearing. (a) The request for hearing must do the following: (1) Identify any factual or legal bases for the assessment with which the respondent disagrees. (2) Describe with reasonable specificity the basis for the disagreement, including any affirmative facts or legal arguments on which the respondent is relying. (b) The request for hearing must identify the relevant notice of assessment by date and attach a copy of the notice. Sec. 150.409 Amendment of notice of assessment or request for hearing. The ALJ may permit HCFA to amend its notice of assessment, or permit the respondent to amend a request for hearing that complies with Sec. 150.407(a), if the ALJ finds that no undue prejudice to either party will result. Sec. 150.411 Dismissal of request for hearing. An ALJ will order a request for hearing dismissed if the ALJ determines that: (a) The request for hearing was not filed within 30 days as specified by Sec. 150.405(a) or any extension of time granted by the ALJ pursuant to Sec. 150.405(b). (b) The request for hearing fails to meet the requirements of Sec. 150.407. (c) The entity that filed the request for hearing is not a respondent under Sec. 150.401. (d) The respondent has abandoned its request. (e) The respondent withdraws its request for hearing. Sec. 150.413 Settlement. HCFA has exclusive authority to settle any issue or any case, without the consent of the administrative law judge at any time before or after the administrative law judge's decision. [[Page 45804]] Sec. 150.415 Intervention. (a) The ALJ may grant the request of an entity, other than the respondent, to intervene if all of the following occur: (1) The entity has a significant interest relating to the subject matter of the case. (2) Disposition of the case will, as a practical matter, likely impair or impede the entity's ability to protect that interest. (3) The entity's interest is not adequately represented by the existing parties. (4) The intervention will not unduly delay or prejudice the adjudication of the rights of the existing parties. (b) A request for intervention must specify the grounds for intervention and the manner in which the entity seeks to participate in the proceedings. Any participation by an intervenor must be in the manner and by any deadline set by the ALJ. (c) The Department of Labor or the IRS may intervene without regard to paragraphs (a)(1) through (a)(3) of this section. Sec. 150.417 Issues to be heard and decided by ALJ. (a) The ALJ has the authority to hear and decide the following issues: (1) Whether a basis exists to assess a civil money penalty against the respondent. (2) Whether the amount of the assessed civil money penalty is reasonable. (b) In deciding whether the amount of a civil money penalty is reasonable, the ALJ-- (1) Applies the factors that are identified in Sec. 150.317. (2) May consider evidence of record relating to any factor that HCFA did not apply in making its initial determination, so long as that factor is identified in this subpart. (c) If the ALJ finds that a basis exists to assess a civil money penalty, the ALJ may sustain, reduce, or increase the penalty that HCFA assessed. Sec. 150.419 Forms of hearing. (a) All hearings before an ALJ are on the record. The ALJ may receive argument or testimony in writing, in person, or by telephone. The ALJ may receive testimony by telephone only if the ALJ determines that doing so is in the interest of justice and economy and that no party will be unduly prejudiced. The ALJ may require submission of a witness' direct testimony in writing only if the witness is available for cross-examination. (b) The ALJ may decide a case based solely on the written record where there is no disputed issue of material fact the resolution of which requires the receipt of oral testimony. Sec. 150.421 Appearance of counsel. Any attorney who is to appear on behalf of a party must promptly file, with the ALJ, a notice of appearance. Sec. 150.423 Communications with the ALJ. No party or person (except employees of the ALJ's office) may communicate in any way with the ALJ on any matter at issue in a case, unless on notice and opportunity for both parties to participate. This provision does not prohibit a party or person from inquiring about the status of a case or asking routine questions concerning administrative functions or procedures. Sec. 150.425 Motions. (a) Any request to the ALJ for an order or ruling must be by motion, stating the relief sought, the authority relied upon, and the facts alleged. All motions must be in writing, with a copy served on the opposing party, except in either of the following situations: (1) The motion is presented during an oral proceeding before an ALJ at which both parties have the opportunity to be present. (2) An extension of time is being requested by agreement of the parties or with waiver of objections by the opposing party. (b) Unless otherwise specified in this subpart, any response or opposition to a motion must be filed within 20 days of the party's receipt of the motion. The ALJ does not rule on a motion before the time for filing a response to the motion has expired except where the response is filed at an earlier date, where the opposing party consents to the motion being granted, or where the ALJ determines that the motion should be denied. Sec. 150.427 Form and service of submissions. (a) Every submission filed with the ALJ must be filed in triplicate, including one original of any signed documents, and include: (1) A caption on the first page, setting forth the title of the case, the docket number (if known), and a description of the submission (such as ``Motion for Discovery''). (2) The signatory's name, address, and telephone number. (3) A signed certificate of service, specifying each address to which a copy of the submission is sent, the date on which it is sent, and the method of service. (b) A party filing a submission with the ALJ must, at the time of filing, serve a copy of such submission on the opposing party. An intervenor filing a submission with the ALJ must, at the time of filing, serve a copy of the submission on all parties. Service must be made by mailing or hand delivering a copy of the submission to the opposing party. If a party is represented by an attorney, service must be made on the attorney. Sec. 150.429 Computation of time and extensions of time. (a) For purposes of this subpart, in computing any period of time, the time begins with the day following the act, event, or default and includes the last day of the period unless it is a Saturday, Sunday, or legal holiday observed by the Federal government, in which event it includes the next business day. When the period of time allowed is less than seven days, intermediate Saturdays, Sundays, and legal holidays observed by the Federal government are excluded from the computation. (b) The period of time for filing any responsive pleading or papers is determined by the date of receipt (as defined in Sec. 150.401) of the submission to which a response is being made. (c) The ALJ may grant extensions of the filing deadlines specified in these regulations or set by the ALJ for good cause shown (except that requests for extensions of time to file a request for hearing may be granted only on the grounds specified in section Sec. 150.405(b)). Sec. 150.431 Acknowledgment of request for hearing. After receipt of the request for hearing, the ALJ assigned to the case or someone acting on behalf of the ALJ will send a letter to the parties that acknowledges receipt of the request for hearing, identifies the docket number assigned to the case, provides instructions for filing submissions and other general information concerning procedures, and sets out the next steps in the case. Sec. 150.435 Discovery. (a) The parties must identify any need for discovery from the opposing party as soon as possible, but no later than the time for the reply specified in Sec. 150.437(c). Upon request of a party, the ALJ may stay proceedings for a reasonable period pending completion of discovery if the ALJ determines that a party would not be able to make the submissions required by Sec. 150.437 without discovery. The parties should attempt to resolve any discovery issues informally before seeking an order from the ALJ. (b) Discovery devices may include requests for production of documents, [[Page 45805]] requests for admission, interrogatories, depositions, and stipulations. The ALJ orders interrogatories or depositions only if these are the only means to develop the record adequately on an issue that the ALJ must resolve to decide the case. (c) Each discovery request must be responded to within 30 days of receipt, unless that period of time is extended for good cause by the ALJ. (d) A party to whom a discovery request is directed may object in writing for any of the following reasons: (1) Compliance with the request is unduly burdensome or expensive. (2) Compliance with the request will unduly delay the proceedings. (3) The request seeks information that is wholly outside of any matter in dispute. (4) The request seeks privileged information. Any party asserting a claim of privilege must sufficiently describe the information or document being withheld to show that the privilege applies. If an asserted privilege applies to only part of a document, a party withholding the entire document must state why the nonprivileged part is not segregable. (e) Any motion to compel discovery must be filed within 10 days after receipt of objections to the party's discovery request, within 10 days after the time for response to the discovery request has elapsed if no response is received, or within 10 days after receipt of an incomplete response to the discovery request. The motion must be reasonably specific as to the information or document sought and must state its relevance to the issues in the case. Sec. 150.437 Submission of briefs and proposed hearing exhibits. (a) Within 60 days of its receipt of the acknowledgment provided for in Sec. 150.431, the respondent must file the following with the ALJ: (1) A statement of its arguments concerning HCFA's notice of assessment (respondent's brief), including citations to the respondent's hearing exhibits provided in accordance with paragraph (a)(2) of this section. The brief may not address factual or legal bases for the assessment that the respondent did not identify as disputed in its request for hearing or in an amendment to that request permitted by the ALJ. (2) All documents (including any affidavits) supporting its arguments, tabbed and organized chronologically and accompanied by an indexed list identifying each document (respondent's proposed hearing exhibits). (3) A statement regarding whether there is a need for an in-person hearing and, if so, a list of proposed witnesses and a summary of their expected testimony that refers to any factual dispute to which the testimony will relate. (4) Any stipulations or admissions. (b) Within 30 days of its receipt of the respondent's submission required by paragraph (a) of this section, HCFA will file the following with the ALJ: (1) A statement responding to the respondent's brief, including the respondent's proposed hearing exhibits, if appropriate. The statement may include citations to HCFA's proposed hearing exhibits submitted in accordance with paragraph (b)(2) of this section. (2) Any documents supporting HCFA's response not already submitted as part of the respondent's proposed hearing exhibits, organized and indexed as indicated in paragraph (a)(2) of this section (HCFA's proposed hearing exhibits). (3) A statement regarding whether there is a need for an in-person hearing and, if so, a list of proposed witnesses and a summary of their expected testimony that refers to any factual dispute to which the testimony will relate. (4) Any admissions or stipulations. (c) Within 15 days of its receipt of HCFA's submission required by paragraph (b) of this section, the respondent may file with the ALJ a reply to HCFA's submission. Sec. 150.439 Effect of submission of proposed hearing exhibits. (a) Any proposed hearing exhibit submitted by a party in accordance with Sec. 150.437 is deemed part of the record unless the opposing party raises an objection to that exhibit and the ALJ rules to exclude it from the record. An objection must be raised either in writing prior to the prehearing conference provided for in Sec. 150.441 or at the prehearing conference. The ALJ may require a party to submit the original hearing exhibit on his or her own motion or in response to a challenge to the authenticity of a proposed hearing exhibit. (b) A party may introduce a proposed hearing exhibit following the times for submission specified in Sec. 150.437 only if the party establishes to the satisfaction of the ALJ that it could not have produced the exhibit earlier and that the opposing party will not be prejudiced. Sec. 150.441 Prehearing conferences. An ALJ may schedule one or more prehearing conferences (generally conducted by telephone) on the ALJ's own motion or at the request of either party for the purpose of any of the following: (a) Hearing argument on any outstanding discovery request. (b) Establishing a schedule for any supplements to the submissions required by Sec. 150.437 because of information obtained through discovery. (c) Hearing argument on a motion. (d) Discussing whether the parties can agree to submission of the case on a stipulated record. (e) Establishing a schedule for an in-person hearing, including setting deadlines for the submission of written direct testimony or for the written reports of experts. (f) Discussing whether the issues for a hearing can be simplified or narrowed. (g) Discussing potential settlement of the case. (h) Discussing any other procedural or substantive issues. Sec. 150.443 Standard of proof. (a) In all cases before an ALJ-- (1) HCFA has the burden of coming forward with evidence sufficient to establish a prima facie case; (2) The respondent has the burden of coming forward with evidence in response, once HCFA has established a prima facie case; and (3) HCFA has the burden of persuasion regarding facts material to the assessment; and (4) The respondent has the burden of persuasion regarding facts relating to an affirmative defense. (b) The preponderance of the evidence standard applies to all cases before the ALJ. Sec. 150.445 Evidence. (a) The ALJ will determine the admissibility of evidence. (b) Except as provided in this part, the ALJ will not be bound by the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate; for example, to exclude unreliable evidence. (c) The ALJ excludes irrelevant or immaterial evidence. (d) Although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or by considerations of undue delay or needless presentation of cumulative evidence. (e) Although relevant, evidence is excluded if it is privileged under Federal law. (f) Evidence concerning offers of compromise or settlement made in this [[Page 45806]] action will be inadmissible to the extent provided in the Federal Rules of Evidence. (g) Evidence of acts other than those at issue in the instant case is admissible in determining the amount of any civil money penalty if those acts are used under Secs. 150.317 and 150.323 of this part to consider the entity's prior record of compliance, or to show motive, opportunity, intent, knowledge, preparation, identity, or lack of mistake. This evidence is admissible regardless of whether the acts occurred during the statute of limitations period applicable to the acts that constitute the basis for liability in the case and regardless of whether HCFA's notice sent in accordance with Secs. 150.307 and 150.343 referred to them. (h) The ALJ will permit the parties to introduce rebuttal witnesses and evidence. (i) All documents and other evidence offered or taken for the record will be open to examination by all parties, unless the ALJ orders otherwise for good cause shown. (j) The ALJ may not consider evidence regarding the willingness and ability to enter into and successfully complete a corrective action plan when that evidence pertains to matters occurring after HCFA's notice under Sec. 150.307. Sec. 150.447 The record. (a) Any testimony that is taken in-person or by telephone is recorded and transcribed. The ALJ may order that other proceedings in a case, such as a prehearing conference or oral argument of a motion, be recorded and transcribed. (b) The transcript of any testimony, exhibits and other evidence that is admitted, and all pleadings and other documents that are filed in the case constitute the record for purposes of an ALJ decision. (c) For good cause, the ALJ may order appropriate redactions made to the record. Sec. 150.449 Cost of transcripts. Generally, each party is responsible for 50 percent of the transcript cost. Where there is an intervenor, the ALJ determines what percentage of the transcript cost is to be paid for by the intervenor. Sec. 150.451 Posthearing briefs. Each party is entitled to file proposed findings and conclusions, and supporting reasons, in a posthearing brief. The ALJ will establish the schedule by which such briefs must be filed. The ALJ may direct the parties to brief specific questions in a case and may impose page limits on posthearing briefs. Additionally, the ALJ may allow the parties to file posthearing reply briefs. Sec. 150.453 ALJ decision. The ALJ will issue an initial agency decision based only on the record and on applicable law; the decision will contain findings of fact and conclusions of law. The ALJ's decision is final and appealable after 30 days unless it is modified or vacated under Sec. 150.457. Sec. 150.455 Sanctions. (a) The ALJ may sanction a party or an attorney for failing to comply with an order or other directive or with a requirement of a regulation, for abandonment of a case, or for other actions that interfere with the speedy, orderly or fair conduct of the hearing. Any sanction that is imposed will relate reasonably to the severity and nature of the failure or action. (b) A sanction may include any of the following actions: (1) In the case of failure or refusal to provide or permit discovery, drawing negative fact inferences or treating such failure or refusal as an admission by deeming the matter, or certain facts, to be established. (2) Prohibiting a party from introducing certain evidence or otherwise advocating a particular claim or defense. (3) Striking pleadings, in whole or in part. (4) Staying the case. (5) Dismissing the case. (6) Entering a decision by default. (7) Refusing to consider any motion or other document that is not filed in a timely manner. (8) Taking other appropriate action. Sec. 150.457 Review by Administrator. (a) The Administrator of HCFA (which for purposes of this subsection may include his or her delegate), at his or her discretion, may review in whole or in part any initial agency decision issued under Sec. 150.453. (b) The Administrator may decide to review an initial agency decision if it appears from a preliminary review of the decision (or from a preliminary review of the record on which the initial agency decision was based, if available at the time) that: (1) The ALJ made an erroneous interpretation of law or regulation. (2) The initial agency decision is not supported by substantial evidence. (3) The ALJ has incorrectly assumed or denied jurisdiction or extended his or her authority to a degree not provided for by statute or regulation. (4) The ALJ decision requires clarification, amplification, or an alternative legal basis for the decision. (5) The ALJ decision otherwise requires modification, reversal, or remand. (c) Within 30 days of the date of the initial agency decision, the Administrator will mail a notice advising the respondent of any intent to review the decision in whole or in part. (d) Within 30 days of receipt of a notice that the Administrator intends to review an initial agency decision, the respondent may submit, in writing, to the Administrator any arguments in support of, or exceptions to, the initial agency decision. (e) This submission of the information indicated in paragraph (d) of this section must be limited to issues the Administrator has identified in his or her notice of intent to review, if the Administrator has given notice of an intent to review the initial agency decision only in part. A copy of this submission must be sent to the other party. (f) After receipt of any submissions made pursuant to paragraph (d) of this section and any additional submissions for which the Administrator may provide, the Administrator will affirm, reverse, modify, or remand the initial agency decision. The Administrator will mail a copy of his or her decision to the respondent. (g) The Administrator's decision will be based on the record on which the initial agency decision was based (as forwarded by the ALJ to the Administrator) and any materials submitted pursuant to paragraphs (b), (d), and (f) of this section. (h) The Administrator's decision may rely on decisions of any courts and other applicable law, whether or not cited in the initial agency decision. Sec. 150.459 Judicial review. (a) Filing of an action for review. Any responsible entity against whom a final order imposing a civil money penalty is entered may obtain review in the United States District Court for any district in which the entity is located or in the United States District Court for the District of Columbia by doing the following: (1) Filing a notice of appeal in that court within 30 days from the date of a final order. (2) Simultaneously sending a copy of the notice of appeal by registered mail to HCFA. (b) Certification of administrative record. HCFA promptly certifies and files with the court the record upon which the penalty was assessed. [[Page 45807]] (c) Standard of review. The findings of HCFA and the ALJ may not be set aside unless they are found to be unsupported by substantial evidence, as provided by 5 U.S.C. 706(2)(E). Sec. 150.461 Failure to pay assessment. If any entity fails to pay an assessment after it becomes a final order, or after the court has entered final judgment in favor of HCFA, HCFA refers the matter to the Attorney General, who brings an action against the entity in the appropriate United States district court to recover the amount assessed. Sec. 150.463 Final order not subject to review. In an action brought under Sec. 150.461, the validity and appropriateness of the final order described in Sec. 150.459 is not subject to review. Sec. 150.465 Collection and use of penalty funds. (a) Any funds collected under Sec. 150.461 are paid to HCFA. (b) The funds are available without appropriation until expended. (c) The funds may be used only for the purpose of enforcing the HIPAA requirements for which the penalty was assessed. Dated: April 16, 1999. Nancy-Ann Min DeParle, Administrator, Health Care Financing Administration. Dated May 25, 1999. Donna E. Shalala, Secretary. [FR Doc. 99-21662 Filed 8-19-99; 8:45 am] BILLING CODE 4120-01-P