[Federal Register Volume 70, Number 73 (Monday, April 18, 2005)]
[Proposed Rules]
[Pages 20224-20258]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-7512]



-----------------------------------------------------------------------

Part III





Department of Health and Human Services





-----------------------------------------------------------------------



Office of the Secretary



-----------------------------------------------------------------------



45 CFR Parts 160 and 164



HIPAA Administrative Simplification; Enforcement; Proposed Rule


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB29


HIPAA Administrative Simplification; Enforcement

AGENCY: Office of the Secretary, HHS.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Health and Human Services is proposing rules 
for the imposition of civil money penalties on entities that violate 
rules adopted by the Secretary to implement the Administrative 
Simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996, Pub. L. 104-191 (HIPAA). The proposed rule 
would amend the existing rules relating to the investigation of 
noncompliance to make them apply to all of the HIPAA Administrative 
Simplification rules, rather than exclusively to the privacy standards. 
It would also amend the existing rules relating to the process for 
imposition of civil money penalties. Among other matters, the proposed 
rules would clarify and elaborate upon the investigation process, bases 
for liability, determination of the penalty amount, grounds for waiver, 
conduct of the hearing, and the appeal process.

DATES: Comments on the proposed rule will be considered if we receive 
them at the appropriate address, as provided below, no later than June 
17, 2005.

ADDRESSES: You may submit comments by any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Include agency name and ``RIN: 0991-AB29.''
     E-mail: [email protected]. Include ``RIN: 0991-
AB29'' in the subject line of the message.
     Mail: U.S. Department of Health and Human Services, Office 
of General Counsel, Attention: HIPAA Enforcement Rule, 330 Independence 
Ave., SW., Washington, DC 20201.
     Hand Delivery/Courier: Attention: HIPAA Enforcement Rule, 
Hubert H. Humphrey Building, 200 Independence Avenue, SW., Washington, 
DC 20201.
    Instructions: Because of staff and resource limitations, we cannot 
accept comments by facsimile (FAX) transmission. For detailed 
instructions on submitting comments and additional information on the 
rulemaking process, see the ``Public Participation'' heading of the 
SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Carol Conrad, (202) 690-1840.

SUPPLEMENTARY INFORMATION:

I. Public Participation

    We welcome comments from the public on all issues set forth in this 
rule to assist us in fully considering issues and developing policies. 
You can assist us by referencing the RIN number (RIN: 0991-AB29) and by 
preceding your discussion of any particular provision with a citation 
to the section of the proposed rule being discussed.

A. Inspection of Public Comments

    Comments received timely will be available for public inspection as 
they are received, generally beginning approximately 6 weeks after 
publication of this document, at the mail address provided above, 
Monday through Friday of each week from 8:30 a.m. to 4 p.m. To schedule 
an appointment to view public comments, call Karen Shaw, (202) 205-
0154.

B. Electronic Comments

    We will consider all electronic comments that include the full 
name, postal address, and affiliation (if applicable) of the sender and 
are submitted to either of the electronic addresses identified in the 
ADDRESSES section of this preamble. All comments must be incorporated 
in the e-mail message, because we may not be able to access 
attachments. Copies of electronically submitted comments will be 
available for public inspection as soon as practicable at the address 
provided, and subject to the process described, in the preceding 
paragraph.

C. Mailed Comments and Hand Delivered/Couriered Comments

    Mailed comments may be subject to delivery delays due to security 
procedures. Please allow sufficient time for mailed comments to be 
timely received in the event of delivery delays. Comments mailed to the 
address indicated for hand or courier delivery may be delayed and could 
be considered late.

D. Copies

    To order copies of the Federal Register containing this document, 
send your request to: New Orders, Superintendent of Documents, P.O. Box 
371954, Pittsburgh, PA 15250-7954. Specify the date of the issue 
requested and enclose a check or money order payable to the 
Superintendent of Documents, or enclose your Visa or Master Card number 
and expiration date. Credit card orders can also be placed by calling 
the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by 
faxing to (202) 512-2250. The cost for each copy is $10. As an 
alternative, you may view and photocopy the Federal Register document 
at most libraries designated as Federal Depository Libraries and at 
many other public and academic libraries throughout the country that 
receive the Federal Register.

E. Electronic Access

    This Federal Register document is available from the Federal 
Register online database through GPO Access, a service of the U.S. 
Government Printing Office. The web site address is: http://www.gpoaccess.gov/nara/index.html. This document is available 
electronically at the following web sites of the Department of Health 
and Human Services (HHS): http://www.hhs.gov/ocr/hipaa/ and http://www.cms.gov/hipaa/hipaa2.

F. Response to Comments

    Because of the large number of public comments we normally receive 
on Federal Register documents, we are not able to acknowledge or 
respond to them individually. We will consider all comments we receive 
in accordance with the methods described above and by the date 
specified in the DATES section of this preamble. When we proceed with a 
final rule, we will respond to comments in the preamble to that rule.

II. Background

    HHS proposes to amend or renumber existing rules that relate to 
compliance with, and enforcement of, the Administrative Simplification 
regulations (HIPAA rules) adopted by the Secretary of Health and Human 
Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA 
provisions). These rules are codified at 45 CFR part 160, subparts C 
and E. In addition, this proposed rule would add a new subpart D to 
part 160. The new subpart D would contain additional rules relating to 
the imposition by the Secretary of civil money penalties on covered 
entities that violate the HIPAA rules. The full set of rules that will 
ultimately be codified at subparts C, D, and E of 45 CFR part 160 is 
collectively referred to in this proposed rule as the ``Enforcement 
Rule.'' Finally, HHS proposes conforming changes to subpart A of part 
160 and subpart E of part 164.
    The statutory and regulatory background of the proposed rule is set 
out below. A description of HHS's approach to enforcement of the HIPAA 
provisions and the HIPAA rules in general, the approach of this 
proposed
rule in particular, and each section of the proposed rule follows. The 
preamble concludes with HHS's analyses of impact and other issues under 
applicable law.

A. Statutory Background

    Subtitle F of Title II of HIPAA, entitled ``Administrative 
Simplification,'' requires the Secretary to adopt national standards 
for certain information-related activities of the health care industry. 
The purpose of subtitle F is to improve the Medicare program under 
title XVIII of the Social Security Act (Act), the Medicaid program 
under title XIX of the Act, and the efficiency and effectiveness of the 
health care system, by mandating the development of standards and 
requirements to enable the electronic exchange of certain health 
information. Section 262 of subtitle F added a new Part C to Title XI 
of the Act. Part C (sections 1171-1179 of the Act, 42 U.S.C. 1320d-
1320d-8) requires the Secretary to adopt national standards for certain 
financial and administrative transactions and various data elements to 
be used in those transactions, such as code sets and certain unique 
health identifiers. Recognizing that the industry trend toward 
computerizing health information, which HIPAA encourages, may increase 
the accessibility of that information, sections 262 and 264 of HIPAA 
also require the Secretary to adopt national standards to protect the 
security and privacy of the information.
    Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA 
provisions apply only to--

    The following persons:
    (1) A health plan.
    (2) A health care clearinghouse.
    (3) A health care provider who transmits any health information 
in electronic form in connection with a transaction referred to in 
section 1173(a)(1).

These entities are collectively known as ``covered entities.'' An 
additional category of covered entities was added by the Medicare 
Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 
108-173) (MMA). As added by MMA, section 1860D-31(h)(6)(A) of the Act, 
42 U.S.C. 1395w-141(h)(6)(A), provides that:

a prescription drug card sponsor is a covered entity for purposes of 
applying part C of title XI and all regulatory provisions 
promulgated thereunder, including regulations (relating to privacy) 
adopted pursuant to the authority of the Secretary under section 
264(c) of the Health Insurance Portability and Accountability Act of 
1996 (42 U.S.C. 1320d-2 note).

    HIPAA requires certain consultations with industry as a predicate 
to the issuance of the HIPAA standards and provides that most covered 
entities have up to 2 years (small health plans have up to 3 years) to 
come into compliance with the standards, once adopted. The statute 
establishes civil money penalties and criminal penalties for 
violations. Act, sections 1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42 
U.S.C. 1320d-4(b)), 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 1320d-6). 
HHS enforces the civil money penalties, while the U.S. Department of 
Justice enforces the criminal penalties.
    HIPAA's civil money penalty provision, section 1176(a) of the Act, 
42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money 
penalty, as follows:

    (1) IN GENERAL. Except as provided in subsection (b), the 
Secretary shall impose on any person who violates a provision of 
this part [42 U.S.C. Sec.  1320d et seq.] a penalty of not more than 
$100 for each such violation, except that the total amount imposed 
on the person for all violations of an identical requirement or 
prohibition during a calendar year may not exceed $25,000.
    (2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 
1320a-7a] (other than subsections (a) and (b) and the second 
sentence of subsection (f)) shall apply to the imposition of a civil 
money penalty under this subsection in the same manner as such 
provisions apply to the imposition of a penalty under such section 
1128A.

For simplicity, we refer throughout this preamble to this provision, 
the related provisions at section 1128A of the Act, and other related 
provisions of the Act, by their Social Security Act citations, rather 
than by their U.S. Code citations.
    Subsection (b) of section 1176 sets out limitations on the 
Secretary's authority to impose civil money penalties and also provides 
authority for waiving such penalties. Under section 1176(b)(1), a civil 
money penalty may not be imposed with respect to an act that 
``constitutes an offense punishable'' under the criminal penalty 
provision. Under section 1176(b)(2), a civil money penalty may not be 
imposed ``if it is established to the satisfaction of the Secretary 
that the person liable for the penalty did not know, and by exercising 
reasonable diligence would not have known, that such person violated 
the provision.'' Under section 1176(b)(3), a civil money penalty may 
not be imposed if the failure to comply was due ``to reasonable cause 
and not to willful neglect'' and is corrected within a certain time. 
Finally, under section 1176(b)(4), a civil money penalty may be reduced 
or entirely waived ``to the extent that the payment of such penalty 
would be excessive relative to the compliance failure involved.''
    As noted above, HIPAA incorporates by reference certain provisions 
of section 1128A of the Act. Those provisions, as relevant here, 
establish a number of requirements with respect to the imposition of 
civil money penalties. Under section 1128A(c)(1), the Secretary may not 
initiate a civil money penalty action ``later than six years after the 
date'' of the occurrence that forms the basis for the civil money 
penalty. Under section 1128A(c)(2), a person upon whom the Secretary 
seeks to impose a civil money penalty must be given written notice and 
an opportunity for a determination to be made ``on the record after a 
hearing at which the person is entitled to be represented by counsel, 
to present witnesses, and to cross-examine witnesses against the 
person.'' Section 1128A also provides, at subsections (c), (e), and 
(j), respectively, requirements for: service of the notice and 
authority for sanctions which the hearing officer may impose for 
misconduct in connection with the civil money penalty proceeding; 
judicial review of the Secretary's determination in the United States 
Court of Appeals for the circuit in which the person resides or 
maintains his/its principal place of business; and the issuance of 
subpoenas by the Secretary and the enforcement of those subpoenas. In 
addition, section 1128A of the Act contains provisions relating to 
liability for civil money penalties and how they are dealt with, once 
imposed. For example, section 1128A(d) provides that the Secretary must 
take into account certain factors ``in determining the amount * * * of 
any penalty,'' section 1128A(h) requires certain notifications once a 
civil money penalty is imposed, and section 1128A(l) makes a principal 
liable for penalties ``for the actions of the principal's agent acting 
within the scope of the agency.'' These provisions are discussed more 
fully below.

B. Regulatory Background

    As noted above, HIPAA requires the Secretary to adopt a number of 
national standards to facilitate the exchange, and protect the privacy 
and security, of certain health information. The Secretary has already 
adopted many of these HIPAA standards by regulation.
     Regulations implementing the statutory requirement for the 
adoption of standards for transactions and code sets, Health Insurance 
Reform: Standards for Electronic Transactions (Transactions Rule), were 
published on August 17, 2000 (65 FR 50312), and were modified on 
February 20, 2003 (68 FR 8381). The Transactions Rule
became effective on October 16, 2000, with an initial compliance date 
of October 16, 2002 for covered entities other than small health plans. 
The passage of the Administrative Simplification Compliance Act (ASCA), 
Pub. L. 107-105, in 2001 enabled covered entities to obtain an 
extension of the compliance date to October 16, 2003 by filing a 
compliance plan by October 15, 2002. If a covered entity (other than a 
small health plan) did not file such a plan, it was required to comply 
with the Transactions Rule by October 16, 2002. All covered entities 
were required to be in compliance with the Transactions Rule, as 
modified, by October 16, 2003.
     Regulations implementing the statutory requirement for the 
adoption of privacy standards, Standards for Privacy of Individually 
Identifiable Health Information (Privacy Rule), were published on 
December 28, 2000 (65 FR 82462). The Privacy Rule became effective on 
April 14, 2001. Modifications to simplify and increase the workability 
of the Privacy Rule were published on August 14, 2002 (67 FR 53182). 
Compliance with the Privacy Rule, as modified, was required by April 
14, 2003 for covered entities other than small health plans; small 
health plans were required to come into compliance by April 14, 2004.
    The Privacy Rule adopted rules relating to compliance and 
enforcement. These rules are codified at 45 CFR part 160, subpart C. 
Subpart C presently applies only to compliance with, and enforcement 
of, the Privacy Rule.
     Regulations implementing the statutory requirement for the 
adoption of an employer identifier standard, Health Insurance Reform: 
Standard Unique Employer Identifier (EIN Rule), were published on May 
31, 2002 (67 FR 38009) and became effective on July 30, 2002. The 
initial compliance date was July 30, 2004 for most covered entities; 
small health plans have until July 30, 2005 to come into compliance. 
These regulations were modified on January 23, 2004 (69 FR 3434), 
effective the same date.
     Regulations implementing the statutory requirement for the 
adoption of security standards, Health Insurance Reform: Security 
Standards, were published on February 20, 2003 (68 FR 8334), effective 
on April 21, 2003. The initial compliance date for covered entities 
other than small health plans is April 20, 2005; small health plans 
have until April 20, 2006 to come into compliance.
     An interim final rule promulgating procedural requirements 
for imposition of civil money penalties, Civil Money Penalties: 
Procedures for Investigations, Imposition of Penalties, and Hearings 
(April 17, 2003 interim final rule), was published on April 17, 2003 
(68 FR 18895), and was effective on May 19, 2003, with a sunset date of 
September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The 
April 17, 2003 interim final rule adopted a new subpart E of part 160. 
The sunset date of the April 17, 2003 interim final rule was extended 
to September 16, 2005 on September 15, 2004 (69 FR 55515).
     Regulations implementing the requirement to issue 
standards for a unique identifier for health care providers, HIPAA 
Administrative Simplification: Standard Unique Health Identifier for 
Health Care Providers (NPI Rule), were issued on January 23, 2004 (69 
FR 3434), effective on May 23, 2005. The compliance date is May 23, 
2007 for most covered entities; small health plans have until May 23, 
2008 to come into compliance.
    In addition to the foregoing regulations implementing the HIPAA 
provisions, HHS has adopted two other regulations that are relevant, 
for some covered entities, to compliance with those provisions.
     Section 3 of the ASCA amended section 1862 of the Act to 
require Medicare providers, with certain exceptions, to submit claims 
to Medicare electronically (and, thus, in conformity with the 
Transactions Rule) by October 16, 2003. Regulations implementing 
section 3, Medicare Program: Electronic Submission of Medicare Claims, 
were published on August 15, 2003 (68 FR 48805), effective on October 
16, 2003.
     Regulations implementing the Medicare Prescription Drug 
Discount Card program under MMA and the statutory provision that 
Medicare prescription drug discount card sponsors are covered entities 
under HIPAA, were issued on December 15, 2003 (68 FR 69840), effective 
the same date. These rules require such sponsors to comply with the 
HIPAA rules when they become sponsors, except and to the extent that 
the Secretary temporarily waives the Privacy Rule requirements, and 
provide some rules regarding how these entities are to comply with the 
HIPAA rules. The Secretary has indicated that he does not anticipate 
that it will be necessary to waive the Privacy Rule requirements and 
has not done so. 68 FR 69871.

III. General Approach

    As the discussion above makes clear, the duty to comply with 
certain HIPAA rules is now a reality for all covered entities. The 
immediacy of the compliance obligation brings with it the issue of how 
these rules will be enforced. Accordingly, we discuss below our general 
approach to enforcement, how the rules proposed below would fit in with 
the existing components of the Enforcement Rule, and the basic approach 
of the proposed rule.

A. HHS's General Approach to Enforcement

    One of the Secretary's priorities is ``One HHS'': HHS's public 
health and welfare mission and message must be consistent, and HHS 
should speak with one voice. Because of the Secretary's One HHS policy 
and because there is one statutory provision for imposing civil money 
penalties on covered entities that violate the HIPAA rules, there is 
one enforcement and compliance policy for the HIPAA rules. We are 
committed to promoting and encouraging voluntary compliance with the 
HIPAA rules through education, cooperation, and technical assistance.
    Many educational and technical assistance materials on HIPAA, 
including the HIPAA rules, are already available on HHS's Web sites. 
See http://www.hhs.gov/ocr/hipaa for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2 for the other HIPAA rules. We continue to work 
on educational and technical assistance materials, including additional 
guidance on compliance and enforcement and targeted technical 
assistance materials focused on particular segments of the health care 
industry. We anticipate developing additional materials relevant to new 
HIPAA rules as the need arises.
    The authority for administering and enforcing compliance with the 
Privacy Rule has been delegated to the HHS Office for Civil Rights 
(OCR). 65 FR 82381 (December 28, 2000). The authority for administering 
and enforcing compliance with the non-privacy HIPAA rules has been 
delegated to the Centers for Medicare & Medicaid Services (CMS). 68 FR 
60694 (October 23, 2003).
    At present, our compliance and enforcement activities are primarily 
complaint-based. Although our enforcement efforts are focused on 
investigating complaints, they may also include conducting compliance 
reviews to determine if a covered entity is in compliance. When 
potential violations come to our attention through a complaint or a 
compliance review, OCR or CMS's Office of HIPAA Standards (OHS), as 
appropriate, attempts to resolve the matter informally. Many such 
matters are resolved at the initial stage of contact. However, even 
where a
matter is not resolved at this initial stage and the investigation 
continues, the matter can still be resolved through voluntary 
compliance (for example, by means of a corrective action plan); and OCR 
or CMS may provide technical assistance to help the covered entity 
achieve compliance. Resolving issues through such informal means is 
often the quickest and most effective means of ensuring that the 
benefits of the HIPAA rules are realized. However, if we are unable to 
obtain compliance effectively on matters within our jurisdiction 
through voluntary means, we may seek to impose civil money penalties. 
Moreover, matters subject to criminal penalties are referred to the 
Department of Justice.

B. HHS's Approach to the Enforcement Rule

    The Enforcement Rule would bring together and adopt rules governing 
the implementation of the civil money penalty authority of section 1176 
of the Act for all of the HIPAA rules. As previously noted, parts of 
the Enforcement Rule are already in place: subpart C of part 160 
establishes certain investigative procedures for the Privacy Rule, and 
subpart E establishes interim procedures for investigations and for the 
imposition of, and challenges to the imposition of, civil money 
penalties for all of the HIPAA rules. This proposed rule would complete 
the Enforcement Rule by addressing, among other issues, our policies 
for determining violations and calculating civil money penalties, how 
we will address the statutory limitations on the imposition of civil 
money penalties, and various procedural issues, such as provisions for 
appellate review within HHS of a hearing decision, burden of proof, and 
notification of other agencies of the imposition of a civil money 
penalty.
    In developing these regulations, several principles guided our 
choice of policies from among the available options. The Enforcement 
Rule should promote voluntary compliance with the HIPAA rules, be clear 
and easy to understand, provide consistent results in the interest of 
fairness, provide the Secretary with reasonable discretion, 
particularly in areas where the exercise of judgment is called for by 
the statute or rules, and avoid being overly prescriptive in areas 
where it would be helpful to gain experience with the practical impact 
of the HIPAA rules, to avoid unintended adverse effects.
    With respect to many of the Enforcement Rule's provisions, we were 
also mindful that section 1176(a) requires the Secretary to apply the 
incorporated provisions of section 1128A to the imposition of a civil 
money penalty under section 1176 ``in the same manner as'' they apply 
to the imposition of civil money penalties under section 1128A itself. 
As we explained in the preamble to the April 17, 2003 interim final 
rule, the imposition of civil money penalties under section 1128A is 
administered by the HHS Office of the Inspector General (OIG). 
Accordingly, the rules proposed below, like those in the current 
Subpart E, generally look to the regulations of the OIG that implement 
section 1128A, which are codified at 42 CFR parts 1003, 1005, and 1006 
(OIG regulations).
    The Enforcement Rule does not adopt standards, as that term is 
defined and interpreted under HIPAA. Thus, the requirement for industry 
consultations in section 1172(c) of the Act does not apply. For the 
same reason, HIPAA's time frames for compliance, set forth in section 
1175 of the Act, will not apply to the Enforcement Rule, when adopted 
in final form.

IV. Provisions of the Proposed Rule

    The proposed rule would revise 45 CFR part 160 as follows: it would 
revise the existing subpart C, adopt a new subpart D, and revise the 
existing subpart E; a minor amendment of subpart A is also proposed. 
Subpart A, which contains general provisions, would be amended to 
include a definition of ``person.'' Subpart C includes all provisions 
that relate to activities for determining compliance, including 
investigations and cooperation by covered entities. The proposed 
revisions of subpart C are largely technical, incorporating several 
provisions currently found in subpart E. We also propose to make 
subpart C applicable to the non-privacy HIPAA rules. The new subpart D 
would establish rules relating to the imposition of civil money 
penalties, including those which apply whether or not there is a 
hearing. Subpart D would also incorporate several provisions currently 
found in subpart E. Proposed subpart E would address the pre-hearing 
and hearing phases of the enforcement process. Many of the provisions 
of proposed subpart E were adopted by the April 17, 2003 interim final 
rule and would not be substantively changed, although they would, in 
general, be renumbered.
    Finally, a conforming change to the privacy standards in subpart E 
of part 164 is proposed. This conforming change is discussed in 
connection with proposed Sec.  160.316 at section IV.B.5 below.

A. Subpart A

    We propose to amend Sec.  160.103 to add a definition of the term 
``person.'' This would replace the definition of that term adopted by 
the April 17, 2003 interim final rule. We propose to place this 
definition in Sec.  160.103 so that it applies to all of the HIPAA 
rules. The term ``person'' appears throughout the HIPAA rules, and the 
definition of the term we propose is a universal one that should work 
in each of the contexts in which the term ``person'' occurs. If the 
proposed placement would create problems, commenters should bring that 
to our attention.
    In Sec.  160.502 of the April 17, 2003 interim final rule, we 
defined a ``person'' as ``a natural or legal person'' to clarify, in 
the context of administrative subpoenas, the distinction between an 
entity (defined as a ``legal person'') and natural persons who would 
testify on the entity's behalf. The proposed rule would revise and 
expand this definition.
    The statutory definition of a ``person'' that would otherwise apply 
to the HIPAA provisions is found in section 1101(3) of the Act. That 
section, which has been in the Act since it was originally enacted in 
1935, defines a person as ``an individual, a trust or estate, a 
partnership, or a corporation.'' However, Part C of title XI specifies 
that the class of ``persons'' to whom the HIPAA standards apply--health 
plans, certain health care providers, and health care clearinghouses--
includes certain State and federal programs, which are not included in 
the definition of ``person'' in section 1101(3). For example, section 
1171(2) defines a health care clearinghouse as a ``public or private'' 
entity. Under section 1171(3), a ``health care provider'' is defined to 
include a provider of services as defined in section 1861(u), for 
purposes of the Medicare program. The definition includes hospitals, 
which in turn include State or local government-owned hospitals. 
Finally, the definition of ``health plan'' in section 1171(5) includes 
State and federal health plans: section 1171(5)(A) includes a group 
health plan ``as defined in section 2791(a) of the Public Health 
Service Act,'' and this definition includes State and local 
governmental group health plans; section 1171(5)(E) includes ``the 
medicaid program under title XIX,'' which is a State program; and other 
provisions of section 1171(5) explicitly include as health plans 
various federal health plans, such as Medicare, the Federal Employee 
Benefit Health Plan, CHAMPUS, and the program of benefits for veterans. 
Section 1176, by its terms,
applies to ``any person who violates a provision of this part.'' 
Nothing in this language suggests that Congress intended to exempt any 
class of covered entities from liability for a civil money penalty 
under this section.
    Thus, to effectuate Congress's purpose in enacting the HIPAA 
provisions, it is necessary to define ``person'' sufficiently broadly 
to encompass the entities to which the HIPAA rules apply. The Supreme 
Court has recognized that this is a valid approach in appropriate 
instances. See, e.g., Lawson v. Suwanee S.S. Co., 336 U.S. 198 (1949). 
This proposed approach is also consistent with that taken by the OIG 
regulations, the preamble to which explained that it was necessary to 
expand the definition of ``person'' in the context of section 1128A of 
the Act to include States because of clear Congressional intent to 
include them in the class of entities subject to civil money penalties. 
48 FR 38837, 38828 (August 26, 1983).
    Accordingly, the proposed rule generally tracks the definition of 
``person'' in the OIG regulations. In particular, by defining the term 
as ``a natural person, trust or estate, partnership, corporation, 
professional association or corporation, or other entity, public or 
private,'' the proposed rule clarifies, consistent with the HIPAA 
provisions, that the term includes States and other public entities. 
However, we propose to adapt the language used in the OIG regulations 
by substituting the term ``natural person'' for the term ``individual'' 
in the definition of ``person'' in the OIG regulations. The term 
``individual'' is defined in Sec.  160.103 as ``the person who is the 
subject of protected health information.'' Since the term 
``individual'' has a defined, and narrower, meaning in the HIPAA rules 
than it does in the OIG regulations, the proposed rule uses the term 
``natural person'' to make the definition of ``person'' have the same 
scope as in the OIG regulations.

B. Subpart C--Compliance and Investigations

    We propose to amend subpart C to make the compliance and 
investigation provisions of the subpart--which at present apply only to 
the Privacy Rule--applicable to all of the HIPAA rules. In addition, we 
propose to include in subpart C the definitions that apply to subparts 
C, D, and E. In accordance with the organizational scheme described 
above, we also propose to move to subpart C from subpart E the 
provision relating to investigational subpoenas, which is currently 
codified at Sec.  160.504. The title of this subpart has also been 
changed (from ``Compliance and Enforcement'') to reflect the focus of 
this subpart within the larger Enforcement Rule. Finally, we propose to 
add to subpart C provisions prohibiting intimidation or retaliation 
that are currently found in the Privacy Rule but not in the other HIPAA 
rules. Aside from making conforming changes to Sec.  160.312, discussed 
at section IV.B.3 below, we propose to leave the substance of the 
existing provisions of subpart C unchanged. We solicit comment as to 
whether these provisions should be revised and, if so, in what manner.
1. Application of Subpart C to the Non-Privacy HIPAA Rules
    Subpart C is intended to provide a cooperative approach to 
obtaining compliance, including use of technical assistance and 
informal means to resolve disputes, and currently provides as follows. 
Section 160.304 provides that the Secretary will, to the extent 
practicable, seek the cooperation of covered entities in obtaining 
compliance and may provide technical assistance to this end. Section 
160.306 provides for the investigation of complaints by the Secretary 
and provides requirements relating to the filing of such complaints. 
Section 160.308 provides for the conduct of compliance reviews by the 
Secretary. Section 160.310 requires covered entities to keep and submit 
such records as the Secretary determines are necessary to determine 
compliance and cooperate with the Secretary in an investigation or 
compliance review. A covered entity must provide access during normal 
business hours to its books and records pertinent to ascertaining 
compliance; while we think such circumstances are very unlikely ever to 
arise, a covered entity is also required, where exigent circumstances 
exist, to permit such access at any time and without notice. This 
section also provides that the Secretary may disclose protected health 
information obtained in the course of an investigation or compliance 
review only if necessary for ascertaining or enforcing compliance with 
the applicable requirements of the Privacy Rule or if otherwise 
required by law. Section 160.312 addresses Secretarial action regarding 
complaints and compliance reviews. It provides that where noncompliance 
is indicated, the Secretary will attempt to resolve the matter by 
informal means wherever possible and provides for certain notifications 
to the covered entity (and the complainant, if the matter arose from a 
complaint).
    At present, subpart C applies only to the Privacy Rule. However, to 
simplify, clarify, and reduce the burden of the compliance process for 
covered entities, the proposed rule would make this subpart applicable 
to the other HIPAA rules as well. A uniform regulatory scheme would 
simplify the compliance and enforcement process in the event that a 
covered entity violates provisions of more than one HIPAA rule (for 
example, where violations of both the Privacy Rule and the Security 
Rule are at issue) and is also consistent with the Secretary's ``One 
HHS'' policy.
    Accordingly, we propose to amend the following sections of subpart 
C to make them applicable to all of the HIPAA rules: Sec.  160.300--
Applicability; Sec.  160.304--Principles for achieving compliance; 
Sec.  160.306--Complaints to the Secretary; Sec.  160.308--Compliance 
reviews; and Sec.  160.310--Responsibilities of covered entities. This 
would be accomplished by changing the present references in these 
sections from ``subpart E of part 164'' to the more inclusive, defined 
term, ``administrative simplification provision'' or ``administrative 
simplification provisions,'' as appropriate.
2. Section 160.302--Definitions
    Section 160.302 presently states that the terms used in subpart C 
that are defined in Sec.  164.501 have the same meaning as defined in 
that section. The terms that were initially defined in Sec.  164.501 
that would continue to be used in this subpart (``individual,'' 
``disclose,'' ``protected health information,'' ``use'') have 
subsequently been moved to Sec.  160.103. The term ``payment'' is used 
in this subpart, but not as defined in Sec.  164.501. Thus, we propose 
to delete this text, as it is no longer appropriate.
    We propose to move to Sec.  160.302 three definitions that were 
adopted in the April 17, 2003 interim final rule at Sec.  160.502: 
``ALJ'', ``civil money penalty or penalty'', and ``respondent.'' These 
terms are placed at the outset of the provisions that address 
compliance and enforcement for clarity, since they are used in more 
than one of the subparts that address compliance and enforcement. We do 
not discuss these terms, as we do not propose to change them. We 
discuss below two new terms which we propose to add to Sec.  160.302 
and which are likewise used throughout subparts C, D, and E: 
``administrative simplification provision'' and ``violation or 
violate.''

[[Page 20229]]

a. ``Administrative Simplification Provision''
    Section 1176(a)(1) provides that, except as provided in section 
1176(b), the Secretary shall impose ``on any person who violates a 
provision of this part a penalty of not more than $100 for each such 
violation, except that the total amount imposed on the person for all 
violations of an identical requirement or prohibition during a calendar 
year may not exceed $25,000.'' (Emphasis added.) Based on this 
statutory language, and also taking into account the structures of each 
of the HIPAA rules, HHS considered a number of different options for 
defining the term ``provision of this part'' in section 1176(a)(1) as 
it applies to the HIPAA rules.
    The HIPAA rules generally are comprised of standards, 
implementation specifications, and requirements and prohibitions. 
However, the structure and composition of the HIPAA rules with respect 
to these elements vary. The Privacy Rule is generally comprised of 
standards that contain implementation specifications and other 
requirements or prohibitions. The identifier rules (the EIN Rule and 
the NPI Rule) contain standards and implementation specifications, and 
all requirements that apply to covered entities are in a standard or an 
implementation specification. In the Security Rule, most requirements 
are in standards or their related implementation specifications, but 
some requirements are freestanding. The Transactions Rule contains 
requirements and prohibitions, not all of which are contained in 
standards and implementation specifications, and adopts standards that 
are also implementation specifications. The provisions of subpart C of 
part 160 that apply to covered entities are framed as requirements. The 
HIPAA rules are silent as to which of these elements is a ``provision 
of this part'' that may be violated and for which civil money penalties 
may be assessed.
    We propose to define a new term--``administrative simplification 
provision''--to express the scope and application of the compliance and 
investigation provisions, as well as the enforcement and penalty 
provisions. This proposed provision interprets ``provision of this 
part'' in section 1176 to refer to any requirement or prohibition 
established by the statute or any of the HIPAA rules that are adopted 
under the statute.
    In determining how to define a ``provision of this part'' that 
could be violated, we considered options in light of our goal of 
implementing a unified approach with respect to all of the HIPAA rules. 
Given the variation in structure of the HIPAA rules, we sought an 
approach which would be flexible enough to apply to all the rules but 
which would not be too complex. Accordingly, we decided against an 
approach that would define the ``provision of this part'' that could be 
violated as either any ``standard,'' or any ``implementation 
specification,'' or both. These approaches would not have captured 
stand-alone requirements or prohibitions--i.e., those requirements and 
prohibitions in the HIPAA rules that fall outside of the structure of a 
standard or implementation specification. For example, in the 
Transactions Rule, the prohibition on a health plan delaying or 
rejecting a transaction that is a standard transaction (Sec.  
162.925(a)(2)), which implements the statutory prohibition at section 
1175(a)(1)(B), is a stand-alone requirement. It would be anomalous to 
create an enforcement scheme that, in effect, insulated this provision 
from enforcement. These options would also have resulted in complexity 
and inconsistency in the application of the Enforcement Rule to each of 
the HIPAA rules, given their varied structures with respect to 
standards and implementation specifications.
    Instead, we propose to define a ``provision of this part'' that can 
be violated as any ``requirement or prohibition'' found within the 
rules, regardless of whether the requirement or prohibition falls 
within a standard, implementation specification, or elsewhere in the 
rules. This definition flows directly from the statutory language in 
section 1176(a)(1) of the Act, which refers to ``violations of an 
identical requirement or prohibition.'' It is also a definition that 
can be applied consistently across the HIPAA rules, regardless of how 
they are structured or titled. Accordingly, we propose to define the 
term ``administrative simplification provision'' in Sec.  160.302 to 
mean any requirement or prohibition established by the HIPAA provisions 
or HIPAA rules: ``* * * any requirement or prohibition established by: 
(1) 42 U.S.C. 1320d-1320d-4, 1320d-7, and 1320d-8; (2) Section 264 of 
Pub. L. 104-191; or (3) This subchapter.'' This definition would 
include those provisions in subpart C which apply to covered entities.
b. ``Violation'' or ``Violate''
    Building on this proposed definition of ``administrative 
simplification provision,'' we propose to define a ``violation'' (or 
``to violate'') to mean a ``failure to comply with an administrative 
simplification provision.'' Like the proposed definition of 
``administrative simplification provision,'' the proposed definition of 
``violation'' flows directly from the statutory language: subsections 
(b)(3) and (b)(4) of section 1176 equate a ``violation'' with a 
``failure to comply.'' The proposed definition is likewise one that can 
be applied consistently across the HIPAA rules. This proposed 
definition would make no distinction between commissions and 
omissions--that is, a violation occurs when a covered entity fails to 
take an action required by a HIPAA rule, as well as when a covered 
entity takes an action prohibited by a HIPAA rule.
3. Section 160.312--Secretarial Action Regarding Complaints and 
Compliance Reviews
    Section 160.312(a) currently provides that the Secretary will 
inform the covered entity and the complainant, if applicable, if an 
investigation or compliance review indicates a failure to comply and 
attempt to resolve the matter by informal means whenever possible. If 
the Secretary determines that the matter cannot be resolved by informal 
means, the Secretary may issue findings to the covered entity and, if 
applicable, the complainant.
    Like the current Sec.  160.312(a), proposed Sec.  160.312(a)(1) 
provides that, where noncompliance is indicated, the Secretary would 
seek to reach a resolution of the matter satisfactory to the Secretary 
by informal means. Informal means would include demonstrated 
compliance, or a completed corrective action plan or other agreement. 
Under this provision, entering into a corrective action plan or other 
agreement would not, in and of itself, resolve the noncompliance; 
rather, the full performance by the covered entity of its obligations 
under the corrective action plan or other agreement would be necessary 
to resolve the noncompliance.
    Proposed Sec. Sec.  160.312(a)(2) and (3) address what 
notifications will be provided by the Secretary where noncompliance is 
indicated, based on an investigation or compliance review. Notification 
under this paragraph would not be required where the only contacts made 
were with the complainant, to determine whether the complaint warrants 
investigation. Paragraph (a)(2) provides for written notice to the 
covered entity and, if the matter arose from a complaint, the 
complainant, where the matter is resolved by informal means. If the 
matter is not resolved by informal means, paragraph (a)(3)(i) requires 
the Secretary to so inform the covered entity and provide the covered

[[Page 20230]]

entity an opportunity to submit written evidence of any mitigating 
factors or affirmative defenses for consideration under Sec. Sec.  
160.408 and 160.410; the covered entity must submit any such evidence 
to the Secretary within 30 days of receipt of such notification. 
Paragraph (a)(3)(ii) would revise the current Sec.  160.312(a)(2) to 
avoid confusion with the notice of proposed determination process 
provided for at proposed Sec.  160.420. Where a matter is not resolved 
by informal means and the Secretary finds that imposition of a civil 
money penalty is warranted, the formal finding would be contained in 
the notice of proposed determination issued under proposed Sec.  
160.420. See also the discussion at section V.J below.
    Paragraph (b) of the current Sec.  160.312 provides that if the 
Secretary finds after an investigation or compliance review that no 
further action is warranted, the Secretary will so inform the covered 
entity and, if the matter arose from a complaint, the complainant. This 
section does not apply where no investigation or compliance review has 
been initiated, such as where a complaint has been dismissed due to 
lack of jurisdiction. Paragraph (b) would remain largely unchanged.
4. Section 160.314--Investigational Subpoenas and Inquiries
    The text of Sec.  160.314 was adopted by the April 17, 2003 interim 
final rule as Sec.  160.504. We propose to move this section to subpart 
C, consistent with our overall approach of organizing subparts C, D, 
and E to reflect the stages of the enforcement process. Since the 
investigational subpoenas and inquiries occur prior to the imposition 
of a civil money penalty, we propose to move the rules relating to them 
to subpart C, where other rules related to this stage of the process 
are located. This organizational arrangement should facilitate use of 
the Rule by covered entities and others.
    One substantive change is proposed to paragraph (a). We would add 
to the introductory language of this paragraph a sentence which states 
that, for the purposes of paragraph (a), a person other than a natural 
person is termed an ``entity.'' This permits us to avoid creating a 
definition of the term ``entity'' that would have a broader application 
and might be incorrect in other contexts, but preserves the utility of 
the definition in this specific context. The term ``entity'' would no 
longer be a defined term for the rest of the Rule, unlike the approach 
taken in Sec.  160.502 of the April 17, 2003 interim final rule.
    Proposed paragraphs (b)(1), (2) and (8) are unchanged from the 
current paragraphs (b)(1)--(3) of Sec.  160.504. We propose to add new 
paragraphs (3) through (7) and (9) to Sec.  160.314(b) and also to add 
a new paragraph (c). Together, these additions would clarify the manner 
in which investigational inquiries will be conducted, and how testimony 
given, and evidence obtained, during such an investigation may be used.
    The new paragraphs are based upon similar provisions in 42 CFR 
1006.4. Proposed Sec. Sec.  160.314(b)(3)--(7) describe the rights of 
the Secretary and the witness in the inquiry process: representatives 
of the Secretary are entitled to attend and ask questions, a witness 
may clarify his or her answers on the record following questioning by 
the Secretary, the witness must place any claim of privilege on the 
record, what requirements apply to the assertion of objections, and 
under what circumstances and how the Secretary may seek enforcement of 
the subpoena. Proposed Sec.  160.314(b)(8) (currently Sec.  
160.504(b)(3) and which, as noted above, has not changed) recognizes 
that investigational inquiries are non-public proceedings. Accordingly, 
a witness's right to retain a copy of the transcript of his or her 
testimony may be limited for good cause (5 U.S.C. 555(c)). Proposed 
Sec.  160.314(b)(9) explains what would happen in such a case: The 
witness would nonetheless be entitled to inspect the transcript and to 
propose any corrections. If the witness is provided a copy of the 
transcript, paragraph (b)(9)(i) would provide for the opportunity to 
review the transcript and offer proposed corrections. This provision is 
consistent with the practice under Rule 30(e) of the Federal Rules of 
Civil Procedure (F.R.C.P.). Paragraph (b)(9)(ii) would allow the 
Secretary to attach corrections to the transcript of a witness's 
testimonial interview if the record transcribing the interview is 
incorrect. Consistent with the practice under the OIG regulations, this 
provision would not permit the Secretary to propose substantive changes 
to the witness's testimony.
    Proposed Sec.  160.314(c) provides that, consistent with Sec.  
160.310, testimony and other evidence obtained in an investigational 
inquiry may be used by HHS in any of its activities and may be used or 
offered into evidence in any administrative or judicial proceeding. 
This provision follows Sec.  1006.4(h) of the OIG regulations, but is 
tailored to be consistent with the existing Sec.  160.310(c)(3). Under 
this provision, evidence obtained in an investigational inquiry could 
be used in any of HHS's activities and could be used or offered into 
evidence in any administrative or judicial proceeding, except to the 
extent it consists of protected health information. Evidence that is 
protected health information may be disclosed only ``if necessary for 
ascertaining or enforcing compliance with the applicable administrative 
simplification provisions, or if otherwise required by law,'' as 
provided at Sec.  160.310(c).
5. Section 160.316--Refraining From Intimidation or Retaliation
    Proposed Sec.  160.316 would prohibit covered entities from 
threatening, intimidating, coercing, discriminating against, or taking 
any other retaliatory action against individuals or other persons 
(including other covered entities) who complain to HHS or otherwise 
assist or cooperate in the enforcement processes created by this rule. 
This provision is taken from Sec.  164.530(g)(2) of the Privacy Rule, 
with only minor changes designed to adapt the provision to the new 
subparts which this rule would add. The intent of this addition to 
subpart C is to make these non-retaliation provisions applicable to all 
of the HIPAA rules, not just the Privacy Rule. The placement of these 
provisions in subpart C accomplishes this.
    Section 164.530(g) would retain existing provisions which provide 
that a covered entity may not intimidate, threaten, coerce, 
discriminate against, or take other retaliatory action against an 
individual for exercising his or her rights or for participating in any 
process established by the Privacy Rule, including filing a complaint 
with a covered entity. A conforming change to Sec.  164.530(g) of the 
Privacy Rule is proposed, to cross-reference proposed Sec.  160.316.
    As with other provisions of subpart C that impose requirements or 
prohibitions on covered entities, the provisions of Sec.  160.316 are 
``administrative simplification provisions.'' Thus, a violation of a 
requirement or prohibition of this section would be a basis for 
imposition of a civil money penalty.

C. Subpart D--Imposition of Civil Money Penalties

    Proposed subpart D addresses the issuance of a notice of proposed 
determination to impose a civil money penalty and other events that 
would be relevant thereafter, whether or not a hearing follows the 
issuance of the notice of proposed determination. This subpart also 
would contain provisions on identifying violations, determining the 
number of violations, calculating civil money penalties for such 
violations, and establishing affirmative

[[Page 20231]]

defenses to the imposition of civil money penalties. It would, thus, 
implement the provisions of section 1176, as well as related provisions 
of section 1128A. As noted above, many provisions of the Rule are based 
in large part upon the OIG regulations, but, as with subpart E, we 
propose to adapt the OIG language to reflect issues presented by, or 
the authority underlying, the HIPAA rules.
1. Section 160.402--Basis for a Civil Money Penalty
    Proposed Sec.  160.402(a) would require the Secretary to impose a 
civil money penalty on any covered entity which the Secretary 
determines has violated an administrative simplification provision, 
unless the covered entity establishes that an affirmative defense, as 
provided for by Sec.  160.410, exists. See the discussion at section 
IV.C.3 below. This provision is based on the language in section 
1176(a) that ``* * * the Secretary shall impose on any person who 
violates a provision of this part a penalty * * *''. This proposed 
provision interprets ``provision of this part'' in section 1176(a)(1) 
to refer to any requirement or prohibition established by the statute 
or any of the HIPAA rules that are adopted under the statute. See the 
discussion of the definitions of ``administrative simplification 
provision'' and ``violation'' in section IV.B.2 above.
    The use of the term ``shall impose'' in section 1176(a) is more 
than a mere conveyance of authority to the Secretary to impose a 
penalty for a violation of an administrative simplification provision. 
If the Secretary finds in a notice of proposed determination that a 
covered entity has violated an administrative simplification provision, 
he is required to impose a penalty unless a basis for not imposing the 
penalty under section 1176 exists. Section 1176(a) does not limit the 
Secretary's discretion to encourage a covered entity to come into 
compliance voluntarily, to close a case without issuing a notice of 
proposed determination if voluntary compliance is obtained, or to set 
the amount of the penalty below the statutory caps. Nor does section 
1176(a) limit the Secretary's discretion to settle any matter, 
including cases in which a civil money penalty has been proposed or 
which are in hearing. The first sentence of section 1128A(f) of the 
Act, which is incorporated by reference in section 1176, states, in 
part, ``Civil money penalties * * * imposed under this section may be 
compromised by the Secretary * * *''. Therefore, the Secretary may 
settle a case even after a civil money penalty has been proposed.
a. Section 160.402(b)--Violations by More than One Covered Entity
    The proposed rule includes a provision, at Sec.  160.402(b), that 
addresses what would happen if multiple covered entities were 
responsible for violating a HIPAA provision. Proposed Sec.  
160.402(b)(1) provides that, except with respect to covered entities 
that are members of an affiliated covered entity, if the Secretary 
determines that more than one covered entity was responsible for 
violating an administrative simplification provision, the Secretary 
will impose a civil money penalty against each such covered entity. 
Proposed Sec.  160.402(b)(2) provides that each covered entity that is 
a member of an affiliated covered entity would be jointly and severally 
liable for a civil money penalty for a violation by the affiliated 
covered entity.
    Proposed Sec.  160.402(b)(1) is based on a similar provision in the 
OIG regulations at 42 CFR 1003.102(d). It differs from the OIG 
provision in that this proposed provision requires the imposition of a 
penalty on each covered entity that the Secretary determines has 
violated an administrative simplification provision, rather than giving 
the Secretary discretion to determine whether to impose a civil money 
penalty on one or all. This is based on the statutory language in 
section 1176(a) which states that the Secretary ``* * * shall impose a 
penalty * * *'' when there is a determination that an entity has 
violated a HIPAA provision. As discussed above, the language in the 
statute mandates the imposition of a penalty in appropriate situations 
where there has been a finding of a violation. However, nothing in this 
section would limit the Secretary's ability to exercise enforcement 
discretion to investigate only one covered entity, to encourage one or 
more covered entities to come into compliance, to close a case against 
one or more covered entities without issuing a notice of proposed 
determination if voluntary compliance is obtained, or to set the amount 
of the penalty differently for each covered entity when multiple 
covered entities are responsible for violating an administrative 
simplification provision, to the extent section 1176 and this Rule 
would allow.
    With the exception of affiliated covered entity arrangements, this 
provision may apply to any two covered entities, including, but not 
limited to, those that are part of a joint arrangement, such as an 
organized health care arrangement. The determination of whether or not 
an entity is responsible for the violation would be based on the facts. 
Simply being part of a joint arrangement would not, in and of itself, 
make a covered entity responsible for a violation by another entity in 
the joint arrangement, although it may be a factor considered in the 
analysis.
    Proposed Sec.  160.402(b)(2) provides that each covered entity that 
is a member of an affiliated covered entity would be jointly and 
severally liable for a civil money penalty for a violation by the 
affiliated covered entity. An affiliated covered entity is a group of 
covered entities under common ownership or control, which have elected 
to be treated as if they were one covered entity for purposes of 
compliance with the Security and Privacy Rules. See 45 CFR 164.105(b). 
Electing to become an affiliated covered entity may reduce the 
administrative burden and create certain efficiencies with respect to 
compliance. There is no requirement to form an affiliated covered 
entity; the entities that choose to form an affiliated covered entity 
must designate themselves as such and must document the designation in 
writing.
    The December 2000 Privacy Rule stated as follows with respect to 
the liability of the component covered entities of an affiliated 
covered entity: ``The covered entities that together make up the 
affiliated covered entity are separately subject to liability under 
this rule.'' 65 FR 82503. We clarify this language in the proposed 
rule. Under proposed Sec.  160.402(b)(2), each covered entity that is a 
member of an affiliated covered entity would be jointly and severally 
liable for a civil money penalty for a violation by the affiliated 
covered entity. This means that we could enforce a violation of the 
Security Rule or Privacy Rule by an affiliated covered entity against 
any covered entity member of the affiliated covered entity separately 
or against all of the covered entity members of the affiliated covered 
entity jointly. The reason for joint and several liability is that the 
affiliated covered entity is treated, under the Security and Privacy 
Rules, as one entity. Thus, it may be impossible to know or prove which 
covered entity within an affiliated covered entity is responsible for a 
violation, particularly in the case of a failure to act. For example, 
if an affiliated covered entity fails to appoint a privacy official as 
required by Sec.  164.530(a)(1)(i), it may be impossible to identify 
one entity as responsible for the omission.
    Proposed Sec.  160.402(b)(2) differs from proposed Sec.  
160.402(b)(1) in two ways. First, no covered entity in an affiliated 
covered entity could avoid a civil money penalty by demonstrating that 
it

[[Page 20232]]

was not responsible for the act or omission constituting the violation 
or that another covered entity member of the affiliated covered entity 
was the culpable entity. Second, the maximum penalty that could be 
imposed on all members of the affiliated covered entity for identical 
violations in a calendar year would be the maximum allowed for one 
covered entity--$25,000. By contrast, under Sec.  160.402(b)(1), if 
more than one covered entity were responsible for a violation of an 
administrative simplification provision, each covered entity would be 
treated as separately violating the provision, and each could be 
assessed the maximum penalty of $25,000 in a calendar year for 
sufficient identical violations.
b. Section 160.402(c)--Violations Attributed to a Covered Entity
    Under section 1176(a)(2), ``the provisions of section 1128A * * * 
shall apply to the imposition of a civil money penalty under [HIPAA] in 
the same manner as such provisions apply to the imposition of a penalty 
under such section 1128A.'' Section 1128A(l) of the Act addresses the 
liability of a covered entity for violations committed by an agent. It 
states that ``a principal is liable for penalties * * * under this 
section for the actions of the principal's agents acting within the 
scope of the agency.'' This is similar to the traditional rule of 
agency in which principals are vicariously liable for the acts of their 
agents acting within the scope of their authority. See Meyer v. Holley, 
537 U.S. 280 (2003). The preamble to the December 2000 Privacy Rule 
discussed the applicability of section 1128A(l) as follows:

we note that section 1128A(l) of the Social Security Act, which 
applies to the imposition of civil monetary penalties under HIPAA, 
provides that a principal is liable for penalties for the actions of 
its agent acting within the scope of the agency. Therefore, a 
covered entity will generally be responsible for the actions of its 
employees such as where the employee discloses protected health 
information in violation of the regulation.

65 FR 82603.
    We clarify in proposed Sec.  160.402(c) that, in the context of the 
HIPAA rules, this means that a covered entity generally can be held 
liable for a civil money penalty based on the actions of any agent, 
including an employee or other workforce member, acting within the 
scope of the agency or employment. A business associate will often be 
an agent of a covered entity, but, as discussed below, a covered entity 
that complies with the HIPAA rules governing business associates will 
not be held liable for a business associate's actions that violate the 
rules.
i. Federal Common Law of Agency
    A principal's liability for the actions of its agents is generally 
governed by State law. However, the Supreme Court has provided that the 
federal common law of agency may be applied where there is a strong 
governmental interest in nationwide uniformity and a predictable 
standard and when the federal rule in question is interpreting a 
federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998). 
Here, there is a strong interest in nationwide uniformity. The 
fundamental goal of the HIPAA provisions is to achieve standardization 
of certain health care transactions, to standardize certain security 
practices, and to set a federal floor of privacy practices, in order to 
increase the efficiency and effectiveness of the health care system. 
Therefore, it is essential for HHS to apply one consistent body of law 
regardless of where an action is brought. The same considerations 
support a strong federal interest in the predictable operation of the 
standards, to ensure that the various covered entities operating 
thereunder can do so consistently so as to facilitate the legitimate 
exchange of information. Finally, the HIPAA rules interpret a federal 
statute, the HIPAA provisions. Thus, the tests for application of the 
federal common law of agency are met here. Accordingly, proposed Sec.  
160.402(c) contains specific language to make clear that the federal 
law of agency applies.
    Where the federal common law of agency applies, the courts often 
look to the Restatement (Second) of Agency (1958) (Restatement) as a 
basis for explaining the common law's application. While the 
determination of whether an agent is acting within the scope of its 
authority must be decided on a case-by-case basis, the Restatement 
provides guidelines for this determination. Section 229 of the 
Restatement provides:

    (1) To be within the scope of the employment, conduct must be of 
the same general nature as that authorized, or incidental to the 
conduct authorized.
    (2) In determining whether or not the conduct, although not 
authorized, is nevertheless so similar to or incidental to the 
conduct authorized as to be within the scope of employment, the 
following matters of fact are to be considered;
    (a) Whether or not the act is one commonly done by such 
servants;
    (b) The time, place and purpose of the act;
    (c) The previous relations between the master and the servant;
    (d) The extent to which the business of the master is 
apportioned between different servants;
    (e) Whether or not the act is outside the enterprise of the 
master or, if within the enterprise, has not been entrusted to any 
servant;
    (f) Whether or not the master has reason to expect that such an 
act will be done;
    (g) The similarity in quality of the act done to the act 
authorized;
    (h) Whether or not the instrumentality by which the harm is done 
has been furnished by the master to the servant;
    (i) The extent of departure from the normal method of 
accomplishing an authorized result; and
    (j) Whether or not the act is seriously criminal.

    In some cases, under federal agency law, a principal may be liable 
for an agent's acts even if the agent acts outside the scope of its 
authority. Rest. 2nd Agency Sec.  219(2). However, proposed Sec.  
160.402(c) would follow section 1128A(l), which limits liability for 
the actions of an agent to those actions that are within the scope of 
the agency.
ii. Agents
    Various categories of persons may be agents of a covered entity. 
These are workforce members, business associates, and others. 
``Workforce'' is defined as ``employees, volunteers, trainees, and 
other persons whose conduct, in the performance of work for a covered 
entity, is under the direct control of such entity, whether or not they 
are paid by the covered entity.'' 45 CFR 160.103. Because of the 
``direct control'' language of the rule, we believe that all workforce 
members, including those who are not employees, are agents of a covered 
entity. This conclusion is consistent with the requirements at 
Sec. Sec.  164.308(a)(5) and 164.530(b) for a covered entity to train 
all workforce members and with the requirement at Sec.  164.514(d)(2) 
for a covered entity to adopt minimum necessary policies and procedures 
for use of protected health information by all workforce members. The 
workforce may include an independent contractor; as explained in the 
preamble to the Privacy Rule, independent contractors ``may or may not 
be workforce members.'' 65 FR 82480. Under the proposed rule, a covered 
entity could be liable for a civil money penalty for a violation by any 
workforce member, whether an employee, contractor, volunteer, trainee, 
etc., acting within the scope of his or her employment or agency. We 
specifically request comment on whether there are categories of 
workforce members whom it would be

[[Page 20233]]

inappropriate to treat as agents under Sec.  160.402(c).
    The definition of the term ``business associate,'' set forth at 
Sec.  160.103, includes any agents of a covered entity, other than 
members of its workforce, that perform on its behalf any function or 
activity regulated by the HIPAA rules or perform certain specified 
services for the covered entity that involve the use or disclosure of 
protected health information. Under the Security and Privacy Rules, the 
covered entity may disclose protected health information to the 
business associate, and allow the business associate to create or 
receive protected health information on its behalf, if the covered 
entity complies with relevant requirements to obtain satisfactory 
assurances that the business associate will appropriately safeguard the 
information. In particular, Sec. Sec.  164.308(b) and 164.502(e) of the 
HIPAA rules require covered entities using the services of business 
associates to obtain satisfactory assurances, by a written contract or 
other arrangement, that the business associate will safeguard the 
protected health information. If the covered entity complies with these 
requirements, then it can protect itself from what could otherwise be 
liability for actions of its agent business associates that violate the 
HIPAA rules. As specified in Sec. Sec.  164.314(a)(1)(ii) and 
164.504(e)(1)(ii), even if a covered entity knows of a pattern of 
activity or practice by the business associate that constitutes a 
material breach or violation of the business associate's obligations 
under the contract, the covered entity will not be considered to be in 
violation of the regulations if it takes certain actions. If the 
covered entity fails to take these steps, however, it is outside the 
safe harbor provided by the Security and Privacy Rules and may be 
subject to penalty.
    Some business associates are also covered entities. Health care 
clearinghouses are one example of this situation, but a covered health 
care provider or a health plan may also act as a business associate of 
another covered entity. The business associate provisions of the 
Security and Privacy Rules provide that where one covered entity acts 
as the business associate of another covered entity and violates the 
satisfactory assurances it provided as a business associate, it is 
separately liable for violation of the business associate provisions of 
the Security and Privacy Rules. See Sec. Sec.  164.308(b)(3) and 
164.502(e)(1)(iii). If the act or omission that resulted in a breach of 
the business associate contract by the covered entity business 
associate would also constitute a violation of an underlying provision 
of the Security or Privacy Rule by that covered entity business 
associate, it would be in violation of the underlying provision as 
well.
    To make this proposed rule consistent with the business associate 
provisions of the HIPAA rules, the proposed rule would carve out from 
the provision for vicarious liability those actions by a business 
associate that would be shielded by the business associate provisions 
of the Security and Privacy Rules. Thus, a covered entity that is in 
compliance with the business associate provisions of the Security and 
Privacy Rules would not be liable for a violation of those rules by the 
business associate, even though the business associate is the covered 
entity's agent and was acting within the scope of its agency when it 
violated the rule. We recognize that in many cases, a business 
associate contract may establish an agency relationship. However, there 
may also be situations in which the business associate may not be an 
agent. For example, the Privacy Rule permits a covered entity to rely, 
if such reliance is reasonable, on the request of a professional who is 
a business associate as the minimum necessary. This suggests that a 
business associate may not always be sufficiently under the direct 
control of the covered entity to qualify as an agent.
    HHS has issued guidance stating that a covered entity is not 
required to monitor the activities of its business associate:

    The HIPAA Privacy Rule requires covered entities to enter into 
written contracts or other arrangements with business associates 
which protect the privacy of protected health information; but 
covered entities are not required to monitor or oversee the means by 
which their business associate carries out privacy safeguards or the 
extent to which the business associate abides by the privacy 
requirements of the contract. Nor is the covered entity responsible 
or liable for the actions of its business associates. However, if a 
covered entity finds out about a material breach or violation of the 
contract by the business associate, it must take reasonable steps to 
cure the breach or end the violation, and, if unsuccessful, 
terminate the contract with the business associate. If termination 
is not feasible (e.g., where there are no other viable business 
alternatives for the covered entity), the covered entity must report 
the problem to the Department of Health and Human Services Office 
for Civil Rights.

FAQ Answer ID 236 at www.hhs.gov/ocr/hipaa, entitled ``Is a 
covered entity liable for, or required to monitor, the actions of its 
business associates?'' (Click on the link for Answers to Your 
Frequently Asked Questions, and then select and search on the 
subcategory for Business Associates.) Proposed Sec.  160.402(c) is 
consistent with this guidance. If the covered entity complies with the 
applicable business associate provisions, the covered entity will not 
be held liable for the actions of its business associate. 
Concomitantly, if the covered entity fails to comply with those 
provisions, such as by not entering into the requisite arrangements or 
contracts, or by not taking reasonable steps to cure the breach or end 
the violation, it could be held liable under proposed Sec.  160.402(c) 
for the actions of its business associate agent.
2. Sections 160.404, 160.406, 160.408--Calculation of Penalties
a. Section 160.404--Amount of a Civil Money Penalty
    Section 1176(a)(1) establishes maximum penalty amounts for 
violations. The statute provides a maximum penalty of ``not more than 
$100'' for each violation (see section IV.B.2 above for the discussion 
of ``violation''), and the penalty imposed on a covered entity ``for 
all violations of an identical requirement or prohibition during a 
calendar year may not exceed $25,000.''
    The statute establishes only maximum penalty amounts, so the 
Secretary has the discretion to impose penalties that are less than the 
statutory maximum. This proposed regulation would not establish minimum 
penalties. Under proposed Sec.  160.404(a), the penalty amount would be 
determined through the method provided for in proposed Sec.  160.406, 
using the factors set forth in proposed Sec.  160.408, and subject to 
the statutory caps reflected in proposed Sec.  160.404(b) and any 
reduction under proposed Sec.  160.412.
    Proposed Sec.  160.404 would follow the language of the statute and 
establish the maximum penalties for a violation and for identical 
violations during a calendar year, as set forth in the statute--up to 
$100 per violation and up to $25,000 for identical violations in a 
calendar year. Proposed Sec.  160.404(b) makes clear that the term 
``calendar year'' means the period from January 1 through the following 
December 31.
    An identical violation is a violation of the same requirement or 
prohibition in one of the HIPAA rules or in the statute. It is based on 
the provision of the regulation or statute that has been violated and 
not on whether the violations relate to the same individual's protected 
health information, the same transaction, or are with the same trading 
partner. For example, assume that a health plan includes in its trading 
partner

[[Page 20234]]

agreements a provision that requires the submission of a data element 
that is not included in the implementation guides for transactions 
covered by the agreement and requires 7,500 different trading partners 
to sign such agreements in a calendar year. Inclusion of the provision 
violates Sec.  162.915(b), which prohibits covered entities from 
entering into a trading partner agreement which adds any data element 
or segments to the maximum defined data set. If the penalty is assessed 
at $100/violation, the total penalty for all such violations would 
amount to $750,000 ($100 x 7500). However, the maximum penalty that may 
be assessed for the calendar year for those violations is $25,000, 
because they all relate to the same prohibition. This is the case even 
though the violations involve 7,500 different trading partners.
b. Section 160.404(b)(2)--Violations of Repeated or Overlapping 
Provisions in a HIPAA Rule
    Some requirements or prohibitions in the provisions of a HIPAA rule 
may be repeated in, or may overlap, other provisions in the same rule. 
We propose Sec.  160.404(b)(2) to make clear that a violation of a more 
specific requirement or prohibition, such as one contained within an 
implementation specification, is not also counted, for purposes of 
determining civil money penalties, as an automatic violation of a 
broader requirement or prohibition that entirely encompasses the more 
specific one, in that such duplicative requirements generally reflect 
considerations of drafting and not of substance. Under this proposal, 
the Secretary could impose a civil money penalty for violation of 
either the general or the specific requirement, but not both.
    For example, if, after the applicable compliance date for the 
Security Rule, a covered entity violates the requirement to implement 
policies and procedures for facility access controls at Sec.  
164.310(a)(1), the covered entity will also have violated the Security 
Rule's provision at Sec.  164.316(a), which is the general standard 
requiring the implementation of policies and procedures. Similarly, if 
a covered entity fails to implement minimum necessary policies and 
procedures for uses of protected health information as required by the 
implementation specification at Sec.  164.514(d)(2) of the Privacy 
Rule, the covered entity also has violated the minimum necessary 
standard at Sec.  164.514(d)(1), which requires compliance with the 
implementation specification. In these two examples, the proposed 
provision would treat the act or omission as a violation of only one of 
the identified administrative simplification provisions, not both, for 
purposes of imposing civil money penalties.
    Proposed Sec.  160.404(b)(2) would not apply where a covered 
entity's action results in violations of multiple, differing 
requirements or prohibitions within the same HIPAA rule, however. The 
following is an example: due to inadequate safeguards, a covered entity 
uses protected health information in a manner prohibited by the Privacy 
Rule. Civil money penalties may be imposed on the covered entity for 
its violation of the use provision in Sec.  164.502(a), as well as for 
its violation of the safeguards requirement in Sec.  164.530(c).
    Proposed Sec.  160.404(b)(2) would also not apply where a covered 
entity's action may result in a violation of more than one HIPAA rule; 
for example, failure to adopt administrative safeguards may violate 
both the Privacy Rule (Sec.  164.530(c)) and the Security Rule (Sec.  
164.308). In such a case, more than one regulatory standard has been 
violated, and the Secretary may assess a penalty under both HIPAA 
rules. The proposed provision is limited to duplicate provisions in the 
same subpart, or HIPAA rule, and would not apply to limit civil money 
penalties for violations of more than one HIPAA rule.
    Proposed Sec.  160.404(b)(2) would also not preclude assessing 
civil money penalties for multiple violations of an identical 
requirement or prohibition.
c. Section 160.406--Number of Violations
    As stated above, section 1176(a) provides a maximum penalty for 
identical violations by a covered entity in a calendar year. However, 
in many cases, it may not be clear exactly how to quantify the number 
of violations. Furthermore, the types of requirements and prohibitions 
vary among and within the HIPAA rules--for example, requirements to 
adopt policies and procedures versus requirements to conduct 
transactions in standard format.
    There are various possible measures, or variables, that can be used 
to count violations, and different laws use one or multiple approaches. 
See, e.g., 42 CFR part 488, subpart F. In the context of the HIPAA 
rules, there are three basic variables that seem reasonable to use in 
calculating the number of violations that have occurred--(1) the number 
of impermissible actions or failures to take required actions, (2) the 
number of persons involved, and (3) the amount of time during which the 
violation occurred.
i. Variables
    Actions--The number of violations could be based on the number of 
times a covered entity takes a prohibited action (commission) or the 
number of times a covered entity fails to take a required action 
(omission). The ``action'' variable seems likely to be a workable 
variable for determining the number of violations where the acts in 
question are discrete and/or repetitive, such as could be the case with 
the Transactions Rule. However, the ``action'' variable may have a very 
different result in other circumstances. For example, if a covered 
entity fails to implement a required policy, there is only one failure 
to act, and, therefore, using this variable, the number of violations 
of the requirement would be one, even though such a failure to act 
might have extended over a long period of time, be intentional, and 
have serious consequences for other entities or individuals. Thus, the 
``action'' variable might not be appropriate in many circumstances.
    Persons--The number of violations could be measured in terms of the 
number of persons involved or affected. Persons may be natural persons 
or entities, and violations could be counted in terms of one of four 
categories of persons.
    - Individuals who are the subject of protected health 
information--for example, the number of individuals who did not receive 
access to their records.
    - Employees for whom the covered entity has an obligation--
for example, the number of employees who improperly took one or more 
impermissible actions, such as improperly using protected health 
information.
    - Persons who receive information in violation of the 
rules--for example, the number of employees who have access to 
protected health information but who should not have such access, 
either in violation of the covered entity's minimum necessary policies 
or in violation of its access control security procedures.
    - Other persons affected by the violation--for example, the 
number of providers affected by an impermissible health plan 
requirement that providers use codes not permitted under subpart J of 
the Transactions Rule.
    Using the ``person'' variable to determine the number of violations 
of a HIPAA rule may or may not be an appropriate approach, depending on 
the purpose of the regulatory provision. For example, counting by the 
``person'' variable may not be appropriate for

[[Page 20235]]

purposes of counting violations of most of the Transactions Rule 
requirements.
    Time--When violations are continuous, they could be calculated in 
terms of a unit of time, such as calendar days. For example, inclusion 
of a term in a trading partner agreement that is not permitted by Sec.  
162.915 would be one action, if counted as an action, but, if counted 
by time, the number of violations would depend on how long the 
impermissible agreement was in effect and what unit of time was applied 
to count the number of violations. However, using a time variable makes 
less sense for violations that are distinct and repetitive, such as 
many Transactions Rule violations would be. For example, if a covered 
entity conducted 3000 transactions that were not in standard form over 
a two-day period and another covered entity conducted two transactions 
that were not in standard form over a two-day period, each set of facts 
would result in two violations under a ``per day'' approach.
ii. Determining the Number of Violations
    Proposed Sec.  160.406 would establish the general rule that the 
Secretary will determine the number of violations of an identical 
requirement or prohibition by a covered entity by applying any of the 
variables of action, person, or time, as follows: (1) The number of 
times the covered entity failed to engage in required conduct or 
engaged in a prohibited act; (2) the number of persons involved in, or 
affected by, the violation; or (3) the duration of the violation, 
counted in days (because many of the HIPAA requirements are in terms of 
days, this seems to be the most appropriate unit of time to use). 
Paragraph (a) of this section would require the Secretary to determine 
the appropriate variable or variables for counting the number of 
violations based on the specific facts and circumstances related to the 
violation, and take into consideration the underlying purpose of the 
particular HIPAA rule that is violated. More than one variable could be 
used to determine the number of violations (for example, the number of 
people affected times the time (number of days) over which the 
violation occurred). Because of the range of circumstances that can be 
presented in determining the number of violations and the very 
different nature of the HIPAA rules that may be implicated by those 
violations, the Secretary would have discretion in determining which 
variable or variables were appropriate for determining the number of 
violations rather than being required to use a rigid formula, which 
could produce arbitrary results. Under this proposal, the policy for 
determining which variable(s) to use for which type of violation would 
be developed in the context of specific cases rather than established 
by regulation. Subsequent cases would be decided consistently with 
prior similar cases. This option would defer more specific decisions 
regarding the appropriate variable(s) for counting penalties to such 
time as a case raising the HIPAA provision occurs.
    Several approaches were considered in deciding how to determine the 
number of violations:
    - Use one variable for all of the HIPAA rules. While this 
approach has greater consistency, the variation among the rules in 
terms of their types of requirements and prohibitions makes it 
difficult to identify one variable that would work equally well in each 
rule.
    - Use one variable or approach for each individual HIPAA 
rule. This approach would also have greater consistency and certainty. 
However, it would not address the variations within HIPAA rules and 
could be confusing when a covered entity violated more than one rule.
    - Categorize requirements and prohibitions and assign 
variables to each. This approach would increase certainty and 
consistency across all of the HIPAA rules but would likely result in a 
complex scheme that might operate unfairly.
    After weighing the advantages and disadvantages of each approach, 
it was determined that it would be preferable to determine the 
appropriate variable(s) for particular types of violations based on the 
context of a specific case. We welcome comments on this approach, the 
options that were considered, and other potential options for 
determining the number of violations.
d. Section 160.408--Factors Considered in Determining the Amount of a 
Civil Money Penalty
    Section 1176(a)(2) states that, with some exceptions, the 
provisions of section 1128A of the Act shall apply to the imposition of 
a civil money penalty under section 1176 ``in the same manner as'' such 
provisions apply to the imposition of a civil money penalty under 
section 1128A. Section 1128A(d) requires that--

in determining the amount of * * * any penalty, * * * the Secretary 
shall take into account--
    (1) The nature of the claims and the circumstances under which 
they were presented,
    (2) The degree of culpability, history of prior offenses and 
financial condition of the person presenting the claims, and
    (3) Such other matters as justice may require.

    This language establishes factors to be considered in determining 
the ultimate amount of a civil money penalty. Because section 1176 
requires that civil money penalties be imposed in the same manner as 
civil money penalties are imposed under section 1128A, such factors 
should be applied to determining the amount of a civil money penalty 
for HIPAA violations. This approach is consistent with the approach 
taken in other regulations that cross-reference section 1128A, which 
rely on these factors for purposes of determining civil money penalty 
amounts. See, e.g., 42 CFR 488.438.
    The factors listed in section 1128A(d) were drafted to apply to 
violations involving claims for payment under federally funded health 
programs. Because HIPAA violations will usually not be about specific 
claims, HHS proposes to tailor the section 1128A(d) factors to the 
HIPAA rules and break them into their component elements for ease of 
understanding and application, as follows: (1) The nature of the 
violation; (2) the circumstances under which the violation occurred; 
(3) degree of culpability; (4) history of prior offenses; (5) financial 
condition of the covered entity; and (6) such other matters as justice 
may require.
    Many regulations that implement section 1128A, such as the OIG 
regulations, further particularize the statutory factors by providing 
discrete criteria. Consistent with these other regulations, and in 
order to provide more guidance to covered entities as to the factors 
that would be used in calculating civil money penalties for violations 
of the HIPAA rules, we propose a more specific list of circumstances 
that would be considered in calculating penalty amounts. Therefore, 
proposed Sec.  160.408 provides detailed factors, within the categories 
stated above, to consider in determining the amount of a civil money 
penalty, as follows:
    (1) The nature of the violation, when considered in light of the 
purposes of the rule violated.
    (2) The circumstances under which the violation occurred and the 
consequences, including the time period during which the violation(s) 
occurred, whether the violation caused physical harm, whether the 
violation hindered or facilitated an individual's ability to obtain 
health care, and whether the violation resulted in financial harm.
    (3) The degree of culpability of the covered entity, including 
whether the violation was intentional, and whether the violation was 
beyond the direct control of the covered entity.

[[Page 20236]]

    (4) Any history of prior offenses of the covered entity, including 
whether the current violation is the same or similar to prior 
violation(s), whether and to what extent the covered entity has 
attempted to correct previous violations, how the covered entity has 
responded to technical assistance from the Secretary provided in the 
context of a compliance effort, and how the covered entity has 
responded to prior complaints. This could include any violations that 
have been brought to the covered entity's attention, including 
complaints raised by individuals directly to the covered entity, 
violations of which the covered entity became aware on its own, and 
violations that have been raised in the context of a complaint to the 
Secretary.
    (5) The financial condition of the covered entity, including 
whether the covered entity had financial difficulties that affected its 
ability to comply, whether the imposition of a civil money penalty 
would jeopardize the ability of the covered entity to continue to 
provide, or to pay for, health care, and the size of the covered 
entity.
    (6) Such other matters as justice may require.
    In many regulations that implement section 1128A, including the OIG 
regulations, the statutory factors and/or the discrete criteria are 
designated as either aggravating or mitigating. See, e.g., 42 CFR 
1003.106(b)-(d). For example, in some of these regulations, history of 
prior offenses is listed as an aggravating factor. See, e.g., 42 CFR 
1003.106(b)(3). However, because the Enforcement Rule will apply to a 
number of rules and an enormous number of entities and circumstances, 
factors may be aggravating or mitigating, depending on the context. For 
example, the factor ``time period during which the violation(s) 
occurred'' could be an aggravating circumstance where the covered 
entity decided not to comply at all with a HIPAA provision, but be a 
mitigating circumstance where a covered entity quickly found and 
corrected repetitive noncompliance. Thus, we do not propose to label 
any of these factors as aggravating or mitigating. Rather, proposed 
Sec.  160.408 lists factors that may be considered by the Secretary as 
aggravating or mitigating in determining the amount of the civil money 
penalty to impose. The proposed approach would allow the Secretary to 
choose whether to consider a particular factor and how to consider each 
factor as appropriate in each situation to avoid unfair or 
inappropriate results. It also would keep the rule simple and make 
possible a list of factors to consider in determining penalties that 
can work in all cases.
    We propose to leave to the Secretary's discretion the decision 
regarding when aggravating and mitigating factors will be taken into 
account in determining the amount of the civil money penalty. This 
approach is consistent with other regulations implementing section 
1128A, which do not explain how or at what point in the process these 
factors apply. See, e.g., 42 CFR 488.438.
3. Section 160.410--Affirmative Defenses to the Imposition of a Civil 
Money Penalty
    Proposed Sec.  160.410 implements section 1176(b)(1)--(3) of the 
Act, which specify certain limitations with respect to when civil money 
penalties may be imposed. Paragraphs (1), (2), and (3) of section 
1176(b) each state that, if the conditions described in those 
paragraphs are met, ``a penalty may not be imposed under subsection 
(a)'' of section 1176. Under section 1176(b)(1), a civil money penalty 
may not be imposed with respect to an act that would be punishable by a 
criminal penalty under section 1177 of the Act. Under section 
1176(b)(2), a civil money penalty may not be imposed if it is 
established to the satisfaction of the Secretary that the person who 
would be liable for the civil money penalty ``did not know, and by 
exercising reasonable diligence would not have known'' that the person 
violated the provision. Under section 1176(b)(3), a civil money penalty 
may not be imposed if the failure to comply ``was due to reasonable 
cause and not to willful neglect'' and is corrected within a certain 
period.
    Where it is shown that one or more of these grounds exists with 
respect to a violation for which a civil money penalty is sought, such 
a showing bars the imposition of a civil money penalty for the 
violation. The provisions at section 1176(b)(1), (2), and (3), thus, 
constitute complete defenses to the imposition of a civil money 
penalty. As such, they meet the definition of an affirmative defense: 
``A defendant's assertion raising new facts and arguments that, if 
true, will defeat the plaintiff's or prosecution's claim, even if all 
allegations in the complaint are true.'' Black's Law Dictionary (West, 
7th ed. 1999).
    Accordingly, proposed Sec.  160.410 would characterize the 
limitations under section 1176(b)(1), (2), and (3) as ``affirmative 
defenses,'' to make clear that they must be raised in the first 
instance by the respondent. See the discussion at section IV.D.10 below 
regarding proposed Sec.  160.534, with respect to the burden of proof. 
However, characterizing these grounds as affirmative defenses would not 
prevent the Secretary from concluding, based on information already in 
his possession, that one of these limitations applied. If the Secretary 
were to conclude, based on his investigation or on information provided 
by the covered entity under proposed Sec.  160.312(a)(3)(i), that one 
or more of these limitations applied with respect to a violation, the 
Secretary would not pursue the civil money penalty action with respect 
to the violation. However, proposed Sec.  160.410 assumes the situation 
where the Secretary, through OCR or CMS, has concluded that none of the 
statutory limitations at section 1176(b)(1), (2), or (3) applies to a 
particular case and has, accordingly, issued a notice of proposed 
determination to impose a civil money penalty. The purpose of Sec.  
160.410, therefore, is to describe what the respondent must show in 
order to establish such a defense in the proceeding that could then 
follow.
    The grounds stated in sections 1176(b)(2) and (b)(3) are grounds 
about which the covered entity would be knowledgeable and could produce 
evidence. Treating them as affirmative defenses is consistent with how 
similar language in other statutes has been implemented. For example, 
similar language in section 102 of HIPAA has been treated as an 
affirmative defense: Under the implementing regulations at 45 CFR 
150.341(b), the burden of persuasion is on the entity to establish that 
no responsible entity knew, or, exercising reasonable diligence, would 
have known of the violation. Examples of a similar assignment of burden 
in connection with similar statutory language are found elsewhere. See, 
e.g., 26 CFR 301.6651-1(c), implementing 26 U.S.C. 6651 (a failure to 
timely file a tax return ``is due to reasonable cause and not due to 
willful neglect * * * ''), requires ``an affirmative showing of all 
facts alleged as a reasonable cause * * * '' by the taxpayer; 8 CFR 
280.5, 280.51, implementing 8 U.S.C. 1323 (remission of penalty for 
bringing in illegal aliens if the person ``could not have ascertained, 
by the exercise of reasonable diligence, that * * * ''), place the 
burden on the party seeking remission; 11 U.S.C. 110 (penalties for 
persons who fraudulently prepare bankruptcy petitions except where 
failure is ``due to reasonable cause'') has been treated as an 
affirmative defense, U.S. Trustee v. Womack, 201 B.R. 511, 518 (E.D. 
Ark. 1996).
    Under section 1176(b)(1), a civil money penalty may not be imposed 
if the act in question ``constitutes an offense punishable under 
section 1177.'' While it might appear unlikely that a
covered entity would raise this as an affirmative defense, section 
1176(b)(1) parallels sections 1176(b)(2) and (b)(3) in both structure 
and function. This construction suggests that Congress intended that it 
be treated in a parallel manner. Proposed Sec.  160.410, accordingly, 
would do so.
    Finally, we recognize that other affirmative defenses might be 
available in a particular case. In order not to preclude the raising of 
affirmative defenses that could legitimately be raised, the 
introductory text of proposed Sec.  160.410 is drafted to permit a 
respondent to offer affirmative defenses other than those provided in 
section 1176(b).
a. Section 160.410(b)(1)--Affirmative Defense Based on Violation Being 
a Criminal Offense
    Section 1176(b)(1) provides that the Secretary may not impose a 
civil money penalty ``with respect to an act if the act constitutes an 
offense punishable under section 1177.'' Section 1177(a) provides as 
follows:

    A person who knowingly and in violation of this part--
    (1) Uses or causes to be used a unique health identifier;
    (2) Obtains individually identifiable health information 
relating to an individual; or
    (3) Discloses individually identifiable health information 
relating to another person, shall be punished as provided in 
subsection (b).

Subsection (b) of section 1177, in turn, sets out three levels of 
penalties. The level of penalty varies depending on the circumstances 
under which the offense was committed.
    The proposed rule simply refers to the statutory provision. As the 
criminal penalty provision that provides the basis for this defense is 
administered by the U.S. Department of Justice, we do not propose to 
elaborate upon it in this regulation.
b. Section 160.410(b)(2)--Affirmative Defense Based on Lack of 
Knowledge
    Section 1176(b)(2) provides as follows:
    A penalty may not be imposed under subsection (a) with respect 
to a provision of this part if it is established to the satisfaction 
of the Secretary that the person liable for the penalty did not 
know, and by exercising reasonable diligence would not have known, 
that such person violated the provision.

For a covered entity to establish an affirmative defense under section 
1176(b)(2), it must show that it did not have actual or constructive 
knowledge of the violation. What is required for such a showing raises 
several issues: (1) What ``knowledge'' will make the ``lack of 
knowledge'' defense no longer available; (2) when is the ``knowledge'' 
of an agent imputed to the covered entity; and (3) what constitutes 
``reasonable diligence.''
i. ``Knowledge''
    The first question is what must the covered entity ``know'' in 
order for the defense of section 1176(b)(2) to be no longer available. 
Specifically, if the covered entity knows of the facts that constitute 
the violation, but does not know that they constitute a violation, is 
the defense under section 1176(b)(2) no longer available?
    A civil money penalty may not be imposed for a violation ``if it is 
established to the satisfaction of the Secretary that the person liable 
for the penalty did not know * * * that such person violated the 
provision.'' This language on its face suggests that the knowledge 
involved must be knowledge that a ``violation'' has occurred, not just 
knowledge of the facts constituting the violation. Section 1176(b)(3) 
supports this reading. Under section 1176(b)(3)(A)(i), the cure 
period--i.e., the period in which the violation must be corrected if 
the covered entity is to avail itself of the defense under section 
1176(b)(3)--begins to run ``on the first date the person liable for the 
penalty knew, or by exercising reasonable diligence would have known, 
that the failure to comply occurred.'' The duty to take corrective 
action under section 1176(b)(3), thus, flows from knowledge that ``the 
failure to comply occurred.'' We, thus, interpret this knowledge 
requirement to mean that the covered entity must have knowledge that a 
violation has occurred, not just knowledge of the facts underlying the 
violation. We use the statutory language in framing this requirement.
    This reading of the statute would not reward ignorance that is 
careless or deliberate. The requirement of section 1176(b)(2) that the 
covered entity exercise ``reasonable diligence,'' discussed below, 
would make a lack of knowledge defense unavailable where a covered 
entity's ignorance arises from its failure to inform itself about its 
compliance obligations or to investigate complaints or other 
information it receives indicating likely noncompliance.
ii. Imputed Knowledge
    In order to avail itself of the lack of knowledge defense, a 
corporate entity must show that (1) its responsible officers or 
managers did not know about the violation, and (2) even if an employee 
or other agent had actual knowledge of the violation, why that 
knowledge should not be imputed to the managers and, thus, to the 
corporate entity itself. Whether knowledge can be imputed to a covered 
entity's responsible officers or managers will be determined by 
principles of agency. We clarify this by providing in proposed Sec.  
160.410(b)(2) that such knowledge will be ``determined by the federal 
common law of agency.'' As noted in the discussion in section 
IV.C.1.b.i above, we would expect, as a general matter, to follow the 
principles set forth in the Restatement (Second) of Agency with respect 
to this issue. Under the general rule at section 272 of the 
Restatement, an agent's actual or constructive knowledge is imputed to 
the principal, subject to certain exceptions. Rest. 2nd of Agency 
(1958), comments a and b. Whether any of these exceptions are 
applicable would depend on the circumstances of each case. We solicit 
comment on this approach and, in particular, illustrations and 
explanations of cases where more or less specificity might be helpful.
iii. Reasonable Diligence
    The defense under section 1176(b)(2) is available only if the 
covered entity ``by exercising reasonable diligence would not have 
known ... that the [covered entity] violated the provision.'' The 
question this language raises is what action is required in order for a 
covered entity to be able to show that it has exercised reasonable 
diligence and that its ignorance of the violation is, hence, excused.
    The phrase ``reasonable diligence'' has applications in many areas 
of the law. ``Reasonable diligence'' is typically defined as ``1. A 
fair degree of diligence expected from someone of ordinary prudence 
under circumstances like those at issue. 2. See due diligence (1).'' 
Black's Law Dictionary (West, 7th edition, 1999). ``Due diligence'' is, 
in turn, defined as ``1. The diligence reasonably expected from, and 
ordinarily exercised by, a person who seeks to satisfy a legal 
requirement or to discharge an obligation.--Also termed reasonable 
diligence.'' Id. In the context of section 1176(b)(2), these concepts 
equate, we believe, to the concept of ``constructive knowledge.'' As 
usually defined, ``constructive knowledge'' is the ``knowledge that one 
using reasonable care or diligence should have, and therefore that is 
attributed by law to a given person.'' Id.
    The determination of whether a person acted with reasonable 
diligence is generally a factual one, since what is reasonable depends 
on the circumstances. Martin v. OSHRC (Milliken & Co.), 947 F.2d 1483 
(11th Cir. 1991); Bell Telephone Laboratories,
Inc. v. Hughes Aircraft Co., 564 F.2d 654 (3rd Cir. 1977). The courts 
use a variety of formulations to articulate when a person will be 
deemed to have known--i.e., to have constructive knowledge--that a 
particular incident occurred. However, the various formulations have 
common elements. They identify a ``prudent'' or ``reasonable'' person 
and consider whether that person would, under similar circumstances, 
have become aware of the information in question. They consider how 
``available'' the information is; for example, was the information in 
the covered entity's possession (such as in its electronic information 
system) or not. They consider whether there was ``some reason to awaken 
inquiry and suggest investigation;'' for example, had prior experience 
suggested that there could be problems, which a reasonable person would 
have investigated.
    We considered three options for implementing the provisions at 
section 1176(b)(2). One approach would be simply to repeat the 
statutory language; a second approach would be to provide a more 
detailed statement of criteria for establishing reasonable diligence; 
and the third approach would be to provide examples of situations that 
would (or would not) constitute reasonable diligence. We selected the 
second in order to provide some guidance, but not unduly circumscribe 
future decisions. Adapting the Black's definition of due diligence to 
the present context, proposed Sec.  160.410(a) would define 
``reasonable diligence'' to mean ``the business care and prudence 
expected from a person seeking to satisfy a legal requirement under 
similar circumstances.'' Factors to be considered in evaluating the 
applicability of this affirmative defense would include whether the 
covered entity took reasonable steps to learn of such violations and 
whether there were indications of possible violations, such as a 
complaint or other information made known to the entity, that a person 
seeking to satisfy a legal requirement would have investigated under 
similar circumstances.
c. Section 160.410(b)(3)--Affirmative Defense Based on Reasonable Cause
    Section 1176(b)(3) provides as follows:
    (A) In general. Except as provided in subparagraph (B), a 
penalty may not be imposed under subsection (a) if--
    (i) The failure to comply was due to reasonable cause and not to 
willful neglect; and
    (ii) The failure to comply is corrected during the 30-day period 
beginning on the first date the person liable for the penalty knew, 
or by exercising reasonable diligence would have known, that the 
failure to comply occurred.
    (B) Extension of period.
    (i) No penalty. The period referred to in subparagraph (a)(ii) 
may be extended as determined appropriate by the Secretary based on 
the nature and extent of the failure to comply.

These provisions raise several issues: (1) What is reasonable cause; 
(2) what is willful neglect; and (3) how should the cure period be 
determined.
i. Reasonable Cause
    For the defense under section 1176(b)(3) to be available, the 
failure to comply at issue must be ``due to reasonable cause and not to 
willful neglect'' (as well as corrected within the cure period). This 
language has a close analog in the Internal Revenue Code (IRC), which 
provides for an exemption from penalties for late filing where the late 
filing ``is due to reasonable cause and not due to willful neglect.'' 
26 U.S.C. 6651(a). This IRC language was construed by the United States 
Supreme Court in United States v. Boyle, 469 U.S. 241, 245 (1985). The 
Internal Revenue Service (IRS) had articulated specific factors that 
would constitute reasonable cause for late filing; in discussing these 
factors, the Court noted that the underlying principle was whether the 
circumstances were beyond the taxpayer's control.
    HHS has already adopted criteria interpreting paragraph (b)(3) that 
are not unlike those adopted by the IRS in connection with its late 
filing penalty statute. In the guidance published on July 24, 2003 (CMS 
Guidance), the criteria developed to address the October 16, 2003 
compliance deadline problems for the Transactions Rule are similar in 
nature to those developed by the IRS. Like the IRS criteria, they 
premise the existence of reasonable cause on the existence of 
circumstances outside of the covered entity's control which make 
compliance with the Transactions Rule unreasonable.
    We considered three options for implementing the reasonable cause 
language of section 1176(b)(3): repeating the statutory language; 
providing a more detailed statement of the criteria for establishing 
reasonable cause; or providing examples of situations that would (or 
would not) constitute reasonable cause. As with our decision about 
reasonable diligence, we took the second approach. Proposed Sec.  
160.410(a) would define ``reasonable cause'' as ``circumstances that 
make it unreasonable for the covered entity, despite the exercise of 
ordinary business care and prudence, to comply with the administrative 
simplification provision violated.'' This definition is generally based 
on the view of the Supreme Court in Boyle, but it is tailored to the 
HIPAA context in which the judgment in question would be made. It 
describes with more specificity the test for determining whether 
reasonable cause exists, but does not limit this test by specific 
examples. Thus, establishing reasonable cause under section 1176(b)(3) 
would require demonstrating circumstances that would make it 
unreasonable to expect an entity exercising ordinary business care and 
prudence to comply with the particular requirement that has been 
violated. The determination of whether reasonable cause exists is 
generally, and under this definition would be, a factual one, since 
what is ``reasonable'' depends on the circumstances.
ii. Willful Neglect
    For the defense under section 1176(b)(3) to be available, the 
failure of compliance must not be due to ``willful neglect.'' In Boyle, 
discussed above, the Supreme Court defined ``willful neglect'' as 
``conscious, intentional failure or reckless indifference'' and 
indicated that this concept includes carelessness or other types of 
fault. 469 U.S. at 245. Since the definition of the term ``willful 
neglect'' is well settled, we propose to adapt this definition of the 
term in proposed Sec.  160.410(a): ``conscious, intentional failure or 
reckless indifference to the obligation to comply with the 
administrative simplification provision violated.'' This definition 
reflects the concern that underlies the statutory language: where 
willful neglect caused the ``failure to comply'' in question, the 
penalty should not be excused.
    The proposed definition is also consistent with the approach 
already taken by HHS in the CMS Guidance. In the CMS Guidance, HHS 
stated that, in determining whether noncompliance with the Transactions 
Rule would be penalized, it would consider the ``good faith efforts'' 
of the covered entities deploying contingency measures after October 
16, 2003 as they work to come into compliance with the Transactions 
Rule. The presence of such ``good faith'' or diligent efforts to comply 
evidences the absence of willful neglect, because it demonstrates the 
absence of a ``reckless indifference to the obligation to comply with 
the administrative simplification provision violated.''
    The issue of whether there was willful neglect would be a factual 
inquiry separate from the question of whether reasonable cause existed, 
because section 1176(b)(3) requires both the presence of reasonable 
cause and the
absence of willful neglect. In the IRC cases discussed above, for 
example, proving the lack of willful neglect does not establish the 
existence of reasonable cause. However, a finding concerning one 
element may obviate the necessity of determining the other element, by 
ruling out the existence of a condition precedent for the affirmative 
defense. Thus, where it is found that reasonable cause does not exist, 
the presence or absence of willful neglect need not be determined; 
similarly, if it is found that willful neglect exists, the presence or 
absence of reasonable cause need not be determined.
iii. Determination of the Cure Period
    The presence of reasonable cause and absence of willful neglect are 
not sufficient, in themselves, to establish an affirmative defense 
under section 1176(b)(3). The covered entity must also correct the 
violation during the 30-day period beginning when the person knew or 
should have known that the violation existed. The statute gives the 
Secretary the right to extend this period to the extent he determines 
appropriate based on the nature and the extent of the failure to 
comply. This language presents two issues with respect to the cure 
period: (1) When does the cure period begin; and (2) what limitations, 
if any, should be placed on the Secretary's ability to extend the cure 
period.
    Beginning of the Cure Period. Section 1176(b)(3)(A) provides that 
the cure period begins ``on the first date the person liable for the 
penalty knew, or by exercising reasonable diligence would have known, 
that the failure to comply occurred.'' This language is the converse of 
section 1176(b)(2). These two provisions, accordingly, dictate a 
sequential analysis. The first question is whether the covered entity 
knew, or with reasonable diligence would have known, about the 
violation. If the covered entity was ignorant of the violation (i.e., 
it did not have actual or constructive knowledge of the violation), 
then no civil money penalty may be imposed for the period in which such 
ignorance existed. In such a situation, the covered entity's ignorance 
of the violation is a complete defense to imposition of the civil money 
penalty, so it is not necessary to reach the question of whether the 
grounds for a defense under section 1176(b)(3) are also met. However, 
as soon as the covered entity knows (or should have known) of the 
violation, then the cure period under section 1176(b)(3)(A)(ii) begins; 
simultaneously, the defense of ignorance stops being available to the 
covered entity. At that point, the question is whether the grounds for 
the ``reasonable cause'' defense (the presence of reasonable cause, the 
absence of willful neglect, and cure) exist.
    We do not propose to elaborate on the statutory language with 
regard to when the cure period begins. The text of proposed Sec.  
160.410(b)(3), like the statute, uses the defined term ``reasonable 
diligence'' and, thus, builds on the analysis conducted under proposed 
Sec.  160.410(b)(2).
    Extension of the Cure Period. Section 1176(b)(3)(A)(i) provides 
that the cure period may be extended ``as determined appropriate by the 
Secretary based on the nature and extent of the failure to comply.'' 
This statutory language is a broad grant of discretion to the Secretary 
to determine what is ``appropriate,'' requiring only that the Secretary 
base his decision on the ``nature and extent of the failure to 
comply.'' The statutory language requires an analysis based on the 
specific circumstances of the particular failure to comply at issue. 
Given the enormous number of covered entities, the almost infinite 
possible combinations of violations and circumstances, the extensive 
and varying experiences of covered entities in coming into compliance, 
the newness of both their and our experience with respect to compliance 
with the HIPAA rules, and the brevity of the 30-day period during which 
changes are required, the Secretary should be afforded significant 
discretion to decide when it is appropriate to extend the cure period. 
Proposed Sec.  160.410(b)(3)(ii)(B) accordingly follows the statutory 
language and would permit the Secretary to use the full discretion 
provided by the statute.
4. Section 160.412--Waiver
    Section 1176(b)(4) of the Act provides for waiver of a civil money 
penalty in certain circumstances. Section 1176(b)(4) provides that, if 
the failure to comply is ``due to reasonable cause and not to willful 
neglect,'' a penalty that has not already been waived under section 
1176(b)(3) ``may be waived to the extent that the payment of such 
penalty would be excessive relative to the compliance failure 
involved.'' If there is reasonable cause and no willful neglect and 
the violation has been timely cured, the imposition of the civil money 
penalty would be precluded under section 1176(b)(3). Therefore, waiver 
under this section would be available only where there is reasonable 
cause for the violation and no willful neglect, but the violation was 
not timely cured.
    Section 1176(b)(4) affords a covered entity a statutory right to 
request a waiver. However, the Secretary is not required to grant such 
a request: the words ``may be waived'' indicate that the decision to 
grant the waiver is discretionary. Moreover, the language ``to the 
extent that'' and ``excessive relative to'' indicate that the Secretary 
must consider the facts of the case to determine whether, and by what 
amount, a penalty may be reduced.
    While section 1176(b)(4) might appear to be subsumed by certain of 
the statutory factors that could be seen as mitigating factors, this 
provision duplicates neither those factors nor the affirmative 
defenses. In contrast to the statutory factors, which apply to 
determining the amount of a civil money penalty, section 1176(b)(4) 
comes formally into play once the penalty amount has been determined, 
because only after there is a specific proposed penalty amount can it 
be determined whether the penalty ``would be excessive relative to the 
compliance failure involved.'' Section 1176(b)(4) differs from the 
affirmative defenses in that it is not an absolute preclusion of civil 
money penalties; rather, waiver or reduction under section 1176(b)(4) 
is discretionary. Finally, in contrast to the mitigating factors and 
affirmative defenses, section 1176(b)(4) provides a ground on which a 
covered entity may request waiver or reduction of a penalty, once the 
penalty amount has been determined.
    Proposed Sec.  160.412 does not elaborate on the statute in any 
material way. This provision would provide the Secretary with the 
flexibility to utilize the discretion provided by the statutory 
language as necessary. We deem the statutory criterion itself 
reasonably capable of application, and, therefore, are not stating 
further criteria at this time.
5. Section 160.414--Limitations
    Proposed Sec.  160.414 was adopted by the April 17, 2003 interim 
final rule as Sec.  160.522. We propose to move this section, which 
sets forth the 6-year limitation period provided for in section 
1128A(c)(1), from subpart E to subpart D. We propose to do so because 
this provision applies generally to the imposition of civil money 
penalties and is not dependent on whether a hearing is requested. We 
also propose to change the language of this provision so that the date 
of the occurrence of the violation is the date from which the 
limitation is determined. We propose this change because the term 
``violation'' is defined in this proposed rule, whereas it was not 
defined in the April 17, 2003
interim final rule. Thus, the date of the violation can now be 
accurately used to calculate when ``the occurrence took place,'' as 
referenced in the statute. See also the discussion at section V.G 
below.
6. Section 160.416--Authority To Settle
    Proposed Sec.  160.416 was adopted by the April 17, 2003 interim 
final rule as Sec.  160.510. We propose to move this section, which 
addresses the authority of the Secretary to settle any issue or case or 
to compromise any penalty imposed on a covered entity, from subpart E 
to subpart D. We propose to do so because this provision applies 
generally to the imposition of civil money penalties, and is not 
dependent on whether a hearing is requested. No change is made to the 
text of the provision.
7. Section 160.418--Penalty Not Exclusive
    Proposed Sec.  160.418 is new. It is based upon Sec.  1003.109 of 
the OIG regulations. We propose to add this section to make clear that 
penalties imposed under this part are not intended to be exclusive 
where a violation under this part may also be a violation of, and 
subject the respondent to penalties under, another federal or a State 
law. Proposed Sec.  160.418 would, however, recognize that, under 
section 1176(b)(1) of the Act, a penalty may not be imposed under 
section 1176(a) if the act constitutes an offense punishable under 
section 1177.
8. Section 160.420--Notice of Proposed Determination
    The text of proposed Sec.  160.420 was adopted by the April 17, 
2003 interim final rule as Sec.  160.514. We propose to move this 
section from subpart E, which sets out the procedures and rights of the 
parties to a hearing, to subpart D. We propose to do so because the 
notice provided for in this section must be given whenever a civil 
money penalty is proposed, regardless of whether a hearing is 
requested. No changes are proposed to paragraphs (a)(1) and (a)(3), 
(4), or to paragraph (b), except conforming changes. Paragraph (a)(2) 
would be revised by adding that, in the event the Secretary employs 
statistical sampling techniques under Sec.  160.536, the sample relied 
upon and the methodology employed must be generally described in the 
notice of proposed determination. A new paragraph (a)(5) would require 
the notice to describe any circumstances described in Sec.  160.408 
that were considered in determining the amount of the proposed penalty; 
this provision corresponds to Sec.  1003.109(a)(5) of the OIG 
regulations. The present paragraph (a)(5) would be renumbered as 
(a)(6). See also the discussion at sections V.H-V.J below.
9. Section 160.422--Failure To Request a Hearing
    The text of proposed Sec.  160.422 was adopted by the April 17, 
2003 interim final rule as Sec.  160.516. We would add language (``and 
the matter is not settled pursuant to Sec.  160.416'') to recognize 
that the Secretary and the respondent may agree to a settlement after 
the Secretary has issued a notice of proposed determination. We also 
provide that the penalty is final upon receipt of the penalty notice, 
to make clear when subsequent actions, such as collection, may 
commence.
10. Section 160.424--Collection of Penalty
    The text of Sec.  160.424 was adopted by the April 17, 2003 interim 
final rule as Sec.  160.518. We propose to move this section, which 
addresses how a final penalty is collected, from subpart E to subpart 
D. We propose to do so because this provision applies generally to the 
imposition of civil money penalties and is not dependent upon whether a 
hearing is requested.
11. Section 160.426--Notification of the Public and Other Agencies
    Proposed Sec.  160.426 would implement section 1128A(h) of the Act. 
When a penalty proposed by the Secretary becomes final, section 
1128A(h) directs the Secretary to notify certain specified appropriate 
State or local agencies, organizations, and associations and to provide 
the reasons for the penalty. We propose to add the public generally, in 
order to make the information available to anyone who must make 
decisions with respect to covered entities. For instance, knowledge of 
the imposition of a civil money penalty for violation of the Privacy 
Rule could be important to health care consumers, as well as to covered 
entities throughout the industry, while information about the 
imposition of a civil money penalty for violation of the Transactions 
Rule or other HIPAA rules could be of interest to a covered entity's 
trading partners.
    The regulatory language would provide for notification in such 
manner as the Secretary deems appropriate. Posting to an HHS Web site 
and/or the periodic publication of a notice in the Federal Register are 
among the methods which the Secretary is considering using for the 
efficient dissemination of such information. These methods would avoid 
the need for the Secretary to determine which entities, among a 
potentially large universe, should be notified and would also permit 
the general public served by covered entities upon whom civil money 
penalties have been imposed to be apprised of this fact, where that 
information is of interest to them. While the Secretary could provide 
notice to individual agencies where desired, the Secretary could, at 
his option, use a single public method of notice, such as posting to an 
HHS Web site, to satisfy the obligation to notify the specified 
agencies and the public. See also the discussion at V.B below.

D. Subpart E--Procedures for Hearings

    As previously explained, the provisions of section 1128A of the Act 
apply to the imposition of a civil money penalty under section 1176 
``in the same manner as'' they apply to the imposition of civil money 
penalties under section 1128A itself. The provisions of subpart E are, 
as a consequence, based in large part upon, and are in many respects 
the same as, the OIG regulations. We propose to adapt, re-order, or 
combine the language of the OIG regulations in a number of places for 
clarity of presentation or to reflect concepts unique to the HIPAA 
provisions or rules. To avoid confusion, we have also employed certain 
language usages in order to make the usage in the rules consistent with 
that in the other HIPAA rules (for example, for mandatory duties, 
``must'' or ``will'' instead of ``shall'' is used; for discretionary 
duties, ``may'' instead of ``has the authority to'' is used). We do not 
discuss those nonsubstantive changes below. Where we propose to 
materially change the language of the OIG regulations, however, we 
discuss our reasons for doing so.
    As noted above, we have reorganized subparts C, D, and E so that 
there is a logical organization to the three subparts. Subpart E, as we 
propose to revise it, will address the pre-hearing and hearing phases 
of the enforcement process. We have discussed the sections that we have 
moved to subparts C and D in the discussion of those subparts. The 
proposed movement of sections out of subpart E and the introduction of 
new sections into subpart E, described below, necessitates the 
reordering and renumbering of other sections of the existing subpart E, 
so that the subpart is organized logically. We do not discuss such 
proposed reordering and renumbering, unless we propose to change 
substantially the text of the section in question.
    In the April 17, 2003 interim final rule, we deferred consideration 
of certain provisions so that they could be

[[Page 20241]]

addressed through notice-and-comment rule making. Claims of privilege 
and other objections to the taking of testimony at investigational 
hearings are addressed in proposed Sec.  160.314. The proposed rules 
relating to what constitutes ``a violation of a provision of this 
part'' and how the amount of civil money penalties will be determined 
are found in Sec.  160.302 of the proposed subpart C and in Sec. Sec.  
160.402--160.408, respectively, of the proposed subpart D. We include 
in proposed subpart E the proposed rules that relate to the conduct of 
a hearing.
1. Section 160.500--Applicability
    This section has been revised to reflect the more limited scope 
proposed for subpart E, resulting from the movement of many of the 
provisions in the April 17, 2003 interim final rule to proposed 
subparts C and D.
2. Section 160.502--Definitions
    Most of the definitions in this section of the April 17, 2003 
interim final rule have been moved either to Sec.  160.103 or to Sec.  
160.302, and are discussed in connection with those sections. In 
addition, we propose to delete the term ``entity'' from this section. 
The term is used in various contexts throughout the HIPAA rules, and we 
believe that the definition in the April 17, 2003 interim final rule 
may prove confusing with respect to the other HIPAA rules.
    A new definition is added to this section--a definition of the term 
``Board,'' which stands for the HHS Departmental Appeals Board. The 
term ``Board'' is used instead of the term ``DAB'', which is used in 
the OIG regulations, to make clear that the reviewing body is the panel 
of three judges that conducts appellate review of ALJ decisions for 
HHS. This term is defined because it appears in proposed Sec.  160.548, 
discussed below.
3. Section 160.504--Hearing before an ALJ
    This section, which is Sec.  160.526 of the April 17, 2003 interim 
final rule, would be largely unchanged. We note that, for a hearing 
request dismissed under this section as failing to raise any issue that 
may be properly addressed in a hearing (such as a hearing request that 
only raises constitutional claims), this subpart provides the 
administrative review channel leading to judicial review of such 
claims. Thus, such a dismissal would have to be appealed to the Board, 
under proposed Sec.  160.548, as a predicate to appeal to the federal 
courts.
    The current Sec.  160.526(a)(2) states that the Departmental party 
in a hearing is ``the Secretary.'' The term ``Secretary'' is defined at 
Sec.  160.103 of the HIPAA rules as ``the Secretary of Health and Human 
Services or any other officer or employee of HHS to whom the authority 
involved has been delegated.'' The Secretary's authority to interpret 
and enforce the HIPAA rules has been delegated to OCR, in the case of 
the Privacy Rule, and to CMS, in the case of the non-privacy HIPAA 
rules. Thus, the Secretary's investigative authority and authority to 
make a proposed determination of liability for a civil money penalty 
are exercised by OCR and/or CMS, depending on the HIPAA rule or rules 
at issue. However, in proposed subpart E, the Secretary is performing 
diverse functions: the adjudicative function is being performed for the 
Secretary by the ALJ and the Board, and the decision reached through 
this adjudicative process becomes the decision of the Secretary; at the 
same time, OCR and/or CMS are acting for the Secretary in defending the 
proposed determination in the adjudication. The reference to ``the 
Secretary'' may, thus, be confusing, as what part of HHS is being 
referred to depends on the context.
    Proposed Sec.  160.504(a)(2) would clarify which part of HHS acts 
as the ``party'' in the hearing. Because which component of HHS will be 
the ``party'' in a particular case will depend on which rule is alleged 
to have been violated, and because a particular case could involve more 
than one HIPAA rule, we define the Secretarial party generically, by 
reference to the component with the delegated enforcement authority. We 
adapt the regulatory definition of ``Secretary'' to make it clear that 
the Secretarial party could consist of more than one officer or 
employee, so that it is possible for both CMS and OCR to be the 
Secretarial party in a particular case.
    The last sentence of proposed Sec.  160.504(b) (current Sec.  
160.526(b)) provides that the date of receipt of the notice of proposed 
determination is presumed to be 5 days after the date of the notice 
unless the respondent makes a reasonable showing to the contrary. This 
showing may be made even where the notice is sent by mail and is not 
precluded by the computation of time rule of proposed Sec.  160.526(c) 
(current Sec.  160.548(c)) establishing a 5-day allowance for mailing. 
See section V.K below for further discussion of this provision.
4. Section 160.506--Rights of the Parties
    The text of paragraphs (a) and (b) of proposed Sec.  160.506 was 
adopted at Sec.  160.528 of the April 17, 2003 interim final rule, and 
no change, other than a conforming change, is proposed to those 
paragraphs. We propose to add a new paragraph (c) to address the issue 
of legal fees. Proposed subsection (c) adopts the same position taken 
in Sec.  1005.3(b) of the OIG regulations, by recognizing that a party 
who is accompanied, represented or advised by an attorney is free to 
enter into a fee arrangement of that party's choosing. This provision 
is included to make clear that the Secretary is not limiting how much 
the respondent's attorney may charge in attorneys' fees.
5. Section 160.508--Authority of the ALJ
    The text of proposed Sec.  160.508 was adopted by the April 17, 
2003 interim final rule as Sec.  160.530. No changes to paragraphs (a) 
and (b) are proposed. We propose to revise paragraph (c) by adding 
paragraphs (c)(1) and (5) to the list of limitations on the authority 
of the ALJ. Proposed paragraph (c)(1) would require the ALJ to follow 
federal statutes, regulations, and Secretarial delegations of 
authority, and to give deference to published guidance to the extent 
not inconsistent with statute or regulation. By ``published guidance'' 
we mean guidance that has been publicly disseminated, including posting 
on the CMS or OCR Web site. Although we recognize that such guidance is 
not controlling upon the courts, we believe that the ALJ and the Board 
(see the discussion below in connection with proposed Sec.  160.548), 
as components of HHS, must afford deference to such guidance to ensure 
that, to the extent possible, consistent decisions and compliance 
guidance are provided by the Secretary to covered entities.
    Proposed paragraph (c)(5) clarifies that ALJs may not review the 
Secretary's exercise of discretion whether to grant an extension or to 
provide technical assistance under section 1176(b)(3)(B) of the Act or 
the Secretary's exercise of discretion in the choice of variable(s) 
under proposed Sec.  160.406. Proposed paragraphs (c)(1) and (5) 
together make clear that the purpose of the hearing, and the authority 
of the ALJ in conducting the hearing, would only be to review the 
proposed civil money penalty. Thus, the ALJ would not have authority to 
refuse to follow, or to find invalid, the authorities cited as the 
basis for the proposed civil money penalty. The ALJ also would not have 
authority to review the Secretary's exercise of discretion under 
section 1176(b)(3)(B) of the Act to grant an extension or to provide 
technical assistance, nor would the ALJ have authority to review the 
Secretary's choice of variable(s) in

[[Page 20242]]

determining the number of violations of an identical administrative 
simplification provision, as that choice is likewise committed to the 
Secretary's discretion. The ALJ could, however, review whether the 
variable(s), once chosen, were properly applied.
6. Section 160.512--Prehearing Conferences
    Proposed Sec.  160.512 would revise paragraph (a) to establish a 
minimum amount of notice (not less than 14 business days) that must be 
provided to the parties in the scheduling of prehearing conferences. We 
propose this limitation to address problems that have been experienced 
in the context of administrative hearings in other programs. Proposed 
Sec.  160.512 would also revise paragraph (b)(11) to include the issue 
of the protection of individually identifiable health information as a 
matter that may be discussed at the prehearing conference, if 
appropriate. See also the discussion at section V.AA below, with regard 
to this provision.
7. Section 160.518--Exchange of Witness Lists, Witness Statements, and 
Exhibits
    Proposed Sec.  160.518 carries forward Sec.  160.540 of the 
existing subpart E with one substantive change. It would revise 
paragraph (a) to provide time limits within which the exchange of 
witness lists, statements, and exhibits must occur prior to a hearing. 
Under proposed Sec.  160.518(a), these items must be exchanged not more 
than 60, but not less than 15, days prior to the scheduled hearing. We 
are concerned that the information not be exchanged too early, lest the 
evidence become stale, and we are also concerned that the time period 
not be too short, depriving the parties of adequate time to prepare. 
Experience with administrative hearings in other programs suggests the 
need for this provision. See also the discussion at section V.R below.
8. Section 160.520--Subpoenas for Attendance at Hearing
    Proposed Sec.  160.520 would carry forward Sec.  160.542 of the 
existing subpart E mainly unchanged. The current Sec.  160.542(c) would 
be revised to clarify that when a subpoena is served on HHS, the 
Secretary may comply with the subpoena by designating any knowledgeable 
representative to testify. See also the discussion at sections V.W and 
V.X below.
9. Section 160.532--Collateral Estoppel
    Proposed Sec.  160.532 would adopt the doctrine of collateral 
estoppel applied in federal cases that once a court decides an issue of 
fact or law necessary to its judgment, the court's decision precludes 
the same parties from relitigating the same issue in another suit on a 
different cause of action. Allen v. McCurry, 449 U.S. 90 (1980). The 
doctrine also applies to a final decision of an administrative agency, 
acting in a judicial capacity, that resolves disputed issues before it, 
which the parties have had a fair opportunity to fully litigate. 
Astoria Federal Savings & Loan Ass'n v. Solimino, 501 U.S. 104, 107-108 
(1991). The proposed rule is modeled on Sec.  1003.114(a) of the OIG 
regulations. Section 1003.114(b), relating to the issue preclusion 
arising out of a conviction or plea in a federal criminal case based 
upon fraud or false statements, appears inapplicable to enforcement of 
the HIPAA rules, and, hence, no comparable provision is proposed for 
inclusion in this Rule.
10. Section 160.534--The Hearing
    The text of proposed Sec.  160.534 was adopted by the April 17, 
2003 interim final rule as Sec.  160.554. No changes to paragraphs (a) 
and (c) are proposed. However, HHS proposes to add a new paragraph (b) 
allocating the burden of proof at the hearing.
    Under the Administrative Procedure Act (APA), 5 U.S.C. 556(d), the 
burden of proof in ALJ hearings has two components--the burden of going 
forward and the burden of persuasion. The burden of going forward 
relates to the obligation to go forward initially with evidence that 
supports a prima facie case. The burden of going forward then shifts to 
the other party. The burden of persuasion relates to the obligation 
ultimately to convince the trier of fact that it is more likely than 
not that the advocated position is true. The party with the burden of 
persuasion loses in the situation where the evidence is in perfect 
balance.
    Proposed Sec.  160.534 would adopt the allocation of the burden of 
proof found in the OIG regulations and in administrative hearings 
generally, which is consistent with the APA. The respondent would bear 
the burden of proof with respect to (1) any affirmative defense, 
including those set out in section 1176(b) of the Act, as implemented 
by proposed Sec.  160.410, (2) any challenge to the amount or scope of 
a proposed penalty under section 1128A(d), as implemented by proposed 
Sec. Sec.  160.404--160.408, including mitigating factors, or (3) any 
contention that a proposed penalty should be reduced or waived under 
section 1176(b)(4), as implemented by Sec.  160.412. The Secretary 
would have the burden of proof with respect to all other issues, 
including issues of liability and the factors considered as aggravating 
factors under proposed Sec.  160.408 in determining the amount of 
penalties to be imposed. The burden of persuasion would be judged by a 
preponderance of the evidence (i.e., it is more likely than not that 
the position advocated is true).
    It is also proposed to revise the current Sec.  160.554(c) by 
adding a new paragraph (1) at proposed Sec.  160.534(d). Proposed Sec.  
160.534(d)(1) would provide that, at a hearing under this part, any 
party may present items or information, during its case in chief, that 
were discovered after the date of the notice of proposed determination 
or request for a hearing, as applicable. The admissibility of such 
proffered evidence would be governed generally by the provisions of 
proposed Sec.  160.540, and be subject to the 15-day rule for the 
exchange of trial exhibits, witness lists and statements set out at 
proposed Sec.  160.518(a). Any such evidence would not be admissible, 
if offered by the Secretary, unless it is relevant and material to the 
findings of fact set forth in the notice of proposed determination, 
including circumstances that may increase such penalty. If any such 
evidence is offered by the respondent, it would not be admissible 
unless it is relevant and material to a specific admission, denial or 
explanation of a finding of fact, or to a specific circumstance or 
argument expressly stated in the respondent's request for hearing that 
are alleged to constitute grounds for any defense or the factual and 
legal basis for opposing or reducing the penalty. Proposed Sec.  
160.534(d) would allow the parties the opportunity to present items and 
information that are relevant and material exclusively to the issues 
actually in dispute as expressly set forth in the notice of proposed 
determination and request for hearing. Items and information that would 
be relevant and material evidence of other violations, and support the 
imposition of other or additional penalties would be inadmissible. 
Likewise, items or information that support defenses, arguments, legal 
theories, or contentions other than those expressly set forth in the 
notice of hearing, or which are not relevant and material to the 
admissions, denials or explanations therein made, would not be 
admissible. Proposed Sec.  160.534(d)(2) would republish paragraph (c) 
of the present Sec.  160.554.
11. Section 160.536--Statistical Sampling
    Proposed Sec.  160.536, on statistical sampling, is new. A similar 
provision appears at Sec.  1003.133 of the OIG

[[Page 20243]]

regulations, and the use of sampling and statistical methods is 
recognized under Rule 702 of the Federal Rules of Evidence. Proposed 
Sec.  160.536 would permit the Secretary to introduce the results of a 
statistical sampling study as evidence of any variable under Sec.  
160.406(b) used to determine the number of violations of a particular 
administrative simplification provision, or, where appropriate, any 
factor considered in determining the amount of the civil money penalty 
under proposed Sec.  160.408. If the estimation is based upon an 
appropriate sampling and employs valid statistical methods, it would 
constitute prima facie evidence of the number of violations or amount 
of the penalty sought that is a part of the Secretary's burden of 
proof. Such a showing would cause the burden of going forward to shift 
to the respondent, although the burden of persuasion would remain with 
the Secretary.
12. Section 160.542--The Record
    This section is Sec.  160.560 of the April 17, 2003 interim final 
rule. Since the section provides that the record of the proceedings be 
transcribed, we propose to add to paragraph (a) of this section a 
requirement that the cost of transcription of the record be borne 
equally by the parties, in the interest of fairness.
13. Section 160.546--ALJ Decision
    Since we are proposing a process for administrative review of ALJ 
decisions (see section IV.D.14 below), the ALJ decision would be the 
initial decision of the Secretary, rather than the final decision of 
the Secretary as set forth in Sec.  160.564(d) of the April 17, 2003 
interim final rule. Thus, we propose to revise paragraph (d) to provide 
that the decision of the ALJ will be final and binding on the parties 
60 days from the date of service of the ALJ decision, unless it is 
timely appealed by either party. See also the discussion at section V.U 
below, with respect to proposed Sec.  160.546(b).
14. Section 160.548--Appeal of the ALJ Decision
    The April 17, 2003 interim final rule, at Sec.  160.564, makes the 
decision of the ALJ the final decision of the Secretary, thus 
permitting a respondent to file a petition for judicial review. In the 
preamble to the interim final rule, we noted that a second level of 
administrative review is generally available in Departmental hearings 
and that, while we had not provided for a second level of 
administrative review in the interim final rule, we intended to address 
the issue of further administrative review in this proposed rule. We do 
so now.
    Proposed Sec.  160.548 is modeled on the provisions that apply to 
appellate review under the OIG regulations. It provides that any party 
may appeal the initial decision of the ALJ to the HHS Departmental 
Appeals Board (Board) within 30 days of the date of service of the ALJ 
initial decision, unless extended for good cause. The appealing party 
must file a written brief specifying its exceptions to the initial 
decision. The opposing party may file an opposition brief, which is 
limited to the exceptions raised in the brief accompanying notice of 
appeal and any relevant issues not addressed in said exceptions and 
must be filed within 30 days of receiving the appealing party's notice 
of appeal and brief. The appealing party may, if permitted by the 
Board, file a reply brief. These briefs may be the only means that the 
parties will have to present their case to the Board, since there is no 
right to appear personally before the Board. The proposed rule provides 
that if a party demonstrates that additional evidence is material and 
relevant and there are reasonable grounds why such evidence was not 
introduced at the ALJ hearing, the Board may remand the case to the ALJ 
for consideration of the additional evidence.
    In an appeal to the Board, the standard of review on a disputed 
issue of fact is whether the ALJ's initial decision is supported by 
substantial evidence on the record as a whole; on a disputed issue of 
law, the standard of review is whether the ALJ's initial decision is 
erroneous. The Board may decline to review the case; may affirm, 
increase (subject to the statutory caps), reduce, or reverse any 
penalty; or may remand a penalty determination to the ALJ.
    We propose this process for administrative review of initial ALJ 
decisions to achieve consistency in civil money penalty decisions. 
Because hearings could be conducted by different ALJs, it is 
conceivable that different ALJs might decide the same or similar issues 
differently. Should this occur, it would be problematic for both 
covered entities and HHS. Provision for an internal, centralized review 
process should reduce the likelihood of inconsistent results. Indeed, 
provision for administrative review of ALJ decisions is common in other 
federal administrative hearing processes. Because the HIPAA rules 
affect such a large part of the health industry and the requirements of 
the various HIPAA regulatory schemes are new and interrelated, HHS 
considers it crucial that the decisions reached in the adjudicative 
process be consistent with other adjudicated decisions as well as with 
the policy decisions of the Secretary in the rules and in departmental 
guidance. Since only aggrieved respondents can appeal to the U.S. Court 
of Appeals under section 1128A(e), administrative review of ALJ 
decisions will help to ensure that the final decisions subject to 
judicial review represent a consistent interpretation of the HIPAA 
rules by the Secretary. While a process for administrative review of 
ALJ decisions will add cost and time to the process of imposing a civil 
money penalty for both HHS and covered entities, we believe that these 
disadvantages are outweighed by the compelling need to ensure 
consistency in the decisions of HHS with respect to such civil money 
penalties. Consistency will benefit both HHS and covered entities.
    Paragraphs (i) and (j) of proposed Sec.  160.548 address the 
issuance of the Board's decision on appeal. Under paragraph (i), the 
Board must serve its decision on the parties within 60 days after final 
briefs are filed. Under paragraph (j), the decision of the Board 
constitutes the final decision of the Secretary from which a petition 
for judicial review may be filed by a respondent aggrieved by the 
Board's decision. This option is the traditional process for 
administrative review of ALJ initial decisions regarding civil money 
penalties within HHS and is based on the process set forth in the OIG 
regulations. The decision of the Board becomes the final decision of 
the Secretary 60 days after service of the decision, except where the 
decision is to remand to the ALJ or a party requests reconsideration 
before the decision becomes final. Paragraph (j) provides that a party 
may request reconsideration of the Board's decision, provides a 
reconsideration process, and provides that the Board's reconsideration 
decision becomes final on service.
    Proposed Sec.  160.548(k) provides for a petition for judicial 
review of a final decision of the Secretary. Thus, we propose to remove 
Sec.  160.568 of the April 17, 2003 interim final rule as duplicative. 
The right to petition for judicial review is not altered under this 
proposal, although an ALJ decision must be reviewed by the Board before 
a petition for judicial review can be filed by a respondent.
15. Section 160.552--Harmless Error
    Proposed Sec.  160.552 is new. It would adopt the ``harmless 
error'' rule that applies generally to civil litigation in federal 
courts. The provision provides,

[[Page 20244]]

in general, that the ALJ and the Board at every stage of the proceeding 
will disregard any error or defect in the proceeding that does not 
affect the substantial rights of the parties. It is modeled on Rule 61, 
F.R.C.P., and on Sec.  1005.23 of the OIG regulations. In its 
application, it would further promote the efficient resolution of cases 
where the proposed imposition of a civil money penalty is challenged.

V. Response to Public Comments

    HHS requested comment on the April 17, 2003 interim final rule and 
received timely and substantive comments from 19 persons or 
organizations. We summarize those comments, and our responses to the 
comments, below.
    A. Comment: Two comments disagreed with HHS's approach of 
encouraging voluntary compliance. One argued that such an approach is 
tantamount to no enforcement; the other argued that since the Secretary 
already has the authority to conduct compliance reviews, a complaint-
driven approach fails to reflect the agency's statutory obligation to 
enforce the law and the mandate under section 1176 to impose civil 
money penalties for violations. It was also stated that while HHS's 
intention to resolve potential violations by informal means might be 
appropriate for minor violations, it is inappropriate for more serious 
violations or for covered entities that demonstrate repeated resistance 
to compliance.
    Most persons who commented on the voluntary compliance approach 
supported it, however. Several of these comments urged HHS to focus on 
resolving issues quickly and informally, particularly with respect to 
alleged violations of the Transactions Rule. One comment asked for 
assurance that covered entities will face only one set of enforcement 
rules and procedures, given that two different components of HHS have 
enforcement responsibilities. Several organizations asked HHS to 
provide more guidance with respect to how covered entities can comply, 
and can demonstrate compliance, with the HIPAA rules.
    Response: We do not agree that emphasizing voluntary compliance 
amounts to a policy of nonenforcement. To the contrary, our experience 
to date has been that covered entities are generally responsive to our 
investigative inquiries and act promptly to remedy deficiencies that 
are brought to their attention. The overarching goal of our enforcement 
program is to bring covered entities into compliance, so that the 
benefits of the HIPAA rules are fully realized. Securing voluntary 
compliance achieves this goal much more quickly and efficiently than 
would a process that was formal and adversarial from the start. This 
approach is consistent with the statute. As discussed above, one of the 
statutory defenses to a civil money penalty is the covered entity's 
taking corrective action on a timely basis, where reasonable cause for 
the noncompliance exists. See section 1176(b)(3)(A). As stated above, 
however, should informal, cooperative efforts fail, HHS would move 
forward with the civil money penalty remedy the statute provides.
    The Enforcement Rule addresses the concern that covered entities 
not face multiple sets of enforcement rules and procedures, as it 
provides for uniform procedures that will apply to all of the HIPAA 
rules. With respect to the concerns about guidance, HHS agrees that the 
provision of guidance on an ongoing basis is vitally important. As 
noted above, HHS is continuing to develop guidance on the various HIPAA 
rules, and will be publishing such guidance on an ongoing basis on the 
following HHS Web sites: http://www.hhs.gov/ocr/hipaa/ for the Privacy 
Rule and http://www.cms.gov/hipaa/hipaa2/ for the other HIPAA rules.
    B. Comment: Several comments suggested that information about 
complaints and other noncompliance issues should be made public to 
assist other covered entities in coming into compliance. One 
organization stated that the Enforcement Rule should include a 
requirement that the Secretary should annually report to Congress and 
the public on the number of complaints filed and their disposition.
    Response: The statute provides for formal notification of a number 
of entities when a penalty is final. Proposed Sec.  160.426 reflects 
this requirement and would provide for notification of the public in 
such circumstances. As previously noted, however, we expect most 
complaints to be resolved informally, and informal resolutions would 
not come within the process provided for by proposed Sec.  160.426. OCR 
and CMS will consider whether compilation and release of analyses of 
complaint dispositions would be an appropriate use of limited 
resources; however, we do not propose to mandate such action by this 
rule.
    C. Comment: One comment asked whether HHS anticipated developing a 
separate complaint mechanism for security complaints.
    Response: CMS has developed complaint procedures for the complaints 
regarding the Transactions Rule and a complaint tool for making such 
complaints is on the Web at http://www.cms.hhs.gov/hipaa/hipaa2. As the 
compliance dates of the HIPAA rules other than the Privacy and the 
Transactions Rules arrive, it is expected that the complaint tool will 
be modified to permit the filing of complaints relating to compliance 
with those other rules.
    D. Comment: One comment stated that additional protections are 
needed for investigational inquiries. The comment suggested that the 
rule should include the procedural protections of the OIG regulations, 
such as permission for witnesses to object to answering questions on 
the basis of privilege and to clarify their answers for the record.
    Response: Proposed Sec.  160.314(b) would revise Sec.  160.504(b) 
to include such procedural protections.
    E. Comment: One comment suggested that the rule contain a provision 
establishing the bases under which a complaint will be dismissed prior 
to a request for a hearing. Bases suggested were that the complaint has 
been litigated in another forum, the opportunity to contest the matter 
was available but not used in another forum, and another statutory 
remedy exists.
    Response: Consistent with the practice under the OIG regulations, 
the rules provide for general settlement authority, rather than 
specific grounds for dismissal. See proposed Sec.  160.416. In 
addition, the bases suggested in the comment would not be grounds, per 
se, for dismissal.
    F. Comment: One comment asked HHS to clarify the circumstances 
under which it would investigate a covered entity that was not the 
subject of a complaint.
    Response: We cannot project the variety of circumstances under 
which compliance reviews might be undertaken. Therefore, we do not 
propose to limit the situations in which this authority could be 
exercised.
    G. Comment: Several comments objected to Sec.  160.522. One argued 
that running the 6-year limitations period from the ``latest act or 
omission'' is a problem with respect to the 6-year record retention 
period provided for by the Privacy Rule, as covered entities might 
believe that they could destroy records that they would later need for 
defense purposes. It was also argued that the rule should clarify that 
actions may only be taken for violations which occur on or after the 
compliance date of the rule in question and that the date of the civil 
money penalty action is the date of the notice of proposed 
determination.
    Response: We agree. Proposed Sec.  160.414 would revise Sec.  
160.522 to provide that the period of limitations runs ``from the date 
of the occurrence of

[[Page 20245]]

the violation'' and that the Secretary commences the action ``in 
accordance with Sec.  160.420,'' meaning that the action is considered 
to be commenced by (and, therefore, on) the date of the notice of 
proposed determination. The definition of the term ``violation'' at 
proposed Sec.  160.302 builds in the concept of a duty to comply, since 
it defines that term as a ``failure to comply with an administrative 
simplification provision;'' the definition of the term ``administrative 
simplification provision'' in turn references the underlying HIPAA 
rules, which each explicitly state when the duty to comply begins.
    With respect to the 6-year document retention requirement of Sec.  
164.530(j)(2), insofar as compliance issues arise out of complaints, it 
is unlikely that a covered entity would be required to defend itself 
against a stale complaint, in view of the requirement at proposed Sec.  
160.306(b)(3) that complaints be filed within 180 days of when the 
complainant knew or should have known of the occurrence of the 
violation. In any event, nothing in the Privacy Rule precludes covered 
entities from retaining documents for a longer period than Sec.  
164.530(j)(2) requires, if they wish to do so.
    H. Comment: Nine comments expressed concern that Sec.  160.514 does 
not specify to whom the notice of proposed determination must be 
addressed. The concern was that, because receipt is presumed 5 days 
after mailing, a notice of proposed determination which was sent to a 
large organization might not get to the proper official on a timely 
basis, thereby wasting some of the covered entity's time for response. 
Several comments suggested that the rule require delivery to the chief 
executive officer and, as appropriate, to the company's privacy 
officer, security officer, or chief information officer. A couple of 
comments suggested that the rule incorporate the service standards of 
Rule 4, F.R.C.P., and require service upon ``an officer, a managing or 
general agent, or to any other agent authorized by statute to receive 
service.'' Several comments expressed support for the use of certified 
mail.
    Response: Like Sec.  160.514, proposed Sec.  160.420 does not 
identify the person(s) to whom the notice of proposed determination 
should be addressed, nor do we think it is necessary or feasible to do 
so. Rule 4, which applies under section 1128A(c), establishes who may 
be served and applies without need for further regulatory action. 
Because the size and other organizational circumstances of covered 
entities vary greatly, a rule that further limited or defined who must 
be served would most likely be inappropriate for some covered entities. 
Further, it is likely that a notice of proposed determination would be 
issued after significant prior contact with the covered entity, and we 
anticipate that our investigators would in any case be able to 
ascertain which officer would be the appropriate recipient of the 
notice.
    I. Comment: Several comments also argued that Sec.  160.514 should, 
like the analogous OIG regulations, require the notice of proposed 
determination to state the basis for the penalty calculation. Such 
information would help the covered entity understand the charges 
against it and prepare its defense. These comments recommended that the 
language in Sec.  1003.109(a)(5) of the OIG regulations be used.
    Response: We agree. A provision comparable to that in Sec.  
1003.109(a)(5) was omitted from Sec.  160.514 because the interim final 
rule did not provide for the aggravating and mitigating factors 
referenced in this provision of the OIG regulations. The proposed rule, 
however, contains the factors that may be considered in determining the 
amount of the penalty. Accordingly, proposed Sec.  160.420 follows the 
OIG regulations in this respect.
    J. Comment: One comment stated that it was not clear how the notice 
of proposed determination would interface with Sec.  160.312 and 
whether the written findings there end the informal resolution phase. 
The comment advocated that notice be provided before the notice of 
proposed determination.
    Response: We agree that it is not clear how Sec.  160.514 
interfaces with the notice process described at Sec.  160.312. At 
present, Sec.  160.312(a)(2) provides that the Secretary may issue 
written findings documenting noncompliance, if noncompliance is found 
and not informally resolved. Thus, we propose to revise Sec.  160.312 
to make the interface between that section and proposed Sec.  160.420 
(currently Sec.  160.514) seamless. Specifically, proposed Sec.  
160.312(a)(3)(ii) would provide that if the Secretary finds that a 
covered entity is not in compliance, the matter is not settled by 
informal means, and imposition of a civil money penalty is warranted, 
the Secretary will so inform the covered entity in a notice of proposed 
determination in accordance with Sec.  160.420. The notice of proposed 
determination would constitute the formal notice that the matter had 
not been informally resolved and that HHS had decided to seek civil 
money penalties. Further, with respect to notice prior to the notice of 
proposed determination, proposed Sec.  160.312(a)(3)(i) would provide 
that where noncompliance is indicated and the matter is not resolved by 
informal means, HHS would so inform the covered entity and give the 
covered entity an opportunity to submit written evidence of any 
affirmative defenses or mitigating factors, prior to issuing a notice 
of proposed determination.
    K. Comment: Several comments objected to the presumption in Sec.  
160.526(b) that the date of receipt of the notice of proposed 
determination is 5 days after the date of the notice. They argued that 
this presumption could work a hardship, in combination with the 60-day 
time limit for requesting a hearing, if the notice went to the wrong 
person in the organization or otherwise went astray.
    Response: Proposed Sec.  160.504(b) retains the language of the 
interim final rule. We believe the concerns about hardship are 
misplaced. The requirement permits the ALJ to grant an extension of the 
5-day time period if the respondent demonstrates that the presumption 
should not apply: ``For purposes of this section, the respondent's date 
of receipt of the notice of proposed determination is presumed to be 5 
days after the date of the notice unless the respondent makes a 
reasonable showing to the contrary to the ALJ.'' This language tracks 
the comparable provision at Sec.  1005.2(c) of the OIG regulations and 
has worked well.
    L. Comment: A number of comments objected to the 60-day time limit 
in Sec.  160.526(b) for a respondent to file its request for hearing, 
in combination with the specific detail required by that section. They 
objected to the time limit and the related requirement for specific 
response on several grounds: the level of specificity demanded requires 
the respondent to devise its entire defense, and, because the notice of 
proposed determination is the first notice the respondent has of the 
charges, 60 days is too short a time period in which to do this; the 
requirement requires more specificity of the respondent than of the 
Secretary, which is unfair; and the requirements, together with the 5-
day presumption of receipt and the failure to specify who receives the 
notice of proposed determination, are unfair and a violation of a 
respondent's right to due process. It was generally recommended that 
the request for hearing requirement parallel Sec.  1005.2 of the OIG 
regulations, which requires the request to be made within 60 days of 
receipt of the notice, but requires that the request for hearing state 
which findings of fact and

[[Page 20246]]

conclusions of law are disputed and the basis for the dispute.
    Response: The comments on this issue assume that a notice of 
proposed determination will be served on a respondent with no warning. 
This assumption is not reasonable under the procedures the proposed 
rule would establish, however. Proposed Sec.  160.304 would require the 
Secretary to seek the cooperation of the covered entity in obtaining 
compliance to the extent practicable, which will necessitate 
communication about the noncompliance at issue. The investigation or 
compliance review process itself will necessarily disclose much about 
the noncompliance at issue to the facility, since the covered entity 
will typically be the primary source of information relevant to the 
investigation. If an investigation or compliance review indicates 
noncompliance, proposed Sec.  160.312(a)(1) provides that the Secretary 
will attempt to reach a resolution of the matter satisfactory to the 
Secretary by informal means. Further, where noncompliance is indicated 
and the matter is not resolved by informal means, HHS will so inform 
the covered entity and give it the opportunity to submit written 
evidence of any affirmative defenses or mitigating factors, prior to 
issuing a notice of proposed determination. See proposed Sec.  
160.312(a)(3)(i). Thus, the covered entity necessarily will be made 
aware of, and have the opportunity to address, HHS's compliance 
concerns throughout the investigative period preceding the notice of 
proposed determination and should not be surprised by the matters 
described in the notice. For these reasons, we do not believe that the 
60-day response time is inadequate.
    M. Comment: One comment stated that settlements should be approved 
by the ALJ. Another asked whether settlements will be a viable path to 
resolution of disputes.
    Response: Consistent with our commitment to obtaining voluntary 
compliance and the regulatory policies discussed in the preceding 
response, we expect that settlement of compliance issues will be 
frequent. We do not propose to have the ALJ approve such settlements, 
to preserve our ability to resolve compliance issues and achieve 
voluntary compliance through informal means. See proposed Sec.  
160.514.
    N. Comment: Several comments queried whether covered entities would 
be held liable under the Enforcement Rule for violations by their 
business associates. Of particular concern were violations committed by 
health care clearinghouses.
    Response: Under Sec.  160.402 of the proposed rule, a covered 
entity would not be liable for the actions of its business associates 
where the covered entity has complied with the appropriate business 
associate provisions. See section IV.C.1.b. above for further 
discussion.
    O. Comment: Several comments stated that the rule needs to state 
what a violation is, what the aggravating and mitigating circumstances 
are, how the total fine for violations is calculated, and what would 
constitute an acceptable defense and indicate an appropriate level of 
``due diligence.'' One comment suggested that evidence of willingness 
to enter into a corrective action plan should be a mitigating factor. 
One comment noted that the full Enforcement Rule was needed before the 
April 17, 2003 interim final rule expires.
    Response: We generally agree. The proposed rule addresses the 
violation and affirmative defense issues at Sec. Sec.  160.402-160.410. 
Also, the April 17, 2003 interim final rule has been extended by 
separate regulatory action to permit ongoing enforcement while this 
rulemaking proceeds. Proposed Sec.  160.408(d)(3) provides that the 
Secretary may consider, as an aggravating or mitigating factor, how the 
covered entity has responded to technical assistance from the Secretary 
provided in the context of a compliance effort, with respect to prior 
offenses.
    P. Comment: One comment asked that the Enforcement Rule describe 
the procedures for referral to the Department of Justice of suspected 
criminal violations. Another comment asked that HHS attempt to ensure 
that the application of the criminal provisions by the Department of 
Justice was the same as the application of the civil provisions by HHS.
    Response: The procedures for referral of criminal matters to the 
Department of Justice lie outside the scope of the Enforcement Rule, 
which implements only HHS's authority under section 1176 of the Act.
    Q. Comment: One comment requested clarification of the statutory 
basis for imposing penalties for violations of the Privacy Rule, since 
section 264 is a footnote in the U.S. Code.
    Response: Section 264 of the Act is codified as a note to 42 U.S.C. 
1320d-2. We have always read section 264 as functionally a part of Part 
C. Section 264 and Part C cross-reference each other, and the 
terminology of section 264 is also the terminology of Part C 
(``standard'', ``individually identifiable health information'', 
``implementation specification''). Further, the criminal penalty 
provisions of section 1177 would not make sense if they did not apply 
to the privacy standards, and section 1176 is, as discussed at IV.C.3 
above, closely related to section 1177. The legislative history 
confirms this common-sense reading. See H. Rep. No. 496, 104th Cong., 
2d Sess., 1996 U.S. Code Cong. & Admin. News, p. 1865.
    This reading of the statute accords with that of Congress. Section 
1860D-31(h)(6)(A) of the Act, adopted by MMA, states that an endorsed 
discount drug card sponsor--

is a covered entity for purposes of applying part C of title XI and 
all regulatory provisions promulgated thereunder, including 
regulations (relating to privacy) adopted pursuant to the authority 
of the Secretary under section 264(c) of the Health Insurance 
Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note).

    R. Comment: With respect to prehearing proceedings, two comments 
stated that permitting the ALJ to require exchange of witness lists 
more than 15 days prior to the hearing could seriously infringe on the 
amount of time the covered entity has to prepare its case. It was also 
argued that 60 days is too short a period to prepare for the hearing. 
One comment stated that interrogatories should be allowed, because 
records may be incomplete or contain mistakes. One comment supported 
the requirement of Sec.  160.540(b)(3) (proposed Sec.  160.518(b)(3)), 
requiring the ALJ to recess the hearing for a reasonable time for an 
objecting party to prepare a response to witnesses or exhibits that 
were not exchanged prior to the hearing.
    Response: The scheduling of a hearing will depend on the schedule 
of the ALJ to whom the case is assigned, among other factors. There is 
nothing in the Enforcement Rule that requires the scheduling of the 
hearing within a certain period of time following the request for 
hearing. Thus, we do not think that the provision for exchange of 
information earlier than 15 days prior to hearing should work a 
hardship on either side, and the ALJ should be able to establish a 
schedule that takes into consideration the needs of the parties. 
Indeed, we believe that this requirement will assist each party in 
presenting a well-prepared case that will result in an efficient and 
effective hearing. As the prehearing procedures permit both documentary 
and testimonial discovery, we do not permit interrogatories, which we 
believe would add extra time and burden to the preparation process 
without commensurate benefit.
    S. Comment: Several comments urged that the rule should contain a 
procedure to permit the parties to waive the prehearing conference and 
the formal

[[Page 20247]]

hearing and request that the case be submitted on documentary evidence 
and written argument, to make the process more efficient and less 
expensive.
    Response: Proposed Sec. Sec.  160.508(b)(13) and 160.512(b)(4), (5) 
would permit this.
    T. Comment: One comment stated that the covered entity should have 
the burdens of going forward and persuasion on affirmative defenses and 
mitigating circumstances, while HHS should have the burdens of going 
forward and persuasion on allegations of violation.
    Response: We agree. Proposed Sec.  160.534(b) so provides.
    U. Comment: Several comments stated that the ``affirm, increase, or 
reduce the penalties imposed by the Secretary'' language of Sec.  
160.564(b) would not permit the ALJ to decide that no violation 
occurred.
    Response: The language of Sec.  160.564 of the April 17, 2003 
interim final rule, which is now found at proposed Sec.  160.546, will 
permit the ALJ to decide that no violation occurred. Proposed Sec.  
160.546(a) requires the ALJ to make findings of fact and conclusions of 
law. If these findings and conclusions support a determination that the 
respondent did not violate an administrative simplification provision, 
then no penalty may be imposed. The language in proposed Sec.  
160.546(b) permits an ALJ who determines that a respondent has violated 
an administrative simplification provision to act in regard to the 
penalty amount set forth in the notice of proposed determination, that 
is, to affirm, increase, or reduce the amount of the proposed penalty 
in accordance with the other applicable provisions of the regulations.
    V. Comment: Several comments argued that statistical sampling would 
be inappropriate to establish the number of violations. It was argued 
that statistical sampling, as used in the OIG hearings, had been used 
improperly, in studies that had basic weaknesses, such as a too small 
sample size.
    Response: Proposed Sec.  160.536 provides for the use of 
statistical sampling, as a well-established evidentiary tool. Proposed 
Sec.  160.536(b), which affords the opposing side the opportunity to 
rebut the statistical proof offered, provides a procedural safeguard to 
permit a respondent to challenge the reliability of any statistical 
proof offered.
    W. Comment: Two comments suggested that respondents should be able 
to subpoena HHS witnesses with direct knowledge of the investigation or 
other matters at issue.
    Response: Proposed Sec.  160.520(c) provides that the Secretary 
must designate a representative who is ``knowledgeable'' to testify. It 
would disrupt the agency's operations if a respondent could subpoena 
any HHS official by name. The requirement that the HHS representative 
be knowledgeable should permit the presentation of informed testimony, 
while permitting the orderly conduct of government business to 
continue.
    X. Comment: One comment stated that the rule should permit 
acceptance of testimony or a written statement from individuals whose 
privacy was violated, permit such individuals to testify, and require 
that such individuals be given 30 days notice of the hearing.
    Response: The proposed rule would not preclude us from offering the 
testimony of such individuals, but the decision to do so is a 
litigation decision that must be reserved to the agency. We do not 
require that notice of the hearing be provided to the individuals whose 
privacy was violated, but such information is publicly available.
    Y. Comment: A number of comments stated that agency review of the 
ALJ decision was needed or questioned why it was not provided. A few 
comments supported having the ALJ decision be the final agency action 
as resulting in a more efficient and expeditious process.
    Response: We have proposed a second level of agency review, for the 
reasons set out at section IV.D.14 above.
    Z. Comment: Two comments questioned the provision for set-off at 
Sec.  160.518(c). One asked whether set-off would occur without state-
level due process. The other was concerned about provision of notice. 
Both were concerned that set-off could have a devastating impact on 
those to whom it was applied.
    Response: The right of set-off is provided for by section 1128A(f). 
Proposed Sec.  160.424(c) accordingly retains it. We intend to follow 
applicable procedures in pursuing set-off.
    AA. Comment: A couple of comments objected to Sec.  160.560. It was 
stated that the rule should incorporate additional procedures to ensure 
that protected health information introduced into evidence is protected 
from review by outside parties, redactions should be made available to 
the parties for review, and OCR should be required to pay for the court 
reporter.
    Response: The protection of protected health information, including 
by redaction of the record, is a matter that can be addressed in the 
prehearing conference. See proposed Sec.  160.512(b)(11). We believe 
that the ALJ will be in the best position to determine what specific 
steps should be taken in a particular case to protect the privacy of 
any protected health information introduced into evidence. In the 
interest of fairness, proposed Sec.  160.542(a) would apportion the 
cost of transcription of the record equally between the parties.
    BB. Comment: One comment stated that Sec.  160.558(g) should be 
revised to require the Secretary to include notice to the respondent 
where HHS intends to present in its case in chief evidence of past 
crimes or similar evidence to show motive, opportunity, intent, etc.
    Response: Proposed Sec.  160.540(g) would retain this provision. 
This provision tracks Sec.  1005.17(g) of the OIG regulations, and we 
see no basis to depart from our practice in this regard.

VI. Impact Statement and Other Required Analyses

A. Paperwork Reduction Act

    We reviewed this proposed rule to determine whether it raises 
issues that would subject it to the Paperwork Reduction Act (PRA). 
While the PRA applies to agencies and collections of information 
conducted or sponsored by those agencies, 5 CFR 1320.4(a) exempts 
collections of information that occur ``during the conduct of * * * an 
administrative action, investigation, or audit involving an agency 
against specific individuals or entities,'' except for investigations 
or audits ``undertaken with reference to a category of individual or 
entities such as a class of licensees or an entire industry.'' The 
proposed rule comes within this exemption, as it deals entirely with 
administrative investigations and actions against specific individuals 
or entities. Consequently, it need not be reviewed by the Office of 
Management and Budget under the authority of the PRA.

B. Executive Order 12866; Regulatory Flexibility Act; Section 1102, 
Social Security Act; Unfunded Mandates Reform Act of 1995; Small 
Business Regulatory Enforcement Fairness Act of 1996; Executive Order 
13132

    We have examined the impacts of this proposed rule as required by 
Executive Order 12866 (September 1993, Regulatory Planning and Review), 
the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-
354), section 1102(b) of the Social Security Act, the Unfunded Mandates 
Reform Act of 1995 (Pub. L. 104-4), the Small Business Regulatory 
Enforcement and Fairness Act, 5 U.S.C. 801 et seq., and Executive Order 
13132.

[[Page 20248]]

1. Executive Order 12866
    Executive Order 12866 (as amended by Executive Order 13258, which 
merely reassigns responsibility of duties) directs agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 12866 defines, at section 3(f), several categories of 
``significant regulatory actions.'' One category is ``economically 
significant'' rules, which are defined in section 3(f)(1) of the Order 
as rules that may ``have an annual effect on the economy of $100 
million or more, or adversely affect in a material way the economy, 
productivity, competition, jobs, the environment, public health or 
safety, or State, local, or tribal governments or communities.'' 
Another category, under section 3(f)(4) of the Order, consists of rules 
that are ``significant regulatory actions'' because they ``raise novel 
legal or policy issues arising out of legal mandates, the President's 
priorities, or the principles set forth in this Executive Order.'' 
Executive Order 12866 requires a full economic impact analysis only for 
``economically significant'' rules under section 3(f)(1).
    We have concluded that this rule should be treated as a 
``significant regulatory action'' within the meaning of section 3(f)(4) 
of Executive Order 12866, because the HIPAA provisions to be enforced 
have extremely broad implications for the Nation's health care system, 
and because of the novel issues presented by, and the uncertainties 
surrounding, compliance among covered entities. However, we have 
determined that the impact of this rule is not such that it reaches the 
economically significant threshold under section 3(f)(1) of the Order.
    Estimating the impacts of this rule presents unique challenges. On 
its face, the rule simply describes how HHS plans to enforce the HIPAA 
provisions, and can be considered a procedural rule without any 
intrinsic impact. However, health care providers, insurers, and health 
care clearinghouses that are covered by the HIPAA provisions represent 
a large proportion of their respective economic sectors. Further, all 
are within the jurisdiction of the Enforcement Rule (which is a 
``significant regulatory action,'' as noted above).
    The actual economic impacts of implementing the HIPAA provisions 
are subsumed in each of the applicable substantive regulations (Privacy 
Rule, Security Rule, Transactions Rule, et cetera). The economic 
impacts properly attributable to this rule, however, are those stemming 
from changes to current practice as a result of the Enforcement Rule 
and the cost of new and additional responsibilities that are required 
to conform to the Rule. In general, these costs are limited to costs 
related to conducting and responding to the investigation of complaints 
concerning the alleged HIPAA violations over which HHS has jurisdiction 
and compliance reviews, conducting hearings, and levying and collecting 
civil money penalties. The cost of conducting and responding to 
investigations of privacy complaints and compliance reviews with 
respect to the Privacy Rule has already been covered by the impact 
analysis of the Privacy Rule. Here we extend these processes to the 
other HIPAA rules. For reasons outlined in the following narrative, we 
anticipate the impacts of the additional activities covered by this 
rule to fall below the $100 million annual threshold that would raise 
this rule to the definition of ``economically significant,'' but 
acknowledge there is much that is unknown underlying the assumptions 
that have led us to this conclusion. We discuss these assumptions 
below.
    Affected Entities and Projected Costs. Because of its scope, 
purview, and potential application, the Enforcement Rule is a 
significant regulatory action within the meaning of section 3(f)(4) of 
Executive Order 12866. We believe that over 2.5 million health care 
providers, health plans, and health care clearinghouses will meet the 
definition of a covered entity.
    It is difficult for us to determine or estimate the impact of the 
Enforcement Rule on covered entities. All covered entities are expected 
to comply with the HIPAA rules. Enhancing the likelihood of compliance 
is the fact that each substantive HIPAA rule (e.g., the Privacy Rule, 
the Security Rule, the Transactions Rule) has at least a twenty-six 
month period between publication of the final rule and the compliance 
date (60 days for APA Congressional review, plus 24 months for covered 
entities or 36 months for small health plans). Thus, covered entities 
have at least 26 months to prepare for implementation, and HHS has 
provided, and will continue to provide, ample educational opportunities 
for covered entities during these periods. We also note that, as 
evidenced by the CMS Guidance, discussed above, where HHS became aware 
of potential noncompliance problems with the Transactions Rule, it 
acted proactively to outline an approach to enforcement that would 
permit flexibility under certain circumstances and which would not 
penalize good faith efforts to come into compliance. Accordingly, 
noncompliance that would be pursued under the provisions of the 
proposed Enforcement Rule should be considered to be the exception, 
rather than the norm.
    Further minimizing the impact of the Enforcement Rule is the fact 
that most compliance efforts undertaken under the provisions of the 
rule are expected to result from complaints, rather than compliance 
reviews. To date, complaints have involved only an infinitesimal 
percentage of the universe of covered entities. As of the end of July 
2004, OCR has received over 7,500 complaints related to the Privacy 
Rule since the compliance date of April 14, 2003, and CMS has received 
145 complaints related to the Transactions Rule since the compliance 
date of October 16, 2003.
    The most expensive impacts of this rule will derive from those 
cases in which the covered entities exercise their rights of appeal 
under subpart E of part 160. Based on our experience with other civil 
money penalty cases, the costs of such cases can be expected to dwarf 
the costs of cases that are resolved prior to the hearing stage. 
However, again based on our experience in other civil money penalty 
cases, very few of the cases opened will proceed through that stage. 
That other Departmental experience is borne out by our experience with 
respect to the HIPAA complaints received to date. Of the privacy 
complaints received and processed by the end of July 2004, 
approximately 57% were resolved immediately due to lack of jurisdiction 
(e.g., the complaint pertained to events that occurred before the 
implementation date of the relevant HIPAA regulation, the complaint did 
not relate to a covered entity, et cetera) or because of action taken 
by the covered entity to resolve the complaint voluntarily; similarly, 
of the 145 transactions complaints received from October 2003 through 
July 2004, 60% were closed in that period. Thus, it seems reasonable to 
assume that the costs attributable to the provisions of this rule will, 
in most cases that are opened, be low.
    We recognize that our experience to date reflects slightly over one 
year of experience under the Privacy Rule, and less than one year under 
the Transactions Rule. Data generated on cases that might lead to the 
imposition of a civil money penalty during this time frame may not be 
typical of what we will see over time. For example, the

[[Page 20249]]

number of complaints that may be dismissed because they involve 
situations that occurred before the relevant compliance date should 
decrease with the passage of time. Similarly, we would expect the 
instances of noncompliance to decrease as covered entities gain 
experience in complying with the HIPAA rules; on the other hand, the 
number of complaints could increase as individuals and entities become 
more aware of the rules' requirements. As we acquire experience under 
the rules, we will have a more extensive database for evaluating the 
impacts of enforcement activities.
    Benefits of the Enforcement Rule. We believe that the value of the 
benefits brought by the HIPAA provisions is sufficient to warrant 
appropriate enforcement efforts. The benefits of the underlying HIPAA 
rules have been previously estimated in connection with the Privacy and 
the Transactions Rules, and are significant. The Enforcement Rule will 
encourage voluntary compliance, and provide a means for enforcing 
compliance where it is not forthcoming voluntarily, thereby 
facilitating the achievement of the benefits of the other HIPAA rules. 
See, 65 FR 50350-50351; 65 FR 82760, 82776-82779; 68 FR 8370-8371. The 
benefits of these protections far outweigh the costs of this 
enforcement regulation.
    Summary. In most cases, if covered entities comply with the various 
HIPAA rules, they should not incur any significant additional costs as 
a result of the Enforcement Rule. This is based on the fact that the costs 
intrinsic to most of the HIPAA rules and operating directions against 
which compliance is evaluated have been scored independently of this 
rule and the requirements have not changed. We recognize that the 
specific requirements against which compliance is evaluated are not yet 
well known and may evolve with experience under HIPAA, but we expect 
that covered entities have both the ability and expectation to maintain 
compliance, especially given our commitment to encouraging and 
facilitating voluntary compliance. While not straightforward to 
project, it seems likely that the number of times in which the full 
civil money penalty enforcement process will be invoked will be 
extremely small, based on the evidence to date.
2. Other Analyses
    We also examined the impact of the proposed Rule as required by the 
Regulatory Flexibility Act (RFA). The RFA requires agencies to 
determine whether a rule will have a significant economic impact on a 
substantial number of small entities. For purposes of the RFA, small 
entities include small businesses, nonprofit organizations, and 
government jurisdictions; for health care entities, the size standard 
for a ``small'' entity ranges from $6 million to $29 million in 
revenues in any one year. Most hospitals and most other providers and 
suppliers are small entities, either by nonprofit status or by having 
revenues less than the applicable size standard in any one year. As 
discussed above, the incidence of noncompliance is expected to be low, 
and, as also discussed above, it is expected that most issues of 
noncompliance will be resolved with minimal enforcement action. Even 
though the burden of regulatory compliance often falls 
disproportionately on small entities, there is no evidence to suggest 
that small entities have a higher rate of noncompliance than large 
entities. The Secretary therefore certifies that this rule will not 
have a significant economic impact on a substantial number of small 
entities.
    Section 1102(b) of the Act requires agencies to prepare a 
regulatory impact analysis if a rule may have a significant impact on 
the operations of a substantial number of small rural hospitals. This 
analysis must conform to the provisions of section 603 (proposed 
documents)/604 (final documents) of the RFA. For purposes of section 
1102(b) of the Act, we define a small rural hospital as a hospital that 
is located outside of a Metropolitan Statistical Area and has fewer 
than 100 beds. This proposed rule would not have a significant impact 
on small rural hospitals. The rule would implement procedures necessary 
for the Secretary to enforce subtitle F of Title II of HIPAA. As noted 
earlier, we do not expect that covered entities will willfully be out 
of compliance in such a way that would result in an enforcement action 
proceeding through the hearing stage.
    Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 
1531 et seq., also requires that agencies assess anticipated costs and 
benefits before issuing any rule that may result in expenditure in any 
one year by State, local, or tribal governments, in the aggregate, or 
by the private sector, of $100 million. The Small Business Regulatory 
Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 801 et seq., 
requires that rules that will have an impact on the economy of $100 
million or more per annum be submitted for Congressional review. For 
the reasons discussed above, this proposed rule would not impose a 
burden large enough to require a section 202 statement under the 
Unfunded Mandates Reform Act of 1995 or Congressional review under 
SBREFA.
    Executive Order 13132 establishes certain requirements that an 
agency must meet when it adopts a proposed rule (and subsequent final 
rule) that imposes substantial direct requirement costs on State and 
local governments, preempts State law, or otherwise has Federalism 
implications. This proposed rule does not have ``Federalism 
implications.'' The rule would not have ``substantial direct effects on 
the States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government.'' As the Enforcement Rule is procedural 
in nature, its economic effects would not be substantial, as explained 
previously. Any preemption of State law that could occur would be a 
function of the underlying HIPAA rules, not the Enforcement Rule, which 
principally establishes the means by which the statutory civil money 
penalty provisions will be implemented. Therefore, the Enforcement Rule 
is not subject to Executive Order 13132 (Federalism).

    Dated: April 8, 2005.
Michael O. Leavitt,
Secretary.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic transactions, Employer benefit plan, Health, Health care, 
Health facilities, Health insurance, Health records, Hospitals, 
Investigations, Medicaid, Medical research, Medicare, Penalties, 
Privacy, Reporting and record keeping requirements, Security.

45 CFR Part 164

    Administrative practice and procedure, Electronic information 
system, Electronic transactions, Employer benefit plan, Health, Health 
care, Health facilities, Health Insurance, Health records, Hospitals, 
Medicaid, Medical research, Medicare, Privacy, Reporting and record 
keeping requirements, Security.
    For the reasons set forth in the preamble, the Department of Health 
and Human Services proposes to amend 45 CFR subtitle A, subchapter C, 
parts 160 and 164, as set forth below.

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

    1. The authority citation for part 160 is revised to read as 
follows:


[[Page 20250]]


    Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, and sec. 
264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 
(note)).
    2. Section Sec.  160.103 is amended by adding the definition 
``Person'' in alphabetical order to read as follows:


Sec.  160.103  Definitions.

* * * * *
    Person means a natural person, trust or estate, partnership, 
corporation, professional association or corporation, or other entity, 
public or private.
* * * * *
    3. Revise subpart C of this part to read as follows:

Subpart C--Compliance and Investigations

Sec.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance 
reviews.
160.314 Investigational subpoenas and inquiries.
160.316 Refraining from intimidation or retaliation.

Subpart C--Compliance and Investigations


Sec.  160.300  Applicability.

    This subpart applies to actions by the Secretary, covered entities, 
and others with respect to ascertaining the compliance by covered 
entities with, and the enforcement of, the applicable requirements of 
this part 160 and the applicable standards, requirements, and 
implementation specifications of parts 162 and 164 of this subchapter.


Sec.  160.302  Definitions.

    As used in this subpart and subparts D and E of this part, the 
following terms have the following meanings:
    Administrative simplification provision means any requirement or 
prohibition established by:
    (1) 42 U.S.C. 1320d-1320d-4, 1320d-7, and 1320d-8;
    (2) Section 264 of Pub. L. 104-191; or
    (3) This subchapter.
    ALJ means Administrative Law Judge.
    Civil money penalty or penalty means the amount determined under 
Sec.  160.404 of this part and includes the plural of these terms.
    Respondent means a covered entity upon which the Secretary has 
imposed, or proposes to impose, a civil money penalty.
    Violation or violate means, as the context may require, failure to 
comply with an administrative simplification provision.


Sec.  160.304  Principles for achieving compliance.

    (a) Cooperation. The Secretary will, to the extent practicable, 
seek the cooperation of covered entities in obtaining compliance with 
the applicable administrative simplification provisions.
    (b) Assistance. The Secretary may provide technical assistance to 
covered entities to help them comply voluntarily with the applicable 
administrative simplification provisions.


Sec.  160.306  Complaints to the Secretary.

    (a) Right to file a complaint. A person who believes a covered 
entity is not complying with the administrative simplification 
provisions may file a complaint with the Secretary.
    (b) Requirements for filing complaints. Complaints under this 
section must meet the following requirements:
    (1) A complaint must be filed in writing, either on paper or 
electronically.
    (2) A complaint must name the person that is the subject of the 
complaint and describe the acts or omissions believed to be in 
violation of the applicable administrative simplification provision(s).
    (3) A complaint must be filed within 180 days of when the 
complainant knew or should have known that the act or omission 
complained of occurred, unless this time limit is waived by the 
Secretary for good cause shown.
    (4) The Secretary may prescribe additional procedures for the 
filing of complaints, as well as the place and manner of filing, by 
notice in the Federal Register.
    (c) Investigation. The Secretary may investigate complaints filed 
under this section. Such investigation may include a review of the 
pertinent policies, procedures, or practices of the covered entity and 
of the circumstances regarding any alleged violation.


Sec.  160.308  Compliance reviews.

    The Secretary may conduct compliance reviews to determine whether 
covered entities are complying with the applicable administrative 
simplification provisions.


Sec.  160.310  Responsibilities of covered entities.

    (a) Provide records and compliance reports. A covered entity must 
keep such records and submit such compliance reports, in such time and 
manner and containing such information, as the Secretary may determine 
to be necessary to enable the Secretary to ascertain whether the 
covered entity has complied or is complying with the applicable 
administrative simplification provisions.
    (b) Cooperate with complaint investigations and compliance reviews. 
A covered entity must cooperate with the Secretary, if the Secretary 
undertakes an investigation or compliance review of the policies, 
procedures, or practices of the covered entity to determine whether it 
is complying with the applicable administrative simplification 
provisions.
    (c) Permit access to information. (1) A covered entity must permit 
access by the Secretary during normal business hours to its facilities, 
books, records, accounts, and other sources of information, including 
protected health information, that are pertinent to ascertaining 
compliance with the applicable administrative simplification 
provisions. If the Secretary determines that exigent circumstances 
exist, such as when documents may be hidden or destroyed, a covered 
entity must permit access by the Secretary at any time and without 
notice.
    (2) If any information required of a covered entity under this 
section is in the exclusive possession of any other agency, 
institution, or person and the other agency, institution, or person 
fails or refuses to furnish the information, the covered entity must so 
certify and set forth what efforts it has made to obtain the 
information.
    (3) Protected health information obtained by the Secretary in 
connection with an investigation or compliance review under this 
subpart will not be disclosed by the Secretary, except if necessary for 
ascertaining or enforcing compliance with the applicable administrative 
simplification provisions, or if otherwise required by law.


Sec.  160.312  Secretarial action regarding complaints and compliance 
reviews.

    (a) Resolution when noncompliance is indicated. (1) If an 
investigation of a complaint pursuant to Sec.  160.306 or a compliance 
review pursuant to Sec.  160.308 indicates noncompliance, the Secretary 
will attempt to reach a resolution of the matter satisfactory to the 
Secretary by informal means. Informal means may include demonstrated 
compliance or a completed corrective action plan or other agreement.
    (2) If the matter is resolved by informal means, the Secretary will 
so inform the covered entity and, if the

[[Page 20251]]

matter arose from a complaint, the complainant, in writing.
    (3) If the matter is not resolved by informal means, the Secretary 
will--
    (i) So inform the covered entity and provide the covered entity an 
opportunity to submit written evidence of any mitigating factors or 
affirmative defenses for consideration under Sec. Sec.  160.408 and 
160.410. The covered entity must submit any such evidence to the 
Secretary within 30 days (computed in the same manner as prescribed 
under Sec.  160.526) of receipt of such notification; and
    (ii) If, following action pursuant to paragraph (a)(3)(i) of this 
section, the Secretary finds that a civil money penalty should be 
imposed, inform the covered entity of such finding in a notice of 
proposed determination in accordance with Sec.  160.420.
    (b) Resolution when no violation is found. If, after an 
investigation pursuant to Sec.  160.306 or a compliance review pursuant 
to Sec.  160.308, the Secretary determines that further action is not 
warranted, the Secretary will so inform the covered entity and, if the 
matter arose from a complaint, the complainant, in writing.


Sec.  160.314  Investigational subpoenas and inquiries.

    (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 
405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and 
testimony of witnesses and the production of any other evidence during 
an investigation pursuant to this part. For purposes of this paragraph, 
a person other than a natural person is termed an ``entity.''
    (1) A subpoena issued under this paragraph must--
    (i) State the name of the person (including the entity, if 
applicable) to whom the subpoena is addressed;
    (ii) State the statutory authority for the subpoena;
    (iii) Indicate the date, time, and place that the testimony will 
take place;
    (iv) Include a reasonably specific description of any documents or 
items required to be produced; and
    (v) If the subpoena is addressed to an entity, describe with 
reasonable particularity the subject matter on which testimony is 
required. In that event, the entity must designate one or more natural 
persons who will testify on its behalf, and must state as to each such 
person that person's name and address and the matters on which he or 
she will testify. The designated person must testify as to matters 
known or reasonably available to the entity.
    (2) A subpoena under this section must be served by--
    (i) Delivering a copy to the natural person named in the subpoena 
or to the entity named in the subpoena at its last principal place of 
business; or
    (ii) Registered or certified mail addressed to the natural person 
at his or her last known dwelling place or to the entity at its last 
known principal place of business.
    (3) A verified return by the natural person serving the subpoena 
setting forth the manner of service or, in the case of service by 
registered or certified mail, the signed return post office receipt, 
constitutes proof of service.
    (4) Witnesses are entitled to the same fees and mileage as 
witnesses in the district courts of the United States (28 U.S.C. 1821 
and 1825). Fees need not be paid at the time the subpoena is served.
    (5) A subpoena under this section is enforceable through the 
district court of the United States for the district where the 
subpoenaed natural person resides or is found or where the entity 
transacts business.
    (b) Investigational inquiries are non-public investigational 
proceedings conducted by the Secretary.
    (1) Testimony at investigational inquiries will be taken under oath 
or affirmation.
    (2) Attendance of non-witnesses is discretionary with the 
Secretary, except that a witness is entitled to be accompanied, 
represented, and advised by an attorney.
    (3) Representatives of the Secretary are entitled to attend and ask 
questions.
    (4) A witness will have the opportunity to clarify his or her 
answers on the record following questioning by the Secretary.
    (5) Any claim of privilege must be asserted by the witness on the 
record.
    (6) Objections must be asserted on the record. Errors of any kind 
that might be corrected if promptly presented will be deemed to be 
waived unless reasonable objection is made at the investigational 
inquiry. Except where the objection is on the grounds of privilege, the 
question will be answered on the record, subject to objection.
    (7) If a witness refuses to answer any question not privileged or 
to produce requested documents or items, or engages in conduct likely 
to delay or obstruct the investigational inquiry, the Secretary may 
seek enforcement of the subpoena under paragraph (a)(5) of this 
section.
    (8) The proceedings will be recorded and transcribed. The witness 
is entitled to a copy of the transcript, upon payment of prescribed 
costs, except that, for good cause, the witness may be limited to 
inspection of the official transcript of his or her testimony.
    (9)(i) The transcript will be submitted to the witness for 
signature.
    (A) Where the witness will be provided a copy of the transcript, 
the transcript will be submitted to the witness for signature. The 
witness may submit to the Secretary written proposed corrections to the 
transcript, with such corrections attached to the transcript. If the 
witness does not return a signed copy of the transcript or proposed 
corrections within 30 days (computed in the same manner as prescribed 
under Sec.  160.526) of its being submitted to him or her for 
signature, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (B) Where, as provided in paragraph (b)(8) of this section, the 
witness is limited to inspecting the transcript, the witness will have 
the opportunity at the time of inspection to propose corrections to the 
transcript, with corrections attached to the transcript. The witness 
will also have the opportunity to sign the transcript. If the witness 
does not sign the transcript or offer corrections within 30 days 
(computed in the same manner as prescribed under Sec.  160.526 of this 
part) of receipt of notice of the opportunity to inspect the 
transcript, the witness will be deemed to have agreed that the 
transcript is true and accurate.
    (ii) The Secretary's proposed corrections to the record of 
transcript will be attached to the transcript.
    (c) Consistent with Sec.  160.310(c)(3), testimony and other 
evidence obtained in an investigational inquiry may be used by HHS in 
any of its activities and may be used or offered into evidence in any 
administrative or judicial proceeding.


Sec.  160.316  Refraining from intimidation or retaliation.

    A covered entity may not threaten, intimidate, coerce, discriminate 
against, or take any other retaliatory action against any individual or 
other person for--
    (a) Filing of a complaint under Sec.  160.306;
    (b) Testifying, assisting, or participating in an investigation, 
compliance review, proceeding, or hearing under this part; or
    (c) Opposing any act or practice made unlawful by this subchapter, 
provided the individual or person has a good faith belief that the 
practice opposed is unlawful, and the manner of opposition is 
reasonable and does not involve a disclosure of protected health 
information in violation of subpart E of part 164 of this subchapter.

[[Page 20252]]

    4. Amend 45 CFR part 160 by adding a new subpart D to read as 
follows:

Subpart D--Imposition of Civil Money Penalties

Sec.
160.400 Applicability.
160.402 Basis for a civil money penalty.
160.404 Amount of a civil money penalty.
160.406 Number of violations.
160.408 Factors considered in determining the amount of a civil 
money penalty.
160.410 Affirmative defenses.
160.412 Waiver.
160.414 Limitations.
160.416 Authority to settle.
160.418 Penalty not exclusive.
160.420 Notice of proposed determination.
160.422 Failure to request a hearing.
160.424 Collection of penalty.
160.426 Notification of the public and other agencies.

Subpart D--Imposition of Civil Money Penalties


Sec.  160.400  Applicability.

    This subpart applies to the imposition of a civil money penalty by 
the Secretary under 42 U.S.C. 1320d-5.


Sec.  160.402  Basis for a civil money penalty.

    (a) General rule. Subject to Sec.  160.410, the Secretary will 
impose a civil money penalty upon a covered entity if the Secretary 
determines that the covered entity has violated an administrative 
simplification provision.
    (b) Violation by more than one covered entity. (1) Except as 
provided in paragraph (b)(2) of this section, if the Secretary 
determines that more than one covered entity was responsible for a 
violation, the Secretary will impose a civil money penalty against each 
such covered entity.
    (2) Each covered entity that is a member of an affiliated covered 
entity, in accordance with Sec.  164.105(b) of this subchapter, is 
jointly and severally liable for a civil money penalty for a violation 
of part 164 of this subchapter based on an act or omission of the 
affiliated covered entity.
    (c) Violation attributed to a covered entity. A covered entity is 
liable, in accordance with the federal common law of agency, for a 
civil money penalty for a violation based on the act or omission of any 
agent of the covered entity, including a workforce member, acting 
within the scope of the agency, unless--
    (1) The agent is a business associate of the covered entity;
    (2) The covered entity has complied, with respect to such business 
associate, with the applicable requirements of Sec. Sec.  164.308(b) 
and 164.502(e) of this subchapter; and
    (3) The covered entity did not--
    (i) Know of a pattern of activity or practice of the business 
associate, and
    (ii) Fail to act as required by Sec. Sec.  164.314(a)(1)(ii) and 
164.504(e)(1)(ii) of this subchapter, as applicable.


Sec.  160.404  Amount of a civil money penalty.

    (a) The amount of a civil money penalty will be determined in 
accordance with paragraph (b) of this section and Sec. Sec.  160.406, 
160.408, and 160.412.
    (b) The amount of a civil money penalty that may be imposed is 
subject to the following limitations:
    (1) The Secretary may not impose a civil money penalty--
    (i) In the amount of more than $100 for each violation; or
    (ii) In excess of $25,000 for identical violations during a 
calendar year (January 1 through the following December 31).
    (2) If a requirement or prohibition in one administrative 
simplification provision is repeated in a more general form in another 
administrative simplification provision in the same subpart, a civil 
money penalty may be imposed for a violation of only one of these 
administrative simplification provisions.


Sec.  160.406  Number of violations.

    (a) General rule. To determine the number of violations of an 
identical administrative simplification provision by a covered entity, 
the Secretary will apply, as he deems appropriate, any variables 
identified at paragraph (b) of this section, based upon:
    (1) The facts and circumstances of the violation; and
    (2) The underlying purpose of the subpart of this subchapter that 
is violated.
    (b) Variables. (1) The number of times the covered entity failed to 
engage in required conduct or engaged in a prohibited act;
    (2) The number of persons involved in, or affected by, the 
violation; or
    (3) The duration of the violation counted in days.


Sec.  160.408  Factors considered in determining the amount of a civil 
money penalty.

    In determining the amount of any civil money penalty, the Secretary 
may consider as aggravating or mitigating factors, as appropriate, any 
of the following:
    (a) The nature of the violation, in light of the purpose of the 
rule violated.
    (b) The circumstances, including the consequences, of the 
violation, including but not limited to:
    (1) The time period during which the violation(s) occurred;
    (2) Whether the violation caused physical harm;
    (3) Whether the violation hindered or facilitated an individual's 
ability to obtain health care; and
    (4) Whether the violation resulted in financial harm.
    (c) The degree of culpability of the covered entity, including but 
not limited to:
    (1) Whether the violation was intentional; and
    (2) Whether the violation was beyond the direct control of the 
covered entity.
    (d) Any history of prior offenses of the covered entity, including 
but not limited to:
    (1) Whether the current violation is the same or similar to prior 
violation(s);
    (2) Whether and to what extent the covered entity has attempted to 
correct previous violations;
    (3) How the covered entity has responded to technical assistance 
from the Secretary provided in the context of a compliance effort; and
    (4) How the covered entity has responded to prior complaints.
    (e) The financial condition of the covered entity, including but 
not limited to:
    (1) Whether the covered entity had financial difficulties that 
affected its ability to comply;
    (2) Whether the imposition of a civil money penalty would 
jeopardize the ability of the covered entity to continue to provide, or 
to pay for, health care; and
    (3) The size of the covered entity.
    (f) Such other matters as justice may require.


Sec.  160.410  Affirmative defenses.

    (a) As used in this section, the following terms have the following 
meanings:
    Reasonable cause means circumstances that would make it 
unreasonable for the covered entity, despite the exercise of ordinary 
business care and prudence, to comply with the administrative 
simplification provision violated.
    Reasonable diligence means the business care and prudence expected 
from a person seeking to satisfy a legal requirement under similar 
circumstances.
    Willful neglect means conscious, intentional failure or reckless 
indifference to the obligation to comply with the administrative 
simplification provision violated.
    (b) The Secretary may not impose a civil money penalty on a covered 
entity for a violation if the covered entity establishes that an 
affirmative defense exists with respect to the violation, including the 
following:

[[Page 20253]]

    (1) The violation is an act punishable under 42 U.S.C. 1320d-6;
    (2) The covered entity establishes, to the satisfaction of the 
Secretary, that it did not have knowledge of the violation, determined 
in accordance with the federal common law of agency, and, by exercising 
reasonable diligence, would not have known that the violation occurred; 
or
    (3) The violation is--
    (i) Due to reasonable cause and not willful neglect; and
    (ii) Corrected during either:
    (A) The 30-day period beginning on the date the covered entity 
liable for the penalty knew, or by exercising reasonable diligence 
would have known, that the violation occurred; or
    (B) Such additional period as the Secretary determines to be 
appropriate based on the nature and extent of the failure to comply.


Sec.  160.412  Waiver.

    For violations described in Sec.  160.410(b)(3)(i) that are not 
corrected within the period described in Sec.  160.410(b)(3)(ii), the 
Secretary may waive the civil money penalty, in whole or in part, to 
the extent that payment of the penalty would be excessive relative to 
the violation.


Sec.  160.414  Limitations.

    No action under this subpart may be entertained unless commenced by 
the Secretary, in accordance with Sec.  160.420, within 6 years from 
the date of the occurrence of the violation.


Sec.  160.416  Authority to settle.

    Nothing in this subpart limits the authority of the Secretary to 
settle any issue or case or to compromise any penalty.


Sec.  160.418  Penalty not exclusive.

    Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1), a penalty 
imposed under this part is in addition to any other penalty prescribed 
by law.


Sec.  160.420  Notice of proposed determination.

    (a) If a penalty is proposed in accordance with this part, the 
Secretary must deliver, or send by certified mail with return receipt 
requested, to the respondent, written notice of the Secretary's intent 
to impose a penalty. This notice of proposed determination must 
include--
    (1) Reference to the statutory basis for the penalty;
    (2) A description of the findings of fact regarding the violations 
with respect to which the penalty is proposed (except in cases where 
the Secretary is relying upon a statistical sampling study in 
accordance with Sec.  160.536, in which case the notice must describe 
the study relied upon and briefly describe the statistical sampling 
technique used by the Secretary);
    (3) The reason(s) why the violation(s) subject(s) the respondent to 
a penalty;
    (4) The amount of the proposed penalty;
    (5) Any circumstances described in Sec.  160.408 that were 
considered in determining the amount of the proposed penalty; and
    (6) Instructions for responding to the notice, including a 
statement of the respondent's right to a hearing, a statement that 
failure to request a hearing within 60 days permits the imposition of 
the proposed penalty without the right to a hearing under Sec.  160.504 
or a right of appeal under Sec.  160.548, and the address to which the 
hearing request must be sent.
    (b) The respondent may request a hearing before an ALJ on the 
proposed penalty by filing a request in accordance with Sec.  160.504.


Sec.  160.422  Failure to request a hearing.

    If the respondent does not request a hearing within the time 
prescribed by Sec.  160.504 and the matter is not settled pursuant to 
Sec.  160.416, the Secretary will impose the proposed penalty or any 
lesser penalty permitted by 42 U.S.C. 1320d-5. The Secretary will 
notify the respondent by certified mail, return receipt requested, of 
any penalty that has been imposed and of the means by which the 
respondent may satisfy the penalty, and the penalty is final on receipt 
of the notice. The respondent has no right to appeal a penalty under 
Sec.  160.548 with respect to which the respondent has not timely 
requested a hearing.


Sec.  160.424  Collection of penalty.

    (a) Once a determination of the Secretary to impose a penalty has 
become final, the penalty will be collected by the Secretary, subject 
to the first sentence of 42 U.S.C. 1320a-7a(f).
    (b) The penalty may be recovered in a civil action brought in the 
United States district court for the district where the respondent 
resides, is found, or is located.
    (c) The amount of a penalty, when finally determined, or the amount 
agreed upon in compromise, may be deducted from any sum then or later 
owing by the United States, or by a State agency, to the respondent.
    (d) Matters that were raised or that could have been raised in a 
hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may 
not be raised as a defense in a civil action by the United States to 
collect a penalty under this part.


Sec.  160.426  Notification of the public and other agencies.

    Whenever a proposed penalty becomes final, the Secretary will 
notify, in such manner as the Secretary deems appropriate, the public 
and the following organizations and entities thereof and the reason it 
was imposed: The appropriate State or local medical or professional 
organization, the appropriate State agency or agencies administering or 
supervising the administration of State health care programs (as 
defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and 
quality control peer review organization, and the appropriate State or 
local licensing agency or organization (including the agency specified 
in 42 U.S.C. 1395aa(a), 1396a(a)(33)).
    5. Revise subpart E to read as follows:
Subpart E--Procedures for Hearings
Sec.
160.500 Applicability.
160.502 Definitions.
160.504 Hearing before an ALJ.
160.506 Rights of the parties.
160.508 Authority of the ALJ.
160.510 Ex parte contacts.
160.512 Prehearing conferences.
160.514 Authority to settle.
160.516 Discovery.
160.518 Exchange of witness lists, witness statements, and exhibits.
160.520 Subpoenas for attendance at hearing.
160.522 Fees.
160.524 Form, filing, and service of papers.
160.526 Computation of time.
160.528 Motions.
160.530 Sanctions.
160.532 Collateral estoppel.
160.534 The hearing.
160.536 Statistical sampling.
160.538 Witnesses.
160.540 Evidence.
160.542 The record.
160.544 Post hearing briefs.
160.546 ALJ decision.
160.548 Appeal of the ALJ decision.
160.550 Stay of the Secretary's decision.
160.552 Harmless error.

Subpart E--Procedures for Hearings


Sec.  160.500  Applicability.

    This subpart applies to hearings conducted relating to the 
imposition of a civil money penalty by the Secretary under 42 U.S.C. 
1320d-5.


Sec.  160.502  Definitions.

    As used in this subpart, the following term has the following 
meaning:
    Board means the members of the HHS Departmental Appeals Board, in 
the Office of the Secretary, who issue decisions in panels of three.

[[Page 20254]]

Sec.  160.504  Hearing before an ALJ.

    (a) A respondent may request a hearing before an ALJ. The parties 
to the hearing proceeding consist of--
    (1) The respondent; and
    (2) The officer(s) or employee(s) of HHS to whom the enforcement 
authority involved has been delegated.
    (b) The request for a hearing must be made in writing signed by the 
respondent or by the respondent's attorney and sent by certified mail, 
return receipt requested, to the address specified in the notice of 
proposed determination. The request for a hearing must be mailed within 
60 days after notice of the proposed determination is received by the 
respondent. For purposes of this section, the respondent's date of 
receipt of the notice of proposed determination is presumed to be 5 
days after the date of the notice unless the respondent makes a 
reasonable showing to the contrary to the ALJ.
    (c) The request for a hearing must clearly and directly admit, 
deny, or explain each of the findings of fact contained in the notice 
of proposed determination with regard to which the respondent has any 
knowledge. If the respondent has no knowledge of a particular finding 
of fact and so states, the finding shall be deemed denied. The request 
for a hearing must also state the circumstances or arguments that the 
respondent alleges constitute the grounds for any defense and the 
factual and legal basis for opposing the penalty.
    (d) The ALJ must dismiss a hearing request where--
    (1) The respondent's hearing request is not filed as required by 
paragraphs (b) and (c) of this section;
    (2) The respondent withdraws the request for a hearing;
    (3) The respondent abandons the request for a hearing; or
    (4) The respondent's hearing request fails to raise any issue that 
may properly be addressed in a hearing.


Sec.  160.506  Rights of the parties.

    (a) Except as otherwise limited by this subpart, each party may--
    (1) Be accompanied, represented, and advised by an attorney;
    (2) Participate in any conference held by the ALJ;
    (3) Conduct discovery of documents as permitted by this subpart;
    (4) Agree to stipulations of fact or law that will be made part of 
the record;
    (5) Present evidence relevant to the issues at the hearing;
    (6) Present and cross-examine witnesses;
    (7) Present oral arguments at the hearing as permitted by the ALJ; 
and
    (8) Submit written briefs and proposed findings of fact and 
conclusions of law after the hearing.
    (b) A party may appear in person or by a representative. Natural 
persons who appear as an attorney or other representative must conform 
to the standards of conduct and ethics required of practitioners before 
the courts of the United States.
    (c) Fees for any services performed on behalf of a party by an 
attorney are not subject to the provisions of 42 U.S.C. 406, which 
authorizes the Secretary to specify or limit their fees.


Sec.  160.508  Authority of the ALJ.

    (a) The ALJ must conduct a fair and impartial hearing, avoid delay, 
maintain order, and ensure that a record of the proceeding is made.
    (b) The ALJ may--
    (1) Set and change the date, time and place of the hearing upon 
reasonable notice to the parties;
    (2) Continue or recess the hearing in whole or in part for a 
reasonable period of time;
    (3) Hold conferences to identify or simplify the issues, or to 
consider other matters that may aid in the expeditious disposition of 
the proceeding;
    (4) Administer oaths and affirmations;
    (5) Issue subpoenas requiring the attendance of witnesses at 
hearings and the production of documents at or in relation to hearings;
    (6) Rule on motions and other procedural matters;
    (7) Regulate the scope and timing of documentary discovery as 
permitted by this subpart;
    (8) Regulate the course of the hearing and the conduct of 
representatives, parties, and witnesses;
    (9) Examine witnesses;
    (10) Receive, rule on, exclude, or limit evidence;
    (11) Upon motion of a party, take official notice of facts;
    (12) Conduct any conference, argument or hearing in person or, upon 
agreement of the parties, by telephone; and
    (13) Upon motion of a party, decide cases, in whole or in part, by 
summary judgment where there is no disputed issue of material fact. A 
summary judgment decision constitutes a hearing on the record for the 
purposes of this subpart.
    (c) The ALJ--
    (1) May not find invalid or refuse to follow Federal statutes, 
regulations, or Secretarial delegations of authority and must give 
deference to published guidance to the extent not inconsistent with 
statute or regulation;
    (2) May not enter an order in the nature of a directed verdict;
    (3) May not compel settlement negotiations;
    (4) May not enjoin any act of the Secretary; or
    (5) May not review the exercise of discretion by the Secretary with 
respect to--
    (i) Whether to grant an extension under Sec.  160.410(b)(3)(ii)(B) 
or to provide technical assistance under 42 U.S.C. 1320d-5(b)(3)(B); 
and
    (ii) Selection of variable(s) under Sec.  160.406.


Sec.  160.510  Ex parte contacts.

    No party or person (except employees of the ALJ's office) may 
communicate in any way with the ALJ on any matter at issue in a case, 
unless on notice and opportunity for both parties to participate. This 
provision does not prohibit a party or person from inquiring about the 
status of a case or asking routine questions concerning administrative 
functions or procedures.


Sec.  160.512  Prehearing conferences.

    (a) The ALJ must schedule at least one prehearing conference, and 
may schedule additional prehearing conferences as appropriate, upon 
reasonable notice, which may not be less than 14 business days, to the 
parties.
    (b) The ALJ may use prehearing conferences to discuss the 
following--
    (1) Simplification of the issues;
    (2) The necessity or desirability of amendments to the pleadings, 
including the need for a more definite statement;
    (3) Stipulations and admissions of fact or as to the contents and 
authenticity of documents;
    (4) Whether the parties can agree to submission of the case on a 
stipulated record;
    (5) Whether a party chooses to waive appearance at an oral hearing 
and to submit only documentary evidence (subject to the objection of 
the other party) and written argument;
    (6) Limitation of the number of witnesses;
    (7) Scheduling dates for the exchange of witness lists and of 
proposed exhibits;
    (8) Discovery of documents as permitted by this subpart;
    (9) The time and place for the hearing;
    (10) The potential for the settlement of the case by the parties; 
and
    (11) Other matters as may tend to encourage the fair, just and 
expeditious disposition of the proceedings, including the protection of 
privacy of individually identifiable health information that may be 
submitted into evidence or otherwise used in the proceeding, if 
appropriate.

[[Page 20255]]

    (c) The ALJ must issue an order containing the matters agreed upon 
by the parties or ordered by the ALJ at a prehearing conference.


Sec.  160.514  Authority to settle.

    The Secretary has exclusive authority to settle any issue or case 
without the consent of the ALJ.


Sec.  160.516  Discovery.

    (a) A party may make a request to another party for production of 
documents for inspection and copying that are relevant and material to 
the issues before the ALJ.
    (b) For the purpose of this section, the term ``documents'' 
includes information, reports, answers, records, accounts, papers and 
other data and documentary evidence. Nothing contained in this section 
may be interpreted to require the creation of a document, except that 
requested data stored in an electronic data storage system must be 
produced in a form accessible to the requesting party.
    (c) Requests for documents, requests for admissions, written 
interrogatories, depositions and any forms of discovery, other than 
those permitted under paragraph (a) of this section, are not 
authorized.
    (d) This section may not be construed to require the disclosure of 
interview reports or statements obtained by any party, or on behalf of 
any party, of persons who will not be called as witnesses by that 
party, or analyses and summaries prepared in conjunction with the 
investigation or litigation of the case, or any otherwise privileged 
documents.
    (e)(1) When a request for production of documents has been 
received, within 30 days the party receiving that request must either 
fully respond to the request, or state that the request is being 
objected to and the reasons for that objection. If objection is made to 
part of an item or category, the part must be specified. Upon receiving 
any objections, the party seeking production may then, within 30 days 
or any other time frame set by the ALJ, file a motion for an order 
compelling discovery. The party receiving a request for production may 
also file a motion for protective order any time before the date the 
production is due.
    (2) The ALJ may grant a motion for protective order or deny a 
motion for an order compelling discovery if the ALJ finds that the 
discovery sought--
    (i) Is irrelevant;
    (ii) Is unduly costly or burdensome;
    (iii) Will unduly delay the proceeding; or
    (iv) Seeks privileged information.
    (3) The ALJ may extend any of the time frames set forth in 
paragraph (e)(1) of this section.
    (4) The burden of showing that discovery should be allowed is on 
the party seeking discovery.


Sec.  160.518  Exchange of witness lists, witness statements, and 
exhibits.

    (a) The parties must exchange witness lists, copies of prior 
written statements of proposed witnesses, and copies of proposed 
hearing exhibits, including copies of any written statements that the 
party intends to offer in lieu of live testimony in accordance with 
Sec.  160.538, not more than 60, and not less than 15, days before the 
scheduled hearing.
    (b)(1) If, at any time, a party objects to the proposed admission 
of evidence not exchanged in accordance with paragraph (a) of this 
section, the ALJ must determine whether the failure to comply with 
paragraph (a) of this section should result in the exclusion of that 
evidence.
    (2) Unless the ALJ finds that extraordinary circumstances justified 
the failure timely to exchange the information listed under paragraph 
(a) of this section, the ALJ must exclude from the party's case-in-
chief--
    (i) The testimony of any witness whose name does not appear on the 
witness list; and
    (ii) Any exhibit not provided to the opposing party as specified in 
paragraph (a) of this section.
    (3) If the ALJ finds that extraordinary circumstances existed, the 
ALJ must then determine whether the admission of that evidence would 
cause substantial prejudice to the objecting party.
    (i) If the ALJ finds that there is no substantial prejudice, the 
evidence may be admitted.
    (ii) If the ALJ finds that there is substantial prejudice, the ALJ 
may exclude the evidence, or, if he or she does not exclude the 
evidence, must postpone the hearing for such time as is necessary for 
the objecting party to prepare and respond to the evidence, unless the 
objecting party waives postponement.
    (c) Unless the other party objects within a reasonable period of 
time before the hearing, documents exchanged in accordance with 
paragraph (a) of this section will be deemed to be authentic for the 
purpose of admissibility at the hearing.


Sec.  160.520  Subpoenas for attendance at hearing.

    (a) A party wishing to procure the appearance and testimony of any 
person at the hearing may make a motion requesting the ALJ to issue a 
subpoena if the appearance and testimony are reasonably necessary for 
the presentation of a party's case.
    (b) A subpoena requiring the attendance of a person in accordance 
with paragraph (a) of this section may also require the person (whether 
or not the person is a party) to produce relevant and material evidence 
at or before the hearing.
    (c) When a subpoena is served by a respondent on a particular 
employee or official or particular office of HHS, the Secretary may 
comply by designating any knowledgeable HHS representative to appear 
and testify.
    (d) A party seeking a subpoena must file a written motion not less 
than 30 days before the date fixed for the hearing, unless otherwise 
allowed by the ALJ for good cause shown. That motion must--
    (1) Specify any evidence to be produced;
    (2) Designate the witnesses; and
    (3) Describe the address and location with sufficient particularity 
to permit those witnesses to be found.
    (e) The subpoena must specify the time and place at which the 
witness is to appear and any evidence the witness is to produce.
    (f) Within 15 days after the written motion requesting issuance of 
a subpoena is served, any party may file an opposition or other 
response.
    (g) If the motion requesting issuance of a subpoena is granted, the 
party seeking the subpoena must serve it by delivery to the person 
named, or by certified mail addressed to that person at the person's 
last dwelling place or principal place of business.
    (h) The person to whom the subpoena is directed may file with the 
ALJ a motion to quash the subpoena within 10 days after service.
    (i) The exclusive remedy for contumacy by, or refusal to obey a 
subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).


Sec.  160.522  Fees.

    The party requesting a subpoena must pay the cost of the fees and 
mileage of any witness subpoenaed in the amounts that would be payable 
to a witness in a proceeding in United States District Court. A check 
for witness fees and mileage must accompany the subpoena when served, 
except that, when a subpoena is issued on behalf of the Secretary, a 
check for witness fees and mileage need not accompany the subpoena.


Sec.  160.524  Form, filing, and service of papers.

    (a) Forms. (1) Unless the ALJ directs the parties to do otherwise, 
documents

[[Page 20256]]

filed with the ALJ must include an original and two copies.
    (2) Every pleading and paper filed in the proceeding must contain a 
caption setting forth the title of the action, the case number, and a 
designation of the paper, such as motion to quash subpoena.
    (3) Every pleading and paper must be signed by and must contain the 
address and telephone number of the party or the person on whose behalf 
the paper was filed, or his or her representative.
    (4) Papers are considered filed when they are mailed.
    (b) Service. A party filing a document with the ALJ or the Board 
must, at the time of filing, serve a copy of the document on the other 
party. Service upon any party of any document must be made by 
delivering a copy, or placing a copy of the document in the United 
States mail, postage prepaid and addressed, or with a private delivery 
service, to the party's last known address. When a party is represented 
by an attorney, service must be made upon the attorney in lieu of the 
party.
    (c) Proof of service. A certificate of the natural person serving 
the document by personal delivery or by mail, setting forth the manner 
of service, constitutes proof of service.


Sec.  160.526  Computation of time.

    (a) In computing any period of time under this subpart or in an 
order issued thereunder, the time begins with the day following the 
act, event or default, and includes the last day of the period unless 
it is a Saturday, Sunday, or legal holiday observed by the Federal 
Government, in which event it includes the next business day.
    (b) When the period of time allowed is less than 7 days, 
intermediate Saturdays, Sundays, and legal holidays observed by the 
Federal Government must be excluded from the computation.
    (c) Where a document has been served or issued by placing it in the 
mail, an additional 5 days must be added to the time permitted for any 
response. This paragraph does not apply to requests for hearing under 
Sec.  160.504.


Sec.  160.528  Motions.

    (a) An application to the ALJ for an order or ruling must be by 
motion. Motions must state the relief sought, the authority relied upon 
and the facts alleged, and must be filed with the ALJ and served on all 
other parties.
    (b) Except for motions made during a prehearing conference or at 
the hearing, all motions must be in writing. The ALJ may require that 
oral motions be reduced to writing.
    (c) Within 10 days after a written motion is served, or such other 
time as may be fixed by the ALJ, any party may file a response to the 
motion.
    (d) The ALJ may not grant a written motion before the time for 
filing responses has expired, except upon consent of the parties or 
following a hearing on the motion, but may overrule or deny the motion 
without awaiting a response.
    (e) The ALJ must make a reasonable effort to dispose of all 
outstanding motions before the beginning of the hearing.


Sec.  160.530  Sanctions.

    The ALJ may sanction a person, including any party or attorney, for 
failing to comply with an order or procedure, for failing to defend an 
action or for other misconduct that interferes with the speedy, orderly 
or fair conduct of the hearing. The sanctions must reasonably relate to 
the severity and nature of the failure or misconduct. The sanctions may 
include--
    (a) In the case of refusal to provide or permit discovery under the 
terms of this part, drawing negative factual inferences or treating the 
refusal as an admission by deeming the matter, or certain facts, to be 
established;
    (b) Prohibiting a party from introducing certain evidence or 
otherwise supporting a particular claim or defense;
    (c) Striking pleadings, in whole or in part;
    (d) Staying the proceedings;
    (e) Dismissal of the action;
    (f) Entering a decision by default;
    (g) Ordering the party or attorney to pay the attorney's fees and 
other costs caused by the failure or misconduct; and
    (h) Refusing to consider any motion or other action that is not 
filed in a timely manner.


Sec.  160.532  Collateral estoppel.

    When a final determination that the respondent violated an 
administrative simplification provision has been rendered in any 
proceeding in which the respondent was a party and had an opportunity 
to be heard, the respondent is bound by that determination in any 
proceeding under this part.


Sec.  160.534  The hearing.

    (a) The ALJ must conduct a hearing on the record in order to 
determine whether the respondent should be found liable under this 
part.
    (b)(1) The respondent has the burden of going forward and the 
burden of persuasion with respect to any:
    (i) Affirmative defense pursuant to Sec.  160.410;
    (ii) Challenge to the amount of a proposed penalty pursuant to 
Sec. Sec.  160.404-160.408, including any factors raised as mitigating 
factors; or
    (iii) Claim that a proposed penalty should be reduced or waived 
pursuant to Sec.  160.412.
    (2) The Secretary has the burden of going forward and the burden of 
persuasion with respect to all other issues, including issues of 
liability and the existence of any factors considered as aggravating 
factors in determining the amount of the proposed penalty.
    (3) The burden of persuasion will be judged by a preponderance of 
the evidence.
    (c) The hearing must be open to the public unless otherwise ordered 
by the ALJ for good cause shown.
    (d)(1) Subject to the 15-day rule under Sec.  160.518(a) and the 
admissibility of evidence under Sec.  160.540, either party may 
introduce, during its case in chief, items or information that arose or 
became known after the date of the issuance of the notice of proposed 
determination or the request for hearing, as applicable. Such items and 
information may not be admitted into evidence, if introduced--
    (i) By the Secretary, unless they are material and relevant to the 
acts or omissions with respect to which the penalty is proposed in the 
notice of proposed determination pursuant to Sec.  160.420, including 
circumstances that may increase penalties; or
    (ii) By the respondent, unless they are material and relevant to an 
admission, denial or explanation of a finding of fact in the notice of 
proposed determination under Sec.  160.420, or to a specific 
circumstance or argument expressly stated in the request for hearing 
under Sec.  160.504, including circumstances that may reduce penalties.
    (2) After both parties have presented their cases, evidence may be 
admitted in rebuttal even if not previously exchanged in accordance 
with Sec.  160.518.


Sec.  160.536  Statistical sampling.

    (a) In meeting the burden of proof set forth in Sec.  160.534, the 
Secretary may introduce the results of a statistical sampling study as 
evidence of the number of violations under Sec.  160.406, or the 
factors considered in determining the amount of the civil money penalty 
under Sec.  160.408. Such statistical sampling study, if based upon an 
appropriate sampling and computed by valid statistical methods, 
constitutes prima facie evidence of the number of violations and the 
existence of factors material to the proposed civil money

[[Page 20257]]

penalty as described in Sec. Sec.  160.406 and 160.408.
    (b) Once the Secretary has made a prima facie case, as described in 
paragraph (a) of this section, the burden of going forward shifts to 
the respondent to produce evidence reasonably calculated to rebut the 
findings of the statistical sampling study. The Secretary will then be 
given the opportunity to rebut this evidence.


Sec.  160.538  Witnesses.

    (a) Except as provided in paragraph (b) of this section, testimony 
at the hearing must be given orally by witnesses under oath or 
affirmation.
    (b) At the discretion of the ALJ, testimony of witnesses other than 
the testimony of expert witnesses may be admitted in the form of a 
written statement. Any such written statement must be provided to the 
other party, along with the last known address of the witness, in a 
manner that allows sufficient time for the other party to subpoena the 
witness for cross-examination at the hearing. Prior written statements 
of witnesses proposed to testify at the hearing must be exchanged as 
provided in Sec.  160.518. The ALJ may, at his or her discretion, admit 
prior sworn testimony of experts that has been subject to adverse 
examination, such as a deposition or trial testimony.
    (c) The ALJ must exercise reasonable control over the mode and 
order of interrogating witnesses and presenting evidence so as to:
    (1) Make the interrogation and presentation effective for the 
ascertainment of the truth;
    (2) Avoid repetition or needless consumption of time; and
    (3) Protect witnesses from harassment or undue embarrassment.
    (d) The ALJ must permit the parties to conduct cross-examination of 
witnesses as may be required for a full and true disclosure of the 
facts.
    (e) The ALJ may order witnesses excluded so that they cannot hear 
the testimony of other witnesses, except that the ALJ may not order to 
be excluded--
    (1) A party who is a natural person;
    (2) In the case of a party that is not a natural person, the 
officer or employee of the party appearing for the entity pro se or 
designated as the party's representative; or
    (3) A natural person whose presence is shown by a party to be 
essential to the presentation of its case, including a person engaged 
in assisting the attorney for the Secretary.


Sec.  160.540  Evidence.

    (a) The ALJ must determine the admissibility of evidence.
    (b) Except as provided in this subpart, the ALJ is not bound by the 
Federal Rules of Evidence. However, the ALJ may apply the Federal Rules 
of Evidence where appropriate, for example, to exclude unreliable 
evidence.
    (c) The ALJ must exclude irrelevant or immaterial evidence.
    (d) Although relevant, evidence may be excluded if its probative 
value is substantially outweighed by the danger of unfair prejudice, 
confusion of the issues, or by considerations of undue delay or 
needless presentation of cumulative evidence.
    (e) Although relevant, evidence must be excluded if it is 
privileged under Federal law.
    (f) Evidence concerning offers of compromise or settlement are 
inadmissible to the extent provided in Rule 408 of the Federal Rules of 
Evidence.
    (g) Evidence of crimes, wrongs, or acts other than those at issue 
in the instant case is admissible in order to show motive, opportunity, 
intent, knowledge, preparation, identity, lack of mistake, or existence 
of a scheme. This evidence is admissible regardless of whether the 
crimes, wrongs, or acts occurred during the statute of limitations 
period applicable to the acts or omissions that constitute the basis 
for liability in the case and regardless of whether they were 
referenced in the Secretary's notice of proposed determination under 
Sec.  160.420.
    (h) The ALJ must permit the parties to introduce rebuttal witnesses 
and evidence.
    (i) All documents and other evidence offered or taken for the 
record must be open to examination by both parties, unless otherwise 
ordered by the ALJ for good cause shown.


Sec.  160.542  The record.

    (a) The hearing must be recorded and transcribed. Transcripts may 
be obtained following the hearing from the ALJ. Cost of transcription 
will be borne equally by the parties.
    (b) The transcript of the testimony, exhibits, and other evidence 
admitted at the hearing, and all papers and requests filed in the 
proceeding constitute the record for decision by the ALJ and the 
Secretary.
    (c) The record may be inspected and copied (upon payment of a 
reasonable fee) by any person, unless otherwise ordered by the ALJ for 
good cause shown.
    (d) For good cause, the ALJ may order appropriate redactions made 
to the record.


Sec.  160.544  Post hearing briefs.

    The ALJ may require the parties to file post-hearing briefs. In any 
event, any party may file a post-hearing brief. The ALJ must fix the 
time for filing the briefs. The time for filing may not exceed 60 days 
from the date the parties receive the transcript of the hearing or, if 
applicable, the stipulated record. The briefs may be accompanied by 
proposed findings of fact and conclusions of law. The ALJ may permit 
the parties to file reply briefs.


Sec.  160.546  ALJ decision.

    (a) The ALJ must issue a decision, based only on the record, which 
must contain findings of fact and conclusions of law.
    (b) The ALJ may affirm, increase, or reduce the penalties imposed 
by the Secretary.
    (c) The ALJ must issue the decision to both parties within 60 days 
after the time for submission of post-hearing briefs and reply briefs, 
if permitted, has expired. If the ALJ fails to meet the deadline 
contained in this paragraph, he or she must notify the parties of the 
reason for the delay and set a new deadline.
    (d) Unless the decision of the ALJ is timely appealed as provided 
for in Sec.  160.548, the decision of the ALJ will be final and binding 
on the parties 60 days from the date of service of the ALJ's decision.


Sec.  160.548  Appeal of the ALJ decision.

    (a) Any party may appeal the decision of the ALJ to the Board by 
filing a notice of appeal with the Board within 30 days of the date of 
service of the ALJ decision. The Board may extend the initial 30 day 
period for a period of time not to exceed 30 days if a party files with 
the Board a request for an extension within the initial 30 day period 
and shows good cause.
    (b) If a party files a timely notice of appeal with the Board, the 
ALJ must forward the record of the proceeding to the Board.
    (c) A notice of appeal must be accompanied by a written brief 
specifying exceptions to the initial decision and reasons supporting 
the exceptions. Any party may file a brief in opposition to the 
exceptions, which may raise any relevant issue not addressed in the 
exceptions, within 30 days of receiving the notice of appeal and the 
accompanying brief. The Board may permit the parties to file reply 
briefs.

[[Page 20258]]

    (d) There is no right to appear personally before the Board or to 
appeal to the Board any interlocutory ruling by the ALJ.
    (e) The Board may not consider any issue not raised in the parties' 
briefs, nor any issue in the briefs that could have been raised before 
the ALJ but was not.
    (f) If any party demonstrates to the satisfaction of the Board that 
additional evidence not presented at such hearing is relevant and 
material and that there were reasonable grounds for the failure to 
adduce such evidence at the hearing, the Board may remand the matter to 
the ALJ for consideration of such additional evidence.
    (g) The Board may decline to review the case, or may affirm, 
increase, reduce, reverse or remand any penalty determined by the ALJ.
    (h) The standard of review on a disputed issue of fact is whether 
the initial decision of the ALJ is supported by substantial evidence on 
the whole record. The standard of review on a disputed issue of law is 
whether the decision is erroneous.
    (i) Within 60 days after the time for submission of briefs and 
reply briefs, if permitted, has expired, the Board must serve on each 
party to the appeal a copy of the Board's decision and a statement 
describing the right of any respondent who is penalized to seek 
judicial review.
    (j)(1) The Board's decision under paragraph (i) of this section, 
including a decision to decline review of the initial decision, becomes 
the final decision of the Secretary 60 days after the date of service 
of the Board's decision, except with respect to a decision to remand to 
the ALJ or if reconsideration is requested under this paragraph.
    (2) The Board will reconsider its decision only if it determines 
that the decision contains a clear error of fact or error of law. New 
evidence will not be a basis for reconsideration unless the party 
demonstrates that the evidence is newly discovered and was not 
previously available.
    (3) A party may file a motion for reconsideration with the Board 
before the date the decision becomes final under paragraph (j)(1) of 
this section. A motion for reconsideration must be accompanied by a 
written brief specifying any alleged error of fact or law and, if the 
party is relying on additional evidence, explaining why the evidence 
was not previously available. Any party may file a brief in opposition 
within 15 days of receiving the motion for reconsideration and the 
accompanying brief unless this time limit is extended by the Board for 
good cause shown. Reply briefs are not permitted.
    (4) The Board must rule on the motion for reconsideration not later 
than 30 days from the date the opposition brief is due. If the Board 
denies the motion, the decision issued under paragraph (i) of this 
section becomes the final decision of the Secretary on the date of 
service of the ruling. If the Board grants the motion, the Board will 
issue a reconsidered decision, after such procedures as the Board 
determines necessary to address the effect of any error. The Board's 
decision on reconsideration becomes the final decision of the Secretary 
on the date of service of the decision, except with respect to a 
decision to remand to the ALJ.
    (5) If service of a ruling or decision issued under this section is 
by mail, the date of service will be deemed to be 5 days from the date 
of mailing.
    (k)(1) A respondent's petition for judicial review must be filed 
within 60 days of the date on which the decision of the Board becomes 
the final decision of the Secretary under paragraph (j) of this 
section.
    (2) In compliance with 28 U.S.C. 2112(a), a copy of any petition 
for judicial review filed in any U.S. Court of Appeals challenging the 
final decision of the Secretary must be sent by certified mail, return 
receipt requested, to the General Counsel of HHS. The petition copy 
must be a copy showing that it has been time-stamped by the clerk of 
the court when the original was filed with the court.
    (3) If the General Counsel of HHS received two or more petitions 
within 10 days after the final decision of the Secretary, the General 
Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation 
of any petitions that were received within the 10 day period.


Sec.  160.550  Stay of the Secretary's decision.

    (a) Pending judicial review, the respondent may file a request for 
stay of the effective date of any penalty with the ALJ. The request 
must be accompanied by a copy of the notice of appeal filed with the 
federal court. The filing of the request automatically stays the 
effective date of the penalty until such time as the ALJ rules upon the 
request.
    (b) The ALJ may not grant a respondent's request for stay of any 
penalty unless the respondent posts a bond or provides other adequate 
security.
    (c) The ALJ must rule upon a respondent's request for stay within 
10 days of receipt.


Sec.  160.552  Harmless error.

    No error in either the admission or the exclusion of evidence, and 
no error or defect in any ruling or order or in any act done or omitted 
by the ALJ or by any of the parties is ground for vacating, modifying 
or otherwise disturbing an otherwise appropriate ruling or order or 
act, unless refusal to take such action appears to the ALJ or the Board 
inconsistent with substantial justice. The ALJ and the Board at every 
stage of the proceeding must disregard any error or defect in the 
proceeding that does not affect the substantial rights of the parties.

PART 164--SECURITY AND PRIVACY

    1. The authority citation for part 164 is revised to read as 
follows:

    Authority: 42 U.S.C. 1320d-1320d-8 and sec. 264, Pub. L. 
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

    2. Revise Sec.  164.530(g) to read as follows:


Sec.  164.530  Standard: refraining from intimidating or retaliatory 
acts.

* * * * *
    (g) A covered entity--
    (1) May not intimidate, threaten, coerce, discriminate against, or 
take other retaliatory action against any individual for the exercise 
by the individual of any right established, or for participation in any 
process provided for by this subpart, including the filing of a 
complaint under this section; and
    (2) Must refrain from intimidation and retaliation as provided in 
Sec.  160.316 of this subchapter.
* * * * *
[FR Doc. 05-7512 Filed 4-14-05; 8:45 am]