[Federal Register Volume 74, Number 209 (Friday, October 30, 2009)]
[Rules and Regulations]
[Pages 56123-56131]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-26203]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Part 160
RIN 0991-AB55
HIPAA Administrative Simplification: Enforcement
AGENCY: Office of the Secretary, HHS.
ACTION: Interim final rule; request for comments
-----------------------------------------------------------------------
SUMMARY: The Secretary of the Department of Health and Human Services
(HHS) adopts this interim final rule to conform the enforcement
regulations promulgated under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) to the effective statutory revisions
made pursuant to the Health Information Technology for Economic and
Clinical Health Act (the HITECH Act), which was enacted as part of the
American Recovery and Reinvestment Act of 2009 (ARRA). More
specifically, this interim final rule amends HIPAA's enforcement
regulations, as they relate to the imposition of civil money penalties,
to incorporate the HITECH Act's categories of violations, tiered ranges
of civil money penalty amounts, and revised limitations on the
Secretary's authority to impose civil money penalties for established
violations of HIPAA's Administrative Simplification rules (HIPAA
rules). This interim final rule does not make amendments with respect
to those enforcement provisions of the HITECH Act that are not yet
effective under the applicable statutory provisions. Such amendments
will be subject to forthcoming rulemaking(s).
DATES: Effective Date: This interim final rule is effective November
30, 2009. Comment Date: Comments on this interim final rule will be
considered if received at the appropriate address, as provided below,
no later than December 29, 2009.
ADDRESSES: Please submit comments to any one of the addresses specified
below:
Federal eRulemaking Portal: You may submit electronic
comments at http://www.regulations.gov.
Regular, Express, or Overnight Mail: You may mail written
comments to the following address only: U.S. Department of Health and
Human Services, Office for Civil Rights, Attention: HIPAA Enforcement
Rule IFR (RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200
Independence Avenue, SW., Washington, DC 20201.
Hand Delivery or Courier: If you prefer, you may deliver
(by hand or courier) your written comments to the following address
only: Office for Civil Rights, Attention: HIPAA Enforcement Rule IFR
(RIN 0991-AB55), Hubert H. Humphrey Building, Room 509F, 200
Independence Avenue, SW., Washington, DC 20201.
FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION:
I. Public Participation
A. Instructions for Submission of Public Comments
Please follow these instructions when submitting public comments.
Please use only one of these methods.
Federal eRulemaking Portal: Follow the instructions for
submitting electronic comments at http://www.regulations.gov.
Attachments will be accepted in Microsoft Word, WordPerfect, or Excel
format, though Microsoft Word format is preferred.
Regular, Express, or Overnight Mail: Submit one original
and two copies of mailed, written comments. Please allow
[[Page 56124]]
sufficient time for timely receipt of mailed comments, as delivery may
be subject to delay due to security procedures.
Hand Delivery or Courier: Submit one original and two
copies if delivering written comments by hand or by courier. Because
access to the interior of the Hubert H. Humphrey Building is not
readily available to persons without federal government identification,
commenters are encouraged to leave their comments in the mail drop
slots located in the main lobby of the building.
B. Inspection of Public Comments
All comments received before the close of the comment period will
be available for public inspection, including any personally
identifiable or confidential business information contained within each
comment. We will post all comments received before the close of the
comment period at http://www.regulations.gov.
II. Background
This interim final rule amends the sections within 45 CFR part 160
that relate to the authority of the Secretary of the HHS (the
Secretary) to impose civil money penalties on entities that violate the
HIPAA rules adopted under subtitle F of title II of HIPAA. The interim
final rule amends subpart D of part 160 to conform its language to the
revisions that became effective on February 18, 2009, under section
1176 of the Social Security Act (the Act), 42 U.S.C. 1320d-5, which was
revised pursuant to section 13410(d) of the HITECH Act, Public Law 111-
5, 123 Stat. 115, and correspondingly amends the ``Statutory basis and
purpose'' section in subpart A. HHS issues these amendments as an
interim final rule with request for comments to immediately provide
regulated entities with additional notice as to how the Secretary's
civil money penalty authority has been strengthened by the HITECH Act
and to explain HHS' implementation of such authority with respect to
violations occurring on or after February 18, 2009. HHS also pursues
this expedited rulemaking to avoid any public misunderstanding or undue
delay with respect to implementing Congress' intent to strengthen
enforcement of the HIPAA rules.
We set out below the statutory and regulatory background for this
interim final rule and follow with a description of our approach to
this rulemaking. We then discuss each section of the interim final
rule, request comments from the public, and conclude with our analyses
of impact and other issues considered under applicable law.
A. Statutory Background
HIPAA Prior to the HITECH ACT
Subtitle F of title II of HIPAA, entitled ``Administrative
Simplification,'' was enacted in 1996, for the purpose of improving the
Medicare program under title XVIII of the Act, the Medicaid program
under title XIX of the Act, and the efficiency and effectiveness of the
health care system by encouraging the development of a health
information system through the establishment of standards and
requirements for the electronic transmission of certain health
information. 42 U.S.C. 1320d note. To this end, subtitle F directs the
Secretary to adopt national standards (HIPAA standards) for certain
information-related activities and to protect the privacy and security
of such information.
Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the HIPAA
provisions apply to the following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in
electronic form in connection with a transaction referred to in section
1173(a)(1).
Under sections 1176 and 1177 of the Act, 42 U.S.C. 1320d-5 and 6, these
persons or organizations, collectively referred to as ``covered
entities,'' may be subject to civil money penalties and criminal
penalties for violations of the HIPAA rules. HHS enforces the civil
money penalties under section 1176 of the Act, and the U.S. Department
of Justice enforces the criminal penalties under section 1177 of the
Act.
Prior to the HITECH Act, section 1176(a) of the Act, 42 U.S.C.
1320d-5(a), authorized the Secretary to impose a civil money penalty,
as follows:
(1) IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part [42 U.S.C. 1320d et seq.] a penalty of not more than $100
for each such violation, except that the total amount imposed on the
person for all violations of an identical requirement or prohibition
during a calendar year may not exceed $25,000.
(2) PROCEDURES. The provisions of section 1128A [42 U.S.C.
1320a-7a] (other than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the imposition of a civil
money penalty under this subsection in the same manner as such
provisions apply to the imposition of a penalty under such section
1128A.
Prior to the HITECH Act, section 1176(b) of the Act, 42 U.S.C.
1320d-5(b), set out limitations on the Secretary's above referenced
authority to impose civil money penalties. Such limitations included
prohibitions on imposing civil money penalties for: (1) An act that
``constitutes an offense punishable under section 1177'' of the Act
(the criminal penalty provisions), (2) violations ``if it is
established to the satisfaction of the Secretary that the person liable
for the penalty did not know, and by exercising reasonable diligence
would not have known, that such person violated the provision,'' and
(3) violations if the failure to comply was due ``to reasonable cause
and not to willful neglect'' and was corrected during a 30-day time
period or pursuant to an extension determined to be appropriate by the
Secretary based on the nature and circumstances of the covered entity's
failure to comply.
Section 13410(d) of the HITECH Act
The HITECH Act was incorporated into ARRA to promote the adoption
and meaningful use of health information technology. Subtitle D of the
HITECH Act, sections 13400-13424, addresses the privacy and security
concerns associated with the electronic transmission of health
information. It does so, in part, through several provisions that
strengthen the civil and criminal enforcement of the HIPAA rules. Many
of these enforcement provisions became effective as of February 18,
2009 and are the impetus of this rulemaking. Other enforcement
provisions have yet to become effective under the HITECH Act and are
therefore subject to future rulemaking.
Section 13410(d) of the HITECH Act became effective February 18,
2009, revising section 1176 of the Act, 42 U.S.C. 1320d-5, to
strengthen enforcement of the HIPAA rules in several ways. As modified,
section 1176(a) establishes categories of violations that reflect
increasing levels of culpability, requires that a penalty determination
be based on the nature and extent of the violation and the nature and
extent of the harm resulting from the violation, and establishes tiers
of increasing penalty amounts that establish, by reference, the range
of the Secretary's authority to impose civil money penalties. The
revised text of section 1176(a) that became effective February 18,
2009, pursuant to section 13410(d) of the HITECH Act is as follows:
GENERAL PENALTY.
(1) IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part--
[[Page 56125]]
(A) in the case of a violation of such provision in which it is
established that the person did not know (and by exercising
reasonable diligence would not have known) that such person violated
such provision, a penalty for each such violation of an amount that
is at least the amount described in paragraph (3)(A) but not to
exceed the amount described in paragraph (3)(D);
(B) in the case of a violation of such provision in which it is
established that the violation was due to reasonable cause and not
to willful neglect, a penalty for each such violation of an amount
that is at least the amount described in paragraph (3)(B) but not to
exceed the amount described in paragraph (3)(D); and
(C) in the case of a violation of such provision in which it is
established that the violation was due to willful neglect--
(i) if the violation is corrected as described in subsection
(b)(3)(A),\1\ a penalty in an amount that is at least the amount
described in paragraph (3)(C) but not to exceed the amount described
in paragraph (3)(D); and
---------------------------------------------------------------------------
\1\ We note that, as amended, section 1176 no longer includes a
subsection (b)(3)(A). We interpret this text as referencing the 30-
day period in section 1176(b)(2)(A), which was designated as section
1176(b)(3)(A) prior to the HITECH Act's amendment. We request public
comment on this interpretation, to the extent there is disagreement.
---------------------------------------------------------------------------
(ii) if the violation is not corrected as described in such
subsection, a penalty in an amount that is at least the amount
described in paragraph (3)(D).
In determining the amount of a penalty under this section for a
violation, the Secretary shall base such determination on the nature
and extent of the violation and the nature and extent of the harm
resulting from such violation.
(2) PROCEDURES. The provisions of section 1128A (other than
subsections (a) and (b) and the second sentence of subsection (f))
shall apply to the imposition of a civil money penalty under this
subsection in the same manner as such provisions apply to the
imposition of a penalty under such section 1128A.
(3) Tiers of penalties described.--For purposes of paragraph
(1), with respect to a violation by a person of a provision of this
part--
(A) the amount described in this subparagraph is $100 for each
such violation, except that the total amount imposed on the person
for all such violations of an identical requirement or prohibition
during a calendar year may not exceed $25,000;
(B) the amount described in this subparagraph is $1,000 for each
such violation, except that the total amount imposed on the person
for all such violations of an identical requirement or prohibition
during a calendar year may not exceed $100,000;
(C) the amount described in this subparagraph is $10,000 for
each such violation, except that the total amount imposed on the
person for all such violations of an identical requirement or
prohibition during a calendar year may not exceed $250,000; and
(D) the amount described in this subparagraph is $50,000 for
each such violation, except that the total amount imposed on the
person for all such violations of an identical requirement or
prohibition during a calendar year may not exceed $1,500,000.
Section 13410(d) of the HITECH Act also revised section 1176(b) of
the Act by: (1) Striking the affirmative defense for violations in
which the covered entity did not know, or by reasonable diligence would
not have known, of the violation (such violations are now punishable
under the first tier of penalties); and (2) revising the subsection
that provides an affirmative defense for a 30-day time period of
correction to only require that the covered entity demonstrate the
violation was not due to willful neglect (the statute previously also
required a showing that the violation was due to reasonable cause). The
revised statutory text of section 1176(b) that became effective
February 18, 2009,\2\ pursuant to section 13410(d) of the HITECH Act is
as follows:
---------------------------------------------------------------------------
\2\ Note that section 13410(a) of the HITECH Act further amends
section 1176(b) of the Act with respect to penalties imposed on or
after February 18, 2011. These changes are not reflected in the
statutory text, as they have yet to become effective.
LIMITATIONS.
(1) OFFENSES OTHERWISE PUNISHABLE. No penalty may be imposed
under subsection (a) and no damages obtained under subsection (d)
with respect to an act if the act constitutes an offense punishable
under section 1177.
(2) FAILURES DUE TO REASONABLE CAUSE.
(A) IN GENERAL. Except as provided in subparagraph (B) or
subsection (a)(1)(C), no penalty may be imposed under subsection (a)
and no damages obtained under subsection (d) if the failure to
comply is corrected during the 30-day period beginning on the first
date the person liable for the penalty knew, or by exercising
reasonable diligence would have known, that the failure to comply
occurred.
(B) EXTENSION OF PERIOD.--
(i) NO PENALTY.--With respect to the imposition of a penalty by
the Secretary under subsection (a), the period referred to in
subparagraph (A) may be extended as determined appropriate by the
Secretary based on the nature and extent of the failure to comply.
(ii) ASSISTANCE.--If the Secretary determines that a person
failed to comply because the person was unable to comply, the
Secretary may provide technical assistance to the person during the
period described in subparagraph (A). Such assistance shall be
provided in any manner determined appropriate by the Secretary.
(3) REDUCTION.--In the case of a failure to comply which is due
to reasonable cause and not to willful neglect, any penalty under
subsection (a) and any damages under subsection (d) that is not
entirely waived under paragraph (3) \3\ may be waived to the extent
that the payment of such penalty would be excessive relative to the
compliance failure involved.
\3\ We note that this reference to paragraph (3) creates a
circular reference which appears to be an error. Section 13410(d) of
the HITECH Act redesignated the prior paragraph (3) to paragraph
(2), but did not include a conforming revision to this reference.
Accordingly, we interpret this reference as being to paragraph (2)
(i.e., the affirmative defense for violations that are not due to
willful neglect and are timely corrected) and request public comment
to the extent there is disagreement.
---------------------------------------------------------------------------
B. Regulatory Background
Section 1173 of the Act, 42 U.S.C. 1320d-2, and section 264 of
HIPAA, require the Secretary to adopt a number of national standards to
facilitate the exchange of certain health information and to protect
the privacy and security of such information. The Secretary has adopted
a number of national standards to that end, which include the
following: Standards for Electronic Transactions and Code Sets
(Transactions and Code Sets Rules); Standards for Privacy of
Individually Identifiable Health Information (HIPAA Privacy Rule);
Standard Unique Employer Identifier (EIN Rule); Security Standards
(HIPAA Security Rule); and Standard Unique Health Identifier for Health
Care Providers (NPI Rule). See 70 FR 20224, 20225-26 (April 18, 2005)
for a more detailed description of the history of these HIPAA rules.
Covered entities are required to comply with these HIPAA standards.
In addition, the Secretary promulgated rules that relate to
compliance with, and enforcement of, the HIPAA rules, which are
codified at 45 CFR part 160, subparts C, D, and E and collectively
referred to as the Enforcement Rule. The Secretary first issued an
interim final rule promulgating the procedural requirements for
imposition of civil money penalties on violations of the privacy
standards on April 17, 2003, Civil Money Penalties: Procedures for
Investigations, Imposition of Penalties (68 FR 18896). The Secretary
subsequently proposed a rule on April 18, 2005, HIPAA Administrative
Simplification: Enforcement; Proposed Rule (70 FR 20224), proposing the
amendment of 45 CFR part 160, subparts A (General Provisions), C
(Compliance and Enforcement), and E (Procedures for Hearing), proposing
a new subpart D (Imposition of Civil Money Penalties) that addressed
the substantive issues related to the imposition of civil money
penalties, and proposing that the above provisions be applied to all of
the HIPAA rules, rather
[[Page 56126]]
than only the privacy standards. The Secretary then adopted a final
rule, HIPAA Administrative Simplification: Enforcement; Final Rule (71
FR 8390, February 16, 2006). The preambles of these rulemakings provide
additional information that may be helpful to readers seeking a general
understanding of HIPAA's compliance and enforcement scheme. Where, if
at all, language in these prior preambles is contrary to language in
this preamble or regulation text, the language herein applies.
Subpart D of the Enforcement Rule pertains to the imposition of
civil money penalties under section 1176 of the Act and includes a
number of provisions that apply to violations occurring before section
13410(d) of the HITECH Act's effective date of February 18, 2009, but
that conflict with the statutory language as it has been revised with
respect to violations occurring on or after February 18, 2009. Thus,
the primary objectives of this interim final rule are to conform the
Enforcement Rule provisions found in subpart D to the amended language
in section 1176 of the Act, to provide covered entities with additional
notice of the Secretary's revised statutory authority with respect to
the imposition of civil money penalties, and to avoid any public
misunderstanding or undue delay with respect to Congress' intent to
strengthen enforcement of the HIPAA rules.
III. Approach to the Interim Final Rule
As stated previously, this interim final rule amends several
provisions of the Enforcement Rule, subpart D, to conform its language
regarding HHS' imposition of civil money penalties to section 1176 of
the Act, which section 13410(d) of the HITECH Act revised as of
February 18, 2009. Subtitle D of the HITECH Act, which specifically
pertains to privacy, contains several other provisions crafted to
strengthen enforcement, some but not all of which pertain to HHS'
implementation of the Enforcement Rule. We recognize that additional
amendments will become necessary as such provisions become effective,
but we do not adopt amendments in this interim final rule pursuant to
those other provisions of subtitle D which have not yet become
statutorily effective and have not, as a result, yet operated to revise
HHS' enforcement authority under section 1176 of the Act.
HHS has concluded that it has good cause, under 5 U.S.C. 553(b)(B),
to waive the notice-and-comment requirements of the Administrative
Procedure Act (APA) and to proceed with this interim final rule. We
first note that section 13410(d) of the HITECH Act's amendment of
section 1176 of the Act, 42, U.S.C. 1320d-5, became effective the day
after the date of enactment and that many covered entities may be
unaware they are currently subject to significantly greater penalties
for violations of the HIPAA rules. In addition, section 13410(d) of the
HITECH Act's amendments have caused a number of provisions of the
Enforcement Rule to conflict with the amended statute, and the
resulting inconsistency has led to public confusion, both as to the
penalty amounts for violations of the HIPAA rules and as to what
defenses remain in effect. Delaying the promulgation of these
conforming amendments would also forestall HHS' timely implementation
of the strengthened enforcement approach mandated by statute and would
maintain the status quo with respect to the heightened privacy and
security concerns associated with the electronic transmission of health
information among health care entities.
Based on the above reasons, we believe that delaying amendment to
the Enforcement Rule, through the exercise of notice-and-comment
rulemaking prior to publication of a final rule, would be
impracticable, unnecessary, or contrary to public policy. Accordingly,
HHS has good cause under the APA, 5 U.S.C. 553(b)(B), to waive notice-
and-comment rulemaking and to proceed directly with the issuance of a
final rule. At the same time, HHS is interested in the public's input
and requests public comments regarding the substance of these
amendments.
While HIPAA generally requires certain consultations with industry
as a predicate to the issuance of the HIPAA standards, this interim
final rule does not adopt standards, as the term is defined and
interpreted under subtitle F of title II of HIPAA. Therefore, the
requirement for such industry consultations in section 1172(c) of the
Act, 42 U.S.C. 1320d-1(c), does not apply. For the same reason, the
timeframes for compliance with the HIPAA rules, as set forth in section
1175 of the Act, 42 U.S.C. 1320d-4, do not apply.
IV. Provisions in the Interim Final Rule
This interim final rule amends 45 CFR part 160, subpart D, which
establishes rules relating to the imposition of civil money penalties,
to conform several provisions to section 13410(d) of the HITECH Act's
amendments to section 1176 of the Act, 42 U.S.C. 1320d-6, which became
effective February 18, 2009. This interim final rule's amendments
distinguish between violations occurring before February 18, 2009, and
violations occurring on or after that date, with respect to the
potential amount of the civil money penalty and the affirmative
defenses available to covered entities. We discuss this interim final
rule's amendments to the Enforcement Rule on a provision-by-provision
basis below:
A. Subpart A--General Provisions
1. Section 160.101--Statutory Basis and Purpose
Section 160.101 is amended to add the statutory citation for
section 13410(d) of the HITECH Act to the list of the statutes that the
requirements of the subchapter are designed to implement.
B. Subpart D--Imposition of Civil Money Penalties
1. Section 160.401--Definitions
Section 160.401 is added and defines the terms of reasonable cause,
reasonable diligence and willful neglect, using the same definitions
currently found at Sec. 160.410. As discussed below, we are removing
these terms from Sec. 160.410 as a conforming amendment. This
reorganization of the definitions signals the application of these
terms to the entirety of subpart D. We do not discuss the terms
further, as we are amending their placement in the rule but not their
substance. Readers who would like a better understanding of these terms
are encouraged to consult prior preamble explanations at 70 FR 20224,
20237-9 (April 18, 2005) and 71 FR 8390, 8409-11 (February 16, 2006).
2. Section 160.404--Amount of Civil Money Penalties
Subsection 160.404(b) is amended to revise the range of potential
civil money penalty amounts a covered entity will be subject to based
on the HITECH Act's amendments of section 1176 of the Act, 42 U.S.C.
1320-5, which are currently in effect. As amended, Sec. 160.404(b)(1)
retains the range of penalty amounts enumerated prior to the statutory
revision for those violations occurring before February 18, 2009. The
current content of Sec. 160.404(b)(2) is re-designated as Sec.
160.404(b)(3). A new Sec. 160.404(b)(2) is added which identifies the
range of penalty amounts for violations occurring on or after February
18, 2009.
Section 160.404 currently implements a penalty scheme, as required
by section 1176(a)(1) prior to the HITECH Act's revisions, which
explicitly established the maximum penalty amount for each violation as
``not more than $100'' and
[[Page 56127]]
the maximum penalty amount ``for all violations of an identical
requirement or prohibition during a calendar year'' as ``not to exceed
$25,000.'' Subsection 160.404(b)(1) retains this penalty scheme for
violations occurring before February 18, 2009, though its language is
slightly modified to accommodate the parallel provisions for those
violations that occur on or after February 18, 2009.
As modified, section 1176(a)(1) generally establishes a minimum
penalty amount ``for each such violation'' by stating the penalty
amount is to be ``at least'' the amount described in a specifically
referenced tier and establishes a maximum penalty amount per violation
by stating that each such violation is ``not to exceed the amount
described in [section 1176(a)(3)(D)].'' \4\ Each referenced penalty
tier additionally provides a total penalty amount for all such
violations of an identical requirement or prohibition during a calendar
year. The HITECH Act's revised penalty scheme is similar to its
predecessor with respect to its identification of a range of available
civil money penalty amounts, a maximum penalty amount for violations of
identical provisions during a calendar year, and generally with respect
to the discretion it allows HHS in determining the appropriate penalty
amount within the range prescribed.
---------------------------------------------------------------------------
\4\ Section 1176(a)(1) notably provides no maximum penalty
amount, however, with respect to ``each such violation'' described
in subparagraph (C)(ii) (for violations established as due to
willful neglect and not timely corrected), although a cap is set by
section 1176(a)(3)(D). This caveat is discussed further below.
---------------------------------------------------------------------------
The revised penalty scheme differs significantly from its
predecessor by its establishment of several categories of violations
that reflect increasing levels of culpability. The revised penalty
scheme also differs significantly from its predecessor in its
establishment of the range of available penalty amounts for each
category of violation by reference to tiers of penalty amounts. Each
tier specifies a minimum penalty amount that accompanies the increasing
culpability associated with each category of violation and, for three
of the four violation categories, defaults to ``the amount described in
paragraph 3(D)'' as the outside limit.
For example, in the case of a violation where it is established
that a covered entity did not know of the violation and would not have
known through the exercise of reasonable diligence, section 13410(d) of
the HITECH Act provides that the minimum penalty amount for each such
violation is ``at least'' the amount described in paragraph (3)(A)
[section 1176(a)(3)(A)] (i.e., $100) but is ``not to exceed'' the
amount described in paragraph (3)(D) [section 1176(a)(3)(D)] (i.e.,
$50,000). Paragraphs 1176(a)(3)(A) and (D) each additionally provide
that the total penalty amount for multiple violations of an identical
requirement or prohibition during a calendar year is $25,000 and $1.5
million respectively.
HHS considered the conflicting statutory language that references
two tiers of penalties ``for each violation,'' which each provide a
penalty amount ``for all such violations'' of an identical requirement
or prohibition in a calendar year. With the exception of violations due
to willful neglect that are not timely corrected, this interim final
rule adopts a range of penalty amounts between the minimum given in one
tier and the maximum given in the second tier for each violation and
adopts the amount of $1.5 million as the limit for all violations of an
identical provision of the HIPAA rules. For violations due to willful
neglect that are not timely corrected, this interim final rule adopts
the penalty amount of $50,000 as the minimum for each violation and
$1.5 million for all such violations of an identical requirement or
prohibition. These regulatory amendments are consistent with the most
logical reading of section 1176(a)(1) and (3). The amendments are also
consistent with Congress' intent to strengthen enforcement, in part, by
increasing the minimum penalty amounts available according to
categories of violation, and with the clear discretion Congress has
provided to impose a penalty amount up to the amount described in
``paragraph (3)(D).''
More specifically, HHS amends Sec. 160.404(b)(2) to reflect each
category of violation that will serve as the basis for a civil money
penalty on or after February 18, 2009, as well as the respective range
of penalty amounts available. The range of penalty amounts available
for the first three categories of violations (i.e., where it is
established the covered entity did not reasonably know of the
violation, the violation was due to a reasonable cause, or the
violation was due to willful neglect but timely corrected) is defined
consistent with the controlling language of section 1176(a)(1)(A)-
(C)(i), whereby the minimum penalty amount for each violation is set
pursuant to the specific tier referenced by each category of violation,
and the maximum penalty amount for each violation is capped at $50,000,
the amount identified ``for such each violation'' in section
1176(a)(3)(D). For these categories of violations, the maximum penalty
amount available for all such violations of an identical provision in a
calendar year is consistently capped at $1.5 million, the other amount
referenced in section 1176(a)(1) as that ``not to exceed'' and
identified in section 1176(a)(3)(D) ``for all such violations of an
identical requirement or prohibition during a calendar year.''
The penalty amounts available for the fourth level of culpability
(i.e., where it is established the violation is due to willful neglect
but not timely corrected) are also consistent with the controlling
language of section 1176(a)(1)(C)(ii). Unlike the other levels of
culpability at section 1176(a)(1)(A), (B) and (C)(i), section
1176(a)(1)(C)(ii) only provides in its reference to section
1176(a)(3)(D) a minimum penalty amount of $50,000 ``for each
violation'' and a penalty cap of $1.5 million for multiple violations
of an identical requirement or prohibition in a calendar year.
We highlight the penalty amounts in Table 1, below, to ensure that
covered entities are fully aware of their potential liability:
Table 1--Categories of Violations and Respective Penalty Amounts
Available
------------------------------------------------------------------------
All such
violations of an
Violation category--Section Each violation identical
1176(a)(1) provision in a
calendar year
------------------------------------------------------------------------
(A) Did Not Know.................. $100-$50,000 $1,500,000
(B) Reasonable Cause.............. 1,000-50,000 1,500,000
(C)(i) Willful Neglect--Corrected. 10,000-50,000 1,500,000
(C)(ii) Willful Neglect--Not 50,000 1,500,000
Corrected........................
------------------------------------------------------------------------
[[Page 56128]]
We note that HHS will not impose the maximum penalty amount in all
cases. Rather, HHS will determine penalty amounts as required by the
statute at section 1176(a)(1) and the regulations at Sec. 160.408.
That is, penalty determinations will be based on the nature and extent
of the violation, the nature and extent of the resulting harm, as well
as the other factors set forth at Sec. 160.408 (such as the covered
entity's history of prior compliance or financial condition).
For counting violations that occur on or after February 18, 2009,
HHS will continue to utilize the methodology discussed in prior
preambles of the Enforcement Rule. See 70 FR 20224, 20233-35 (April 18,
2005) and 71 FR 8390, 8404-07 (February 16, 2006). For violations that
began prior to February 18, 2009, and continue after that date, we will
treat violations occurring before February 18, 2009, as subject to the
penalties in effect prior to February 18, 2009 and violations occurring
on or after February 18, 2009, as subject to the penalties in effect on
or after February 18, 2009.
3. Section 160.410--Affirmative Defenses
As previously discussed, the terms reasonable cause, reasonable
diligence and willful neglect, have been moved from Sec. 160.410 to
Sec. 160.401 in order to apply more generally to all of subpart D.
Accordingly, we have removed the current paragraph (a) from Sec.
160.410 and redesignated paragraph (b) as paragraph (a).
We also amended Sec. 160.410 to conform its provisions to the
statutory language in section 1176(a)(3), as revised by section
13410(d) of the HITECH Act. Section 160.410(b) currently provides three
affirmative defenses to the Secretary's authority to impose a civil
money penalty, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d-6;
(2) The covered entity establishes, to the satisfaction of the
Secretary, that it did not have knowledge of the violation,
determined in accordance with the federal common law of agency, and
by exercising reasonable diligence, would not have known that the
violation occurred; or
(3) The violation is--
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the date the covered entity
liable for the penalty knew, or by exercising reasonable diligence
would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be
appropriate based on the nature and extent of the failure to comply
Section 13410(d) of the HITECH Act revises section 1176(b) of the
Act to: (a) Strike the limitation on imposing a penalty when a covered
entity establishes, to the Secretary's satisfaction, that it ``did not
know, and by exercising reasonable diligence would not have known'' of
the violation; and (b) extend the affirmative defense for violations
that are timely corrected, which was previously limited to violations
due to ``reasonable cause and not to willful neglect,'' to all
violations not due to willful neglect.
The amendments conform Sec. 160.410 to distinguish the limitations
placed on the Secretary's authority to impose civil money penalties
before and after the HITECH Act by: (a) Revising the current
provisions, which have been redesignated as paragraph (a), to apply
only ``[f]or violations occurring prior to February 18, 2009''; and (b)
adding a new paragraph (b) that applies ``[f]or violations occurring on
or after February 18, 2009.'' The amendments also conform Sec. 160.410
to the amended section 1176(b) by removing a covered entity's lack of
knowledge as an affirmative defense for violations occurring on or
after February 18, 2009. As a result, a covered entity that did not
know and reasonably should not have known of such violations, will not
have this affirmative defense available, unless it also corrects the
violation during the 30-day time period beginning on the first date of
such knowledge or during the period determined appropriate by the
Secretary based on the nature and extent of the failure to comply. The
amendments likewise revise the affirmative defenses available for
violations occurring on or after February 18, 2009 to conform to the
amended statute by removing any specific reference to ``reasonable
cause'' while retaining more generalized language applicable to all
violations ``not due to willful neglect.'' Notwithstanding these
revisions, the Secretary may continue to use discretion in providing
technical assistance, obtaining corrective action, and resolving
possible noncompliance by informal means where the possible
noncompliance is due to reasonable cause or in the event a person did
not reasonably know that the violation occurred.
We note that the amendments made to Sec. 160.410 do not alter the
beginning of the 30-day cure period. Section 1176(b)(2)(A) of the Act
continues to provide that the 30-day cure period begins ``on the first
date the person liable for the penalty knew, or by exercising
reasonable diligence would have known, that the failure to comply
occurred.'' As prior preambles to the Enforcement Rule explain, the
statute, ``on its face suggests that the knowledge involved must be
knowledge that a `violation' has occurred, not just knowledge of the
facts constituting the violation. * * * [HHS], thus, interpret[s] this
knowledge requirement to mean that the covered entity must have
knowledge that a violation has occurred, not just knowledge of the
facts underlying the violation.'' However, the ``reasonable diligence''
requirement makes the affirmative defense unavailable, in the event a
covered entity's ``lack of knowledge'' resulted from its failure to
inform itself about its compliance obligations or to investigate
received complaints or other information indicating likely
noncompliance. See 70 FR 20224, 20237-8 (April 18, 2005) and 71 FR
8390, 8410 (February 16, 2006). Thus, HHS expects its determination of
the beginning of the cure period will be based on evidence gathered
during its investigation of when a covered entity had actual or
constructive knowledge of a violation.
We also note that the amendments made to Sec. 160.410 do not alter
affirmative defenses with respect to violations due to willful neglect.
Section 1176(b)(2)(A) still operates to exclude violations due to
willful neglect from those that, if timely corrected, would be exempt
from the imposition of a civil money penalty. Violations due to willful
neglect are therefore not eligible for extension, nor will their timely
correction be an affirmative defense. Timely correction will, however,
determine which tier of penalty amounts will be applicable to
violations due to willful neglect.
Thus, for example, referring to ``Table 1. Categories of Violations
and Respective Penalty Amounts Available,'' which appears in the
discussion about Sec. 160.404, a covered entity's timely correction
would bar the Secretary's imposition of the penalty amounts identified
in columns two and three, if the covered entity did not reasonably know
of the violation or if the violation was due to reasonable cause. In
contrast, a covered entity's timely correction of a violation due to
willful neglect would not be an affirmative defense that bars the
Secretary's imposition of a penalty amount identified in columns two
and three of the table.
To determine the appropriate penalty tier for a violation due to
willful neglect, HHS will calculate the 30-day cure period in the same
manner as that described above for the affirmative defense of timely
correction of a violation not due to willful neglect. Our determination
of when a covered entity
[[Page 56129]]
first had actual or constructive knowledge of a violation due to
willful neglect for the purpose of calculating whether it was timely
corrected will be based on evidence gathered during our investigation
and will thus necessarily be made on a case-by-case basis. The minimum
penalty amount under the HITECH Act for a violation due to willful
neglect that is corrected during the 30-day cure period is
significantly less than the minimum penalty amount for a violation due
to willful neglect that is not timely corrected. In recognition of the
HITECH Act's enhanced penalties and its application of a 30-day cure
period to a determination of the appropriate penalty tier for a
violation due to willful neglect, we request public comment on whether
there are alternative approaches to calculating the beginning of the
30-day cure period for this purpose.
This interim final rule does not amend Sec. 160.410 with respect
to the affirmative defense pertaining to criminal violations,
punishable under 42 U.S.C. 1320d-6, since the relevant statutory
revision will not become effective until February 18, 2011. The interim
final rule also does not amend Sec. 160.410 with respect to the
enforcement authority of state attorneys general to bring civil actions
under the HIPAA rules in certain circumstances, as set forth in Sec.
13410(e) of the HITECH Act, since such authority operates pursuant to
the statute and does not require HHS rulemaking.
4. Section 160.412--Waiver
Section 160.412 is amended to reflect the revisions to Sec.
160.410. Regardless of whether violations occur before, on, or after
February 18, 2009, the Secretary may continue to provide a waiver for
violations due to reasonable cause and not willful neglect that are not
timely corrected (pursuant to the correction period in revised Sec.
160.410(a)(3)(ii) or (b)(2)(ii), as applicable).
5. Section 160.420--Notice of Proposed Determination
Section 160.420(a)(4) is amended to add the requirement that, in
addition to the proposed penalty amount, HHS identify the applicable
violation category in Sec. 160.404 upon which the proposed penalty
amount is based. While such additional language is not required by
statute, HHS makes this amendment to provide covered entities with
additional notice and information to benefit their understanding of the
violation findings in the Notice of Proposed Determination.
V. Request for Comments
HHS seeks public comments on any aspect of this interim final rule.
In particular, we invite public comments with respect to the following:
(1) The calculation of when the 30-day cure period begins for the
purpose of determining the appropriate penalty tier for a violation due
to willful neglect as discussed above in the penultimate paragraph of
Section IV.B.3; (2) whether moving the definitions of ``reasonable
cause,'' ``reasonable diligence,'' and ``willful neglect'' to the new
Sec. 160.401 leads to any unintended consequences; and (3) the HHS
interpretations of Congressional intent referenced in footnotes 1 and
3.
VI. Impact Statement and Other Required Analyses
A. Paperwork Reduction Act
We reviewed this interim final rule to determine whether it invokes
issues that would relate to the Paperwork Reduction Act (PRA). While
the PRA applies to agencies and collections of information conducted or
sponsored by those agencies, 5 CFR 1320.4(a) exempts collections of
information that occur ``during the conduct of * * * an administrative
action, investigation, or audit involving an agency against specific
individuals or entities,'' except for investigations or audits
``undertaken with reference to a category of individuals entities or
entities such as a class of licensees or an entire industry.'' The
rules adopted below come squarely within this exemption, as they deal
entirely with administrative investigations and actions against
specific individuals or entities. Therefore, we have determined that
the PRA does not apply to this interim final rule and need not be
reviewed by the Office of Management and Budget under the authority of
the PRA.
B. Executive Order 12866
We also reviewed the impacts of this interim final rule as required
by Executive Order 12866 (58 FR 51735, October 4, 1993), which directs
agencies to assess all costs and benefits of available regulatory
alternatives and, if regulation is necessary, to select regulatory
approaches that maximize net benefits (including potential economic,
environmental, public health and safety effects, distributive impacts,
and equity). Executive Order 12866 requires that a regulatory impact
analysis (RIA) be prepared for ``significant regulatory actions,''
which it defines at section 3(f), to include rules that may:
(1) Have an annual effect on the economy of $100 million or more
or adversely affect in a material way the economy, a sector of the
economy, productivity, competition, jobs, the environment, public
health or safety, or state, local, or tribal government or
communities;
(2) Create a serious inconsistency or otherwise interfere with
an action taken or planned by another agency;
(3) Materially alter the budgetary impact of entitlements,
grants, user fees, or loan programs or the rights and obligations of
recipients thereof; or
(4) Raise novel legal or policy issues arising out of legal
mandates, the President's priorities, or the principles set forth in
the Executive Order.
Executive Order 12866 requires a full economic impact analysis only
for ``economically significant'' rules under section 3(f)(1). The
amendments contained within this interim final rule only conform the
regulatory language of subpart D to that of the Act's revised statutory
basis, in a way that differentiates the categories of violations for
which a civil money penalty may be imposed, sets forth ranges of
increasing penalty amounts with respect to each category of violation,
and narrows the grounds for the affirmative defenses available.
HHS has concluded, for reasons similar, and in addition to, those
discussed in the preambles to the proposed and final Enforcement Rules
at 70 FR 20224, 20248-49 (April 18, 2005) and 71 FR 8390, 8424
(February 16, 2006), that the impact of this interim final rule is not
such that it would reach the ``economically significant'' threshold
under section 3(f)(1) of the Executive Order. As was the case at the
time of earlier promulgations, the costs covered entities may incur
with respect to their compliance with the Enforcement Rule, itself,
should be low in most cases. That is, covered entities that comply with
the HIPAA rules voluntarily, as is expected, should not incur any
additional, significant costs with respect to the imposition of a civil
money penalty. HHS' experience enforcing the HIPAA rules also suggests
that violations should not collectively amount to an annual effect on
the economy of $100 million or more, even in light of the higher
penalty amounts prescribed by statute.
Further, HHS does not expect the imposition of civil money
penalties pursuant to these amendments to ``adversely affect in a
material way the economy, a sector of the economy, productivity,
competition, jobs, the environment, public health or safety, or state,
local, or tribal government or communities.'' To the contrary, HHS
maintains that the benefits brought by
[[Page 56130]]
the HIPAA provisions and their strengthened enforcement under this
interim final rule will far outweigh the potential costs. We believe
the added penalties will encourage covered entities to take steps
necessary to comply and thus not be liable for violations. In addition,
we believe the conforming amendments made with respect to the
affirmative defenses available will encourage covered entities to
quickly and voluntarily correct acts or omissions that might otherwise
be established as violations of the HIPAA rules. Greater vigilance in
protecting privacy may also encourage public trust in the industry's
use of health information technology. For these reasons, among others,
a detailed cost-benefit assessment of the interim final rule is not
required.
C. Other Analyses
We also examined the impacts of the interim final rule as required
by the Regulatory Flexibility Act (RFA), section 1102(b) of the Act,
the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), the Small
Business Regulatory Enforcement and Fairness Act, 5 U.S.C. 801 et seq.,
and Executive Order 13132.
The RFA requires agencies to determine whether a rule will have a
significant economic impact on a substantial number of small entities.
For purposes of the RFA, small entities include small businesses,
nonprofit organizations, and government jurisdictions. The standard
size of a ``small'' health care entity ranges from $7 million to $34.5
million in revenues in any one year. HHS assumes that the majority of
covered entities to which this interim final rule is applicable are
likely to be deemed small businesses based on the size standards of the
Small Business Administration. As is discussed above, HHS expects that
a covered entity's voluntary compliance and timely correction will not
result in any significant economic impact, and that only a small
percentage of violations occurring on or after February 18, 2009, will
necessitate investigation and the imposition of a civil money penalty
due to willful neglect. As discussed in prior enforcement rulemakings,
(70 FR 20224, 20249 (April 18, 2005) and 71 FR 8390, 8424 (February 16,
2006)), the absence of evidence that small entities have a higher rate
of noncompliance than larger entities provides additional support for
the Secretary's certification that this rule will not have a
significant economic impact on a substantial number of small entities.
Section 1102(b) of the Act requires agencies to prepare a
regulatory impact analysis if a rule may have a significant impact on
the operations of a substantial number of small rural hospitals. This
analysis must conform to the provisions of section 603 (proposed
documents)/604 (final documents) of the RFA. A small rural hospital,
for purposes of section 1102(b) of the Act, is defined as a hospital
that is located outside of a Metropolitan Statistical Area and has
fewer than 100 beds. For reasons described above, this interim final
rule is not expected to have a significant impact on small rural
hospitals any more than it is expected to negatively impact any
``small'' health care entity.
Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C.
1531 et seq., requires that agencies assess anticipated costs and
benefits before issuing a rule that may result in an aggregate
expenditure of $100 million in any one year, by State, local, or tribal
governments, or by the private sector. The Small Business Regulatory
Enforcement Act of 1996 (SBREFA), 5 U.S.C. 801 et seq., also requires
that rules that will have an impact on the economy of $100 million or
more per annum be submitted for Congressional review. For the reasons
discussed above, this interim final rule would not impose a burden
large enough to require a statement under section 202 of the Unfunded
Mandates Reform Act of 1995 or Congressional review under the SBREFA.
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a rule that imposes substantial
direct requirement costs on State and local governments, preempts State
law, or otherwise has Federalism implications. As previously discussed,
this interim final rule is not likely to have substantial economic
effects. Any preemption of State law that could occur would be a
function of the HIPAA statute and the underlying HIPAA rules and not
these amendments to the Enforcement Rule, which principally establish
the means by which the statutory civil money penalty provisions will be
implemented. This interim final rule does not have ``substantial direct
effects on the States, on the relationship between the national
government and the States, or on the distribution of power and
responsibilities among the various levels of government,'' nor does it
have ``Federalism implications.'' It is therefore not subject to
Executive Order 13132.
List of Subjects in 45 CFR Part 160
Administrative practice and procedure, Computer technology,
Electronic transactions, Employer benefit plan, Health, Health care,
Health facilities, Health insurance, Health records, Hospitals,
Investigations, Medicaid, Medical research, Medicare, Penalties,
Privacy, Reporting and recordkeeping requirements, Security.
0
For the reasons set forth in the preamble, the Department of Health and
Human Services amends 45 CFR subtitle A, subchapter C, part 160, as set
forth below.
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
0
1. The authority citation for part 160 is revised to read as follows:
Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d-1320d-8, sec. 264
of Public Law 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2
(note)), 5 U.S.C. 552; and secs.13400 and 13402, Public Law 111-5,
123 Stat. 258-263.
* * * * *
0
2. Revise Sec. 160.101 to read as follows:
Sec. 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171 through
1179 of the Social Security Act (the Act), as added by section 262 of
Public Law 104-191, section 264 of Public Law 104-191, section 13402 of
Public Law 111-5, and section 13410(d) of Public Law 111-5.
0
3. Add Sec. 160.401 to subpart D to read as follows:
Sec. 160.401 Definitions.
As used in this subpart, the following terms have the following
meanings:
Reasonable cause means circumstances that would make it
unreasonable for the covered entity, despite the exercise of ordinary
business care and prudence, to comply with the administrative
simplification provision violated.
Reasonable diligence means the business care and prudence expected
from a person seeking to satisfy a legal requirement under similar
circumstances.
Willful neglect means conscious, intentional failure or reckless
indifference to the obligation to comply with the administrative
simplification provision violated.
0
4. Revise paragraph (b) of Sec. 160.404 to read as follows:
Sec. 160.404 Amount of a civil monetary penalty.
* * * * *
[[Page 56131]]
(b) The amount of a civil money penalty that may be imposed is
subject to the following limitations:
(1) For violations occurring prior to February 18, 2009, the
Secretary may not impose a civil money penalty--
(i) In the amount of more than $100 for each violation; or
(ii) In excess of $25,000 for identical violations during a
calendar year (January 1 through the following December 31);
(2) For violations occurring on or after February 18, 2009, the
Secretary may not impose a civil money penalty--
(i) For a violation in which it is established that the covered
entity did not know and, by exercising reasonable diligence, would not
have known that the covered entity violated such provision,
(A) In the amount of less than $100 or more than $50,000 for each
violation; or
(B) In excess of $1,500,000 for identical violations during a
calendar year (January 1 through the following December 31);
(ii) For a violation in which it is established that the violation
was due to reasonable cause and not to willful neglect,
(A) In the amount of less than $1,000 or more than $50,000 for each
violation; or
(B) In excess of $1,500,000 for identical violations during a
calendar year (January 1 through the following December 31);
(iii) For a violation in which it is established that the violation
was due to willful neglect and was corrected during the 30-day period
beginning on the first date the covered entity liable for the penalty
knew, or, by exercising reasonable diligence, would have known that the
violation occurred,
(A) In the amount of less than $10,000 or more than $50,000 for
each violation; or
(B) In excess of $1,500,000 for identical violations during a
calendar year (January 1 through the following December 31);
(iv) For a violation in which it is established that the violation
was due to willful neglect and was not corrected during the 30-day
period beginning on the first date the covered entity liable for the
penalty knew, or, by exercising reasonable diligence, would have known
that the violation occurred,
(A) In the amount of less than $50,000 for each violation; or
(B) In excess of $1,500,000 for identical violations during a
calendar year (January 1 through the following December 31).
(3) If a requirement or prohibition in one administrative
simplification provision is repeated in a more general form in another
administrative simplification provision in the same subpart, a civil
money penalty may be imposed for a violation of only one of these
administrative simplification provisions.
0
5. Revise Sec. 160.410 to read as follows:
Sec. 160.410 Affirmative defenses.
(a) For violations occurring prior to February 18, 2009, the
Secretary may not impose a civil money penalty on a covered entity for
a violation if the covered entity establishes that an affirmative
defense exists with respect to the violations, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d-6;
(2) The covered entity establishes, to the satisfaction of the
Secretary, that it did not have knowledge of the violation, determined
in accordance with the federal common law of agency, and, by exercising
reasonable diligence, would not have known that the violation occurred;
or
(3) The violation is--
(i) Due to reasonable cause and not willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the first date the covered
entity liable for the penalty knew, or by exercising reasonable
diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be
appropriate based on the nature and extent of the failure to comply.
(b) For violations occurring on or after February 18, 2009, the
Secretary may not impose a civil money penalty on a covered entity for
a violation if the covered entity establishes that an affirmative
defense exists with respect to the violations, including the following:
(1) The violation is an act punishable under 42 U.S.C. 1320d-6; or
(2) The covered entity establishes to the satisfaction of the
Secretary that the violation is--
(i) Not due to willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the first date the covered
entity liable for the penalty knew, or, by exercising reasonable
diligence, would have known that the violation occurred; or
(B) Such additional period as the Secretary determines to be
appropriate based on the nature and extent of the failure to comply.
0
6. Revise Sec. 160.412 to read as follows:
Sec. 160.412 Waiver.
For violations due to reasonable cause and not willful neglect that
are not corrected within the period described in Sec.
160.410(a)(3)(ii) or (b)(2)(ii), as applicable, the Secretary may waive
the civil money penalty, in whole or in part, to the extent that the
payment of the penalty would be excessive relative to the violation.
0
7. Revise Sec. 160.420(a)(4) to read as follows:
Sec. 160.420 Notice of Proposed Determination.
(a) * * *
(4) The amount of the proposed penalty and a reference to the
subparagraph of Sec. 160.404 upon which it is based.
* * * * *
Dated: August 11, 2009.
Kathleen Sebelius,
Secretary.
[FR Doc. E9-26203 Filed 10-29-09; 8:45 am]
BILLING CODE 4150-03-P