Social Security: enforNPRM

8/14/2019 Social Security: enforNPRM

http://slidepdf.com/reader/full/social-security-enfornprm 1/36

Monday,

April 18, 2005

Part III

Department of Health and Human ServicesOffice of the Secretary

45 CFR Parts 160 and 164

HIPAA Administrative Simplification;Enforcement; Proposed Rule

VerDate jul<14>2003 16:15 Apr 15, 2005 Jkt 205001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\18APP2.SGM 18APP2



20224 Federal Register / Vol. 70, No. 73/ Monday, April 18, 2005/ Proposed Rules

DEPARTMENT OF HEALTH ANDHUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991–AB29

HIPAA Administrative Simplification;

Enforcement

AGENCY: Office of the Secretary, HHS.ACTION: Proposed rule.

SUMMARY: The Secretary of Health andHuman Services is proposing rules forthe imposition of civil money penaltieson entities that violate rules adopted bythe Secretary to implement theAdministrative Simplificationprovisions of the Health InsurancePortability and Accountability Act of 1996, Pub. L. 104–191 (HIPAA). Theproposed rule would amend the existingrules relating to the investigation of

noncompliance to make them apply toall of the HIPAA AdministrativeSimplification rules, rather thanexclusively to the privacy standards. Itwould also amend the existing rulesrelating to the process for imposition of civil money penalties. Among othermatters, the proposed rules wouldclarify and elaborate upon theinvestigation process, bases for liability,determination of the penalty amount,grounds for waiver, conduct of thehearing, and the appeal process.DATES: Comments on the proposed rulewill be considered if we receive them at

the appropriate address, as provided below, no later than June 17, 2005.

ADDRESSES: You may submit comments by any of the following methods:

• Federal eRulemaking Portal: http:// www.regulations.gov. Include agencyname and ‘‘RIN: 0991–AB29.’’

• E-mail:[email protected]. Include‘‘RIN: 0991–AB29’’ in the subject line of the message.

• Mail: U.S. Department of Healthand Human Services, Office of GeneralCounsel, Attention: HIPAA EnforcementRule, 330 Independence Ave., SW.,

Washington, DC 20201.• Hand Delivery/Courier: Attention:HIPAA Enforcement Rule, Hubert H.Humphrey Building, 200 IndependenceAvenue, SW., Washington, DC 20201.

Instructions: Because of staff andresource limitations, we cannot acceptcomments by facsimile (FAX)transmission. For detailed instructionson submitting comments and additionalinformation on the rulemaking process,see the ‘‘Public Participation’’ headingof the SUPPLEMENTARY INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Carol Conrad, (202) 690–1840.SUPPLEMENTARY INFORMATION:

I. Public Participation

We welcome comments from thepublic on all issues set forth in this ruleto assist us in fully considering issuesand developing policies. You can assist

us by referencing the RIN number (RIN:0991–AB29) and by preceding yourdiscussion of any particular provisionwith a citation to the section of theproposed rule being discussed.

A. Inspection of Public Comments

Comments received timely will beavailable for public inspection as theyare received, generally beginningapproximately 6 weeks after publicationof this document, at the mail addressprovided above, Monday through Fridayof each week from 8:30 a.m. to 4 p.m.To schedule an appointment to view

public comments, call Karen Shaw,(202) 205–0154.

B. Electronic Comments

We will consider all electroniccomments that include the full name,postal address, and affiliation (if applicable) of the sender and aresubmitted to either of the electronicaddresses identified in the ADDRESSES section of this preamble. All commentsmust be incorporated in the e-mailmessage, because we may not be able toaccess attachments. Copies of electronically submitted comments will

be available for public inspection as

soon as practicable at the addressprovided, and subject to the processdescribed, in the preceding paragraph.

C. Mailed Comments and Hand Delivered/Couriered Comments

Mailed comments may be subject todelivery delays due to securityprocedures. Please allow sufficient timefor mailed comments to be timelyreceived in the event of delivery delays.Comments mailed to the addressindicated for hand or courier deliverymay be delayed and could beconsidered late.

D. CopiesTo order copies of the Federal

Register containing this document, sendyour request to: New Orders,Superintendent of Documents, P.O. Box371954, Pittsburgh, PA 15250–7954.Specify the date of the issue requestedand enclose a check or money orderpayable to the Superintendent of Documents, or enclose your Visa orMaster Card number and expirationdate. Credit card orders can also beplaced by calling the order desk at (202)

512–1800 (or toll-free at 1–866–512–1800) or by faxing to (202) 512–2250.The cost for each copy is $10. As analternative, you may view andphotocopy the Federal Register document at most libraries designatedas Federal Depository Libraries and atmany other public and academiclibraries throughout the country that

receive the Federal Register.E. Electronic Access

This Federal Register document isavailable from the Federal Register online database through GPO Access, aservice of the U.S. Government PrintingOffice. The web site address is: http:// www.gpoaccess.gov/nara/index.html. This document is availableelectronically at the following web sitesof the Department of Health and HumanServices (HHS): http://www.hhs.gov/ ocr/hipaa/ and http://www.cms.gov/ hipaa/hipaa2.

F. Response to CommentsBecause of the large number of public

comments we normally receive onFederal Register documents, we are notable to acknowledge or respond to themindividually. We will consider allcomments we receive in accordancewith the methods described above and

by the date specified in the DATES section of this preamble. When weproceed with a final rule, we willrespond to comments in the preamble tothat rule.

II. Background

HHS proposes to amend or renumberexisting rules that relate to compliancewith, and enforcement of, theAdministrative Simplificationregulations (HIPAA rules) adopted bythe Secretary of Health and HumanServices (Secretary) under subtitle F of Title II of HIPAA (HIPAA provisions).These rules are codified at 45 CFR part160, subparts C and E. In addition, thisproposed rule would add a new subpartD to part 160. The new subpart D wouldcontain additional rules relating to theimposition by the Secretary of civilmoney penalties on covered entities that

violate the HIPAA rules. The full set of rules that will ultimately be codified atsubparts C, D, and E of 45 CFR part 160is collectively referred to in thisproposed rule as the ‘‘EnforcementRule.’’ Finally, HHS proposesconforming changes to subpart A of part160 and subpart E of part 164.

The statutory and regulatory background of the proposed rule is setout below. A description of HHS’sapproach to enforcement of the HIPAAprovisions and the HIPAA rules ingeneral, the approach of this proposed


http://www.regulations.gov/





mailto:[email protected]



http://www.gpoaccess.gov/nara/index.html




http://www.hhs.gov/ocr/hipaa/




http://www.cms.gov/hipaa/hipaa2













20225Federal Register / Vol. 70, No. 73/ Monday, April 18, 2005/ Proposed Rules

rule in particular, and each section of the proposed rule follows. The preambleconcludes with HHS’s analyses of impact and other issues underapplicable law.

A. Statutory Background

Subtitle F of Title II of HIPAA,entitled ‘‘AdministrativeSimplification,’’ requires the Secretaryto adopt national standards for certaininformation-related activities of thehealth care industry. The purpose of subtitle F is to improve the Medicareprogram under title XVIII of the SocialSecurity Act (Act), the Medicaidprogram under title XIX of the Act, andthe efficiency and effectiveness of thehealth care system, by mandating thedevelopment of standards andrequirements to enable the electronicexchange of certain health information.Section 262 of subtitle F added a newPart C to Title XI of the Act. Part C

(sections 1171–1179 of the Act, 42U.S.C. 1320d–1320d–8) requires theSecretary to adopt national standards forcertain financial and administrativetransactions and various data elementsto be used in those transactions, such ascode sets and certain unique healthidentifiers. Recognizing that theindustry trend toward computerizinghealth information, which HIPAAencourages, may increase theaccessibility of that information,sections 262 and 264 of HIPAA alsorequire the Secretary to adopt nationalstandards to protect the security and

privacy of the information.Under section 1172(a) of the Act, 42

U.S.C. 1320d–1(a), the HIPAAprovisions apply only to—

The following persons:(1) A health plan.(2) A health care clearinghouse.(3) A health care provider who transmits

any health information in electronic form inconnection with a transaction referred to insection 1173(a)(1).

These entities are collectively known as‘‘covered entities.’’ An additionalcategory of covered entities was added

by the Medicare Prescription Drug,

Improvement, and Modernization Act of 2003 (Pub. L. 108–173) (MMA). Asadded by MMA, section 1860D–31(h)(6)(A) of the Act, 42 U.S.C. 1395w–141(h)(6)(A), provides that:

a prescription drug card sponsor is a coveredentity for purposes of applying part C of titleXI and all regulatory provisions promulgatedthereunder, including regulations (relating toprivacy) adopted pursuant to the authority of the Secretary under section 264(c) of theHealth Insurance Portability andAccountability Act of 1996 (42 U.S.C. 1320d–2 note).

HIPAA requires certain consultationswith industry as a predicate to theissuance of the HIPAA standards andprovides that most covered entities haveup to 2 years (small health plans haveup to 3 years) to come into compliancewith the standards, once adopted. Thestatute establishes civil money penaltiesand criminal penalties for violations.

Act, sections 1172(c) (42 U.S.C. 1320d–1(c)), 1175(b) (42 U.S.C. 1320d–4(b)),1176 (42 U.S.C. 1320d–5), 1177 (42U.S.C. 1320d–6). HHS enforces the civilmoney penalties, while the U.S.Department of Justice enforces thecriminal penalties.

HIPAA’s civil money penaltyprovision, section 1176(a) of the Act, 42U.S.C. 1320d–5(a), authorizes theSecretary to impose a civil moneypenalty, as follows:

(1) IN GENERAL. Except as provided insubsection (b), the Secretary shall impose onany person who violates a provision of this

part [42 U.S.C. § 1320d et seq.] a penalty of not more than $100 for each such violation,except that the total amount imposed on theperson for all violations of an identicalrequirement or prohibition during a calendaryear may not exceed $25,000.

(2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 1320a–7a] (otherthan subsections (a) and (b) and the secondsentence of subsection (f)) shall apply to theimposition of a civil money penalty underthis subsection in the same manner as suchprovisions apply to the imposition of apenalty under such section 1128A.

For simplicity, we refer throughout thispreamble to this provision, the related

provisions at section 1128A of the Act,and other related provisions of the Act, by their Social Security Act citations,rather than by their U.S. Code citations.

Subsection (b) of section 1176 sets outlimitations on the Secretary’s authorityto impose civil money penalties andalso provides authority for waiving suchpenalties. Under section 1176(b)(1), acivil money penalty may not beimposed with respect to an act that‘‘constitutes an offense punishable’’ under the criminal penalty provision.Under section 1176(b)(2), a civil moneypenalty may not be imposed ‘‘if it is

established to the satisfaction of theSecretary that the person liable for thepenalty did not know, and by exercisingreasonable diligence would not haveknown, that such person violated theprovision.’’ Under section 1176(b)(3), acivil money penalty may not beimposed if the failure to comply wasdue ‘‘to reasonable cause and not towillful neglect’’ and is corrected withina certain time. Finally, under section1176(b)(4), a civil money penalty may

be reduced or entirely waived ‘‘to theextent that the payment of such penalty

would be excessive relative to thecompliance failure involved.’’

As noted above, HIPAA incorporates by reference certain provisions of section 1128A of the Act. Thoseprovisions, as relevant here, establish anumber of requirements with respect tothe imposition of civil money penalties.Under section 1128A(c)(1), the Secretary

may not initiate a civil money penaltyaction ‘‘later than six years after thedate’’ of the occurrence that forms the

basis for the civil money penalty. Undersection 1128A(c)(2), a person uponwhom the Secretary seeks to impose acivil money penalty must be givenwritten notice and an opportunity for adetermination to be made ‘‘on therecord after a hearing at which theperson is entitled to be represented bycounsel, to present witnesses, and tocross-examine witnesses against theperson.’’ Section 1128A also provides,at subsections (c), (e), and (j),

respectively, requirements for: service of the notice and authority for sanctionswhich the hearing officer may imposefor misconduct in connection with thecivil money penalty proceeding; judicialreview of the Secretary’s determinationin the United States Court of Appealsfor the circuit in which the personresides or maintains his/its principalplace of business; and the issuance of subpoenas by the Secretary and theenforcement of those subpoenas. Inaddition, section 1128A of the Actcontains provisions relating to liabilityfor civil money penalties and how theyare dealt with, once imposed. For

example, section 1128A(d) provides thatthe Secretary must take into accountcertain factors ‘‘in determining theamount * * * of any penalty,’’ section1128A(h) requires certain notificationsonce a civil money penalty is imposed,and section 1128A(l) makes a principalliable for penalties ‘‘for the actions of the principal’s agent acting within thescope of the agency.’’ These provisionsare discussed more fully below.

B. Regulatory Background

As noted above, HIPAA requires theSecretary to adopt a number of national

standards to facilitate the exchange, andprotect the privacy and security, of certain health information. TheSecretary has already adopted many of these HIPAA standards by regulation.

• Regulations implementing thestatutory requirement for the adoptionof standards for transactions and codesets, Health Insurance Reform:Standards for Electronic Transactions(Transactions Rule), were published onAugust 17, 2000 (65 FR 50312), andwere modified on February 20, 2003 (68FR 8381). The Transactions Rule





became effective on October 16, 2000,with an initial compliance date of October 16, 2002 for covered entitiesother than small health plans. Thepassage of the AdministrativeSimplification Compliance Act (ASCA),Pub. L. 107–105, in 2001 enabledcovered entities to obtain an extensionof the compliance date to October 16,

2003 by filing a compliance plan byOctober 15, 2002. If a covered entity(other than a small health plan) did notfile such a plan, it was required tocomply with the Transactions Rule byOctober 16, 2002. All covered entitieswere required to be in compliance withthe Transactions Rule, as modified, byOctober 16, 2003.

• Regulations implementing thestatutory requirement for the adoptionof privacy standards, Standards forPrivacy of Individually IdentifiableHealth Information (Privacy Rule), werepublished on December 28, 2000 (65 FR

82462). The Privacy Rule becameeffective on April 14, 2001.Modifications to simplify and increasethe workability of the Privacy Rule werepublished on August 14, 2002 (67 FR53182). Compliance with the PrivacyRule, as modified, was required by April14, 2003 for covered entities other thansmall health plans; small health planswere required to come into compliance

by April 14, 2004.The Privacy Rule adopted rules

relating to compliance and enforcement.These rules are codified at 45 CFR part160, subpart C. Subpart C presentlyapplies only to compliance with, and

enforcement of, the Privacy Rule.• Regulations implementing the

statutory requirement for the adoptionof an employer identifier standard,Health Insurance Reform: StandardUnique Employer Identifier (EIN Rule),were published on May 31, 2002 (67 FR38009) and became effective on July 30,2002. The initial compliance date was

July 30, 2004 for most covered entities;small health plans have until July 30,2005 to come into compliance. Theseregulations were modified on January23, 2004 (69 FR 3434), effective thesame date.

•

Regulations implementing thestatutory requirement for the adoptionof security standards, Health InsuranceReform: Security Standards, werepublished on February 20, 2003 (68 FR8334), effective on April 21, 2003. Theinitial compliance date for coveredentities other than small health plans isApril 20, 2005; small health plans haveuntil April 20, 2006 to come intocompliance.

• An interim final rule promulgatingprocedural requirements for impositionof civil money penalties, Civil Money

Penalties: Procedures for Investigations,Imposition of Penalties, and Hearings(April 17, 2003 interim final rule), waspublished on April 17, 2003 (68 FR18895), was effective on May 19, 2003,with a sunset date of September 16,2004 (as corrected at 68 FR 22453, April28, 2003). The April 17, 2003 interimfinal rule adopted a new subpart E of

part 160. The sunset date of the April17, 2003 interim final rule was extendedto September 16, 2005 on September 15,2004 (69 FR 55515).

• Regulations implementing therequirement to issue standards for aunique identifier for health careproviders, HIPAA AdministrativeSimplification: Standard Unique HealthIdentifier for Health Care Providers (NPIRule), were issued on January 23, 2004(69 FR 3434), effective on May 23, 2005.The compliance date is May 23, 2007 formost covered entities; small healthplans have until May 23, 2008 to come

into compliance.In addition to the foregoingregulations implementing the HIPAAprovisions, HHS has adopted two otherregulations that are relevant, for somecovered entities, to compliance withthose provisions.

• Section 3 of the ASCA amendedsection 1862 of the Act to requireMedicare providers, with certainexceptions, to submit claims toMedicare electronically (and, thus, inconformity with the Transactions Rule)

by October 16, 2003. Regulationsimplementing section 3, MedicareProgram: Electronic Submission of

Medicare Claims, were published onAugust 15, 2003 (68 FR 48805), effectiveon October 16, 2003.

• Regulations implementing theMedicare Prescription Drug DiscountCard program under MMA and thestatutory provision that Medicareprescription drug discount cardsponsors are covered entities underHIPAA, were issued on December 15,2003 (68 FR 69840), effective the samedate. These rules require such sponsorsto comply with the HIPAA rules whenthey become sponsors, except and to theextent that the Secretary temporarily

waives the Privacy Rule requirements,and provides some rules regarding howthese entities are to comply with theHIPAA rules. The Secretary hasindicated that he does not anticipatethat it will be necessary to waive thePrivacy Rule requirements and has notdone so. 68 FR 69871.

III. General Approach

As the discussion above makes clear,the duty to comply with certain HIPAArules is now a reality for all coveredentities. The immediacy of the

compliance obligation brings with it theissue of how these rules will beenforced. Accordingly, we discuss

below our general approach toenforcement, how the rules proposed

below would fit in with the existingcomponents of the Enforcement Rule,and the basic approach of the proposedrule.

A. HHS’s General Approach toEnforcement

One of the Secretary’s priorities is‘‘One HHS’’: HHS’s public health andwelfare mission and message must beconsistent, and HHS should speak withone voice. Because of the Secretary’sOne HHS policy and because there isone statutory provision for imposingcivil money penalties on coveredentities that violate the HIPAA rules,there is one enforcement andcompliance policy for the HIPAA rules.We are committed to promoting andencouraging voluntary compliance withthe HIPAA rules through education,cooperation, and technical assistance.

Many educational and technicalassistance materials on HIPAA,including the HIPAA rules, are alreadyavailable on HHS’s Web sites. Seehttp://www.hhs.gov/ocr/hipaa for thePrivacy Rule and http://www.cms.gov/ hipaa/hipaa2 for the other HIPAA rules.We continue to work on educationaland technical assistance materials,including additional guidance oncompliance and enforcement andtargeted technical assistance materialsfocused on particular segments of the

health care industry. We anticipatedeveloping additional materials relevantto new HIPAA rules as the need arises.

The authority for administering andenforcing compliance with the PrivacyRule has been delegated to the HHSOffice for Civil Rights (OCR). 65 FR82381 (December 28, 2000). Theauthority for administering andenforcing compliance with the non-privacy HIPAA rules has been delegatedto the Centers for Medicare & MedicaidServices (CMS). 68 FR 60694 (October23, 2003).

At present, our compliance and

enforcement activities are primarilycomplaint-based. Although ourenforcement efforts are focused oninvestigating complaints, they may alsoinclude conducting compliance reviewsto determine if a covered entity is incompliance. When potential violationscome to our attention through acomplaint or a compliance review, OCRor CMS’s Office of HIPAA Standards(OHS), as appropriate, attempts toresolve the matter informally. Manysuch matters are resolved at the initialstage of contact. However, even where a


http://www.hhs.gov/ocr/hipaa






http://www.hhs.gov/ocr/hipaa




matter is not resolved at this initial stageand the investigation continues, thematter can still be resolved throughvoluntary compliance (for example, bymeans of a corrective action plan); andOCR or CMS may provide technicalassistance to help the covered entityachieve compliance. Resolving issuesthrough such informal means is often

the quickest and most effective means of ensuring that the benefits of the HIPAArules are realized. However, if we areunable to obtain compliance effectivelyon matters within our jurisdictionthrough voluntary means, we may seekto impose civil money penalties.Moreover, matters subject to criminalpenalties are referred to the Departmentof Justice.

B. HHS’ s Approach to the Enforcement Rule

The Enforcement Rule would bringtogether and adopt rules governing theimplementation of the civil moneypenalty authority of section 1176 of theAct for all of the HIPAA rules. Aspreviously noted, parts of theEnforcement Rule are already in place:subpart C of part 160 establishes certaininvestigative procedures for the PrivacyRule, and subpart E establishes interimprocedures for investigations and for theimposition of, and challenges to theimposition of, civil money penalties forall of the HIPAA rules. This proposedrule would complete the EnforcementRule by addressing, among other issues,our policies for determining violationsand calculating civil money penalties,

how we will address the statutorylimitations on the imposition of civilmoney penalties, and variousprocedural issues, such as provisions forappellate review within HHS of ahearing decision, burden of proof, andnotification of other agencies of theimposition of a civil money penalty.

In developing these regulations,several principles guided our choice of policies from among the availableoptions. The Enforcement Rule shouldpromote voluntary compliance with theHIPAA rules, be clear and easy tounderstand, provide consistent results

in the interest of fairness, provide theSecretary with reasonable discretion,particularly in areas where the exerciseof judgment is called for by the statuteor rules, and avoid being overlyprescriptive in areas where it would behelpful to gain experience with thepractical impact of the HIPAA rules, toavoid unintended adverse effects.

With respect to many of theEnforcement Rule’s provisions, we werealso mindful that section 1176(a)requires the Secretary to apply theincorporated provisions of section

1128A to the imposition of a civilmoney penalty under section 1176 ‘‘inthe same manner as’’ they apply to theimposition of civil money penaltiesunder section 1128A itself. As weexplained in the preamble to the April17, 2003 interim final rule, theimposition of civil money penaltiesunder section 1128A is administered by

the HHS Office of the Inspector General(OIG). Accordingly, the rules proposed

below, like those in the current SubpartE, generally look to the regulations of the OIG that implement section 1128A,which are codified at 42 CFR parts 1003,1005, and 1006 (OIG regulations).

The Enforcement Rule does not adoptstandards, as that term is defined andinterpreted under HIPAA. Thus, therequirement for industry consultationsin section 1172(c) of the Act does notapply. For the same reason, HIPAA’stime frames for compliance, set forth insection 1175 of the Act, will not applyto the Enforcement Rule, when adoptedin final form.

IV. Provisions of the Proposed Rule

The proposed rule would revise 45CFR part 160 as follows: it would revisethe existing subpart C, adopt a newsubpart D, and revise the existingsubpart E; a minor amendment of subpart A is also proposed. Subpart A,which contains general provisions,would be amended to include adefinition of ‘‘person.’’ Subpart Cincludes all provisions that relate toactivities for determining compliance,including investigations andcooperation by covered entities. Theproposed revisions of subpart C arelargely technical, incorporating severalprovisions currently found in subpart E.We also propose to make subpart Capplicable to the non-privacy HIPAArules. The new subpart D wouldestablish rules relating to the impositionof civil money penalties, includingthose which apply whether or not thereis a hearing. Subpart D would alsoincorporate several provisions currentlyfound in subpart E. Proposed subpart Ewould address the pre-hearing and

hearing phases of the enforcementprocess. Many of the provisions of proposed subpart E were adopted by theApril 17, 2003 interim final rule andwould not be substantively changed,although they would, in general, berenumbered.

Finally, a conforming change to theprivacy standards in subpart E of part164 is proposed. This conformingchange is discussed in connection withproposed § 160.316 at section IV.B.5

below.

A. Subpart A

We propose to amend § 160.103 toadd a definition of the term ‘‘person.’’ This would replace the definition of thatterm adopted by the April 17, 2003interim final rule. We propose to placethis definition in § 160.103 so that itapplies to all of the HIPAA rules. Theterm ‘‘person’’ appears throughout theHIPAA rules, and the definition of theterm we propose is a universal one thatshould work in each of the contexts inwhich the term ‘‘person’’ occurs. If theproposed placement would createproblems, commenters should bring thatto our attention.

In § 160.502 of the April 17, 2003interim final rule, we defined a‘‘person’’ as ‘‘a natural or legal person’’ to clarify, in the context of administrative subpoenas, thedistinction between an entity (definedas a ‘‘legal person’’) and natural personswho would testify on the entity’s behalf.

The proposed rule would revise andexpand this definition.

The statutory definition of a ‘‘person’’ that would otherwise apply to theHIPAA provisions is found in section1101(3) of the Act. That section, whichhas been in the Act since it wasoriginally enacted in 1935, defines aperson as ‘‘an individual, a trust orestate, a partnership, or a corporation.’’ However, Part C of title XI specifies thatthe class of ‘‘persons’’ to whom theHIPAA standards apply—health plans,certain health care providers, and healthcare clearinghouses—includes certain

State and federal programs, which arenot included in the definition of ‘‘person’’ in section 1101(3). Forexample, section 1171(2) defines ahealth care clearinghouse as a ‘‘publicor private’’ entity. Under section1171(3), a ‘‘health care provider’’ isdefined to include a provider of servicesas defined in section 1861(u), forpurposes of the Medicare program. Thedefinition includes hospitals, which inturn include State or local government-owned hospitals. Finally, the definitionof ‘‘health plan’’ in section 1171(5)includes State and federal health plans:

section 1171(5)(A) includes a grouphealth plan ‘‘as defined in section2791(a) of the Public Health ServiceAct,’’ and this definition includes Stateand local governmental group healthplans; section 1171(5)(E) includes ‘‘themedicaid program under title XIX,’’ which is a State program; and otherprovisions of section 1171(5) explicitlyinclude as health plans various federalhealth plans, such as Medicare, theFederal Employee Benefit Health Plan,CHAMPUS, and the program of benefitsfor veterans. Section 1176, by its terms,





applies to ‘‘any person who violates aprovision of this part.’’ Nothing in thislanguage suggests that Congressintended to exempt any class of coveredentities from liability for a civil moneypenalty under this section.

Thus, to effectuate Congress’s purposein enacting the HIPAA provisions, it isnecessary to define ‘‘person’’

sufficiently broadly to encompass theentities to which the HIPAA rulesapply. The Supreme Court hasrecognized that this is a valid approachin appropriate instances. See, e.g.,Lawson v. Suwanee S.S. Co., 336 U.S.198 (1949). This proposed approach isalso consistent with that taken by theOIG regulations, the preamble to whichexplained that it was necessary toexpand the definition of ‘‘person’’ in thecontext of section 1128A of the Act toinclude States because of clearCongressional intent to include them inthe class of entities subject to civil

money penalties. 48 FR 38837, 38828(August 26, 1983).Accordingly, the proposed rule

generally tracks the definition of ‘‘person’’ in the OIG regulations. Inparticular, by defining the term as ‘‘anatural person, trust or estate,partnership, corporation, professionalassociation or corporation, or otherentity, public or private,’’ the proposedrule clarifies, consistent with the HIPAAprovisions, that the term includes Statesand other public entities. However, wepropose to adapt the language used inthe OIG regulations by substituting theterm ‘‘natural person’’ for the term

‘‘individual’’ in the definition of ‘‘person’’ in the OIG regulations. Theterm ‘‘individual’’ is defined in§ 160.103 as ‘‘the person who is thesubject of protected healthinformation.’’ Since the term‘‘individual’’ has a defined, andnarrower, meaning in the HIPAA rulesthan it does in the OIG regulations, theproposed rule uses the term ‘‘naturalperson’’ to make the definition of ‘‘person’’ have the same scope as in theOIG regulations.

B. Subpart C —Compliance and Investigations

We propose to amend subpart C tomake the compliance and investigationprovisions of the subpart—which atpresent apply only to the Privacy Rule—applicable to all of the HIPAA rules. Inaddition, we propose to include insubpart C the definitions that apply tosubparts C, D, and E. In accordance withthe organizational scheme describedabove, we also propose to move tosubpart C from subpart E the provisionrelating to investigational subpoenas,which is currently codified at § 160.504.

The title of this subpart has also beenchanged (from ‘‘Compliance andEnforcement’’) to reflect the focus of thissubpart within the larger EnforcementRule. Finally, we propose to add tosubpart C provisions prohibitingintimidation or retaliation that arecurrently found in the Privacy Rule butnot in the other HIPAA rules. Aside

from making conforming changes to§ 160.312, discussed at section IV.B.3

below, we propose to leave thesubstance of the existing provisions of subpart C unchanged. We solicitcomment as to whether these provisionsshould be revised and, if so, in whatmanner.

1. Application of Subpart C to the Non-Privacy HIPAA Rules

Subpart C is intended to provide acooperative approach to obtainingcompliance, including use of technicalassistance and informal means toresolve disputes, and currently providesas follows. Section 160.304 providesthat the Secretary will, to the extentpracticable, seek the cooperation of covered entities in obtainingcompliance and may provide technicalassistance to this end. Section 160.306provides for the investigation of complaints by the Secretary andprovides requirements relating to thefiling of such complaints. Section160.308 provides for the conduct of compliance reviews by the Secretary.Section 160.310 requires coveredentities to keep and submit such recordsas the Secretary determines are

necessary to determine compliance andcooperate with the Secretary in aninvestigation or compliance review. Acovered entity must provide accessduring normal business hours to their

books and records pertinent toascertaining compliance; while we thinksuch circumstances are very unlikelyever to arise, a covered entity is alsorequired, where exigent circumstancesexist, to permit such access at any timeand without notice. This section alsoprovides that the Secretary may discloseprotected health information obtainedin the course of an investigation or

compliance review only if necessary forascertaining or enforcing compliancewith the applicable requirements of thePrivacy Rule or if otherwise required bylaw. Section 160.312 addressesSecretarial action regarding complaintsand compliance reviews. It providesthat where noncompliance is indicated,the Secretary will attempt to resolve thematter by informal means whereverpossible and provides for certainnotifications to the covered entity (andthe complainant, if the matter arosefrom a complaint).

At present, subpart C applies only tothe Privacy Rule. However, to simplify,clarify, and reduce the burden of thecompliance process for covered entities,the proposed rule would make thissubpart applicable to the other HIPAArules as well. A uniform regulatoryscheme would simplify the complianceand enforcement process in the eventthat a covered entity violates provisionsof more than one HIPAA rule (forexample, where violations of both thePrivacy Rule and the Security Rule areat issue) and is also consistent with theSecretary’s ‘‘One HHS’’ policy.

Accordingly, we propose to amendthe following sections of subpart C tomake them applicable to all of theHIPAA rules: § 160.300—Applicability;§ 160.304—Principles for achievingcompliance; § 160.306—Complaints tothe Secretary; § 160.308—Compliancereviews; and § 160.310—

Responsibilities of covered entities. Thiswould be accomplished by changing thepresent references in these sections from‘‘subpart E of part 164’’ to the moreinclusive, defined term, ‘‘administrativesimplification provision’’ or‘‘administrative simplificationprovisions,’’ as appropriate.

2. Section 160.302—Definitions

Section 160.302 presently states thatthe terms used in subpart C that aredefined in § 164.501 have the samemeaning as defined in that section. The

terms that were initially defined in§ 164.501 that would continue to beused in this subpart (‘‘individual,’’ ‘‘disclose,’’ ‘‘protected healthinformation,’’ ‘‘use’’) have subsequently

been moved to § 160.103. The term‘‘payment’’ is used in this subpart, butnot as defined in § 164.501. Thus, wepropose to delete this text, as it is nolonger appropriate.

We propose to move to § 160.302three definitions that were adopted inthe April 17, 2003 interim final rule at§ 160.502: ‘‘ALJ’’, ‘‘civil money penaltyor penalty’’, and ‘‘respondent.’’ These

terms are placed at the outset of theprovisions that address compliance andenforcement for clarity, since they areused in more than one of the subpartsthat address compliance andenforcement. We do not discuss theseterms, as we do not propose to changethem. We discuss below two new termswhich we propose to add to § 160.302and which are likewise used throughoutsubparts C, D, and E: ‘‘administrativesimplification provision’’ and ‘‘violationor violate.’’





a. ‘‘Administrative SimplificationProvision’’

Section 1176(a)(1) provides that,except as provided in section 1176(b),the Secretary shall impose ‘‘on anyperson who violates a provision of this

part a penalty of not more than $100 foreach such violation, except that the totalamount imposed on the person for allviolations of an identical requirement or

prohibition during a calendar year maynot exceed $25,000.’’ (Emphasis added.)Based on this statutory language, andalso taking into account the structures of each of the HIPAA rules, HHSconsidered a number of differentoptions for defining the term ‘‘provisionof this part’’ in section 1176(a)(1) as itapplies to the HIPAA rules.

The HIPAA rules generally arecomprised of standards, implementationspecifications, and requirements andprohibitions. However, the structureand composition of the HIPAA rules

with respect to these elements vary. ThePrivacy Rule is generally comprised of standards that contain implementationspecifications and other requirements orprohibitions. The identifier rules (theEIN Rule and the NPI Rule) containstandards and implementationspecifications, and all requirements thatapply to covered entities are in astandard or an implementationspecification. In the Security Rule, mostrequirements are in standards or theirrelated implementation specifications,

but some requirements are freestanding.The Transactions Rule contains

requirements and prohibitions, not all of which are contained in standards andimplementation specifications, andadopts standards that are alsoimplementation specifications. Theprovisions of subpart C of part 160 thatapply to covered entities are framed asrequirements. The HIPAA rules aresilent as to which of these elements isa ‘‘provision of this part’’ that may beviolated and for which civil moneypenalties may be assessed.

We propose to define a new term—‘‘administrative simplificationprovision’’—to express the scope and

application of the compliance andinvestigation provisions, as well as theenforcement and penalty provisions.This proposed provision interprets‘‘provision of this part’’ in section 1176to refer to any requirement orprohibition established by the statute orany of the HIPAA rules that are adoptedunder the statute.

In determining how to define a‘‘provision of this part’’ that could beviolated, we considered options in lightof our goal of implementing a unifiedapproach with respect to all of the

HIPAA rules. Given the variation instructure of the HIPAA rules, we soughtan approach which would be flexibleenough to apply to all the rules butwhich would not be too complex.Accordingly, we decided against anapproach that would define the‘‘provision of this part’’ that could beviolated as either any ‘‘standard,’’ or any

‘‘implementation specification,’’ or both. These approaches would not havecaptured stand-alone requirements orprohibitions—i.e., those requirementsand prohibitions in the HIPAA rulesthat fall outside of the structure of astandard or implementationspecification. For example, in theTransactions Rule, the prohibition on ahealth plan delaying or rejecting atransaction that is a standard transaction(§ 162.925(a)(2)), which implements thestatutory prohibition at section1175(a)(1)(B), is a stand-alonerequirement. It would be anomalous to

create an enforcement scheme that, ineffect, insulated this provision fromenforcement. These options would alsohave resulted in complexity andinconsistency in the application of theEnforcement Rule to each of the HIPAArules, given their varied structures withrespect to standards andimplementation specifications.

Instead, we propose to define a‘‘provision of this part’’ that can beviolated as any ‘‘requirement orprohibition’’ found within the rules,regardless of whether the requirement orprohibition falls within a standard,implementation specification, or

elsewhere in the rules. This definitionflows directly from the statutorylanguage in section 1176(a)(1) of theAct, which refers to ‘‘violations of anidentical requirement or prohibition.’’ Itis also a definition that can be appliedconsistently across the HIPAA rules,regardless of how they are structured ortitled. Accordingly, we propose todefine the term ‘‘administrativesimplification provision’’ in § 160.302 tomean any requirement or prohibitionestablished by the HIPAA provisions orHIPAA rules: ‘‘* * * any requirementor prohibition established by: (1) 42

U.S.C. 1320d–1320d4, 1320d–7, and1320d–8; (2) Section 264 of Pub. L. 104–191; or (3) This subchapter.’’ Thisdefinition would include thoseprovisions in subpart C which apply tocovered entities.

b. ‘‘Violation’’ or ‘‘Violate’’

Building on this proposed definitionof ‘‘administrative simplificationprovision,’’ we propose to define a‘‘violation’’ (or ‘‘to violate’’) to mean a‘‘failure to comply with anadministrative simplification

provision.’’ Like the proposed definitionof ‘‘administrative simplificationprovision,’’ the proposed definition of ‘‘violation’’ flows directly from thestatutory language: subsections (b)(3)and (b)(4) of section 1176 equate a‘‘violation’’ with a ‘‘failure to comply.’’ The proposed definition is likewise onethat can be applied consistently across

the HIPAA rules. This proposeddefinition would make no distinction

between commissions and omissions—that is, a violation occurs when acovered entity fails to take an actionrequired by a HIPAA rule, as well aswhen a covered entity takes an actionprohibited by a HIPAA rule.

3. Section 160.312—Secretarial ActionRegarding Complaints and ComplianceReviews

Section 160.312(a) currently providesthat the Secretary will inform thecovered entity and the complainant, if applicable, if an investigation orcompliance review indicates a failure tocomply and attempt to resolve thematter by informal means wheneverpossible. If the Secretary determinesthat the matter cannot be resolved byinformal means, the Secretary may issuefindings to the covered entity and, if applicable, the complainant.

Like the current § 160.312(a),proposed § 160.312(a)(1) provides that,where noncompliance is indicated, theSecretary would seek to reach aresolution of the matter satisfactory tothe Secretary by informal means.Informal means would include

demonstrated compliance, or acompleted corrective action plan orother agreement. Under this provision,entering into a corrective action plan orother agreement would not, in and of itself, resolve the noncompliance;rather, the full performance by thecovered entity of its obligations underthe corrective action plan or otheragreement would be necessary toresolve the noncompliance.

Proposed §§ 160.312(a)(2) and (3)address what notifications will beprovided by the Secretary wherenoncompliance is indicated, based on

an investigation or compliance review.Notification under this paragraph wouldnot be required where the only contactsmade were with the complainant, todetermine whether the complaintwarrants investigation. Paragraph (a)(2)provides for written notice to thecovered entity and, if the matter arosefrom a complaint, the complainant,where the matter is resolved by informalmeans. If the matter is not resolved byinformal means, paragraph (a)(3)(i)requires the Secretary to so inform thecovered entity and provide the covered





entity an opportunity to submit writtenevidence of any mitigating factors oraffirmative defenses for considerationunder §§ 160.408 and 160.410; thecovered entity must submit any suchevidence to the Secretary within 30 daysof receipt of such notification.Paragraph (a)(3)(ii) would revise thecurrent § 160.312(a)(2) to avoid

confusion with the notice of proposeddetermination process provided for atproposed § 160.420. Where a matter isnot resolved by informal means and theSecretary finds that imposition of a civilmoney penalty is warranted, the formalfinding would be contained in thenotice of proposed determination issuedunder proposed § 160.420. See also thediscussion at section V.J below.

Paragraph (b) of the current § 160.312provides that if the Secretary finds afteran investigation or compliance reviewthat no further action is warranted, theSecretary will so inform the covered

entity and, if the matter arose from acomplaint, the complainant. Thissection does not apply where noinvestigation or compliance review has

been initiated, such as where acomplaint has been dismissed due tolack of jurisdiction. Paragraph (b) wouldremain largely unchanged.

4. Section 160.314—InvestigationalSubpoenas and Inquiries

The text of § 160.314 was adopted bythe April 17, 2003 interim final rule as§ 160.504. We propose to move thissection to subpart C, consistent with ouroverall approach of organizing subparts

C, D, and E to reflect the stages of theenforcement process. Since theinvestigational subpoenas and inquiriesoccur prior to the imposition of a civilmoney penalty, we propose to move therules relating to them to subpart C,where other rules related to this stage of the process are located. Thisorganizational arrangement shouldfacilitate use of the Rule by coveredentities and others.

One substantive change is proposed toparagraph (a). We would add to theintroductory language of this paragrapha sentence which states that, for the

purposes of paragraph (a), a personother than a natural person is termed an‘‘entity.’’ This permits us to avoidcreating a definition of the term ‘‘entity’’ that would have a broader applicationand might be incorrect in other contexts,

but preserves the utility of the definitionin this specific context. The term‘‘entity’’ would no longer be a definedterm for the rest of the Rule, unlike theapproach taken in § 160.502 of the April17, 2003 interim final rule.

Proposed paragraphs (b)(1), (2) and (8)are unchanged from the current

paragraphs (b)(1)—(3) of § 160.504. Wepropose to add new paragraphs (3)through (7) and (9) to § 160.314(b) andalso to add a new paragraph (c).Together, these additions would clarifythe manner in which investigationalinquiries will be conducted, and howtestimony given, and evidence obtained,during such an investigation may be

used.The new paragraphs are based upon

similar provisions in 42 CFR 1006.4.Proposed §§ 160.314(b)(3)—(7) describethe rights of the Secretary and thewitness in the inquiry process:representatives of the Secretary areentitled to attend and ask questions, awitness may clarify his or her answerson the record following questioning bythe Secretary, the witness must placeany claim of privilege on the record,what requirements apply to theassertion of objections, and under whatcircumstances and how the Secretary

may seek enforcement of the subpoena.Proposed § 160.314(b)(8) (currently§ 160.504(b)(3) and which, as notedabove, has not changed) recognizes thatinvestigational inquiries are non-publicproceedings. Accordingly, a witness’sright to retain a copy of the transcriptof his or her testimony may be limitedfor good cause (5 U.S.C. 555(c)).Proposed § 160.314(b)(9) explains whatwould happen in such a case: Thewitness would nonetheless be entitledto inspect the transcript and to proposeany corrections. If the witness isprovided a copy of the transcript,paragraph (b)(9)(i) would provide for the

opportunity to review the transcript andoffer proposed corrections. Thisprovision is consistent with the practiceunder Rule 30(e) of the Federal Rules of Civil Procedure (F.R.C.P.). Paragraph(b)(9)(ii) would allow the Secretary toattach corrections to the transcript of awitness’s testimonial interview if therecord transcribing the interview isincorrect. Consistent with the practiceunder the OIG regulations, thisprovision would not permit theSecretary to propose substantivechanges to the witness’s testimony.

Proposed § 160.314(c) provides that,

consistent with § 160.310, testimonyand other evidence obtained in aninvestigational inquiry may be used byHHS in any of its activities and may beused or offered into evidence in anyadministrative or judicial proceeding.This provision follows § 1006.4(h) of theOIG regulations, but is tailored to beconsistent with the existing§ 160.310(c)(3). Under this provision,evidence obtained in an investigationalinquiry could be used in any of HHS’sactivities and could be used or offeredinto evidence in any administrative or

judicial proceeding, except to the extentit consists of protected healthinformation. Evidence that is protectedhealth information may be disclosedonly ‘‘if necessary for ascertaining orenforcing compliance with theapplicable administrative simplificationprovisions, or if otherwise required bylaw,’’ as provided at § 160.310(c).

5. Section 160.316—Refraining FromIntimidation or Retaliation

Proposed § 160.316 would prohibitcovered entities from threatening,intimidating, coercing, discriminatingagainst, or taking any other retaliatoryaction against individuals or otherpersons (including other coveredentities) who complain to HHS orotherwise assist or cooperate in theenforcement processes created by thisrule. This provision is taken from§ 164.530(g)(2) of the Privacy Rule, withonly minor changes designed to adaptthe provision to the new subparts whichthis rule would add. The intent of thisaddition to subpart C is to make thesenon-retaliation provisions applicable toall of the HIPAA rules, not just thePrivacy Rule. The placement of theseprovisions in subpart C accomplishesthis.

Section 164.530(g) would retainexisting provisions which provide that acovered entity may not intimidate,threaten, coerce, discriminate against, ortake other retaliatory action against anindividual for exercising his or herrights or for participating in any processestablished by the Privacy Rule,

including filing a complaint with acovered entity. A conforming change to§ 164.530(g) of the Privacy Rule isproposed, to cross-reference proposed§ 160.316.

As with other provisions of subpart Cthat impose requirements orprohibitions on covered entities, theprovisions of § 160.316 are‘‘administrative simplificationprovisions.’’ Thus, a violation of arequirement or prohibition of thissection would be a basis for impositionof a civil money penalty.

C. Subpart D —Imposition of Civil

Money PenaltiesProposed subpart D addresses the

issuance of a notice of proposeddetermination to impose a civil moneypenalty and other events that would berelevant thereafter, whether or not ahearing follows the issuance of thenotice of proposed determination. Thissubpart also would contain provisionson identifying violations, determiningthe number of violations, calculatingcivil money penalties for suchviolations, and establishing affirmative





defenses to the imposition of civilmoney penalties. It would, thus,implement the provisions of section1176, as well as related provisions of section 1128A. As noted above, manyprovisions of the Rule are based in largepart upon the OIG regulations, but, aswith subpart E, we propose to adapt theOIG language to reflect issues presented

by, or the authority underlying, theHIPAA rules.

1. Section 160.402—Basis for a CivilMoney Penalty

Proposed § 160.402(a) would requirethe Secretary to impose a civil moneypenalty on any covered entity which theSecretary determines has violated anadministrative simplification provision,unless the covered entity establishesthat an affirmative defense, as providedfor by § 160.410, exists. See thediscussion at section IV.C.3 below. Thisprovision is based on the language insection 1176(a) that ‘‘* * * theSecretary shall impose on any personwho violates a provision of this part apenalty * * *’’. This proposedprovision interprets ‘‘provision of thispart’’ in section 1176(a)(1) to refer toany requirement or prohibitionestablished by the statute or any of theHIPAA rules that are adopted under thestatute. See the discussion of thedefinitions of ‘‘administrativesimplification provision’’ and‘‘violation’’ in section IV.B.2 above.

The use of the term ‘‘shall impose’’ insection 1176(a) is more than a mereconveyance of authority to the Secretary

to impose a penalty for a violation of anadministrative simplification provision.If the Secretary finds in a notice of proposed determination that a coveredentity has violated an administrativesimplification provision, he is requiredto impose a penalty unless a basis fornot imposing the penalty under section1176 exists. Section 1176(a) does notlimit the Secretary’s discretion toencourage a covered entity to come intocompliance voluntarily, to close a casewithout issuing a notice of proposeddetermination if voluntary complianceis obtained, or to set the amount of the

penalty below the statutory caps. Nordoes section 1176(a) limit theSecretary’s discretion to settle anymatter, including cases in which a civilmoney penalty has been proposed orwhich are in hearing. The first sentenceof section 1128A(f) of the Act, which isincorporated by reference in section1176, states, in part, ‘‘Civil moneypenalties * * * imposed under thissection may be compromised by theSecretary * * *’’. Therefore, theSecretary may settle a case even after acivil money penalty has been proposed.

a. Section 160.402(b)—Violations byMore than One Covered Entity

The proposed rule includes aprovision, at § 160.402(b), that addresseswhat would happen if multiple coveredentities were responsible for violating aHIPAA provision. Proposed§ 160.402(b)(1) provides that, exceptwith respect to covered entities that aremembers of an affiliated covered entity,if the Secretary determines that morethan one covered entity was responsiblefor violating an administrativesimplification provision, the Secretarywill impose a civil money penaltyagainst each such covered entity.Proposed § 160.402(b)(2) provides thateach covered entity that is a member of an affiliated covered entity would bejointly and severally liable for a civilmoney penalty for a violation by theaffiliated covered entity.

Proposed § 160.402(b)(1) is based on asimilar provision in the OIG regulations

at 42 CFR 1003.102(d). It differs fromthe OIG provision in that this proposedprovision requires the imposition of apenalty on each covered entity that theSecretary determines has violated anadministrative simplification provision,rather than giving the Secretarydiscretion to determine whether toimpose a civil money penalty on one orall. This is based on the statutorylanguage in section 1176(a) which statesthat the Secretary ‘‘* * * shall imposea penalty * * *’’ when there is adetermination that an entity hasviolated a HIPAA provision. As

discussed above, the language in thestatute mandates the imposition of apenalty in appropriate situations wherethere has been a finding of a violation.However, nothing in this section wouldlimit the Secretary’s ability to exerciseenforcement discretion to investigateonly one covered entity, to encourageone or more covered entities to comeinto compliance, to close a case againstone or more covered entities withoutissuing a notice of proposeddetermination if voluntary complianceis obtained, or to set the amount of thepenalty differently for each covered

entity when multiple covered entitiesare responsible for violating anadministrative simplification provision,to the extent section 1176 and this Rulewould allow.

With the exception of affiliatedcovered entity arrangements, thisprovision may apply to any two coveredentities, including, but not limited to,those that are part of a jointarrangement, such as an organizedhealth care arrangement. Thedetermination of whether or not anentity is responsible for the violation

would be based on the facts. Simply being part of a joint arrangement wouldnot, in and of itself, make a coveredentity responsible for a violation byanother entity in the joint arrangement,although it may be a factor consideredin the analysis.

Proposed § 160.402(b)(2) provides thateach covered entity that is a member of

an affiliated covered entity would bejointly and severally liable for a civilmoney penalty for a violation by theaffiliated covered entity. An affiliatedcovered entity is a group of coveredentities under common ownership orcontrol, which have elected to be treatedas if they were one covered entity forpurposes of compliance with theSecurity and Privacy Rules. See 45 CFR164.105(b). Electing to become anaffiliated covered entity may reduce theadministrative burden and create certainefficiencies with respect to compliance.There is no requirement to form an

affiliated covered entity; the entities thatchoose to form an affiliated coveredentity must designate themselves assuch and must document thedesignation in writing.

The December 2000 Privacy Rulestated as follows with respect to theliability of the component coveredentities of an affiliated covered entity:‘‘The covered entities that together makeup the affiliated covered entity areseparately subject to liability under thisrule.’’ 65 FR 82503. We clarify thislanguage in the proposed rule. Underproposed § 160.402(b)(2), each coveredentity that is a member of an affiliated

covered entity would be jointly andseverally liable for a civil moneypenalty for a violation by the affiliatedcovered entity. This means that wecould enforce a violation of the SecurityRule or Privacy Rule by an affiliatedcovered entity against any coveredentity member of the affiliated coveredentity separately or against all of thecovered entity members of the affiliatedcovered entity jointly. The reason forjoint and several liability is that theaffiliated covered entity is treated,under the Security and Privacy Rules, asone entity. Thus, it may be impossible

to know or prove which covered entitywithin an affiliated covered entity isresponsible for a violation, particularlyin the case of a failure to act. Forexample, if an affiliated covered entityfails to appoint a privacy official asrequired by § 164.530(a)(1)(i), it may beimpossible to identify one entity asresponsible for the omission.

Proposed § 160.402(b)(2) differs fromproposed § 160.402(b)(1) in two ways.First, no covered entity in an affiliatedcovered entity could avoid a civilmoney penalty by demonstrating that it





was not responsible for the act oromission constituting the violation orthat another covered entity member of the affiliated covered entity was theculpable entity. Second, the maximumpenalty that could be imposed on allmembers of the affiliated covered entityfor identical violations in a calendaryear would be the maximum allowed for

one covered entity—$25,000. Bycontrast, under § 160.402(b)(1), if morethan one covered entity wereresponsible for a violation of anadministrative simplification provision,each covered entity would be treated asseparately violating the provision, andeach could be assessed the maximumpenalty of $25,000 in a calendar year forsufficient identical violations.

b. Section 160.402(c)—ViolationsAttributed to a Covered Entity

Under section 1176(a)(2), ‘‘theprovisions of section 1128A * * * shall

apply to the imposition of a civil moneypenalty under [HIPAA] in the samemanner as such provisions apply to theimposition of a penalty under suchsection 1128A.’’ Section 1128A(l) of theAct addresses the liability of a coveredentity for violations committed by anagent. It states that ‘‘a principal is liablefor penalties * * * under this sectionfor the actions of the principal’s agentsacting within the scope of the agency.’’ This is similar to the traditional rule of agency in which principals arevicariously liable for the acts of theiragents acting within the scope of theirauthority. See Meyer v. Holley, 537 U.S.280 (2003). The preamble to theDecember 2000 Privacy Rule discussedthe applicability of section 1128A(l ) asfollows:

we note that section 1128A(l) of the SocialSecurity Act, which applies to the impositionof civil monetary penalties under HIPAA,provides that a principal is liable forpenalties for the actions of its agent actingwithin the scope of the agency. Therefore, acovered entity will generally be responsiblefor the actions of its employees such aswhere the employee discloses protectedhealth information in violation of theregulation.

65 FR 82603.We clarify in proposed § 160.402(c)that, in the context of the HIPAA rules,this means that a covered entitygenerally can be held liable for a civilmoney penalty based on the actions of any agent, including an employee orother workforce member, acting withinthe scope of the agency or employment.A business associate will often be anagent of a covered entity, but, asdiscussed below, a covered entity thatcomplies with the HIPAA rulesgoverning business associates will not

be held liable for a business associate’sactions that violate the rules.

i. Federal Common Law of Agency

A principal’s liability for the actionsof its agents is generally governed byState law. However, the Supreme Courthas provided that the federal commonlaw of agency may be applied wherethere is a strong governmental interestin nationwide uniformity and apredictable standard and when thefederal rule in question is interpreting afederal statute. Burlington Indus. v.Ellerth, 524 U.S. 742 (1998). Here, thereis a strong interest in nationwideuniformity. The fundamental goal of theHIPAA provisions is to achievestandardization of certain health caretransactions, to standardize certainsecurity practices, and to set a federalfloor of privacy practices, in order toincrease the efficiency and effectivenessof the health care system. Therefore, it

is essential for HHS to apply oneconsistent body of law regardless of where an action is brought. The sameconsiderations support a strong federalinterest in the predictable operation of the standards, to ensure that the variouscovered entities operating thereundercan do so consistently so as to facilitatethe legitimate exchange of information.Finally, the HIPAA rules interpret afederal statute, the HIPAA provisions.Thus, the tests for application of thefederal common law of agency are methere. Accordingly, proposed§ 160.402(c) contains specific language

to make clear that the federal law of agency applies.

Where the federal common law of agency applies, the courts often look tothe Restatement (Second) of Agency (1958) (Restatement) as a basis forexplaining the common law’sapplication. While the determination of whether an agent is acting within thescope of its authority must be decidedon a case-by-case basis, the Restatementprovides guidelines for thisdetermination. Section 229 of theRestatement provides:

(1) To be within the scope of the

employment, conduct must be of the samegeneral nature as that authorized, orincidental to the conduct authorized.

(2) In determining whether or not theconduct, although not authorized, isnevertheless so similar to or incidental to theconduct authorized as to be within the scopeof employment, the following matters of factare to be considered;

(a) Whether or not the act is one commonlydone by such servants;

(b) The time, place and purpose of the act;(c) The previous relations between the

master and the servant;

(d) The extent to which the business of themaster is apportioned between differentservants;

(e) Whether or not the act is outside theenterprise of the master or, if within theenterprise, has not been entrusted to anyservant;

(f) Whether or not the master has reason toexpect that such an act will be done;

(g) The similarity in quality of the act done

to the act authorized;(h) Whether or not the instrumentality by

which the harm is done has been furnished by the master to the servant;

(i) The extent of departure from the normalmethod of accomplishing an authorizedresult; and

(j) Whether or not the act is seriouslycriminal.

In some cases, under federal agencylaw, a principal may be liable for anagent’s acts even if the agent actsoutside the scope of its authority. Rest.2nd Agency § 219(2). However,proposed § 160.402(c) would follow

section 1128A(l), which limits liabilityfor the actions of an agent to thoseactions that are within the scope of theagency.

ii. Agents

Various categories of persons may beagents of a covered entity. These areworkforce members, business associates,and others. ‘‘Workforce’’ is defined as‘‘employees, volunteers, trainees, andother persons whose conduct, in theperformance of work for a coveredentity, is under the direct control of such entity, whether or not they are

paid by the covered entity.’’ 45 CFR160.103. Because of the ‘‘direct control’’ language of the rule, we believe that allworkforce members, including thosewho are not employees, are agents of acovered entity. This conclusion isconsistent with the requirements at§§ 164.308(a)(5) and 164.530(b) for acovered entity to train all workforcemembers and with the requirement at§ 164.514(d)(2) for a covered entity toadopt minimum necessary policies andprocedures for use of protected healthinformation by all workforce members.The workforce may include an

independent contractor; as explained inthe preamble to the Privacy Rule,independent contractors ‘‘may or maynot be workforce members.’’ 65 FR82480. Under the proposed rule, acovered entity could be liable for a civilmoney penalty for a violation by anyworkforce member, whether anemployee, contractor, volunteer, trainee,etc., acting within the scope of his orher employment or agency. Wespecifically request comment onwhether there are categories of workforce members whom it would be





inappropriate to treat as agents under§ 160.402(c).

The definition of the term ‘‘ businessassociate,’’ set forth at § 160.103,includes any agents of a covered entity,other than members of its workforce,that perform on its behalf any functionor activity regulated by the HIPAA rulesor perform certain specified services for

the covered entity that involve the useor disclosure of protected healthinformation. Under the Security andPrivacy Rules, the covered entity maydisclose protected health information tothe business associate, and allow the

business associate to create or receiveprotected health information on its

behalf, if the covered entity complieswith relevant requirements to obtainsatisfactory assurances that the businessassociate will appropriately safeguardthe information. In particular,§§ 164.308(b) and 164.502(e) of theHIPAA rules require covered entities

using the services of business associatesto obtain satisfactory assurances, by awritten contract or other arrangement,that the business associate willsafeguard the protected healthinformation. If the covered entitycomplies with these requirements, thenit can protect itself from what couldotherwise be liability for actions of itsagent business associates that violate theHIPAA rules. As specified in§§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii),even if a covered entity knows of apattern of activity or practice by the

business associate that constitutes amaterial breach or violation of the

business associate’s obligations underthe contract, the covered entity will not

be considered to be in violation of theregulations if it takes certain actions. If the covered entity fails to take thesesteps, however, it is outside the safeharbor provided by the Security andPrivacy Rules and may be subject topenalty.

Some business associates are alsocovered entities. Health careclearinghouses are one example of thissituation, but a covered health careprovider or a health plan may also actas a business associate of another

covered entity. The business associateprovisions of the Security and PrivacyRules provide that where one coveredentity acts as the business associate of another covered entity and violates thesatisfactory assurances it provided as a

business associate, it is separately liablefor violation of the business associateprovisions of the Security and PrivacyRules. See §§ 164.308(b)(3) and164.502(e)(1)(iii). If the act or omissionthat resulted in a breach of the businessassociate contract by the covered entity

business associate would also constitute

a violation of an underlying provision of the Security or Privacy Rule by thatcovered entity business associate, itwould be in violation of the underlyingprovision as well.

To make this proposed rule consistentwith the business associate provisionsof the HIPAA rules, the proposed rulewould carve out from the provision for

vicarious liability those actions by a business associate that would beshielded by the business associateprovisions of the Security and PrivacyRules. Thus, a covered entity that is incompliance with the business associateprovisions of the Security and PrivacyRules would not be liable for a violationof those rules by the business associate,even though the business associate isthe covered entity’s agent and wasacting within the scope of its agencywhen it violated the rule. We recognizethat in many cases, a business associatecontract may establish an agency

relationship. However, there may also be situations in which the businessassociate may not be an agent. Forexample, the Privacy Rule permits acovered entity to rely, if such relianceis reasonable, on the request of aprofessional who is a business associateas the minimum necessary. Thissuggests that a business associate maynot always be sufficiently under thedirect control of the covered entity toqualify as an agent.

HHS has issued guidance stating thata covered entity is not required tomonitor the activities of its businessassociate:

The HIPAA Privacy Rule requires coveredentities to enter into written contracts orother arrangements with business associateswhich protect the privacy of protected healthinformation; but covered entities are notrequired to monitor or oversee the means bywhich their business associate carry outprivacy safeguards or the extent to which the

business associate abides by the privacyrequirements of the contract. Nor is thecovered entity responsible or liable for theactions of its business associates. However, if a covered entity finds out about a material

breach or violation of the contract by the business associate, it must take reasonablesteps to cure the breach or end the violation,

and, if unsuccessful, terminate the contractwith the business associate. If termination isnot feasible (e.g., where there are no otherviable business alternatives for the coveredentity), the covered entity must report theproblem to the Department of Health andHuman Services Office for Civil Rights.

FAQ Answer ID # 236 at www.hhs.gov/ ocr/hipaa, entitled ‘‘Is a covered entityliable for, or required to monitor, theactions of its business associates?’’ (Click on the link for Answers to YourFrequently Asked Questions, and thenselect and search on the subcategory for

Business Associates.) Proposed§ 160.402(c) is consistent with thisguidance. If the covered entity complieswith the applicable business associateprovisions, the covered entity will not

be held liable for the actions of its business associate. Concomitantly, if thecovered entity fails to comply withthose provisions, such as by not

entering into the requisite arrangementsor contracts, or by not taking reasonablesteps to cure the breach or end theviolation, it could be held liable underproposed § 160.402(c) for the actions of its business associate agent.

2. Sections 160.404, 160.406, 160.408—Calculation of Penalties

a. Section 160.404—Amount of a CivilMoney Penalty

Section 1176(a)(1) establishesmaximum penalty amounts forviolations. The statute provides amaximum penalty of ‘‘not more than

$100’’ for each violation (see sectionIV.B.2 above for the discussion of ‘‘violation’’), and the penalty imposedon a covered entity ‘‘for all violations of an identical requirement or prohibitionduring a calendar year may not exceed$25,000.’’

The statute establishes only maximumpenalty amounts, so the Secretary hasthe discretion to impose penalties thatare less than the statutory maximum.This proposed regulation would notestablish minimum penalties. Underproposed § 160.404(a), the penaltyamount would be determined through

the method provided for in proposed§ 160.406, using the factors set forth inproposed § 160.408, and subject to thestatutory caps reflected in proposed§ 160.404(b) and any reduction underproposed § 160.412.

Proposed § 160.404 would follow thelanguage of the statute and establish themaximum penalties for a violation andfor identical violations during acalendar year, as set forth in thestatute—up to $100 per violation and upto $25,000 for identical violations in acalendar year. Proposed § 160.404(b)makes clear that the term ‘‘calendar

year’’ means the period from January 1through the following December 31.An identical violation is a violation of

the same requirement or prohibition inone of the HIPAA rules or in the statute.It is based on the provision of theregulation or statute that has beenviolated and not on whether theviolations relate to the sameindividual’s protected healthinformation, the same transaction, or arewith the same trading partner. Forexample, assume that a health planincludes in its trading partner












agreements a provision that requires thesubmission of a data element that is notincluded in the implementation guidesfor transactions covered by theagreement and requires 7,500 differenttrading partners to sign such agreementsin a calendar year. Inclusion of theprovision violates § 162.915(b), whichprohibits covered entities from entering

into a trading partner agreement whichadds any data element or segments tothe maximum defined data set. If thepenalty is assessed at $100/violation,the total penalty for all such violationswould amount to $750,000 ($100 x7500). However, the maximum penaltythat may be assessed for the calendaryear for those violations is $25,000,

because they all relate to the sameprohibition. This is the case eventhough the violations involve 7,500different trading partners.

b. Section 160.404(b)(2)—Violations of Repeated or Overlapping Provisions in a

HIPAA RuleSome requirements or prohibitions in

the provisions of a HIPAA rule may berepeated in, or may overlap, otherprovisions in the same rule. We propose§ 160.404(b)(2) to make clear that aviolation of a more specific requirementor prohibition, such as one containedwithin an implementation specification,is not also counted, for purposes of determining civil money penalties, as anautomatic violation of a broaderrequirement or prohibition that entirelyencompasses the more specific one, inthat such duplicative requirements

generally reflect considerations of drafting and not of substance. Underthis proposal, the Secretary couldimpose a civil money penalty forviolation of either the general or thespecific requirement, but not both.

For example, if, after the applicablecompliance date for the Security Rule,a covered entity violates therequirement to implement policies andprocedures for facility access controls at§ 164.310(a)(1), the covered entity willalso have violated the Security Rule’sprovision at § 164.316(a), which is thegeneral standard requiring the

implementation of policies andprocedures. Similarly, if a coveredentity fails to implement minimumnecessary policies and procedures foruses of protected health information asrequired by the implementationspecification at § 164.514(d)(2) of thePrivacy Rule, the covered entity also hasviolated the minimum necessarystandard at § 164.514(d)(1), whichrequires compliance with theimplementation specification. In thesetwo examples, the proposed provisionwould treat the act or omission as a

violation of only one of the identifiedadministrative simplificationprovisions, not both, for purposes of imposing civil money penalties.

Proposed § 160.404(b)(2) would notapply where a covered entity’s actionresults in violations of multiple,differing requirements or prohibitionswithin the same HIPAA rule, however.The following is an example: due toinadequate safeguards, a covered entityuses protected health information in amanner prohibited by the Privacy Rule.Civil money penalties may be imposedon the covered entity for its violation of the use provision in § 164.502(a), aswell as for its violation of the safeguardsrequirement in § 164.530(c).

Proposed § 160.404(b)(2) would alsonot apply where a covered entity’saction may result in a violation of morethan one HIPAA rule; for example,failure to adopt administrativesafeguards may violate both the PrivacyRule (§ 164.530(c)) and the SecurityRule (§ 164.308). In such a case, morethan one regulatory standard has beenviolated, and the Secretary may assess apenalty under both HIPAA rules. Theproposed provision is limited toduplicate provisions in the samesubpart, or HIPAA rule, and would notapply to limit civil money penalties forviolations of more than one HIPAA rule.

Proposed § 160.404(b)(2) would alsonot preclude assessing civil moneypenalties for multiple violations of anidentical requirement or prohibition.

c. Section 160.406—Number of Violations

As stated above, section 1176(a)provides a maximum penalty foridentical violations by a covered entityin a calendar year. However, in manycases, it may not be clear exactly howto quantify the number of violations.Furthermore, the types of requirementsand prohibitions vary among and withinthe HIPAA rules—for example,requirements to adopt policies andprocedures versus requirements toconduct transactions in standard format.

There are various possible measures,or variables, that can be used to countviolations, and different laws use one ormultiple approaches. See, e.g., 42 CFRpart 488, subpart F. In the context of theHIPAA rules, there are three basicvariables that seem reasonable to use incalculating the number of violations thathave occurred—(1) the number of impermissible actions or failures to takerequired actions, (2) the number of

persons involved, and (3) the amount of time during which the violationoccurred.

i. Variables

Actions—The number of violationscould be based on the number of timesa covered entity takes a prohibitedaction (commission) or the number of times a covered entity fails to take arequired action (omission). The ‘‘action’’ variable seems likely to be a workable

variable for determining the number of violations where the acts in question arediscrete and/or repetitive, such as could

be the case with the Transactions Rule.However, the ‘‘action’’ variable mayhave a very different result in othercircumstances. For example, if acovered entity fails to implement arequired policy, there is only one failureto act, and, therefore, using thisvariable, the number of violations of therequirement would be one, even thoughsuch a failure to act might haveextended over a long period of time, beintentional, and have seriousconsequences for other entities or

individuals. Thus, the ‘‘action’’ variablemight not be appropriate in manycircumstances.

Persons—The number of violationscould be measured in terms of thenumber of persons involved or affected.Persons may be natural persons orentities, and violations could becounted in terms of one of fourcategories of persons.

• Individuals who are the subject of protected health information—forexample, the number of individualswho did not receive access to theirrecords.

• Employees for whom the coveredentity has an obligation—for example,the number of employees whoimproperly took one or moreimpermissible actions, such asimproperly using protected healthinformation.

• Persons who receive information inviolation of the rules—for example, thenumber of employees who have accessto protected health information but whoshould not have such access, either inviolation of the covered entity’sminimum necessary policies or inviolation of its access control security

procedures.• Other persons affected by theviolation—for example, the number of providers affected by an impermissiblehealth plan requirement that providersuse codes not permitted under subpart

J of the Transactions Rule.Using the ‘‘person’’ variable to

determine the number of violations of aHIPAA rule may or may not be anappropriate approach, depending on thepurpose of the regulatory provision. Forexample, counting by the ‘‘person’’ variable may not be appropriate for





purposes of counting violations of mostof the Transactions Rule requirements.

Time—When violations arecontinuous, they could be calculated interms of a unit of time, such as calendardays. For example, inclusion of a termin a trading partner agreement that isnot permitted by § 162.915 would beone action, if counted as an action, but,

if counted by time, the number of violations would depend on how longthe impermissible agreement was ineffect and what unit of time was appliedto count the number of violations.However, using a time variable makesless sense for violations that are distinctand repetitive, such as manyTransactions Rule violations would be.For example, if a covered entityconducted 3000 transactions that werenot in standard form over a two-dayperiod and another covered entityconducted two transactions that werenot in standard form over a two-day

period, each set of facts would result intwo violations under a ‘‘per day’’ approach.

ii. Determining the Number of Violations

Proposed § 160.406 would establishthe general rule that the Secretary willdetermine the number of violations of an identical requirement or prohibition

by a covered entity by applying any of the variables of action, person, or time,as follows: (1) The number of times thecovered entity failed to engage inrequired conduct or engaged in aprohibited act; (2) the number of

persons involved in, or affected by, theviolation; or (3) the duration of theviolation, counted in days (becausemany of the HIPAA requirements are interms of days, this seems to be the mostappropriate unit of time to use).Paragraph (a) of this section wouldrequire the Secretary to determine theappropriate variable or variables forcounting the number of violations basedon the specific facts and circumstancesrelated to the violation, and take intoconsideration the underlying purpose of the particular HIPAA rule that isviolated. More than one variable could

be used to determine the number of violations (for example, the number of people affected times the time (numberof days) over which the violationoccurred). Because of the range of circumstances that can be presented indetermining the number of violationsand the very different nature of theHIPAA rules that may be implicated bythose violations, the Secretary wouldhave discretion in determining whichvariable or variables were appropriatefor determining the number of violations rather than being required to

use a rigid formula, which couldproduce arbitrary results. Under thisproposal, the policy for determiningwhich variable(s) to use for which typeof violation would be developed in thecontext of specific cases rather thanestablished by regulation. Subsequentcases would be decided consistentlywith prior similar cases. This option

would defer more specific decisionsregarding the appropriate variable(s) forcounting penalties to such time as a caseraising the HIPAA provision occurs.

Several approaches were consideredin deciding how to determine thenumber of violations:

• Use one variable for all of theHIPAA rules. While this approach hasgreater consistency, the variation amongthe rules in terms of their types of requirements and prohibitions makes itdifficult to identify one variable thatwould work equally well in each rule.

• Use one variable or approach foreach individual HIPAA rule. Thisapproach would also have greaterconsistency and certainty. However, itwould not address the variations withinHIPAA rules and could be confusingwhen a covered entity violated morethan one rule.

• Categorize requirements andprohibitions and assign variables toeach. This approach would increasecertainty and consistency across all of the HIPAA rules but would likely resultin a complex scheme that might operateunfairly.

After weighing the advantages anddisadvantages of each approach, it was

determined that it would be preferableto determine the appropriate variable(s)for particular types of violations basedon the context of a specific case. Wewelcome comments on this approach,the options that were considered, andother potential options for determiningthe number of violations.

d. Section 160.408—Factors Consideredin Determining the Amount of a CivilMoney Penalty

Section 1176(a)(2) states that, withsome exceptions, the provisions of section 1128A of the Act shall apply tothe imposition of a civil money penalty

under section 1176 ‘‘in the same manneras’’ such provisions apply to theimposition of a civil money penaltyunder section 1128A. Section 1128A(d)requires that—

in determining the amount of * * * anypenalty, * * * the Secretary shall take intoaccount—

(1) The nature of the claims and thecircumstances under which they werepresented,

(2) The degree of culpability, history of prior offenses and financial condition of theperson presenting the claims, and

(3) Such other matters as justice may require.

This language establishes factors to beconsidered in determining the ultimateamount of a civil money penalty.Because section 1176 requires that civilmoney penalties be imposed in the samemanner as civil money penalties areimposed under section 1128A, suchfactors should be applied to determiningthe amount of a civil money penalty forHIPAA violations. This approach isconsistent with the approach taken inother regulations that cross-referencesection 1128A, which rely on thesefactors for purposes of determining civilmoney penalty amounts. See, e.g., 42CFR 488.438.

The factors listed in section 1128A(d)were drafted to apply to violationsinvolving claims for payment underfederally funded health programs.Because HIPAA violations will usuallynot be about specific claims, HHSproposes to tailor the section 1128A(d)

factors to the HIPAA rules and breakthem into their component elements forease of understanding and application,as follows: (1) The nature of theviolation; (2) the circumstances underwhich the violation occurred; (3) degreeof culpability; (4) history of prioroffenses; (5) financial condition of thecovered entity; and (6) such othermatters as justice may require.

Many regulations that implementsection 1128A, such as the OIGregulations, further particularize thestatutory factors by providing discretecriteria. Consistent with these otherregulations, and in order to providemore guidance to covered entities as tothe factors that would be used incalculating civil money penalties forviolations of the HIPAA rules, wepropose a more specific list of circumstances that would be consideredin calculating penalty amounts.Therefore, proposed § 160.408 providesdetailed factors, within the categoriesstated above, to consider in determiningthe amount of a civil money penalty, asfollows:

(1) The nature of the violation, whenconsidered in light of the purposes of the rule violated.

(2) The circumstances under whichthe violation occurred and theconsequences, including the time periodduring which the violation(s) occurred,whether the violation caused physicalharm, whether the violation hindered orfacilitated an individual’s ability toobtain health care, and whether theviolation resulted in financial harm.

(3) The degree of culpability of thecovered entity, including whether theviolation was intentional, and whetherthe violation was beyond the directcontrol of the covered entity.





(4) Any history of prior offenses of thecovered entity, including whether thecurrent violation is the same or similarto prior violation(s), whether and towhat extent the covered entity hasattempted to correct previous violations,how the covered entity has responded totechnical assistance from the Secretaryprovided in the context of a compliance

effort, and how the covered entity hasresponded to prior complaints. Thiscould include any violations that have

been brought to the covered entity ’sattention, including complaints raised

by individuals directly to the coveredentity, violations of which the coveredentity became aware on its own, andviolations that have been raised in thecontext of a complaint to the Secretary.

(5) The financial condition of thecovered entity, including whether thecovered entity had financial difficultiesthat affected its ability to comply,whether the imposition of a civil money

penalty would jeopardize the ability of the covered entity to continue toprovide, or to pay for, health care, andthe size of the covered entity.

(6) Such other matters as justice mayrequire.

In many regulations that implementsection 1128A, including the OIGregulations, the statutory factors and/orthe discrete criteria are designated aseither aggravating or mitigating. See,e.g., 42 CFR 1003.106(b)-(d). Forexample, in some of these regulations,history of prior offenses is listed as anaggravating factor. See, e.g., 42 CFR1003.106(b)(3). However, because the

Enforcement Rule will apply to anumber of rules and an enormousnumber of entities and circumstances,factors may be aggravating or mitigating,depending on the context. For example,the factor ‘‘time period during whichthe violation(s) occurred’’ could be anaggravating circumstance where thecovered entity decided not to comply atall with a HIPAA provision, but be amitigating circumstance where acovered entity quickly found andcorrected repetitive noncompliance.Thus, we do not propose to label any of these factors as aggravating or

mitigating. Rather, proposed § 160.408lists factors that may be considered bythe Secretary as aggravating ormitigating in determining the amount of the civil money penalty to impose. Theproposed approach would allow theSecretary to choose whether to considera particular factor and how to considereach factor as appropriate in eachsituation to avoid unfair orinappropriate results. It also would keepthe rule simple and makes possible a listof factors to consider in determiningpenalties that can work in all cases.

We propose to leave to the Secretary’sdiscretion the decision regarding whenaggravating and mitigating factors will

be taken into account in determining theamount of the civil money penalty. Thisapproach is consistent with otherregulations implementing section1128A, which do not explain how or atwhat point in the process these factors

apply. See, e.g., 42 CFR 488.438.3. Section 160.410—AffirmativeDefenses to the Imposition of a CivilMoney Penalty

Proposed § 160.410 implementssection 1176(b)(1)—(3) of the Act, whichspecify certain limitations with respectto when civil money penalties may beimposed. Paragraphs (1), (2), and (3) of section 1176(b) each state that, if theconditions described in thoseparagraphs are met, ‘‘a penalty may not

be imposed under subsection (a)’’ of section 1176. Under section 1176(b)(1),a civil money penalty may not beimposed with respect to an act thatwould be punishable by a criminalpenalty under section 1177 of the Act.Under section 1176(b)(2), a civil moneypenalty may not be imposed if it isestablished to the satisfaction of theSecretary that the person who would beliable for the civil money penalty ‘‘didnot know, and by exercising reasonablediligence would not have known’’ thatthe person violated the provision. Undersection 1176(b)(3), a civil moneypenalty may not be imposed if thefailure to comply ‘‘was due toreasonable cause and not to willful

neglect’’ and is corrected within acertain period.

Where it is shown that one or moreof these grounds exists with respect toa violation for which a civil moneypenalty is sought, such a showing barsthe imposition of a civil money penaltyfor the violation. The provisions atsection 1176(b)(1), (2), and (3), thus,constitute complete defenses to theimposition of a civil money penalty. Assuch, they meet the definition of anaffirmative defense: ‘‘A defendant’sassertion raising new facts andarguments that, if true, will defeat the

plaintiff ’s or prosecution’s claim, even if all allegations in the complaint aretrue.’’ Black’s Law Dictionary (West, 7thed. 1999).

Accordingly, proposed § 160.410would characterize the limitationsunder section 1176(b)(1), (2), and (3) as‘‘affirmative defenses,’’ to make clearthat they must be raised in the firstinstance by the respondent. See thediscussion at section IV.D.10 belowregarding proposed § 160.534, withrespect to the burden of proof. However,characterizing these grounds as

affirmative defenses would not preventthe Secretary from concluding, based oninformation already in his possession,that one of these limitations applied. If the Secretary were to conclude, basedon his investigation or on informationprovided by the covered entity underproposed § 160.312(a)(3)(i), that one ormore of these limitations applied with

respect to a violation, the Secretarywould not pursue the civil moneypenalty action with respect to theviolation. However, proposed § 160.410assumes the situation where theSecretary, through OCR or CMS, hasconcluded that none of the statutorylimitations at section 1176(b)(1), (2), or(3) applies to a particular case and has,accordingly, issued a notice of proposeddetermination to impose a civil moneypenalty. The purpose of § 160.410,therefore, is to describe what therespondent must show in order toestablish such a defense in the

proceeding that could then follow.The grounds stated in sections1176(b)(2) and (b)(3) are grounds aboutwhich the covered entity would beknowledgeable and could produceevidence. Treating them as affirmativedefenses is consistent with how similarlanguage in other statutes has beenimplemented. For example, similarlanguage in section 102 of HIPAA has

been treated as an affirmative defense:Under the implementing regulations at45 CFR 150.341(b), the burden of persuasion is on the entity to establishthat no responsible entity knew, or,exercising reasonable diligence, would

have known of the violation. Examplesof a similar assignment of burden inconnection with similar statutorylanguage are found elsewhere. See, e.g.,26 CFR 301.6651–1(c), implementing 26U.S.C. 6651 (a failure to timely file a taxreturn ‘‘is due to reasonable cause andnot due to willful neglect * * * ’’),requires ‘‘an affirmative showing of allfacts alleged as a reasonable cause* * * ’’ by the taxpayer; 8 CFR 280.5,280.51, implementing 8 U.S.C. 1323(remission of penalty for bringing inillegal aliens if the person ‘‘could nothave ascertained, by the exercise of

reasonable diligence, that * * * ’’),place the burden on the party seekingremission; 11 U.S.C. 110 (penalties forpersons who fraudulently prepare

bankruptcy petitions except wherefailure is ‘‘due to reasonable cause’’) has

been treated as an affirmative defense,U.S. Trustee v. Womack, 201 B.R. 511,518 (E.D. Ark. 1996).

Under section 1176(b)(1), a civilmoney penalty may not be imposed if the act in question ‘‘constitutes anoffense punishable under section 1177.’’ While it might appear unlikely that a





covered entity would raise this as anaffirmative defense, section 1176(b)(1)parallels sections 1176(b)(2) and (b)(3)in both structure and function. Thisconstruction suggests that Congressintended that it be treated in a parallelmanner. Proposed § 160.410,accordingly, would do so.

Finally, we recognize that other

affirmative defenses might be availablein a particular case. In order not topreclude the raising of affirmativedefenses that could legitimately beraised, the introductory text of proposed§ 160.410 is drafted to permit arespondent to offer affirmative defensesother than those provided in section1176(b).

a. Section 160.410(b)(1)—AffirmativeDefense Based on Violation Being aCriminal Offense

Section 1176(b)(1) provides that theSecretary may not impose a civil money

penalty ‘‘with respect to an act if the actconstitutes an offense punishable undersection 1177.’’ Section 1177(a) providesas follows:

A person who knowingly and in violationof this part—

(1) Uses or causes to be used a uniquehealth identifier;

(2) Obtains individually identifiable healthinformation relating to an individual; or

(3) Discloses individually identifiablehealth information relating to another person,shall be punished as provided in subsection(b).

Subsection (b) of section 1177, in turn,sets out three levels of penalties. The

level of penalty varies depending on thecircumstances under which the offensewas committed.

The proposed rule simply refers to thestatutory provision. As the criminalpenalty provision that provides the

basis for this defense is administered bythe U.S. Department of Justice, we donot propose to elaborate upon it in thisregulation.

b. Section 160.410(b)(2)—AffirmativeDefense Based on Lack of Knowledge

Section 1176(b)(2) provides as follows:A penalty may not be imposed under

subsection (a) with respect to a provision of this part if it is established to the satisfactionof the Secretary that the person liable for thepenalty did not know, and by exercisingreasonable diligence would not have known,that such person violated the provision.

For a covered entity to establish anaffirmative defense under section1176(b)(2), it must show that it did nothave actual or constructive knowledgeof the violation. What is required forsuch a showing raises several issues: (1)What ‘‘knowledge’’ will make the ‘‘lackof knowledge’’ defense no longer

available; (2) when is the ‘‘knowledge’’ of an agent imputed to the coveredentity; and (3) what constitutes‘‘reasonable diligence.’’

i. ‘‘Knowledge’’

The first question is what must thecovered entity ‘‘know’’ in order for thedefense of section 1176(b)(2) to be no

longer available. Specifically, if thecovered entity knows of the facts thatconstitute the violation, but does notknow that they constitute a violation, isthe defense under section 1176(b)(2) nolonger available?

A civil money penalty may not beimposed for a violation ‘‘if it isestablished to the satisfaction of theSecretary that the person liable for thepenalty did not know * * * that suchperson violated the provision.’’ Thislanguage on its face suggests that theknowledge involved must be knowledgethat a ‘‘violation’’ has occurred, not justknowledge of the facts constituting theviolation. Section 1176(b)(3) supportsthis reading. Under section1176(b)(3)(A)(i), the cure period—i.e.,the period in which the violation must

be corrected if the covered entity is toavail itself of the defense under section1176(b)(3)— begins to run ‘‘on the firstdate the person liable for the penaltyknew, or by exercising reasonablediligence would have known, that thefailure to comply occurred.’’ The duty totake corrective action under section1176(b)(3), thus, flows from knowledgethat ‘‘the failure to comply occurred.’’ We, thus, interpret this knowledge

requirement to mean that the coveredentity must have knowledge that aviolation has occurred, not justknowledge of the facts underlying theviolation. We use the statutory languagein framing this requirement.

This reading of the statute would notreward ignorance that is careless ordeliberate. The requirement of section1176(b)(2) that the covered entityexercise ‘‘reasonable diligence,’’ discussed below, would make a lack of knowledge defense unavailable where acovered entity’s ignorance arises fromits failure to inform itself about its

compliance obligations or to investigatecomplaints or other information itreceives indicating likelynoncompliance.

ii. Imputed Knowledge

In order to avail itself of the lack of knowledge defense, a corporate entitymust show that (1) its responsibleofficers or managers did not know aboutthe violation, and (2) even if anemployee or other agent had actualknowledge of the violation, why thatknowledge should not be imputed to the

managers and, thus, to the corporateentity itself. Whether knowledge can beimputed to a covered entity’sresponsible officers or managers will bedetermined by principles of agency. Weclarify this by providing in proposed§ 160.410(b)(2) that such knowledge will

be ‘‘determined by the federal commonlaw of agency.’’ As noted in the

discussion in section IV.C.1.b.i above,we would expect, as a general matter, tofollow the principles set forth in theRestatement (Second) of Agency withrespect to this issue. Under the generalrule at section 272 of the Restatement,an agent’s actual or constructiveknowledge is imputed to the principal,subject to certain exceptions. Rest. 2nd of Agency (1958), comments a and b.Whether any of these exceptions areapplicable would depend on thecircumstances of each case. We solicitcomment on this approach and, inparticular, illustrations and

explanations of cases where more or lessspecificity might be helpful.

iii. Reasonable Diligence

The defense under section 1176(b)(2)is available only if the covered entity‘‘ by exercising reasonable diligencewould not have known ... that the[covered entity] violated the provision.’’ The question this language raises iswhat action is required in order for acovered entity to be able to show thatit has exercised reasonable diligenceand that its ignorance of the violation is,hence, excused.

The phrase ‘‘reasonable diligence’’

has applications in many areas of thelaw. ‘‘Reasonable diligence’’ is typicallydefined as ‘‘1. A fair degree of diligenceexpected from someone of ordinaryprudence under circumstances likethose at issue. 2. See due diligence (1).’’ Black’s Law Dictionary (West, 7thedition, 1999). ‘‘Due diligence’’ is, inturn, defined as ‘‘1. The diligencereasonably expected from, andordinarily exercised by, a person whoseeks to satisfy a legal requirement or todischarge an obligation.—Also termedreasonable diligence.’’ Id. In the contextof section 1176(b)(2), these concepts

equate, we believe, to the concept of ‘‘constructive knowledge.’’ As usuallydefined, ‘‘constructive knowledge’’ isthe ‘‘knowledge that one usingreasonable care or diligence shouldhave, and therefore that is attributed bylaw to a given person.’’ Id.

The determination of whether aperson acted with reasonable diligenceis generally a factual one, since what isreasonable depends on thecircumstances. Martin v. OSHRC (Milliken & Co.), 947 F.2d 1483 (11thCir. 1991); Bell Telephone Laboratories,





Inc. v. Hughes Aircraft Co., 564 F.2d 654(3rd Cir. 1977). The courts use a varietyof formulations to articulate when aperson will be deemed to have known—i.e., to have constructive knowledge—that a particular incident occurred.However, the various formulations havecommon elements. They identify a‘‘prudent’’ or ‘‘reasonable’’ person and

consider whether that person would,under similar circumstances, have

become aware of the information inquestion. They consider how‘‘available’’ the information is; forexample, was the information in thecovered entity’s possession (such as inits electronic information system) ornot. They consider whether there was‘‘some reason to awaken inquiry andsuggest investigation;’’ for example, hadprior experience suggested that therecould be problems, which a reasonableperson would have investigated.

We considered three options for

implementing the provisions at section1176(b)(2). One approach would besimply to repeat the statutory language;a second approach would be to providea more detailed statement of criteria forestablishing reasonable diligence; andthe third approach would be to provideexamples of situations that would (orwould not) constitute reasonablediligence. We selected the second inorder to provide some guidance, but notunduly circumscribe future decisions.Adapting the Black’s definition of duediligence to the present context,proposed § 160.410(a) would define

‘‘reasonable diligence’’ to mean ‘‘the business care and prudence expectedfrom a person seeking to satisfy a legalrequirement under similarcircumstances.’’ Factors to beconsidered in evaluating theapplicability of this affirmative defensewould include whether the coveredentity took reasonable steps to learn of such violations and whether there wereindications of possible violations, suchas a complaint or other informationmade known to the entity, that a personseeking to satisfy a legal requirementwould have investigated under similar

circumstances.c. Section 160.410(b)(3)—AffirmativeDefense Based on Reasonable Cause

Section 1176(b)(3) provides as follows:(A) In general. Except as provided in

subparagraph (B), a penalty may not beimposed under subsection (a) if —

(i) The failure to comply was due toreasonable cause and not to willful neglect;and

(ii) The failure to comply is correctedduring the 30-day period beginning on thefirst date the person liable for the penaltyknew, or by exercising reasonable diligence

would have known, that the failure tocomply occurred.

(B) Extension of period. (i) No penalty. The period referred to in

subparagraph (a)(ii) may be extended asdetermined appropriate by the Secretary

based on the nature and extent of the failureto comply.

These provisions raise several issues: (1)

What is reasonable cause; (2) what iswillful neglect; and (3) how should thecure period be determined.

i. Reasonable Cause

For the defense under section 1176(b)(3) to be available, the failure tocomply at issue must be ‘‘due toreasonable cause and not to willfulneglect’’ (as well as corrected within thecure period). This language has a closeanalog in the Internal Revenue Code(IRC), which provides for an exemptionfrom penalties for late filing where thelate filing ‘‘is due to reasonable causeand not due to willful neglect.’’ 26

U.S.C. 6651(a). This IRC language wasconstrued by the United States SupremeCourt in United States v. Boyle, 469 U.S.241, 245 (1985). The Internal RevenueService (IRS) had articulated specificfactors that would constitute reasonablecause for late filing; in discussing thesefactors, the Court noted that theunderlying principle was whether thecircumstances were beyond thetaxpayer’s control.

HHS has already adopted criteriainterpreting paragraph (b)(3) that are notunlike those adopted by the IRS inconnection with its late filing penalty

statute. In the guidance published on July 24, 2003 (CMS Guidance), thecriteria developed to address theOctober 16, 2003 compliance deadlineproblems for the Transactions Rule aresimilar in nature to those developed bythe IRS. Like the IRS criteria, theypremise the existence of reasonablecause on the existence of circumstancesoutside of the covered entity’s controlwhich make compliance with theTransactions Rule unreasonable.

We considered three options forimplementing the reasonable causelanguage of section 1176(b)(3): repeating

the statutory language; providing a moredetailed statement of the criteria forestablishing reasonable cause; orproviding examples of situations thatwould (or would not) constitutereasonable cause. As with our decisionabout reasonable diligence, we took thesecond approach. Proposed § 160.410(a)would define ‘‘reasonable cause’’ as‘‘circumstances that make itunreasonable for the covered entity,despite the exercise of ordinary businesscare and prudence, to comply with theadministrative simplification provision

violated.’’ This definition is generally based on the view of the Supreme Courtin Boyle, but it is tailored to the HIPAAcontext in which the judgment inquestion would be made. It describeswith more specificity the test fordetermining whether reasonable causeexists, but does not limit this test byspecific examples. Thus, establishing

reasonable cause under section1176(b)(3) would require demonstratingcircumstances that would make itunreasonable to expect an entityexercising ordinary business care andprudence to comply with the particularrequirement that has been violated. Thedetermination of whether reasonablecause exists is generally, and under thisdefinition would be, a factual one, sincewhat is ‘‘reasonable’’ depends on thecircumstances.

ii. Willful Neglect

For the defense under section1176(b)(3) to be available, the failure of compliance must not be due to ‘‘willfulneglect.’’ In Boyle, discussed above, theSupreme Court defined ‘‘willfulneglect’’ as ‘‘conscious, intentionalfailure or reckless indifference’’ andindicated that this concept includescarelessness or other types of fault. 469U.S. at 245. Since the definition of theterm ‘‘willful neglect’’ is well settled,we propose to adapt this definition of the term in proposed § 160.410(a):‘‘conscious, intentional failure orreckless indifference to the obligation tocomply with the administrativesimplification provision violated.’’ This

definition reflects the concern thatunderlies the statutory language: wherewillful neglect caused the ‘‘failure tocomply’’ in question, the penalty shouldnot be excused.

The proposed definition is alsoconsistent with the approach alreadytaken by HHS in the CMS Guidance. Inthe CMS Guidance, HHS stated that, indetermining whether noncompliancewith the Transactions Rule would bepenalized, it would consider the ‘‘goodfaith efforts’’ of the covered entitiesdeploying contingency measures afterOctober 16, 2003 as they work to come

into compliance with the TransactionsRule. The presence of such ‘‘good faith’’ or diligent efforts to comply evidencesthe absence of willful neglect, becauseit demonstrates the absence of a‘‘reckless indifference to the obligationto comply with the administrativesimplification provision violated.’’

The issue of whether there was willfulneglect would be a factual inquiryseparate from the question of whetherreasonable cause existed, becausesection 1176(b)(3) requires both thepresence of reasonable cause and the





absence of willful neglect. In the IRCcases discussed above, for example,proving the lack of willful neglect doesnot establish the existence of reasonablecause. However, a finding concerningone element may obviate the necessityof determining the other element, byruling out the existence of a conditionprecedent for the affirmative defense.

Thus, where it is found that reasonablecause does not exist, the presence orabsence of willful neglect need not bedetermined; similarly, if it is found thatwillful neglect exists, the presence orabsence of reasonable cause need not bedetermined.

iii. Determination of the Cure Period

The presence of reasonable cause andabsence of willful neglect are notsufficient, in themselves, to establish anaffirmative defense under section1176(b)(3). The covered entity must alsocorrect the violation during the 30-dayperiod beginning when the person knewor should have known that the violationexisted. The statute gives the Secretarythe right to extend this period to theextent he determines appropriate basedon the nature and the extent of thefailure to comply. This languagepresents two issues with respect to thecure period: (1) When does the cureperiod begin; and (2) what limitations,if any, should be placed on theSecretary’s ability to extend the cureperiod.

Beginning of the Cure Period. Section1176(b)(3)(A) provides that the cureperiod begins ‘‘on the first date the

person liable for the penalty knew, or byexercising reasonable diligence wouldhave known, that the failure to complyoccurred.’’ This language is the converseof section 1176(b)(2). These twoprovisions, accordingly, dictate asequential analysis. The first question iswhether the covered entity knew, orwith reasonable diligence would haveknown, about the violation. If thecovered entity was ignorant of theviolation (i.e., it did not have actual orconstructive knowledge of theviolation), then no civil money penaltymay be imposed for the period in which

such ignorance existed. In such asituation, the covered entity’s ignoranceof the violation is a complete defense toimposition of the civil money penalty,so it is not necessary to reach thequestion of whether the grounds for adefense under section 1176(b)(3) arealso met. However, as soon as thecovered entity knows (or should haveknown) of the violation, then the cureperiod under section 1176(b)(3)(A)(ii)

begins; simultaneously, the defense of ignorance stops being available to thecovered entity. At that point, the

question is whether the grounds for the‘‘reasonable cause’’ defense (thepresence of reasonable cause, theabsence of willful neglect, and cure)exist.

We do not propose to elaborate on thestatutory language with regard to whenthe cure period begins. The text of proposed § 160.410(b)(3), like the

statute, uses the defined term‘‘reasonable diligence’’ and, thus, buildson the analysis conducted underproposed § 160.410(b)(2).

Extension of the Cure Period. Section1176(b)(3)(A)(i) provides that the cureperiod may be extended ‘‘as determinedappropriate by the Secretary based onthe nature and extent of the failure tocomply.’’ This statutory language is a

broad grant of discretion to theSecretary to determine what is‘‘appropriate,’’ requiring only that theSecretary base his decision on the‘‘nature and extent of the failure to

comply.’’ The statutory languagerequires an analysis based on thespecific circumstances of the particularfailure to comply at issue. Given theenormous number of covered entities,the almost infinite possiblecombinations of violations andcircumstances, the extensive andvarying experiences of covered entitiesin coming into compliance, the newnessof both their and our experience withrespect to compliance with the HIPAArules, and the brevity of the 30-dayperiod during which changes arerequired, the Secretary should be

afforded significant discretion to decidewhen it is appropriate to extend thecure period. Proposed§ 160.410(b)(3)(ii)(B) accordinglyfollows the statutory language andwould permit the Secretary to use thefull discretion provided by the statute.

4. Section 160.412—Waiver

Section 1176(b)(4) of the Act providesfor waiver of a civil money penalty incertain circumstances. Section1176(b)(4) provides that, if the failure tocomply is ‘‘due to reasonable cause andnot to willful neglect,’’ a penalty that

has not already been waived undersection 1176(b)(3) ‘‘may be waived tothe extent that the payment of suchpenalty would be excessive relative tothe compliance failure involved.’’ If there is reasonable cause and no willfulneglect and violation has been timelycured, the imposition of the civil moneypenalty would be precluded undersection 1176(b)(3). Therefore, waiverunder this section would be availableonly where there is reasonable cause forthe violation and no willful neglect, butthe violation was not timely cured.

Section 1176(b)(4) affords a coveredentity a statutory right to request awaiver. However, the Secretary is notrequired to grant such a request: thewords ‘‘may be waived’’ indicate thatthe decision to grant the waiver isdiscretionary. Moreover, the language‘‘to the extent that’’ and ‘‘excessiverelative to’’ indicate that the Secretary

must consider the facts of the case todetermine whether, and by whatamount, a penalty may be reduced.

While section 1176(b)(4) might appearto be subsumed by certain of thestatutory factors that could be seen asmitigating factors, this provisionduplicates neither those factors nor theaffirmative defenses. In contrast to thestatutory factors, which apply todetermining the amount of a civilmoney penalty, section 1176(b)(4)comes formally into play once thepenalty amount has been determined ,

because only after there is a specific

proposed penalty amount can it bedetermined whether the penalty ‘‘would be excessive relative to the compliancefailure involved.’’ Section 1176(b)(4)differs from the affirmative defenses inthat it is not an absolute preclusion of civil money penalties; rather, waiver orreduction under section 1176(b)(4) isdiscretionary. Finally, in contrast to themitigating factors and affirmativedefenses, section 1176(b)(4) provides aground on which a covered entity mayrequest waiver or reduction of a penalty,once the penalty amount has beendetermined.

Proposed § 160.412 does not elaborate

on the statute in any material way. Thisprovision would provide the Secretarywith the flexibility to utilize thediscretion provided by the statutorylanguage as necessary. We deem thestatutory criterion itself reasonablycapable of application, and, therefore,are not stating further criteria at thistime.

5. Section 160.414—Limitations

Proposed § 160.414 was adopted bythe April 17, 2003 interim final rule as§ 160.522. We propose to move thissection, which sets forth the 6-year

limitation period provided for in section1128A(c)(1), from subpart E to subpartD. We propose to do so because thisprovision applies generally to theimposition of civil money penalties andis not dependent on whether a hearingis requested. We also propose to changethe language of this provision so that thedate of the occurrence of the violationis the date from which the limitation isdetermined. We propose this change

because the term ‘‘violation’’ is definedin this proposed rule, whereas it wasnot defined in the April 17, 2003





interim final rule. Thus, the date of theviolation can now be accurately used tocalculate when ‘‘the occurrence tookplace,’’ as referenced in the statute. Seealso the discussion at section V.G

below.

6. Section 160.416—Authority To Settle

Proposed § 160.416 was adopted by

the April 17, 2003 interim final rule as§ 160.510. We propose to move thissection, which addresses the authorityof the Secretary to settle any issue orcase or to compromise any penaltyimposed on a covered entity, fromsubpart E to subpart D. We propose todo so because this provision appliesgenerally to the imposition of civilmoney penalties, and is not dependenton whether a hearing is requested. Nochange is made to the text of theprovision.

7. Section 160.418—Penalty NotExclusive

Proposed § 160.418 is new. It is basedupon § 1003.109 of the OIG regulations.We propose to add this section to makeclear that penalties imposed under thispart are not intended to be exclusivewhere a violation under this part mayalso be a violation of, and subject therespondent to penalties under, anotherfederal or a State law. Proposed§ 160.418 would, however, recognizethat, under section 1176(b)(1) of the Act,a penalty may not be imposed undersection 1176(a) if the act constitutes anoffense punishable under section 1177.

8. Section 160.420—Notice of ProposedDetermination

The text of proposed § 160.420 wasadopted by the April 17, 2003 interimfinal rule as § 160.514. We propose tomove this section from subpart E, whichsets out the procedures and rights of theparties to a hearing, to subpart D. Wepropose to do so because the noticeprovided for in this section must begiven whenever a civil money penalty isproposed, regardless of whether ahearing is requested. No changes areproposed to paragraphs (a)(1) and (a)(3),(4), or to paragraph (b), except

conforming changes. Paragraph (a)(2)would be revised by adding that, in theevent the Secretary employs statisticalsampling techniques under § 160.536,the sample relied upon and themethodology employed must begenerally described in the notice of proposed determination. A newparagraph (a)(5) would require thenotice to describe any circumstancesdescribed in § 160.408 that wereconsidered in determining the amountof the proposed penalty; this provisioncorresponds to § 1003.109(a)(5) of the

OIG regulations. The present paragraph(a)(5) would be renumbered as (a)(6).See also the discussion at sections V.H–V.J below.

9. Section 160.422—Failure To Requesta Hearing

The text of proposed § 160.422 wasadopted by the April 17, 2003 interim

final rule as § 160.516. We would addlanguage (‘‘and the matter is not settledpursuant to § 160.416’’) to recognize thatthe Secretary and the respondent mayagree to a settlement after the Secretaryhas issued a notice of proposeddetermination. We also provide that thepenalty is final upon receipt of thepenalty notice, to make clear whensubsequent actions, such as collection,may commence.

10. Section 160.424—Collection of Penalty

The text of § 160.424 was adopted bythe April 17, 2003 interim final rule as§ 160.518. We propose to move thissection, which addresses how a finalpenalty is collected, from subpart E tosubpart D. We propose to do so becausethis provision applies generally to theimposition of civil money penalties andis not dependent upon whether ahearing is requested.

11. Section 160.426—Notification of thePublic and Other Agencies

Proposed § 160.426 would implementsection 1128A(h) of the Act. When apenalty proposed by the Secretary

becomes final, section 1128A(h) directs

the Secretary to notify certain specifiedappropriate State or local agencies,organizations, and associations and toprovide the reasons for the penalty. Wepropose to add the public generally, inorder to make the information availableto anyone who must make decisionswith respect to covered entities. Forinstance, knowledge of the impositionof a civil money penalty for violation of the Privacy Rule could be important tohealth care consumers, as well as tocovered entities throughout theindustry, while information about theimposition of a civil money penalty for

violation of the Transactions Rule orother HIPAA rules could be of interestto a covered entity’s trading partners.

The regulatory language wouldprovide for notification in such manneras the Secretary deems appropriate.Posting to an HHS Web site and/or theperiodic publication of a notice in theFederal Register are among the methodswhich the Secretary is considering usingfor the efficient dissemination of suchinformation. These methods wouldavoid the need for the Secretary todetermine which entities, among a

potentially large universe, should benotified and would also permit thegeneral public served by coveredentities upon whom civil moneypenalties have been imposed to beapprised of this fact, where thatinformation is of interest to them. Whilethe Secretary could provide notice toindividual agencies where desired, the

Secretary could, at his option, use asingle public method of notice, such asposting to an HHS Web site, to satisfythe obligation to notify the specifiedagencies and the public. See also thediscussion at V.B below.

D. Subpart E —Procedures for Hearings

As previously explained, theprovisions of section 1128A of the Actapply to the imposition of a civil moneypenalty under section 1176 ‘‘in the samemanner as’’ they apply to the impositionof civil money penalties under section1128A itself. The provisions of subpartE are, as a consequence, based in largepart upon, and are in many respects thesame as, the OIG regulations. Wepropose to adapt, re-order, or combinethe language of the OIG regulations ina number of places for clarity of presentation or to reflect conceptsunique to the HIPAA provisions orrules. To avoid confusion, we have alsoemployed certain language usages inorder to make the usage in the rulesconsistent with that in the other HIPAArules (for example, for mandatoryduties, ‘‘must’’ or ‘‘will’’ instead of ‘‘shall’’ is used; for discretionary duties,‘‘may’’ instead of ‘‘has the authority to’’

is used). We do not discuss thosenonsubstantive changes below. Wherewe propose to materially change thelanguage of the OIG regulations,however, we discuss our reasons fordoing so.

As noted above, we have reorganizedsubparts C, D, and E so that there is alogical organization to the threesubparts. Subpart E, as we propose torevise it, will address the pre-hearingand hearing phases of the enforcementprocess. We have discussed the sectionsthat we have moved to subparts C andD in the discussion of those subparts.

The proposed movement of sections outof subpart E and the introduction of newsections into subpart E, described

below, necessitates the reordering andrenumbering of other sections of theexisting subpart E, so that the subpart isorganized logically. We do not discusssuch proposed reordering andrenumbering, unless we propose tochange substantially the text of thesection in question.

In the April 17, 2003 interim finalrule, we deferred consideration of certain provisions so that they could be





addressed through notice-and-commentrule making. Claims of privilege andother objections to the taking of testimony at investigational hearings areaddressed in proposed § 160.314. Theproposed rules relating to whatconstitutes ‘‘a violation of a provision of this part’’ and how the amount of civilmoney penalties will be determined are

found in § 160.302 of the proposedsubpart C and in §§ 160.402—160.408,respectively, of the proposed subpart D.We include in proposed subpart E theproposed rules that relate to the conductof a hearing.

1. Section 160.500—Applicability

This section has been revised toreflect the more limited scope proposedfor subpart E, resulting from themovement of many of the provisions inthe April 17, 2003 interim final rule toproposed subparts C and D.

2. Section 160.502—Definitions

Most of the definitions in this sectionof the April 17, 2003 interim final rulehave been moved either to § 160.103 orto § 160.302, and are discussed inconnection with those sections. Inaddition, we propose to delete the term‘‘entity’’ from this section. The term isused in various contexts throughout theHIPAA rules, and we believe that thedefinition in the April 17, 2003 interimfinal rule may prove confusing withrespect to the other HIPAA rules.

A new definition is added to thissection—a definition of the term‘‘Board,’’ which stands for the HHS

Departmental Appeals Board. The term‘‘Board’’ is used instead of the term‘‘DAB’’, which is used in the OIGregulations, to make clear that thereviewing body is the panel of threejudges that conducts appellate review of ALJ decisions for HHS. This term isdefined because it appears in proposed§ 160.548, discussed below.

3. Section 160.504—Hearing before anALJ

This section, which is § 160.526 of theApril 17, 2003 interim final rule, would

be largely unchanged. We note that, for

a hearing request dismissed under thissection as failing to raise any issue thatmay be properly addressed in a hearing(such as a hearing request that onlyraises constitutional claims), thissubpart provides the administrativereview channel leading to judicialreview of such claims. Thus, such adismissal would have to be appealed tothe Board, under proposed § 160.548, asa predicate to appeal to the federalcourts.

The current § 160.526(a)(2) states thatthe Departmental party in a hearing is

‘‘the Secretary.’’ The term ‘‘Secretary’’ isdefined at § 160.103 of the HIPAA rulesas ‘‘the Secretary of Health and HumanServices or any other officer oremployee of HHS to whom the authorityinvolved has been delegated.’’ TheSecretary’s authority to interpret andenforce the HIPAA rules has beendelegated to OCR, in the case of the

Privacy Rule, and to CMS, in the caseof the non-privacy HIPAA rules. Thus,the Secretary’s investigative authorityand authority to make a proposeddetermination of liability for a civilmoney penalty are exercised by OCRand/or CMS, depending on the HIPAArule or rules at issue. However, inproposed subpart E, the Secretary isperforming diverse functions: theadjudicative function is beingperformed for the Secretary by the ALJand the Board, and the decision reachedthrough this adjudicative process

becomes the decision of the Secretary; at

the same time, OCR and/or CMS areacting for the Secretary in defending theproposed determination in theadjudication. The reference to ‘‘theSecretary’’ may, thus, be confusing, aswhat part of HHS is being referred todepends on the context.

Proposed § 160.504(a)(2) wouldclarify which part of HHS acts as the‘‘party’’ in the hearing. Because whichcomponent of HHS will be the ‘‘party’’ in a particular case will depend onwhich rule is alleged to have beenviolated, and because a particular casecould involve more than one HIPAArule, we define the Secretarial party

generically, by reference to thecomponent with the delegatedenforcement authority. We adapt theregulatory definition of ‘‘Secretary’’ tomake it clear that the Secretarial partycould consist of more than one officeror employee, so that it is possible for

both CMS and OCR to be the Secretarialparty in a particular case.

The last sentence of proposed§ 160.504(b) (current § 160.526(b))provides that the date of receipt of thenotice of proposed determination ispresumed to be 5 days after the date of the notice unless the respondent makes

a reasonable showing to the contrary.This showing may be made even wherethe notice is sent by mail and is notprecluded by the computation of timerule of proposed § 160.526(c) (current§ 160.548(c)) establishing a 5-dayallowance for mailing. See section V.K

below for further discussion of thisprovision.

4. Section 160.506—Rights of the Parties

The text of paragraphs (a) and (b) of proposed § 160.506 was adopted at§ 160.528 of the April 17, 2003 interim

final rule, and no change, other than aconforming change, is proposed to thoseparagraphs. We propose to add a newparagraph (c) to address the issue of legal fees. Proposed subsection (c)adopts the same position taken in§ 1005.3(b) of the OIG regulations, byrecognizing that a party who isaccompanied, represented or advised by

an attorney is free to enter into a feearrangement of that party’s choosing.This provision is included to make clearthat the Secretary is not limiting howmuch the respondent’s attorney maycharge in attorneys fees.

5. Section 160.508—Authority of theALJ

The text of proposed § 160.508 wasadopted by the April 17, 2003 interimfinal rule as § 160.530. No changes toparagraphs (a) and (b) are proposed. Wepropose to revise paragraph (c) byadding paragraphs (c)(1) and (5) to thelist of limitations on the authority of theALJ. Proposed paragraph (c)(1) wouldrequire the ALJ to follow federalstatutes, regulations, and Secretarialdelegations of authority, and to givedeference to published guidance to theextent not inconsistent with statute orregulation. By ‘‘published guidance’’ wemean guidance that has been publiclydisseminated, including posting on theCMS or OCR Web site. Although werecognize that such guidance is notcontrolling upon the courts, we believethat the ALJ and the Board (see thediscussion below in connection withproposed § 160.548), as components of

HHS, must afford deference to suchguidance to ensure that, to the extentpossible, consistent decisions andcompliance guidance are provided bythe Secretary to covered entities.

Proposed paragraph (c)(5) clarifiesthat ALJs may not review the Secretary’sexercise of discretion whether to grantan extension or to provide technicalassistance under section 1176(b)(3)(B) of the Act or the Secretary’s exercise of discretion in the choice of variable(s)under proposed § 160.406. Proposedparagraphs (c)(1) and (5) together makeclear that the purpose of the hearing,

and the authority of the ALJ inconducting the hearing, would only beto review the proposed civil moneypenalty. Thus, the ALJ would not haveauthority to refuse to follow, or to findinvalid, the authorities cited as the basisfor the proposed civil money penalty.The ALJ also would not have authorityto review the Secretary’s exercise of discretion under section 1176(b)(3)(B) of the Act to grant an extension or toprovide technical assistance, nor wouldthe ALJ have authority to review theSecretary’s choice of variable(s) in





determining the number of violations of an identical administrativesimplification provision, as that choiceis likewise committed to the Secretary’sdiscretion. The ALJ could, however,review whether the variable(s), oncechosen, were properly applied.

6. Section 160.512—Prehearing

ConferencesProposed § 160.512 would revise

paragraph (a) to establish a minimumamount of notice (not less than 14

business days) that must be provided tothe parties in the scheduling of prehearing conferences. We propose thislimitation to address problems that have

been experienced in the context of administrative hearings in otherprograms. Proposed § 160.512 wouldalso revise paragraph (b)(11) to includethe issue of the protection of individually identifiable healthinformation as a matter that may be

discussed at the prehearing conference,if appropriate. See also the discussion atsection V.AA below, with regard to thisprovision.

7. Section 160.518—Exchange of Witness Lists, Witness Statements, andExhibits

Proposed § 160.518 carries forward§ 160.540 of the existing subpart E withone substantive change. It would reviseparagraph (a) to provide time limitswithin which the exchange of witnesslists, statements, and exhibits mustoccur prior to a hearing. Underproposed § 160.518(a), these items must

be exchanged not more than 60, but notless than 15, days prior to the scheduledhearing. We are concerned that theinformation not be exchanged too early,lest the evidence become stale, and weare also concerned that the time periodnot be too short, depriving the parties of adequate time to prepare. Experiencewith administrative hearings in otherprograms suggests the need for thisprovision. See also the discussion atsection V.R below.

8. Section 160.520—Subpoenas forAttendance at Hearing

Proposed § 160.520 would carryforward § 160.542 of the existingsubpart E mainly unchanged. Thecurrent § 160.542(c) would be revised toclarify that when a subpoena is servedon HHS, the Secretary may comply withthe subpoena by designating anyknowledgeable representative to testify.See also the discussion at sections V.Wand V.X below.

9. Section 160.532—Collateral Estoppel

Proposed § 160.532 would adopt thedoctrine of collateral estoppel applied

in federal cases that once a courtdecides an issue of fact or law necessaryto its judgment, the court’s decisionprecludes the same parties fromrelitigating the same issue in anothersuit on a different cause of action. Allen v. McCurry, 449 U.S. 90 (1980). Thedoctrine also applies to a final decisionof an administrative agency, acting in a

judicial capacity, that resolves disputedissues before it, which the parties havehad a fair opportunity to fully litigate.Astoria Federal Savings & Loan Ass’ n v.Solimino, 501 U.S. 104, 107–108 (1991).The proposed rule is modeled on§ 1003.114(a) of the OIG regulations.Section 1003.114(b), relating to the issuepreclusion arising out of a conviction orplea in a federal criminal case basedupon fraud or false statements, appearsinapplicable to enforcement of theHIPAA rules, and, hence, nocomparable provision is proposed forinclusion in this Rule.

10. Section 160.534—The HearingThe text of proposed § 160.534 was

adopted by the April 17, 2003 interimfinal rule as § 160.554. No changes toparagraphs (a) and (c) are proposed.However, HHS proposes to add a newparagraph (b) allocating the burden of proof at the hearing.

Under the Administrative ProcedureAct (APA), 5 U.S.C. 556(d), the burdenof proof in ALJ hearings has twocomponents—the burden of goingforward and the burden of persuasion.The burden of going forward relates tothe obligation to go forward initially

with evidence that supports a primafacie case. The burden of going forwardthen shifts to the other party. The

burden of persuasion relates to theobligation ultimately to convince thetrier of fact that it is more likely than notthat the advocated position is true. Theparty with the burden of persuasionloses in the situation where theevidence is in perfect balance.

Proposed § 160.534 would adopt theallocation of the burden of proof foundin the OIG regulations and inadministrative hearings generally,which is consistent with the APA. The

respondent would bear the burden of proof with respect to (1) any affirmativedefense, including those set out insection 1176(b) of the Act, asimplemented by proposed § 160.410, (2)any challenge to the amount or scope of a proposed penalty under section1128A(d), as implemented by proposed§§ 160.404—160.408, includingmitigating factors, or (3) any contentionthat a proposed penalty should bereduced or waived under section1176(b)(4), as implemented by§ 160.412. The Secretary would have the

burden of proof with respect to all otherissues, including issues of liability andthe factors considered as aggravatingfactors under proposed § 160.408 indetermining the amount of penalties to

be imposed. The burden of persuasionwould be judged by a preponderance of the evidence (i.e., it is more likely thannot that the position advocated is true).

It is also proposed to revise thecurrent § 160.554(c) by adding a newparagraph (1) at proposed § 160.534(d).Proposed § 160.534(d)(1) would providethat, at a hearing under this part, anyparty may present items or information,during its case in chief, that werediscovered after the date of the notice of proposed determination or request for ahearing, as applicable. The admissibilityof such proffered evidence would begoverned generally by the provisions of proposed § 160.540, and be subject tothe 15-day rule for the exchange of trialexhibits, witness lists and statements set

out at proposed § 160.518(a). Any suchevidence would not be admissible, if offered by the Secretary, unless it isrelevant and material to the findings of fact set forth in the notice of proposeddetermination, including circumstancesthat may increase such penalty. If anysuch evidence is offered by therespondent, it would not be admissibleunless it is relevant and material to aspecific admission, denial orexplanation of a finding of fact, or to aspecific circumstance or argumentexpressly stated in the respondent’srequest for hearing that are alleged toconstitute grounds for any defense or

the factual and legal basis for opposingor reducing the penalty. Proposed§ 160.534(d) would allow the parties theopportunity to present items andinformation that are relevant andmaterial exclusively to the issuesactually in dispute as expressly set forthin the notice of proposed determinationand request for hearing. Items andinformation that would be relevant andmaterial evidence of other violations,and support the imposition of other oradditional penalties would beinadmissible. Likewise, items orinformation that support defenses,

arguments, legal theories, or contentionsother than those expressly set forth inthe notice of hearing, or which are notrelevant and material to the admissions,denials or explanations therein made,would not be admissible. Proposed§ 160.534(d)(2) would republishparagraph (c) of the present § 160.554.

11. Section 160.536—StatisticalSampling

Proposed § 160.536, on statisticalsampling, is new. A similar provisionappears at § 1003.133 of the OIG





regulations, and the use of sampling andstatistical methods is recognized underRule 702 of the Federal Rules of Evidence. Proposed § 160.536 wouldpermit the Secretary to introduce theresults of a statistical sampling study asevidence of any variable under§ 160.406(b) used to determine thenumber of violations of a particular

administrative simplification provision,or, where appropriate, any factorconsidered in determining the amountof the civil money penalty underproposed § 160.408. If the estimation is

based upon an appropriate samplingand employs valid statistical methods, itwould constitute prima facie evidenceof the number of violations or amountof the penalty sought that is a part of theSecretary’s burden of proof. Such ashowing would cause the burden of going forward to shift to the respondent,although the burden of persuasionwould remain with the Secretary.

12. Section 160.542—The RecordThis section is § 160.560 of the April

17, 2003 interim final rule. Since thesection provides that the record of theproceedings be transcribed, we proposeto add to paragraph (a) of this section arequirement that the cost of transcription of the record be borneequally by the parties, in the interest of fairness.

13. Section 160.546—ALJ Decision

Since we are proposing a process foradministrative review of ALJ decisions(see section IV.D.14 below), the ALJ

decision would be the initial decision of the Secretary, rather than the finaldecision of the Secretary as set forth in§ 160.564(d) of the April 17, 2003interim final rule. Thus, we propose torevise paragraph (d) to provide that thedecision of the ALJ will be final and

binding on the parties 60 days from thedate of service of the ALJ decision,unless it is timely appealed by eitherparty. See also the discussion at sectionV.U below, with respect to proposed§ 160.546(b).

14. Section 160.548—Appeal of the ALJDecision

The April 17, 2003 interim final rule,at § 160.564, makes the decision of theALJ the final decision of the Secretary,thus permitting a respondent to file apetition for judicial review. In thepreamble to the interim final rule, wenoted that a second level of administrative review is generallyavailable in Departmental hearings andthat, while we had not provided for asecond level of administrative review inthe interim final rule, we intended toaddress the issue of further

administrative review in this proposedrule. We do so now.

Proposed § 160.548 is modeled on theprovisions that apply to appellatereview under the OIG regulations. Itprovides that any party may appeal theinitial decision of the ALJ to the HHSDepartmental Appeals Board (Board)within 30 days of the date of service of

the ALJ initial decision, unless extendedfor good cause. The appealing partymust file a written brief specifying itsexceptions to the initial decision. Theopposing party may file an opposition

brief, which is limited to the exceptionsraised in the brief accompanying noticeof appeal and any relevant issues notaddressed in said exceptions and must

be filed within 30 days of receiving theappealing party’s notice of appeal and

brief. The appealing party may, if permitted by the Board, file a reply

brief. These briefs may be the onlymeans that the parties will have to

present their case to the Board, sincethere is no right to appear personally before the Board. The proposed ruleprovides that if a party demonstratesthat additional evidence is material andrelevant and there are reasonablegrounds why such evidence was notintroduced at the ALJ hearing, the Boardmay remand the case to the ALJ forconsideration of the additionalevidence.

In an appeal to the Board, thestandard of review on a disputed issueof fact is whether the ALJ’s initialdecision is supported by substantialevidence on the record as a whole; on

a disputed issue of law, the standard of review is whether the ALJ’s initialdecision is erroneous. The Board maydecline to review the case; may affirm,increase (subject to the statutory caps),reduce, or reverse any penalty; or mayremand a penalty determination to theALJ.

We propose this process foradministrative review of initial ALJdecisions to achieve consistency in civilmoney penalty decisions. Becausehearings could be conducted bydifferent ALJs, it is conceivable thatdifferent ALJs might decide the same or

similar issues differently. Should thisoccur, it would be problematic for bothcovered entities and HHS. Provision foran internal, centralized review processshould reduce the likelihood of inconsistent results. Indeed, provisionfor administrative review of ALJdecisions is common in other federaladministrative hearing processes.Because the HIPAA rules affect such alarge part of the health industry and therequirements of the various HIPAAregulatory schemes are new andinterrelated, HHS considers it crucial

that the decisions reached in theadjudicative process be consistent withother adjudicated decisions as well aswith the policy decisions of theSecretary in the rules and indepartmental guidance. Since onlyaggrieved respondents can appeal to theU.S. Court of Appeals under section1128A(e), administrative review of ALJ

decisions will help to ensure that thefinal decisions subject to judicial reviewrepresent a consistent interpretation of the HIPAA rules by the Secretary. Whilea process for administrative review of ALJ decisions will add cost and time tothe process of imposing a civil moneypenalty for both HHS and coveredentities, we believe that thesedisadvantages are outweighed by thecompelling need to ensure consistencyin the decisions of HHS with respect tosuch civil money penalties. Consistencywill benefit both HHS and coveredentities.

Paragraphs (i) and (j) of proposed§ 160.548 address the issuance of theBoard’s decision on appeal. Underparagraph (i), the Board must serve itsdecision on the parties within 60 daysafter final briefs are filed. Underparagraph (j), the decision of the Boardconstitutes the final decision of theSecretary from which a petition forjudicial review may be filed by arespondent aggrieved by the Board’sdecision. This option is the traditionalprocess for administrative review of ALJinitial decisions regarding civil moneypenalties within HHS and is based onthe process set forth in the OIG

regulations. The decision of the Board becomes the final decision of theSecretary 60 days after service of thedecision, except where the decision is toremand to the ALJ or a party requestsreconsideration before the decision

becomes final. Paragraph (j) providesthat a party may request reconsiderationof the Board’s decision, provides areconsideration process, and providesthat the Board’s reconsiderationdecision becomes final on service.

Proposed § 160.548(k) provides for apetition for judicial review of a finaldecision of the Secretary. Thus, we

propose to remove § 160.568 of theApril 17, 2003 interim final rule asduplicative. The right to petition forjudicial review is not altered under thisproposal, although an ALJ decisionmust be reviewed by the Board before apetition for judicial review can be filed

by a respondent.

15. Section 160.552—Harmless Error

Proposed § 160.552 is new. It wouldadopt the ‘‘harmless error’’ rule thatapplies generally to civil litigation infederal courts. The provision provides,





in general, that the ALJ and the Boardat every stage of the proceeding willdisregard any error or defect in theproceeding that does not affect thesubstantial rights of the parties. It ismodeled on Rule 61, F.R.C.P., and on§ 1005.23 of the OIG regulations. In itsapplication, it would further promotethe efficient resolution of cases where

the proposed imposition of a civilmoney penalty is challenged.

V. Response to Public Comments

HHS requested comment on the April17, 2003 interim final rule and receivedtimely and substantive comments from19 persons or organizations. Wesummarize those comments, and ourresponses to the comments, below.

A. Comment: Two commentsdisagreed with HHS’s approach of encouraging voluntary compliance. Oneargued that such an approach istantamount to no enforcement; the otherargued that since the Secretary alreadyhas the authority to conduct compliancereviews, a complaint-driven approachfails to reflect the agency’s statutoryobligation to enforce the law and themandate under section 1176 to imposecivil money penalties for violations. Itwas also stated that while HHS’sintention to resolve potential violations

by informal means might be appropriatefor minor violations, it is inappropriatefor more serious violations or forcovered entities that demonstraterepeated resistance to compliance.

Most persons who commented on thevoluntary compliance approach

supported it, however. Several of thesecomments urged HHS to focus onresolving issues quickly and informally,particularly with respect to allegedviolations of the Transactions Rule. Onecomment asked for assurance thatcovered entities will face only one set of enforcement rules and procedures,given that two different components of HHS have enforcement responsibilities.Several organizations asked HHS toprovide more guidance with respect tohow covered entities can comply, andcan demonstrate compliance, with theHIPAA rules.

Response: We do not agree thatemphasizing voluntary complianceamounts to a policy of nonenforcement.To the contrary, our experience to datehas been that covered entities aregenerally responsive to our investigativeinquiries and act promptly to remedydeficiencies that are brought to theirattention. The overarching goal of ourenforcement program is to bring coveredentities into compliance, so that the

benefits of the HIPAA rules are fullyrealized. Securing voluntary complianceachieves this goal much more quickly

and efficiently than would a processthat was formal and adversarial from thestart. This approach is consistent withthe statute. As discussed above, one of the statutory defenses to a civil moneypenalty is the covered entity’s takingcorrective action on a timely basis,where reasonable cause for thenoncompliance exists. See section

1176(b)(3)(A). As stated above, however,should informal, cooperative efforts fail,HHS would move forward with the civilmoney penalty remedy the statuteprovides.

The Enforcement Rule addresses theconcern that covered entities not facemultiple sets of enforcement rules andprocedures, as it provides for uniformprocedures that will apply to all of theHIPAA rules. With respect to theconcerns about guidance, HHS agreesthat the provision of guidance on anongoing basis is vitally important. Asnoted above, HHS is continuing to

develop guidance on the various HIPAArules, and will be publishing suchguidance on an ongoing basis on thefollowing HHS Web sites: http:// www.hhs.gov/ocr/hipaa/ for the PrivacyRule and http://www.cms.gov/hipaa/ hipaa2/ for the other HIPAA rules.

B. Comment: Several commentssuggested that information aboutcomplaints and other noncomplianceissues should be made public to assistother covered entities in coming intocompliance. One organization statedthat the Enforcement Rule shouldinclude a requirement that the Secretaryshould annually report to Congress and

the public on the number of complaintsfiled and their disposition.

Response: The statute provides forformal notification of a number of entities when a penalty is final.Proposed § 160.426 reflects thisrequirement and would provide fornotification of the public in suchcircumstances. As previously noted,however, we expect most complaints to

be resolved informally, and informalresolutions would not come within theprocess provided for by proposed§ 160.426. OCR and CMS will considerwhether compilation and release of

analyses of complaint dispositionswould be an appropriate use of limitedresources; however, we do not proposeto mandate such action by this rule.

C. Comment: One comment askedwhether HHS anticipated developing aseparate complaint mechanism forsecurity complaints.

Response: CMS has developedcomplaint procedures for thecomplaints regarding the TransactionsRule and a complaint tool for makingsuch complaints is on the Web athttp://www.cms.hhs.gov/hipaa/hipaa2.

As the compliance dates of the HIPAArules other than the Privacy and theTransactions Rules arrive, it is expectedthat the complaint tool will be modifiedto permit the filing of complaintsrelating to compliance with those otherrules.

D. Comment: One comment statedthat additional protections are needed

for investigational inquiries. Thecomment suggested that the rule shouldinclude the procedural protections of the OIG regulations, such as permissionfor witnesses to object to answeringquestions on the basis of privilege andto clarify their answers for the record.

Response: Proposed § 160.314(b)would revise § 160.504(b) to includesuch procedural protections.

E. Comment: One comment suggestedthat the rule contain a provisionestablishing the bases under which acomplaint will be dismissed prior to arequest for a hearing. Bases suggestedwere that the complaint has beenlitigated in another forum, theopportunity to contest the matter wasavailable but not used in another forum,and another statutory remedy exists.

Response: Consistent with thepractice under the OIG regulations, therules provide for general settlementauthority, rather than specific groundsfor dismissal. See proposed § 160.416.In addition, the bases suggested in thecomment would not be grounds, per se,for dismissal.

F. Comment: One comment askedHHS to clarify the circumstances underwhich it would investigate a covered

entity that was not the subject of acomplaint.

Response: We cannot project thevariety of circumstances under whichcompliance reviews might beundertaken. Therefore, we do notpropose to limit the situations in whichthis authority could be exercised.

G. Comment: Several commentsobjected to § 160.522. One argued thatrunning the 6-year limitations periodfrom the ‘‘latest act or omission’’ is aproblem with respect to the 6-yearrecord retention period provided for bythe Privacy Rule, as covered entities

might believe that they could destroyrecords that they would later need fordefense purposes. It was also arguedthat the rule should clarify that actionsmay only be taken for violations whichoccur on or after the compliance date of the rule in question and that the date of the civil money penalty action is thedate of the notice of proposeddetermination.

Response: We agree. Proposed§ 160.414 would revise § 160.522 toprovide that the period of limitationsruns ‘‘from the date of the occurrence of










http://www.cms.hhs.gov/hipaa/hipaa2








the violation’’ and that the Secretarycommences the action ‘‘in accordancewith § 160.420, ‘‘meaning that theaction is considered to be commenced

by (and, therefore, on) the date of thenotice of proposed determination. Thedefinition of the term ‘‘violation’’ atproposed § 160.302 builds in theconcept of a duty to comply, since it

defines that term as a ‘‘failure to complywith an administrative simplificationprovision;’’ the definition of the term‘‘administrative simplificationprovision’’ in turn references theunderlying HIPAA rules, which eachexplicitly state when the duty to comply

begins.With respect to the 6-year document

retention requirement of § 164.530(j)(2),insofar as compliance issues arise out of complaints, it is unlikely that a coveredentity would be required to defend itself against a stale complaint, in view of therequirement at proposed § 160.306(b)(3)

that complaints be filed within 180 daysof when the complainant knew orshould have known of the occurrence of the violation. In any event, nothing inthe Privacy Rule precludes coveredentities from retaining documents for alonger period than § 164.530(j)(2)requires, if they wish to do so.

H. Comment: Nine commentsexpressed concern that § 160.514 doesnot specify to whom the notice of proposed determination must beaddressed. The concern was that,

because receipt is presumed 5 days aftermailing, a notice of proposeddetermination which was sent to a large

organization might not get to the properofficial on a timely basis, therebywasting some of the covered entity’stime for response. Several commentssuggested that the rule require deliveryto the chief executive officer and, asappropriate, to the company’s privacyofficer, security officer, or chief information officer. A couple of comments suggested that the ruleincorporate the service standards of Rule 4, F.R.C.P., and require serviceupon ‘‘an officer, a managing or generalagent, or to any other agent authorized

by statute to receive service.’’ Several

comments expressed support for the useof certified mail.Response: Like § 160.514, proposed

§ 160.420 does not identify the person(s)to whom the notice of proposeddetermination should be addressed, nordo we think it is necessary or feasibleto do so. Rule 4, which applies undersection 1128A(c), establishes who may

be served and applies without need forfurther regulatory action. Because thesize and other organizationalcircumstances of covered entities varygreatly, a rule that further limited or

defined who must be served would mostlikely be inappropriate for some coveredentities. Further, it is likely that a noticeof proposed determination would beissued after significant prior contactwith the covered entity, and weanticipate that our investigators wouldin any case be able to ascertain whichofficer would be the appropriate

recipient of the notice.I. Comment: Several comments also

argued that § 160.514 should, like theanalogous OIG regulations, require thenotice of proposed determination tostate the basis for the penaltycalculation. Such information wouldhelp the covered entity understand thecharges against it and prepare itsdefense. These comments recommendedthat the language in § 1003.109(a)(5) of the OIG regulations be used.

Response: We agree. A provisioncomparable to that in § 1003.109(a)(5)was omitted from § 160.514 because theinterim final rule did not provide for theaggravating and mitigating factorsreferenced in this provision of the OIGregulations. The proposed rule,however, contains the factors that may

be considered in determining theamount of the penalty. Accordingly,proposed § 160.420 follows the OIGregulations in this respect.

J. Comment: One comment stated thatit was not clear how the notice of proposed determination would interfacewith § 160.312 and whether the writtenfindings there end the informalresolution phase. The commentadvocated that notice be provided

before the notice of proposeddetermination.

Response: We agree that it is not clearhow § 160.514 interfaces with the noticeprocess described at § 160.312. Atpresent, § 160.312(a)(2) provides thatthe Secretary may issue written findingsdocumenting noncompliance, if noncompliance is found and notinformally resolved. Thus, we proposeto revise § 160.312 to make the interface

between that section and proposed§ 160.420 (currently § 160.514)seamless. Specifically, proposed§ 160.312(a)(3)(ii) would provide that if

the Secretary finds that a covered entityis not in compliance, the matter is notsettled by informal means, andimposition of a civil money penalty iswarranted, the Secretary will so informthe covered entity in a notice of proposed determination in accordancewith § 160.420. The notice of proposeddetermination would constitute theformal notice that the matter had not

been informally resolved and that HHShad decided to seek civil moneypenalties. Further, with respect to noticeprior to the notice of proposed

determination, proposed§ 160.312(a)(3)(i) would provide thatwhere noncompliance is indicated andthe matter is not resolved by informalmeans, HHS would so inform thecovered entity and give the coveredentity an opportunity to submit writtenevidence of any affirmative defenses ormitigating factors, prior to issuing a

notice of proposed determination.K. Comment: Several comments

objected to the presumption in§ 160.526(b) that the date of receipt of the notice of proposed determination is5 days after the date of the notice. Theyargued that this presumption couldwork a hardship, in combination withthe 60-day time limit for requesting ahearing, if the notice went to the wrongperson in the organization or otherwisewent astray.

Response: Proposed § 160.504(b)retains the language of the interim finalrule. We believe the concerns about

hardship are misplaced. Therequirement permits the ALJ to grant anextension of the 5-day time period if therespondent demonstrates that thepresumption should not apply: ‘‘Forpurposes of this section, therespondent’s date of receipt of thenotice of proposed determination ispresumed to be 5 days after the date of the notice unless the respondent makesa reasonable showing to the contrary tothe ALJ.’’ This language tracks thecomparable provision at § 1005.2(c) of the OIG regulations and has workedwell.

L. Comment: A number of commentsobjected to the 60-day time limit in§ 160.526(b) for a respondent to file itsrequest for hearing, in combination withthe specific detail required by thatsection. They objected to the time limitand the related requirement for specificresponse on several grounds: the level of specificity demanded requires therespondent to devise its entire defense,and, because the notice of proposeddetermination is the first notice therespondent has of the charges, 60 daysis too short a time period in which todo this; the requirement requires more

specificity of the respondent than of theSecretary, which is unfair; and therequirements, together with the 5-daypresumption of receipt and the failure tospecify who receives the notice of proposed determination, are unfair anda violation of a respondent’s right to dueprocess. It was generally recommendedthat the request for hearing requirementparallel § 1005.2 of the OIG regulations,which requires the request to be madewithin 60 days of receipt of the notice,

but requires that the request for hearingstate which findings of fact and





conclusions of law are disputed and the basis for the dispute.

Response: The comments on thisissue assume that a notice of proposeddetermination will be served on arespondent with no warning. Thisassumption is not reasonable under theprocedures the proposed rule wouldestablish, however. Proposed § 160.304

would require the Secretary to seek thecooperation of the covered entity inobtaining compliance to the extentpracticable, which will necessitatecommunication about thenoncompliance at issue. Theinvestigation or compliance reviewprocess itself will necessarily disclosemuch about the noncompliance at issueto the facility, since the covered entitywill typically be the primary source of information relevant to theinvestigation. If an investigation orcompliance review indicatesnoncompliance, proposed

§ 160.312(a)(1) provides that theSecretary will attempt to reach aresolution of the matter satisfactory tothe Secretary by informal means.Further, where noncompliance isindicated and the matter is not resolved

by informal means, HHS will so informthe covered entity and give it theopportunity to submit written evidenceof any affirmative defenses or mitigatingfactors, prior to issuing a notice of proposed determination. See proposed§ 160.312(a)(3)(i). Thus, the coveredentity necessarily will be made awareof, and have the opportunity to address,HHS’s compliance concerns throughout

the investigative period preceding thenotice of proposed determination andshould not be surprised by the mattersdescribed in the notice. For thesereasons, we do not believe that the 60-day response time is inadequate.

M. Comment: One comment statedthat settlements should be approved bythe ALJ. Another asked whethersettlements will be a viable path toresolution of disputes.

Response: Consistent with ourcommitment to obtaining voluntarycompliance and the regulatory policiesdiscussed in the preceding response, we

expect that settlement of complianceissues will be frequent. We do notpropose to have the ALJ approve suchsettlements, to preserve our ability toresolve compliance issues and achievevoluntary compliance through informalmeans. See proposed § 160.514.

N. Comment: Several commentsqueried whether covered entities would

be held liable under the EnforcementRule for violations by their businessassociates. Of particular concern wereviolations committed by health careclearinghouses.

Response: Under § 160.402 of theproposed rule, a covered entity wouldnot be liable for the actions of its

business associates where the coveredentity has complied with theappropriate business associateprovisions. See section IV.C.1.b. abovefor further discussion.

O. Comment: Several comments

stated that the rule needs to state whata violation is, what the aggravating andmitigating circumstances are, how thetotal fine for violations is calculated,and what would constitute anacceptable defense and indicate anappropriate level of ‘‘due diligence.’’ One comment suggested that evidenceof willingness to enter into a correctiveaction plan should be a mitigatingfactor. One comment noted that the fullEnforcement Rule was needed beforethe April 17, 2003 interim final ruleexpires.

Response: We generally agree. Theproposed rule addresses the violationand affirmative defense issues at§§ 160.402–160.410. Also, the April 17,2003 interim final rule has beenextended by separate regulatory actionto permit ongoing enforcement whilethis rulemaking proceeds. Proposed§ 160.408(d)(3) provides that theSecretary may consider, as anaggravating or mitigating factor, how thecovered entity has responded totechnical assistance from the Secretaryprovided in the context of a complianceeffort, with respect to prior offenses.

P. Comment: One comment asked thatthe Enforcement Rule describe the

procedures for referral to theDepartment of Justice of suspectedcriminal violations. Another commentasked that HHS attempt to ensure thatthe application of the criminalprovisions by the Department of Justicewas the same as the application of thecivil provisions by HHS.

Response: The procedures for referralof criminal matters to the Department of

Justice lie outside the scope of theEnforcement Rule, which implementsonly HHS’s authority under section1176 of the Act.

Q. Comment: One comment requested

clarification of the statutory basis forimposing penalties for violations of thePrivacy Rule, since section 264 is afootnote in the U.S. Code.

Response: Section 264 of the Act iscodified as a note to 42 U.S.C. 1320d–2. We have always read section 264 asfunctionally a part of Part C. Section 264and Part C cross-reference each other,and the terminology of section 264 isalso the terminology of Part C(‘‘standard’’, ‘‘individually identifiablehealth information’’, ‘‘implementationspecification’’). Further, the criminal

penalty provisions of section 1177would not make sense if they did notapply to the privacy standards, andsection 1176 is, as discussed at IV.C.3above, closely related to section 1177.The legislative history confirms thiscommon-sense reading. See H. Rep. No.496, 104th Cong., 2d Sess., 1996 U.S.Code Cong. & Admin. News, p. 1865.

This reading of the statute accordswith that of Congress. Section 1860D–31(h)(6)(A) of the Act, adopted byMMA, states that an endorsed discountdrug card sponsor—

is a covered entity for purposes of applyingpart C of title XI and all regulatory provisionspromulgated thereunder, includingregulations (relating to privacy) adoptedpursuant to the authority of the Secretaryunder section 264(c) of the Health InsurancePortability and Accountability Act of 1996(42 U.S.C. 1320d–2 note).

R. Comment: With respect toprehearing proceedings, two commentsstated that permitting the ALJ to requireexchange of witness lists more than 15days prior to the hearing could seriouslyinfringe on the amount of time thecovered entity has to prepare its case. Itwas also argued that 60 days is too shorta period to prepare for the hearing. Onecomment stated that interrogatoriesshould be allowed, because records may

be incomplete or contain mistakes. Onecomment supported the requirement of § 160.540(b)(3) (proposed§ 160.518(b)(3)), requiring the ALJ torecess the hearing for a reasonable timefor an objecting party to prepare aresponse to witnesses or exhibits that

were not exchanged prior to the hearing.Response: The scheduling of a hearing

will depend on the schedule of the ALJto whom the case is assigned, amongother factors. There is nothing in theEnforcement Rule that requires thescheduling of the hearing within acertain period of time following therequest for hearing. Thus, we do notthink that the provision for exchange of information earlier than 15 days prior tohearing should work a hardship oneither side, and the ALJ should be ableto establish a schedule that takes intoconsideration the needs of the parties.

Indeed, we believe that this requirementwill assist each party in presenting awell-prepared case that will result in anefficient and effective hearing. As theprehearing procedures permit bothdocumentary and testimonial discovery,we do not permit interrogatories, whichwe believe would add extra time and

burden to the preparation processwithout commensurate benefit.

S. Comment: Several comments urgedthat the rule should contain a procedureto permit the parties to waive theprehearing conference and the formal





hearing and request that the case besubmitted on documentary evidenceand written argument, to make theprocess more efficient and lessexpensive.

Response: Proposed §§ 160.508(b)(13)and 160.512(b)(4), (5) would permit this.

T. Comment: One comment statedthat the covered entity should have the

burdens of going forward andpersuasion on affirmative defenses andmitigating circumstances, while HHSshould have the burdens of goingforward and persuasion on allegationsof violation.

Response: We agree. Proposed§ 160.534(b) so provides.

U. Comment: Several commentsstated that the ‘‘affirm, increase, orreduce the penalties imposed by theSecretary’’ language of § 160.564(b)would not permit the ALJ to decide thatno violation occurred.

Response: The language of § 160.564of the April 17, 2003 interim final rule,which is now found at proposed§ 160.546, will permit the ALJ to decidethat no violation occurred. Proposed§ 160.546(a) requires the ALJ to makefindings of fact and conclusions of law.If these findings and conclusionssupport a determination that therespondent did not violate anadministrative simplification provision,then no penalty may be imposed. Thelanguage in proposed § 160.546(b)permits an ALJ who determines that arespondent has violated anadministrative simplification provisionto act in regard to the penalty amount

set forth in the notice of proposeddetermination, that is, to affirm,increase, or reduce the amount of theproposed penalty in accordance withthe other applicable provisions of theregulations.

V. Comment: Several commentsargued that statistical sampling would

be inappropriate to establish the numberof violations. It was argued thatstatistical sampling, as used in the OIGhearings, had been used improperly, instudies that had basic weaknesses, suchas a too small sample size.

Response: Proposed § 160.536

provides for the use of statisticalsampling, as a well-establishedevidentiary tool. Proposed § 160.536(b),which affords the opposing side theopportunity to rebut the statistical proof offered, provides a procedural safeguardto permit a respondent to challenge thereliability of any statistical proof offered.

W. Comment: Two commentssuggested that respondents should beable to subpoena HHS witnesses withdirect knowledge of the investigation orother matters at issue.

Response: Proposed § 160.520(c)provides that the Secretary mustdesignate a representative who is‘‘knowledgeable’’ to testify. It woulddisrupt the agency’s operations if arespondent could subpoena any HHSofficial by name. The requirement thatthe HHS representative beknowledgeable should permit the

presentation of informed testimony,while permitting the orderly conduct of government business to continue.

X. Comment: One comment statedthat the rule should permit acceptanceof testimony or a written statement fromindividuals whose privacy was violated,permit such individuals to testify, andrequire that such individuals be given30 days notice of the hearing.

Response: The proposed rule wouldnot preclude us from offering thetestimony of such individuals, but thedecision to do so is a litigation decisionthat must be reserved to the agency. We

do not require that notice of the hearing be provided to the individuals whoseprivacy was violated, but suchinformation is publicly available.

Y. Comment: A number of commentsstated that agency review of the ALJdecision was needed or questioned whyit was not provided. A few commentssupported having the ALJ decision bethe final agency action as resulting in amore efficient and expeditious process.

Response: We have proposed a secondlevel of agency review, for the reasonsset out at section IV.D.14 above.

Z. Comment: Two commentsquestioned the provision for set-off at

§ 160.518(c). One asked whether set-off would occur without state-level dueprocess. The other was concerned aboutprovision of notice. Both wereconcerned that set-off could have adevastating impact on those to whom itwas applied.

Response: The right of set-off isprovided for by section 1128A(f).Proposed § 160.424(c) accordinglyretains it. We intend to followapplicable procedures in pursuing set-off.

AA. Comment: A couple of commentsobjected to § 160.560. It was stated that

the rule should incorporate additionalprocedures to ensure that protectedhealth information introduced intoevidence is protected from review byoutside parties, redactions should bemade available to the parties for review,and OCR should be required to pay forthe court reporter.

Response: The protection of protectedhealth information, including byredaction of the record, is a matter thancan be addressed in the prehearingconference. See proposed§ 160.512(b)(11). We believe that the

ALJ will be in the best position todetermine what specific steps should betaken in a particular case to protect theprivacy of any protected healthinformation introduced into evidence.In the interest of fairness, proposed§ 160.542(a) would apportion the cost of transcription of the record equally

between the parties.

BB. Comment: One comment statedthat § 160.558(g) should be revised torequire the Secretary to include noticeto the respondent where HHS intends topresent in its case in chief evidence of past crimes or similar evidence to showmotive, opportunity, intent, etc.

Response: Proposed § 160.540(g)would retain this provision. Thisprovision tracks § 1005.17(g) of the OIGregulations, and we see no basis todepart from our practice in this regard.

VI. Impact Statement and OtherRequired Analyses

A. Paperwork Reduction Act We reviewed this proposed rule to

determine whether it raises issues thatwould subject it to the PaperworkReduction Act (PRA). While the PRAapplies to agencies and collections of information conducted or sponsored bythose agencies, 5 CFR 1320.4(a) exemptscollections of information that occur‘‘during the conduct of * * * anadministrative action, investigation, oraudit involving an agency againstspecific individuals or entities,’’ exceptfor investigations or audits ‘‘undertakenwith reference to a category of

individual or entities such as a class of licensees or an entire industry.’’ Theproposed rule comes within thisexemption, as it deals entirely withadministrative investigations andactions against specific individuals orentities. Consequently, it need not bereviewed by the Office of Managementand Budget under the authority of thePRA.

B. Executive Order 12866; Regulatory Flexibility Act; Section 1102, Social Security Act; Unfunded MandatesReform Act of 1995; Small BusinessRegulatory Enforcement Fairness Act of

1996; Executive Order 13132We have examined the impacts of this

proposed rule as required by ExecutiveOrder 12866 (September 1993,Regulatory Planning and Review), theRegulatory Flexibility Act (RFA)(September 16, 1980, Pub. L. 96–354),section 1102(b) of the Social SecurityAct, the Unfunded Mandates ReformAct of 1995 (Pub. L. 104–4), the SmallBusiness Regulatory Enforcement andFairness Act, 5 U.S.C. 801 et seq., andExecutive Order 13132.





1. Executive Order 12866

Executive Order 12866 (as amended by Executive Order 13258, whichmerely reassigns responsibility of duties) directs agencies to assess allcosts and benefits of available regulatoryalternatives and, if regulation isnecessary, to select regulatoryapproaches that maximize net benefits(including potential economic,environmental, public health and safetyeffects, distributive impacts, andequity). Executive Order 12866 defines,at section 3(f), several categories of ‘‘significant regulatory actions.’’ Onecategory is ‘‘economically significant’’ rules, which are defined in section3(f)(1) of the Order as rules that may‘‘have an annual effect on the economyof $100 million or more, or adverselyaffect in a material way the economy,productivity, competition, jobs, theenvironment, public health or safety, orState, local, or tribal governments or

communities.’’ Another category, undersection 3(f)(4) of the Order, consists of rules that are ‘‘significant regulatoryactions’’ because they ‘‘raise novel legalor policy issues arising out of legalmandates, the President’s priorities, orthe principles set forth in this ExecutiveOrder.’’ Executive Order 12866 requiresa full economic impact analysis only for‘‘economically significant’’ rules undersection 3(f)(1).

We have concluded that this ruleshould be treated as a ‘‘significantregulatory action’’ within the meaningof section 3(f)(4) of Executive Order

12866, because the HIPAA provisions to be enforced have extremely broadimplications for the Nation’s health caresystem, and because of the novel issuespresented by, and the uncertaintiessurrounding, compliance amongcovered entities. However, we havedetermined that the impact of this ruleis not such that it reaches theeconomically significant thresholdunder section 3(f)(1) of the Order.

Estimating the impacts of this rulepresents unique challenges. On its face,the rule simply describes how HHSplans to enforce the HIPAA provisions,

and can be considered a procedural rulewithout any intrinsic impact. However,health care providers, insurers, andhealth care clearinghouses that arecovered by the HIPAA provisionsrepresent a large proportion of theirrespective economic sectors. Further, allare within the jurisdiction of theEnforcement Rule (which is a‘‘significant regulatory action,’’ as notedabove).

The actual economic impacts of implementing the HIPAA provisions aresubsumed in each of the applicable

substantive regulations (Privacy Rule,Security Rule, Transactions Rule, etcetera). The economic impacts properlyattributable to this rule, however, arethose stemming from changes to currentpractice as a result of the EnforcementRule and the cost of new and additionalresponsibilities that are required toconform to the Rule. In general, these

costs are limited to costs related toconducting and responding to theinvestigation of complaints concerningthe alleged HIPAA violations overwhich HHS has jurisdiction andcompliance reviews, conductinghearings, and levying and collectingcivil money penalties. The cost of conducting and responding toinvestigations of privacy complaints andcompliance reviews with respect to thePrivacy Rule has already been covered

by the impact analysis of the PrivacyRule. Here we extend these processes tothe other HIPAA rules. For reasons

outlined in the following narrative, weanticipate the impacts of the additionalactivities covered by this rule to fall

below the $100 million annualthreshold that would raise this rule tothe definition of ‘‘economicallysignificant,’’ but acknowledge there ismuch that is unknown underlying theassumptions that have led us to thisconclusion. We discuss theseassumptions below.

Affected Entities and Projected Costs. Because of its scope, purview, andpotential application, the EnforcementRule is a significant regulatory actionwithin the meaning of section 3(f)(4) of

Executive Order 12866. We believe thatover 2.5 million health care providers,health plans, and health careclearinghouses will meet the definitionof a covered entity.

It is difficult for us to determine orestimate the impact of the EnforcementRule on covered entities. All coveredentities are expected to comply with theHIPAA rules. Enhancing the likelihoodof compliance is the fact that eachsubstantive HIPAA rule (e.g., thePrivacy Rule, the Security Rule, theTransactions Rule) has at least a twenty-six month period between publication

of the final rule and the compliance date(60 days for APA Congressional review,plus 24 months for covered entities or36 months for small health plans). Thus,covered entities have at least 26 monthsto prepare for implementation, and HHShas provided, and will continue toprovide, ample educationalopportunities for covered entities duringthese periods. We also note that, asevidenced by the CMS Guidance,discussed above, where HHS becameaware of potential noncomplianceproblems with the Transactions Rule, it

acted proactively to outline an approachto enforcement that would permitflexibility under certain circumstancesand which would not penalize goodfaith efforts to come into compliance.Accordingly, noncompliance that would

be pursued under the provisions of theproposed Enforcement Rule should beconsidered to be the exception, rather

than the norm.Further minimizing the impact of the

Enforcement Rule is the fact that mostcompliance efforts undertaken underthe provisions of the rule are expectedto result from complaints, rather thancompliance reviews. To date,complaints have involved only aninfinitesimal percentage of the universeof covered entities. As of the end of July2004, OCR has received over 7,500complaints related to the Privacy Rulesince the compliance date of April 14,2003, and CMS has received 145complaints related to the Transactions

Rule since the compliance date of October 16, 2003.The most expensive impacts of this

rule will derive from those cases inwhich the covered entities exercise theirrights of appeal under subpart E of part160. Based on our experience with othercivil money penalty cases, the costs of such cases can be expected to dwarf thecosts of cases that are resolved prior tothe hearing stage. However, again basedon our experience in other civil moneypenalty cases, very few of the casesopened will proceed through that stage.That other Departmental experience is

borne out by our experience with

respect to the HIPAA complaintsreceived to date. Of the privacycomplaints received and processed bythe end of July 2004, approximately57% were resolved immediately due tolack of jurisdiction (e.g, the complaintpertained to events that occurred beforethe implementation date of the relevantHIPAA regulation, the complaint didnot relate to a covered entity, et cetera)or because of action taken by thecovered entity to resolve the complaintvoluntarily; similarly, of the 145transactions complaints received fromOctober 2003 through July 2004, 60%

were closed in that period. Thus, itseems reasonable to assume that thecosts attributable to the provisions of this rule will, in most cases that areopened, be low.

We recognize that our experience todate reflects slightly over one year of experience under the Privacy Rule, andless than one year under theTransactions Rule. Data generated oncases that might lead to the impositionof a civil money penalty during thistime frame may not be typical of whatwe will see over time. For example, the





number of complaints that may bedismissed because they involvesituations that occurred before therelevant compliance date shoulddecrease with the passage of time.Similarly, we would expect theinstances of noncompliance to decreaseas covered entities gain experience incomplying with the HIPAA rules; on the

other hand, the number of complaintscould increase as individuals andentities become more aware of the rules’ requirements. As we acquire experienceunder the rules, we will have a moreextensive database for evaluating theimpacts of enforcement activities.

Benefits of the Enforcement Rule. We believe that the value of the benefits brought by the HIPAA provisions aresufficient to warrant appropriateenforcement efforts. The benefits of theunderlying HIPAA rules have beenpreviously estimated in connection withthe Privacy and the Transactions Rules,

and are significant. The EnforcementRule will encourage voluntarycompliance, and provide a means forenforcing compliance where it is notforthcoming voluntarily, therebyfacilitating the achievement of the

benefits of the other HIPAA rules. See, 65 FR 50350–50351; 65 FR 82760,82776–82779; 68 FR 8370–8371. The

benefits of these protections faroutweigh the costs of this enforcementregulation.

Summary. In most cases, if coveredentities comply with the various HIPAArules, they should not incur anysignificant additional costs as a result of

the Enforcement Rule. This is based onthe fact the costs intrinsic to most of theHIPAA rules and operating directionsagainst which compliance is evaluatedhave been scored independently of thisrule and the requirements have notchanged. We recognize that the specificrequirements against which complianceis evaluated are not yet well known andmay evolve with experience underHIPAA, but we expect that coveredentities have both the ability andexpectation to maintain compliance,especially given our commitment toencouraging and facilitating voluntary

compliance. While not straightforwardto project, it seems likely that thenumber of times in which the full civilmoney penalty enforcement process will

be invoked will be extremely small, based on the evidence to date.

2. Other Analyses

We also examined the impact of theproposed Rule as required by theRegulatory Flexibility Act (RFA). TheRFA requires agencies to determinewhether a rule will have a significanteconomic impact on a substantial

number of small entities. For purposesof the RFA, small entities include small

businesses, nonprofit organizations, andgovernment jurisdictions; for health careentities, the size standard for a ‘‘small’’ entity ranges from $6 million to $29million in revenues in any one year.Most hospitals and most other providersand suppliers are small entities, either

by nonprofit status or by havingrevenues less than the applicable sizestandard in any one year. As discussedabove, the incidence of noncomplianceis expected to be low, and, as alsodiscussed above, it is expected that mostissues of noncompliance will beresolved with minimal enforcementaction. Even though the burden of regulatory compliance often fallsdisproportionately on small entities,there is no evidence to suggest thatsmall entities have a higher rate of noncompliance than large entities. TheSecretary therefore certifies that this

rule will not have a significanteconomic impact on a substantialnumber of small entities.

Section 1102(b) of the Act requiresagencies to prepare a regulatory impactanalysis if a rule may have a significantimpact on the operations of a substantialnumber of small rural hospitals. Thisanalysis must conform to the provisionsof section 603 (proposed documents)/604 (final documents) of the RFA. Forpurposes of section 1102(b) of the Act,we define a small rural hospital as ahospital that is located outside of aMetropolitan Statistical Area and hasfewer than 100 beds. This proposed rule

would not have a significant impact onsmall rural hospitals. The rule wouldimplement procedures necessary for theSecretary to enforce subtitle F of Title IIof HIPAA. As noted earlier, we do notexpect that covered entities willwillfully be out of compliance in sucha way that would result in anenforcement action proceeding throughthe hearing stage.

Section 202 of the UnfundedMandates Reform Act of 1995, 2 U.S.C.1531 et seq., also requires that agenciesassess anticipated costs and benefits

before issuing any rule that may result

in expenditure in any one year by State,local, or tribal governments, in theaggregate, or by the private sector, of $100 million. The Small BusinessRegulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 801 et seq., requires that rules that will have animpact on the economy of $100 millionor more per annum be submitted forCongressional review. For the reasonsdiscussed above, this proposed rulewould not impose a burden largeenough to require a section 202statement under the Unfunded

Mandates Reform Act of 1995 orCongressional review under SBREFA.

Executive Order 13132 establishescertain requirements that an agencymust meet when it adopts a proposedrule (and subsequent final rule) thatimposes substantial direct requirementcosts on State and local governments,preempts State law, or otherwise hasFederalism implications. This proposedrule does not have ‘‘Federalismimplications.’’ The rule would not have‘‘substantial direct effects on the States,on the relationship between the nationalgovernment and the States, or on thedistribution of power andresponsibilities among the variouslevels of government.’’ As theEnforcement Rule is procedural innature, its economic effects would not

be substantial, as explained previously.Any preemption of State law that couldoccur would be a function of theunderlying HIPAA rules, not the

Enforcement Rule, which principallyestablishes the means by which thestatutory civil money penalty provisionswill be implemented. Therefore, theEnforcement Rule is not subject toExecutive Order 13132 (Federalism).

Dated: April 8, 2005.

Michael O. Leavitt,

Secretary.

List of Subjects

45 CFR Part 160

Administrative practice andprocedure, Computer technology,

Electronic transactions, Employer benefit plan, Health, Health care, Healthfacilities, Health insurance, Healthrecords, Hospitals, Investigations,Medicaid, Medical research, Medicare,Penalties, Privacy, Reporting and recordkeeping requirements, Security.

45 CFR Part 164

Administrative practice andprocedure, Electronic informationsystem, Electronic transactions,Employer benefit plan, Health, Healthcare, Health facilities, Health Insurance,Health records, Hospitals, Medicaid,

Medical research, Medicare, Privacy,Reporting and record keepingrequirements, Security.

For the reasons set forth in thepreamble, the Department of Health andHuman Services proposes to amend 45CFR subtitle A, subchapter C, parts 160and 164, as set forth below.

PART 160—GENERALADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 160is revised to read as follows:





Authority: 42 U.S.C. 1302(a), 42 U.S.C.1320d–1320d–8, and sec. 264 of Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)).

2. Section § 160.103 is amended byadding the definition ‘‘Person’’ inalphabetical order to read as follows:

§ 160.103 Definitions.

* * * * *Person means a natural person, trust

or estate, partnership, corporation,professional association or corporation,or other entity, public or private.

* * * * *3. Revise subpart C of this part to read

as follows:

Subpart C—Compliance andInvestigations

Sec.160.300 Applicability.160.302 Definitions.160.304 Principles for achieving

compliance.

160.306 Complaints to the Secretary.160.308 Compliance reviews.160.310 Responsibilities of covered entities.160.312 Secretarial action regarding

complaints and compliance reviews.160.314 Investigational subpoenas and

inquiries.160.316 Refraining from intimidation or

retaliation.

Subpart C—Compliance andInvestigations

§ 160.300 Applicability.

This subpart applies to actions by theSecretary, covered entities, and others

with respect to ascertaining thecompliance by covered entities with,and the enforcement of, the applicablerequirements of this part 160 and theapplicable standards, requirements, andimplementation specifications of parts162 and 164 of this subchapter.


As used in this subpart and subpartsD and E of this part, the following termshave the following meanings:

Administrative simplification provision means any requirement orprohibition established by:

(1) 42 U.S.C. 1320d–1320d–4, 1320d–

7, and 1320d–8;(2) Section 264 of Pub. L. 104–191; or(3) This subchapter.ALJ means Administrative Law Judge.Civil money penalty or penalty means

the amount determined under § 160.404of this part and includes the plural of these terms.

Respondent means a covered entityupon which the Secretary has imposed,or proposes to impose, a civil moneypenalty.

Violation or violate means, as thecontext may require, failure to comply

with an administrative simplificationprovision.

§ 160.304 Principles for achievingcompliance.

(a) Cooperation. The Secretary will, tothe extent practicable, seek thecooperation of covered entities inobtaining compliance with the

applicable administrative simplificationprovisions.(b) Assistance. The Secretary may

provide technical assistance to coveredentities to help them comply voluntarilywith the applicable administrativesimplification provisions.

§ 160.306 Complaints to the Secretary.

(a) Right to file a complaint. A personwho believes a covered entity is notcomplying with the administrativesimplification provisions may file acomplaint with the Secretary.

(b) Requirements for filing complaints. Complaints under this

section must meet the followingrequirements:

(1) A complaint must be filed inwriting, either on paper orelectronically.

(2) A complaint must name the personthat is the subject of the complaint anddescribe the acts or omissions believedto be in violation of the applicableadministrative simplificationprovision(s).

(3) A complaint must be filed within180 days of when the complainant knewor should have known that the act oromission complained of occurred,

unless this time limit is waived by theSecretary for good cause shown.(4) The Secretary may prescribe

additional procedures for the filing of complaints, as well as the place andmanner of filing, by notice in theFederal Register.

(c) Investigation. The Secretary mayinvestigate complaints filed under thissection. Such investigation may includea review of the pertinent policies,procedures, or practices of the coveredentity and of the circumstancesregarding any alleged violation.

§ 160.308 Compliance reviews.

The Secretary may conductcompliance reviews to determinewhether covered entities are complyingwith the applicable administrativesimplification provisions.

§ 160.310 Responsibilities of coveredentities.

(a) Provide records and compliancereports. A covered entity must keepsuch records and submit suchcompliance reports, in such time andmanner and containing suchinformation, as the Secretary may

determine to be necessary to enable theSecretary to ascertain whether thecovered entity has complied or iscomplying with the applicableadministrative simplificationprovisions.

(b) Cooperate with complaint investigations and compliance reviews. A covered entity must cooperate with

the Secretary, if the Secretaryundertakes an investigation orcompliance review of the policies,procedures, or practices of the coveredentity to determine whether it iscomplying with the applicableadministrative simplificationprovisions.

(c) Permit access to information. (1) Acovered entity must permit access bythe Secretary during normal businesshours to its facilities, books, records,accounts, and other sources of information, including protected healthinformation, that are pertinent to

ascertaining compliance with theapplicable administrative simplificationprovisions. If the Secretary determinesthat exigent circumstances exist, such aswhen documents may be hidden ordestroyed, a covered entity must permitaccess by the Secretary at any time andwithout notice.

(2) If any information required of acovered entity under this section is inthe exclusive possession of any otheragency, institution, or person and theother agency, institution, or person failsor refuses to furnish the information, thecovered entity must so certify and setforth what efforts it has made to obtainthe information.

(3) Protected health informationobtained by the Secretary in connectionwith an investigation or compliancereview under this subpart will not bedisclosed by the Secretary, except if necessary for ascertaining or enforcingcompliance with the applicableadministrative simplificationprovisions, or if otherwise required bylaw.

§ 160.312 Secretarial action regardingcomplaints and compliance reviews.

(a) Resolution when noncompliance is

indicated. (1) If an investigation of acomplaint pursuant to § 160.306 or acompliance review pursuant to§ 160.308 indicates noncompliance, theSecretary will attempt to reach aresolution of the matter satisfactory tothe Secretary by informal means.Informal means may includedemonstrated compliance or acompleted corrective action plan orother agreement.

(2) If the matter is resolved byinformal means, the Secretary will soinform the covered entity and, if the





matter arose from a complaint, thecomplainant, in writing.

(3) If the matter is not resolved byinformal means, the Secretary will—

(i) So inform the covered entity andprovide the covered entity anopportunity to submit written evidenceof any mitigating factors or affirmativedefenses for consideration under

§§ 160.408 and 160.410. The coveredentity must submit any such evidence tothe Secretary within 30 days (computedin the same manner as prescribed under§ 160.526) of receipt of suchnotification; and

(ii) If, following action pursuant toparagraph (a)(3)(i) of this section, theSecretary finds that a civil moneypenalty should be imposed, inform thecovered entity of such finding in anotice of proposed determination inaccordance with § 160.420.

(b) Resolution when no violation is found. If, after an investigation pursuantto § 160.306 or a compliance reviewpursuant to § 160.308, the Secretarydetermines that further action is notwarranted, the Secretary will so informthe covered entity and, if the matterarose from a complaint, thecomplainant, in writing.

§ 160.314 Investigational subpoenas andinquiries.

(a) The Secretary may issuesubpoenas in accordance with 42 U.S.C.405(d) and (e), 1320a–7a(j), and 1320d–5 to require the attendance andtestimony of witnesses and theproduction of any other evidence during

an investigation pursuant to this part.For purposes of this paragraph, a personother than a natural person is termed an‘‘entity.’’

(1) A subpoena issued under thisparagraph must—

(i) State the name of the person(including the entity, if applicable) towhom the subpoena is addressed;

(ii) State the statutory authority forthe subpoena;

(iii) Indicate the date, time, and placethat the testimony will take place;

(iv) Include a reasonably specificdescription of any documents or itemsrequired to be produced; and

(v) If the subpoena is addressed to anentity, describe with reasonableparticularity the subject matter onwhich testimony is required. In thatevent, the entity must designate one ormore natural persons who will testify onits behalf, and must state as to each suchperson that person’s name and addressand the matters on which he or she willtestify. The designated person musttestify as to matters known orreasonably available to the entity.

(2) A subpoena under this sectionmust be served by—

(i) Delivering a copy to the naturalperson named in the subpoena or to theentity named in the subpoena at its lastprincipal place of business; or

(ii) Registered or certified mailaddressed to the natural person at his orher last known dwelling place or to theentity at its last known principal placeof business.

(3) A verified return by the naturalperson serving the subpoena settingforth the manner of service or, in thecase of service by registered or certifiedmail, the signed return post officereceipt, constitutes proof of service.

(4) Witnesses are entitled to the samefees and mileage as witnesses in thedistrict courts of the United States (28U.S.C. 1821 and 1825). Fees need not bepaid at the time the subpoena is served.

(5) A subpoena under this section isenforceable through the district court of the United States for the district wherethe subpoenaed natural person resides

or is found or where the entity transacts business.(b) Investigational inquiries are non-

public investigational proceedingsconducted by the Secretary.

(1) Testimony at investigationalinquiries will be taken under oath oraffirmation.

(2) Attendance of non-witnesses isdiscretionary with the Secretary, exceptthat a witness is entitled to beaccompanied, represented, and advised

by an attorney.(3) Representatives of the Secretary

are entitled to attend and ask questions.(4) A witness will have the

opportunity to clarify his or her answerson the record following questioning bythe Secretary.

(5) Any claim of privilege must beasserted by the witness on the record.

(6) Objections must be asserted on therecord. Errors of any kind that might becorrected if promptly presented will bedeemed to be waived unless reasonableobjection is made at the investigationalinquiry. Except where the objection ison the grounds of privilege, the questionwill be answered on the record, subjectto objection.

(7) If a witness refuses to answer any

question not privileged or to producerequested documents or items, orengages in conduct likely to delay orobstruct the investigational inquiry, theSecretary may seek enforcement of thesubpoena under paragraph (a)(5) of thissection.

(8) The proceedings will be recordedand transcribed. The witness is entitledto a copy of the transcript, uponpayment of prescribed costs, exceptthat, for good cause, the witness may belimited to inspection of the officialtranscript of his or her testimony.

(9)(i) The transcript will be submittedto the witness for signature.

(A) Where the witness will beprovided a copy of the transcript, thetranscript will be submitted to thewitness for signature. The witness maysubmit to the Secretary writtenproposed corrections to the transcript,with such corrections attached to the

transcript. If the witness does not returna signed copy of the transcript orproposed corrections within 30 days(computed in the same manner asprescribed under § 160.526) of its beingsubmitted to him or her for signature,the witness will be deemed to haveagreed that the transcript is true andaccurate.

(B) Where, as provided in paragraph(b)(8) of this section, the witness islimited to inspecting the transcript, thewitness will have the opportunity at thetime of inspection to proposecorrections to the transcript, with

corrections attached to the transcript.The witness will also have theopportunity to sign the transcript. If thewitness does not sign the transcript oroffer corrections within 30 days(computed in the same manner asprescribed under § 160.526 of this part)of receipt of notice of the opportunity toinspect the transcript, the witness will

be deemed to have agreed that thetranscript is true and accurate.

(ii) The Secretary’s proposedcorrections to the record of transcriptwill be attached to the transcript.

(c) Consistent with § 160.310(c)(3),

testimony and other evidence obtainedin an investigational inquiry may beused by HHS in any of its activities andmay be used or offered into evidence inany administrative or judicialproceeding.

§ 160.316 Refraining from intimidation orretaliation.

A covered entity may not threaten,intimidate, coerce, discriminate against,or take any other retaliatory actionagainst any individual or other personfor—

(a) Filing of a complaint under§ 160.306;

(b) Testifying, assisting, orparticipating in an investigation,compliance review, proceeding, orhearing under this part; or

(c) Opposing any act or practice madeunlawful by this subchapter, providedthe individual or person has a good faith

belief that the practice opposed isunlawful, and the manner of oppositionis reasonable and does not involve adisclosure of protected healthinformation in violation of subpart E of part 164 of this subchapter.





4. Amend 45 CFR part 160 by addinga new subpart D to read as follows:

Subpart D—Imposition of Civil MoneyPenalties

Sec.160.400 Applicability.160.402 Basis for a civil money penalty.160.404 Amount of a civil money penalty.160.406 Number of violations.

160.408 Factors considered in determiningthe amount of a civil money penalty.

160.410 Affirmative defenses.160.412 Waiver.160.414 Limitations.160.416 Authority to settle.160.418 Penalty not exclusive.160.420 Notice of proposed determination.160.422 Failure to request a hearing.160.424 Collection of penalty.160.426 Notification of the public and other

agencies.

Subpart D—Imposition of Civil MoneyPenalties


This subpart applies to the impositionof a civil money penalty by theSecretary under 42 U.S.C. 1320d–5.

§ 160.402 Basis for a civil money penalty.

(a) General rule. Subject to § 160.410,the Secretary will impose a civil moneypenalty upon a covered entity if theSecretary determines that the coveredentity has violated an administrativesimplification provision.

(b) Violation by more than onecovered entity. (1) Except as provided inparagraph (b)(2) of this section, if theSecretary determines that more than one

covered entity was responsible for aviolation, the Secretary will impose acivil money penalty against each suchcovered entity.

(2) Each covered entity that is amember of an affiliated covered entity,in accordance with § 164.105(b) of thissubchapter, is jointly and severallyliable for a civil money penalty for aviolation of part 164 of this subchapter

based on an act or omission of theaffiliated covered entity.

(c) Violation attributed to a covered entity. A covered entity is liable, inaccordance with the federal common

law of agency, for a civil money penaltyfor a violation based on the act oromission of any agent of the coveredentity, including a workforce member,acting within the scope of the agency,unless—

(1) The agent is a business associateof the covered entity;

(2) The covered entity has complied,with respect to such business associate,with the applicable requirements of §§ 164.308(b) and 164.502(e) of thissubchapter; and

(3) The covered entity did not—

(i) Know of a pattern of activity orpractice of the business associate, and

(ii) Fail to act as required by§§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii)of this subchapter, as applicable.

§ 160.404 Amount of a civil money penalty.

(a) The amount of a civil moneypenalty will be determined in

accordance with paragraph (b) of thissection and §§ 160.406, 160.408, and160.412.

(b) The amount of a civil moneypenalty that may be imposed is subjectto the following limitations:

(1) The Secretary may not impose acivil money penalty—

(i) In the amount of more than $100for each violation; or

(ii) In excess of $25,000 for identicalviolations during a calendar year(January 1 through the followingDecember 31).

(2) If a requirement or prohibition inone administrative simplification

provision is repeated in a more generalform in another administrativesimplification provision in the samesubpart, a civil money penalty may beimposed for a violation of only one of these administrative simplificationprovisions.

§ 160.406 Number of violations.

(a) General rule. To determine thenumber of violations of an identicaladministrative simplification provision

by a covered entity, the Secretary willapply, as he deems appropriate, anyvariables identified at paragraph (b) of

this section, based upon:(1) The facts and circumstances of theviolation; and

(2) The underlying purpose of thesubpart of this subchapter that isviolated.

(b) Variables. (1) The number of timesthe covered entity failed to engage inrequired conduct or engaged in aprohibited act;

(2) The number of persons involvedin, or affected by, the violation; or

(3) The duration of the violationcounted in days.

§ 160.408 Factors considered in

determining the amount of a civil moneypenalty.

In determining the amount of anycivil money penalty, the Secretary mayconsider as aggravating or mitigatingfactors, as appropriate, any of thefollowing:

(a) The nature of the violation, in lightof the purpose of the rule violated.

(b) The circumstances, including theconsequences, of the violation,including but not limited to:

(1) The time period during which theviolation(s) occurred;

(2) Whether the violation causedphysical harm;

(3) Whether the violation hindered orfacilitated an individual’s ability toobtain health care; and

(4) Whether the violation resulted infinancial harm.

(c) The degree of culpability of thecovered entity, including but not

limited to:(1) Whether the violation wasintentional; and

(2) Whether the violation was beyondthe direct control of the covered entity.

(d) Any history of prior offenses of thecovered entity, including but notlimited to:

(1) Whether the current violation isthe same or similar to prior violation(s);

(2) Whether and to what extent thecovered entity has attempted to correctprevious violations;

(3) How the covered entity hasresponded to technical assistance fromthe Secretary provided in the context of

a compliance effort; and(4) How the covered entity has

responded to prior complaints.(e) The financial condition of the

covered entity, including but notlimited to:

(1) Whether the covered entity hadfinancial difficulties that affected itsability to comply;

(2) Whether the imposition of a civilmoney penalty would jeopardize theability of the covered entity to continueto provide, or to pay for, health care;and

(3) The size of the covered entity.(f) Such other matters as justice may

require.

§ 160.410 Affirmative defenses.

(a) As used in this section, thefollowing terms have the followingmeanings:

Reasonable cause meanscircumstances that would make itunreasonable for the covered entity,despite the exercise of ordinary businesscare and prudence, to comply with theadministrative simplification provisionviolated.

Reasonable diligence means the business care and prudence expected

from a person seeking to satisfy a legalrequirement under similarcircumstances.

Willful neglect means conscious,intentional failure or recklessindifference to the obligation to complywith the administrative simplificationprovision violated.

(b) The Secretary may not impose acivil money penalty on a covered entityfor a violation if the covered entityestablishes that an affirmative defenseexists with respect to the violation,including the following:





(1) The violation is an act punishableunder 42 U.S.C. 1320d–6;

(2) The covered entity establishes, tothe satisfaction of the Secretary, that itdid not have knowledge of the violation,determined in accordance with thefederal common law of agency, and, byexercising reasonable diligence, wouldnot have known that the violation

occurred; or(3) The violation is— (i) Due to reasonable cause and not

willful neglect; and(ii) Corrected during either:(A) The 30-day period beginning on

the date the covered entity liable for thepenalty knew, or by exercisingreasonable diligence would haveknown, that the violation occurred; or

(B) Such additional period as theSecretary determines to be appropriate

based on the nature and extent of thefailure to comply.

§ 160.412 Waiver.

For violations described in§ 160.410(b)(3)(i) that are not correctedwithin the period described in§ 160.410(b)(3)(ii), the Secretary maywaive the civil money penalty, in wholeor in part, to the extent that payment of the penalty would be excessive relativeto the violation.

§ 160.414 Limitations.

No action under this subpart may beentertained unless commenced by theSecretary, in accordance with § 160.420,within 6 years from the date of theoccurrence of the violation.

§ 160.416 Authority to settle.

Nothing in this subpart limits theauthority of the Secretary to settle anyissue or case or to compromise anypenalty.

§ 160.418 Penalty not exclusive.

Except as otherwise provided by 42U.S.C. 1320d–5(b)(1), a penalty imposedunder this part is in addition to anyother penalty prescribed by law.

§ 160.420 Notice of proposeddetermination.

(a) If a penalty is proposed in

accordance with this part, the Secretarymust deliver, or send by certified mailwith return receipt requested, to therespondent, written notice of theSecretary’s intent to impose a penalty.This notice of proposed determinationmust include—

(1) Reference to the statutory basis forthe penalty;

(2) A description of the findings of fact regarding the violations withrespect to which the penalty is proposed(except in cases where the Secretary isrelying upon a statistical sampling study

in accordance with § 160.536, in whichcase the notice must describe the studyrelied upon and briefly describe thestatistical sampling technique used bythe Secretary);

(3) The reason(s) why the violation(s)subject(s) the respondent to a penalty;

(4) The amount of the proposedpenalty;

(5) Any circumstances described in§ 160.408 that were considered indetermining the amount of the proposedpenalty; and

(6) Instructions for responding to thenotice, including a statement of therespondent’s right to a hearing, astatement that failure to request ahearing within 60 days permits theimposition of the proposed penaltywithout the right to a hearing under§ 160.504 or a right of appeal under§ 160.548, and the address to which thehearing request must be sent.

(b) The respondent may request a

hearing before an ALJ on the proposedpenalty by filing a request in accordancewith § 160.504.

§ 160.422 Failure to request a hearing.

If the respondent does not request ahearing within the time prescribed by§ 160.504 and the matter is not settledpursuant to § 160.416, the Secretary willimpose the proposed penalty or anylesser penalty permitted by 42 U.S.C.1320d–5. The Secretary will notify therespondent by certified mail, returnreceipt requested, of any penalty thathas been imposed and of the means bywhich the respondent may satisfy the

penalty, and the penalty is final onreceipt of the notice. The respondenthas no right to appeal a penalty under§ 160.548 with respect to which therespondent has not timely requested ahearing.

§ 160.424 Collection of penalty.

(a) Once a determination of theSecretary to impose a penalty has

become final, the penalty will becollected by the Secretary, subject to thefirst sentence of 42 U.S.C. 1320a–7a(f).

(b) The penalty may be recovered ina civil action brought in the United

States district court for the districtwhere the respondent resides, is found,or is located.

(c) The amount of a penalty, whenfinally determined, or the amountagreed upon in compromise, may bededucted from any sum then or laterowing by the United States, or by a Stateagency, to the respondent.

(d) Matters that were raised or thatcould have been raised in a hearing

before an ALJ, or in an appeal under 42U.S.C. 1320a–7a(e), may not be raised asa defense in a civil action by the United

States to collect a penalty under thispart.

§ 160.426 Notification of the public andother agencies.

Whenever a proposed penalty becomes final, the Secretary will notify,in such manner as the Secretary deemsappropriate, the public and the

following organizations and entitiesthereof and the reason it was imposed:The appropriate State or local medicalor professional organization, theappropriate State agency or agenciesadministering or supervising theadministration of State health careprograms (as defined in 42 U.S.C.1320a–7(h)), the appropriate utilizationand quality control peer revieworganization, and the appropriate Stateor local licensing agency or organization(including the agency specified in 42U.S.C. 1395aa(a), 1396a(a)(33)).

5. Revise subpart E to read as follows:

Subpart E—Procedures for Hearings

Sec.160.500 Applicability.160.502 Definitions.160.504 Hearing before an ALJ.160.506 Rights of the parties.160.508 Authority of the ALJ.160.510 Ex parte contacts.160.512 Prehearing conferences.160.514 Authority to settle.160.516 Discovery.160.518 Exchange of witness lists, witness

statements, and exhibits.160.520 Subpoenas for attendance at

hearing.160.522 Fees.

160.524 Form, filing, and service of papers.160.526 Computation of time.160.528 Motions.160.530 Sanctions.160.532 Collateral estoppel.160.534 The hearing.160.536 Statistical sampling.160.538 Witnesses.160.540 Evidence.160.542 The record.160.544 Post hearing briefs.160.546 ALJ decision.160.548 Appeal of the ALJ decision.160.550 Stay of the Secretary’s decision.160.552 Harmless error.

Subpart E—Procedures for Hearings


This subpart applies to hearingsconducted relating to the imposition of a civil money penalty by the Secretaryunder 42 U.S.C. 1320d–5.


As used in this subpart, the followingterm has the following meaning:

Board means the members of the HHSDepartmental Appeals Board, in theOffice of the Secretary, who issuedecisions in panels of three.





§ 160.504 Hearing before an ALJ.

(a) A respondent may request ahearing before an ALJ. The parties to thehearing proceeding consist of —

(1) The respondent; and(2) The officer(s) or employee(s) of

HHS to whom the enforcementauthority involved has been delegated.

(b) The request for a hearing must be

made in writing signed by therespondent or by the respondent’sattorney and sent by certified mail,return receipt requested, to the addressspecified in the notice of proposeddetermination. The request for a hearingmust be mailed within 60 days afternotice of the proposed determination isreceived by the respondent. Forpurposes of this section, therespondent’s date of receipt of thenotice of proposed determination ispresumed to be 5 days after the date of the notice unless the respondent makesa reasonable showing to the contrary to

the ALJ.(c) The request for a hearing mustclearly and directly admit, deny, orexplain each of the findings of factcontained in the notice of proposeddetermination with regard to which therespondent has any knowledge. If therespondent has no knowledge of aparticular finding of fact and so states,the finding shall be deemed denied. Therequest for a hearing must also state thecircumstances or arguments that therespondent alleges constitute thegrounds for any defense and the factualand legal basis for opposing the penalty.

(d) The ALJ must dismiss a hearingrequest where—

(1) The respondent’s hearing requestis not filed as required by paragraphs (b)and (c) of this section;

(2) The respondent withdraws therequest for a hearing;

(3) The respondent abandons therequest for a hearing; or

(4) The respondent’s hearing requestfails to raise any issue that may properly

be addressed in a hearing.

§ 160.506 Rights of the parties.

(a) Except as otherwise limited by thissubpart, each party may—

(1) Be accompanied, represented, andadvised by an attorney;(2) Participate in any conference held

by the ALJ;3) Conduct discovery of documents as

permitted by this subpart;(4) Agree to stipulations of fact or law

that will be made part of the record;(5) Present evidence relevant to the

issues at the hearing;(6) Present and cross-examine

witnesses;(7) Present oral arguments at the

hearing as permitted by the ALJ; and

(8) Submit written briefs andproposed findings of fact andconclusions of law after the hearing.

(b) A party may appear in person or by a representative. Natural personswho appear as an attorney or otherrepresentative must conform to thestandards of conduct and ethicsrequired of practitioners before the

courts of the United States.(c) Fees for any services performed on

behalf of a party by an attorney are notsubject to the provisions of 42 U.S.C.406, which authorizes the Secretary tospecify or limit their fees.

§ 160.508 Authority of the ALJ.

(a) The ALJ must conduct a fair andimpartial hearing, avoid delay, maintainorder, and ensure that a record of theproceeding is made.

(b) The ALJ may— (1) Set and change the date, time and

place of the hearing upon reasonablenotice to the parties;

(2) Continue or recess the hearing inwhole or in part for a reasonable periodof time;

(3) Hold conferences to identify orsimplify the issues, or to consider othermatters that may aid in the expeditiousdisposition of the proceeding;

(4) Administer oaths and affirmations;(5) Issue subpoenas requiring the

attendance of witnesses at hearings andthe production of documents at or inrelation to hearings;

(6) Rule on motions and otherprocedural matters;

(7) Regulate the scope and timing of

documentary discovery as permitted bythis subpart;(8) Regulate the course of the hearing

and the conduct of representatives,parties, and witnesses;

(9) Examine witnesses;(10) Receive, rule on, exclude, or limit

evidence;(11) Upon motion of a party, take

official notice of facts;(12) Conduct any conference,

argument or hearing in person or, uponagreement of the parties, by telephone;and

(13) Upon motion of a party, decidecases, in whole or in part, by summary

judgment where there is no disputedissue of material fact. A summaryjudgment decision constitutes a hearingon the record for the purposes of thissubpart.

(c) The ALJ— (1) May not find invalid or refuse to

follow Federal statutes, regulations, orSecretarial delegations of authority andmust give deference to publishedguidance to the extent not inconsistentwith statute or regulation;

(2) May not enter an order in thenature of a directed verdict;

(3) May not compel settlementnegotiations;

(4) May not enjoin any act of theSecretary; or

(5) May not review the exercise of discretion by the Secretary with respectto—

(i) Whether to grant an extensionunder § 160.410(b)(3)(ii)(B) or to provide

technical assistance under 42 U.S.C.1320d–5(b)(3)(B); and

(ii) Selection of variable(s) under§ 160.406.

§ 160.510 Ex parte contacts.

No party or person (except employeesof the ALJ’s office) may communicate inany way with the ALJ on any matter atissue in a case, unless on notice andopportunity for both parties toparticipate. This provision does notprohibit a party or person frominquiring about the status of a case orasking routine questions concerning

administrative functions or procedures.§ 160.512 Prehearing conferences.

(a) The ALJ must schedule at least oneprehearing conference, and mayschedule additional prehearingconferences as appropriate, uponreasonable notice, which may not beless than 14 business days, to theparties.

(b) The ALJ may use prehearingconferences to discuss the following—

(1) Simplification of the issues;(2) The necessity or desirability of

amendments to the pleadings, includingthe need for a more definite statement;

(3) Stipulations and admissions of factor as to the contents and authenticity of documents;

(4) Whether the parties can agree tosubmission of the case on a stipulatedrecord;

(5) Whether a party chooses to waiveappearance at an oral hearing and tosubmit only documentary evidence(subject to the objection of the otherparty) and written argument;

(6) Limitation of the number of witnesses;

(7) Scheduling dates for the exchangeof witness lists and of proposed

exhibits;(8) Discovery of documents aspermitted by this subpart;

(9) The time and place for the hearing;(10) The potential for the settlement

of the case by the parties; and(11) Other matters as may tend to

encourage the fair, just and expeditiousdisposition of the proceedings,including the protection of privacy of individually identifiable healthinformation that may be submitted intoevidence or otherwise used in theproceeding, if appropriate.





(c) The ALJ must issue an ordercontaining the matters agreed upon bythe parties or ordered by the ALJ at aprehearing conference.

§ 160.514 Authority to settle.

The Secretary has exclusive authorityto settle any issue or case without theconsent of the ALJ.

§ 160.516 Discovery.

(a) A party may make a request toanother party for production of documents for inspection and copyingthat are relevant and material to theissues before the ALJ.

(b) For the purpose of this section, theterm ‘‘documents’’ includesinformation, reports, answers, records,accounts, papers and other data anddocumentary evidence. Nothingcontained in this section may beinterpreted to require the creation of adocument, except that requested datastored in an electronic data storagesystem must be produced in a formaccessible to the requesting party.

(c) Requests for documents, requestsfor admissions, written interrogatories,depositions and any forms of discovery,other than those permitted underparagraph (a) of this section, are notauthorized.

(d) This section may not be construedto require the disclosure of interviewreports or statements obtained by anyparty, or on behalf of any party, of persons who will not be called aswitnesses by that party, or analyses andsummaries prepared in conjunction

with the investigation or litigation of thecase, or any otherwise privilegeddocuments.

(e)(1) When a request for productionof documents has been received, within30 days the party receiving that requestmust either fully respond to the request,or state that the request is being objectedto and the reasons for that objection. If objection is made to part of an item orcategory, the part must be specified.Upon receiving any objections, the partyseeking production may then, within 30days or any other time frame set by theALJ, file a motion for an order

compelling discovery. The partyreceiving a request for production mayalso file a motion for protective orderany time before the date the productionis due.

(2) The ALJ may grant a motion forprotective order or deny a motion for anorder compelling discovery if the ALJfinds that the discovery sought—

(i) Is irrelevant;(ii) Is unduly costly or burdensome;(iii) Will unduly delay the

proceeding; or(iv) Seeks privileged information.

(3) The ALJ may extend any of thetime frames set forth in paragraph (e)(1)of this section.

(4) The burden of showing thatdiscovery should be allowed is on theparty seeking discovery.

§ 160.518 Exchange of witness lists,witness statements, and exhibits.

(a) The parties must exchange witnesslists, copies of prior written statementsof proposed witnesses, and copies of proposed hearing exhibits, includingcopies of any written statements that theparty intends to offer in lieu of livetestimony in accordance with § 160.538,not more than 60, and not less than 15,days before the scheduled hearing.

(b)(1) If, at any time, a party objectsto the proposed admission of evidencenot exchanged in accordance withparagraph (a) of this section, the ALJmust determine whether the failure tocomply with paragraph (a) of this

section should result in the exclusion of that evidence.(2) Unless the ALJ finds that

extraordinary circumstances justifiedthe failure timely to exchange theinformation listed under paragraph (a)of this section, the ALJ must excludefrom the party’s case-in-chief —

(i) The testimony of any witnesswhose name does not appear on thewitness list; and

(ii) Any exhibit not provided to theopposing party as specified in paragraph(a) of this section.

(3) If the ALJ finds that extraordinarycircumstances existed, the ALJ must

then determine whether the admissionof that evidence would cause substantialprejudice to the objecting party.

(i) If the ALJ finds that there is nosubstantial prejudice, the evidence may

be admitted.(ii) If the ALJ finds that there is

substantial prejudice, the ALJ mayexclude the evidence, or, if he or shedoes not exclude the evidence, mustpostpone the hearing for such time as isnecessary for the objecting party toprepare and respond to the evidence,unless the objecting party waivespostponement.

(c) Unless the other party objectswithin a reasonable period of time before the hearing, documentsexchanged in accordance withparagraph (a) of this section will bedeemed to be authentic for the purposeof admissibility at the hearing.

§ 160.520 Subpoenas for attendance athearing.

(a) A party wishing to procure theappearance and testimony of any personat the hearing may make a motionrequesting the ALJ to issue a subpoena

if the appearance and testimony arereasonably necessary for thepresentation of a party’s case.

(b) A subpoena requiring theattendance of a person in accordancewith paragraph (a) of this section mayalso require the person (whether or notthe person is a party) to producerelevant and material evidence at or

before the hearing.(c) When a subpoena is served by a

respondent on a particular employee orofficial or particular office of HHS, theSecretary may comply by designatingany knowledgeable HHS representativeto appear and testify.

(d) A party seeking a subpoena mustfile a written motion not less than 30days before the date fixed for thehearing, unless otherwise allowed bythe ALJ for good cause shown. Thatmotion must—

(1) Specify any evidence to beproduced;

(2) Designate the witnesses; and(3) Describe the address and location

with sufficient particularity to permitthose witnesses to be found.

(e) The subpoena must specify thetime and place at which the witness isto appear and any evidence the witnessis to produce.

(f) Within 15 days after the writtenmotion requesting issuance of asubpoena is served, any party may filean opposition or other response.

(g) If the motion requesting issuanceof a subpoena is granted, the partyseeking the subpoena must serve it bydelivery to the person named, or by

certified mail addressed to that personat the person’s last dwelling place orprincipal place of business.

(h) The person to whom the subpoenais directed may file with the ALJ amotion to quash the subpoena within 10days after service.

(i) The exclusive remedy forcontumacy by, or refusal to obey asubpoena duly served upon, any personis specified in 42 U.S.C. 405(e).

§ 160.522 Fees.

The party requesting a subpoena mustpay the cost of the fees and mileage of any witness subpoenaed in the amounts

that would be payable to a witness in aproceeding in United States DistrictCourt. A check for witness fees andmileage must accompany the subpoenawhen served, except that, when asubpoena is issued on behalf of theSecretary, a check for witness fees andmileage need not accompany thesubpoena.

§ 160.524 Form, filing, and service ofpapers.

(a) Forms. (1) Unless the ALJ directsthe parties to do otherwise, documents





filed with the ALJ must include anoriginal and two copies.

(2) Every pleading and paper filed inthe proceeding must contain a captionsetting forth the title of the action, thecase number, and a designation of thepaper, such as motion to quashsubpoena.

(3) Every pleading and paper must be

signed by and must contain the addressand telephone number of the party orthe person on whose behalf the paperwas filed, or his or her representative.

(4) Papers are considered filed whenthey are mailed.

(b) Service. A party filing a documentwith the ALJ or the Board must, at thetime of filing, serve a copy of thedocument on the other party. Serviceupon any party of any document must

be made by delivering a copy, or placinga copy of the document in the UnitedStates mail, postage prepaid andaddressed, or with a private deliveryservice, to the party’s last knownaddress. When a party is represented byan attorney, service must be made uponthe attorney in lieu of the party.

(c) Proof of service. A certificate of thenatural person serving the document bypersonal delivery or by mail, settingforth the manner of service, constitutesproof of service.

§ 160.526 Computation of time.

(a) In computing any period of timeunder this subpart or in an order issuedthereunder, the time begins with the dayfollowing the act, event or default, andincludes the last day of the period

unless it is a Saturday, Sunday, or legalholiday observed by the FederalGovernment, in which event it includesthe next business day.

(b) When the period of time allowedis less than 7 days, intermediateSaturdays, Sundays, and legal holidaysobserved by the Federal Governmentmust be excluded from the computation.

(c) Where a document has been servedor issued by placing it in the mail, anadditional 5 days must be added to thetime permitted for any response. Thisparagraph does not apply to requests forhearing under § 160.504.

§ 160.528 Motions.(a) An application to the ALJ for anorder or ruling must be by motion.Motions must state the relief sought, theauthority relied upon and the factsalleged, and must be filed with the ALJand served on all other parties.

(b) Except for motions made during aprehearing conference or at the hearing,all motions must be in writing. The ALJmay require that oral motions bereduced to writing.

(c) Within 10 days after a writtenmotion is served, or such other time as

may be fixed by the ALJ, any party mayfile a response to the motion.

(d) The ALJ may not grant a writtenmotion before the time for filingresponses has expired, except uponconsent of the parties or following ahearing on the motion, but may overruleor deny the motion without awaiting aresponse.

(e) The ALJ must make a reasonableeffort to dispose of all outstandingmotions before the beginning of thehearing.

§ 160.530 Sanctions.

The ALJ may sanction a person,including any party or attorney, forfailing to comply with an order orprocedure, for failing to defend anaction or for other misconduct thatinterferes with the speedy, orderly orfair conduct of the hearing. Thesanctions must reasonably relate to theseverity and nature of the failure or

misconduct. The sanctions mayinclude— (a) In the case of refusal to provide or

permit discovery under the terms of thispart, drawing negative factual inferencesor treating the refusal as an admission

by deeming the matter, or certain facts,to be established;

(b) Prohibiting a party fromintroducing certain evidence orotherwise supporting a particular claimor defense;

(c) Striking pleadings, in whole or inpart;

(d) Staying the proceedings;(e) Dismissal of the action;

(f) Entering a decision by default;(g) Ordering the party or attorney to

pay the attorney’s fees and other costscaused by the failure or misconduct;and

(h) Refusing to consider any motion orother action that is not filed in a timelymanner.

§ 160.532 Collateral estoppel.

When a final determination that therespondent violated an administrativesimplification provision has beenrendered in any proceeding in whichthe respondent was a party and had an

opportunity to be heard, the respondentis bound by that determination in anyproceeding under this part.

§ 160.534 The hearing.

(a) The ALJ must conduct a hearingon the record in order to determinewhether the respondent should befound liable under this part.

(b)(1) The respondent has the burdenof going forward and the burden of persuasion with respect to any:

(i) Affirmative defense pursuant to§ 160.410;

(ii) Challenge to the amount of aproposed penalty pursuant to§§ 160.404–160.408, including anyfactors raised as mitigating factors; or

(iii) Claim that a proposed penaltyshould be reduced or waived pursuantto § 160.412.

(2) The Secretary has the burden of going forward and the burden of

persuasion with respect to all otherissues, including issues of liability andthe existence of any factors consideredas aggravating factors in determining theamount of the proposed penalty.

(3) The burden of persuasion will bejudged by a preponderance of theevidence.

(c) The hearing must be open to thepublic unless otherwise ordered by theALJ for good cause shown.

(d)(1) Subject to the 15-day rule under§ 160.518(a) and the admissibility of evidence under § 160.540, either partymay introduce, during its case in chief,

items or information that arose or became known after the date of theissuance of the notice of proposeddetermination or the request for hearing,as applicable. Such items andinformation may not be admitted intoevidence, if introduced—

(i) By the Secretary, unless they arematerial and relevant to the acts oromissions with respect to which thepenalty is proposed in the notice of proposed determination pursuant to§ 160.420, including circumstances thatmay increase penalties; or

(ii) By the respondent, unless they are

material and relevant to an admission,denial or explanation of a finding of factin the notice of proposed determinationunder § 160.420, or to a specificcircumstance or argument expresslystated in the request for hearing under§ 160.504, including circumstances thatmay reduce penalties.

(2) After both parties have presentedtheir cases, evidence may be admitted inrebuttal even if not previouslyexchanged in accordance with§ 160.518.

§ 160.536 Statistical sampling.

(a) In meeting the burden of proof setforth in § 160.534, the Secretary mayintroduce the results of a statisticalsampling study as evidence of thenumber of violations under § 160.406, orthe factors considered in determiningthe amount of the civil money penaltyunder § 160.408. Such statisticalsampling study, if based upon anappropriate sampling and computed byvalid statistical methods, constitutesprima facie evidence of the number of violations and the existence of factorsmaterial to the proposed civil money





penalty as described in §§ 160.406 and160.408.

(b) Once the Secretary has made aprima facie case, as described inparagraph (a) of this section, the burdenof going forward shifts to the respondentto produce evidence reasonablycalculated to rebut the findings of thestatistical sampling study. The Secretary

will then be given the opportunity torebut this evidence.

§ 160.538 Witnesses.

(a) Except as provided in paragraph(b) of this section, testimony at thehearing must be given orally bywitnesses under oath or affirmation.

(b) At the discretion of the ALJ,testimony of witnesses other than thetestimony of expert witnesses may beadmitted in the form of a writtenstatement. Any such written statementmust be provided to the other party,along with the last known address of the

witness, in a manner that allowssufficient time for the other party tosubpoena the witness for cross-examination at the hearing. Priorwritten statements of witnessesproposed to testify at the hearing must

be exchanged as provided in § 160.518.The ALJ may, at his or her discretion,admit prior sworn testimony of expertsthat has been subject to adverseexamination, such as a deposition ortrial testimony.

(c) The ALJ must exercise reasonablecontrol over the mode and order of interrogating witnesses and presenting

evidence so as to:(1) Make the interrogation and

presentation effective for theascertainment of the truth;

(2) Avoid repetition or needlessconsumption of time; and

(3) Protect witnesses from harassmentor undue embarrassment.

(d) The ALJ must permit the parties toconduct cross-examination of witnessesas may be required for a full and truedisclosure of the facts.

(e) The ALJ may order witnessesexcluded so that they cannot hear thetestimony of other witnesses, except

that the ALJ may not order to beexcluded—

(1) A party who is a natural person;(2) In the case of a party that is not

a natural person, the officer or employeeof the party appearing for the entity prose or designated as the party’srepresentative; or

(3) A natural person whose presenceis shown by a party to be essential to thepresentation of its case, including aperson engaged in assisting the attorneyfor the Secretary.

§ 160.540 Evidence.

(a) The ALJ must determine theadmissibility of evidence.

(b) Except as provided in this subpart,the ALJ is not bound by the FederalRules of Evidence. However, the ALJmay apply the Federal Rules of Evidence where appropriate, forexample, to exclude unreliableevidence.

(c) The ALJ must exclude irrelevant orimmaterial evidence.

(d) Although relevant, evidence may be excluded if its probative value issubstantially outweighed by the dangerof unfair prejudice, confusion of theissues, or by considerations of unduedelay or needless presentation of cumulative evidence.

(e) Although relevant, evidence must be excluded if it is privileged underFederal law.

(f) Evidence concerning offers of compromise or settlement are

inadmissible to the extent provided inRule 408 of the Federal Rules of Evidence.

(g) Evidence of crimes, wrongs, or actsother than those at issue in the instantcase is admissible in order to showmotive, opportunity, intent, knowledge,preparation, identity, lack of mistake, orexistence of a scheme. This evidence isadmissible regardless of whether thecrimes, wrongs, or acts occurred duringthe statute of limitations periodapplicable to the acts or omissions thatconstitute the basis for liability in thecase and regardless of whether they

were referenced in the Secretary’s noticeof proposed determination under§ 160.420.

(h) The ALJ must permit the parties tointroduce rebuttal witnesses andevidence.

(i) All documents and other evidenceoffered or taken for the record must beopen to examination by both parties,unless otherwise ordered by the ALJ forgood cause shown.

§ 160.542 The record.

(a) The hearing must be recorded andtranscribed. Transcripts may beobtained following the hearing from theALJ. Cost of transcription will be borneequally by the parties.

(b) The transcript of the testimony,exhibits, and other evidence admitted atthe hearing, and all papers and requestsfiled in the proceeding constitute therecord for decision by the ALJ and theSecretary.

(c) The record may be inspected andcopied (upon payment of a reasonablefee) by any person, unless otherwiseordered by the ALJ for good causeshown.

(d) For good cause, the ALJ may orderappropriate redactions made to therecord.

§ 160.544 Post hearing briefs.

The ALJ may require the parties to filepost-hearing briefs. In any event, anyparty may file a post-hearing brief. TheALJ must fix the time for filing the

briefs. The time for filing may notexceed 60 days from the date the partiesreceive the transcript of the hearing or,if applicable, the stipulated record. The

briefs may be accompanied by proposedfindings of fact and conclusions of law.The ALJ may permit the parties to filereply briefs.

§ 160.546 ALJ decision.

(a) The ALJ must issue a decision, based only on the record, which mustcontain findings of fact and conclusionsof law.

(b) The ALJ may affirm, increase, orreduce the penalties imposed by theSecretary.

(c) The ALJ must issue the decision to both parties within 60 days after thetime for submission of post-hearing

briefs and reply briefs, if permitted, hasexpired. If the ALJ fails to meet thedeadline contained in this paragraph, heor she must notify the parties of thereason for the delay and set a newdeadline.

(d) Unless the decision of the ALJ istimely appealed as provided for in§ 160.548, the decision of the ALJ will

be final and binding on the parties 60days from the date of service of the

ALJ’s decision.

§ 160.548 Appeal of the ALJ decision.

(a) Any party may appeal the decisionof the ALJ to the Board by filing a noticeof appeal with the Board within 30 daysof the date of service of the ALJdecision. The Board may extend theinitial 30 day period for a period of timenot to exceed 30 days if a party fileswith the Board a request for anextension within the initial 30 dayperiod and shows good cause.

(b) If a party files a timely notice of appeal with the Board, the ALJ must

forward the record of the proceeding tothe Board.(c) A notice of appeal must be

accompanied by a written brief specifying exceptions to the initialdecision and reasons supporting theexceptions. Any party may file a brief inopposition to the exceptions, whichmay raise any relevant issue notaddressed in the exceptions, within 30days of receiving the notice of appealand the accompanying brief. The Boardmay permit the parties to file reply

briefs.





(d) There is no right to appearpersonally before the Board or to appealto the Board any interlocutory ruling bythe ALJ.

(e) The Board may not consider anyissue not raised in the parties’ briefs,nor any issue in the briefs that couldhave been raised before the ALJ but wasnot.

(f) If any party demonstrates to thesatisfaction of the Board that additionalevidence not presented at such hearingis relevant and material and that therewere reasonable grounds for the failureto adduce such evidence at the hearing,the Board may remand the matter to theALJ for consideration of such additionalevidence.

(g) The Board may decline to reviewthe case, or may affirm, increase,reduce, reverse or remand any penaltydetermined by the ALJ.

(h) The standard of review on adisputed issue of fact is whether the

initial decision of the ALJ is supported by substantial evidence on the wholerecord. The standard of review on adisputed issue of law is whether thedecision is erroneous.

(i) Within 60 days after the time forsubmission of briefs and reply briefs, if permitted, has expired, the Board mustserve on each party to the appeal a copyof the Board’s decision and a statementdescribing the right of any respondentwho is penalized to seek judicialreview.

(j)(1) The Board’s decision underparagraph (i) of this section, includinga decision to decline review of theinitial decision, becomes the finaldecision of the Secretary 60 days afterthe date of service of the Board’sdecision, except with respect to adecision to remand to the ALJ or if reconsideration is requested under thisparagraph.

(2) The Board will reconsider itsdecision only if it determines that thedecision contains a clear error of fact orerror of law. New evidence will not bea basis for reconsideration unless theparty demonstrates that the evidence isnewly discovered and was notpreviously available.

(3) A party may file a motion forreconsideration with the Board beforethe date the decision becomes finalunder paragraph (j)(1) of this section. Amotion for reconsideration must beaccompanied by a written brief specifying any alleged error of fact or

law and, if the party is relying onadditional evidence, explaining why theevidence was not previously available.Any party may file a brief in oppositionwithin 15 days of receiving the motionfor reconsideration and theaccompanying brief unless this timelimit is extended by the Board for goodcause shown. Reply briefs are not

permitted.(4) The Board must rule on the motion

for reconsideration not later than 30days from the date the opposition brief is due. If the Board denies the motion,the decision issued under paragraph (i)of this section becomes the finaldecision of the Secretary on the date of service of the ruling. If the Board grantsthe motion, the Board will issue areconsidered decision, after suchprocedures as the Board determinesnecessary to address the effect of anyerror. The Board’s decision onreconsideration becomes the final

decision of the Secretary on the date of service of the decision, except withrespect to a decision to remand to theALJ.

(5) If service of a ruling or decisionissued under this section is by mail, thedate of service will be deemed to be 5days from the date of mailing.

(k)(1) A respondent’s petition forjudicial review must be filed within 60days of the date on which the decisionof the Board becomes the final decisionof the Secretary under paragraph (j) of this section.

(2) In compliance with 28 U.S.C.2112(a), a copy of any petition for

judicial review filed in any U.S. Courtof Appeals challenging the finaldecision of the Secretary must be sent

by certified mail, return receiptrequested, to the General Counsel of HHS. The petition copy must be a copyshowing that it has been time-stamped

by the clerk of the court when theoriginal was filed with the court.

(3) If the General Counsel of HHSreceived two or more petitions within10 days after the final decision of theSecretary, the General Counsel willnotify the U.S. Judicial Panel onMultidistrict Litigation of any petitionsthat were received within the 10 dayperiod.

§ 160.550 Stay of the Secretary’s decision.

(a) Pending judicial review, therespondent may file a request for stay of the effective date of any penalty withthe ALJ. The request must be

accompanied by a copy of the notice of appeal filed with the federal court. Thefiling of the request automatically staysthe effective date of the penalty untilsuch time as the ALJ rules upon therequest.

(b) The ALJ may not grant arespondent’s request for stay of anypenalty unless the respondent posts a

bond or provides other adequatesecurity.

(c) The ALJ must rule upon arespondent’s request for stay within 10days of receipt.

§ 160.552 Harmless error.

No error in either the admission or theexclusion of evidence, and no error ordefect in any ruling or order or in anyact done or omitted by the ALJ or by anyof the parties is ground for vacating,modifying or otherwise disturbing anotherwise appropriate ruling or order oract, unless refusal to take such action

appears to the ALJ or the Boardinconsistent with substantial justice.The ALJ and the Board at every stage of the proceeding must disregard any erroror defect in the proceeding that does notaffect the substantial rights of theparties.

PART 164—SECURITY AND PRIVACY

1. The authority citation for part 164is revised to read as follows:

Authority: 42 U.S.C. 1320d–1320d–8 andsec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d-2 (note)).

2. Revise § 164.530(g) to read asfollows:

§ 164.530 Standard: refraining fromintimidating or retaliatory acts.

* * * * *(g) A covered entity— (1) May not intimidate, threaten,

coerce, discriminate against, or takeother retaliatory action against anyindividual for the exercise by theindividual of any right established, orfor participation in any processprovided for by this subpart, includingthe filing of a complaint under this

section; and(2) Must refrain from intimidation andretaliation as provided in § 160.316 of this subchapter.

* * * * *[FR Doc. 05–7512 Filed 4–14–05; 8:45 am]

BILLING CODE 4153–01–P