Interim Final Enforcement Rule
I. Background
This interim final rule establishes rules of procedure for the
imposition, by the Secretary of Health and Human Services, of civil
money penalties on entities that violate the Administrative Simplification
regulations ("HIPAA rules") adopted by the Secretary under
subtitle F of Title II of HIPAA ("HIPAA provisions").
We intend this interim final rule to be the first installment of
a rule termed the "Enforcement Rule." The Enforcement
Rule, when issued in complete form, will set forth procedural and
substantive requirements for imposition of civil money penalties.
In the interim, we are issuing these rules of procedure to inform
regulated entities of our approach to enforcement and to advise
regulated entities of certain procedures that will be followed with
regard to enforcement. We intend to revise the procedural rule by
the expiration date provided above.
We set out below the statutory and regulatory background of the
rule, describe our approach to enforcement of the HIPAA provisions
and rules in general and this rule in particular, and then discuss
each section of the interim final rule. We also set out our analyses
of impact and other issues under applicable law.
Statutory Background
HIPAA became law in 1996. Subtitle F of Title II of HIPAA, entitled
"Administrative Simplification," requires the Secretary
of HHS to adopt national standards for certain information-related
activities of the health care industry. The purpose of subtitle
F is to improve the Medicare program under title XVIII of the Social
Security Act ("Act"), the Medicaid program under title
XIX of the Act, and the efficiency and effectiveness of the health
care system, by mandating the development of standards and requirements
to enable the electronic exchange of certain health information.
Section 262 of subtitle F added a new Part C to Title XI of the
Act. Part C (42 U.S.C. 1320d - 1320d-8) requires the Secretary to
adopt national standards for certain financial and administrative
transactions and various data elements to be used in those transactions,
such as code sets and certain unique health identifiers. Recognizing
that the industry trend toward computerizing health information,
which HIPAA encourages, may increase the access to that information,
the statute also requires national standards to protect the security
and privacy of the information.
The HIPAA provisions, by statute, apply only to the following
persons:
- A health plan.
- A health care clearinghouse.
- A health care provider who transmits any health information
in electronic form in connection with a transaction referred
to in section 1320d-2(a)(1) of this title.
42 U.S.C. 1320d-1(a). Collectively, these entities are known as
"covered entities." The statute requires certain consultations
with industry as a predicate to the issuance of standards and gives
most covered entities 2 years (small health plans have 3 years)
to come into compliance with the standards, once adopted. 42 U.S.C.
1320d-1(c), 42 U.S.C. 1320d-4(b). The statute establishes civil
money penalties and criminal penalties for violations. 42 U.S.C.
1320d-5, 42 U.S.C. 1320d-6. HHS will enforce the civil money penalties,
while the U.S. Department of Justice will enforce the criminal penalties.
HIPAA's civil money penalty ("CMP") provision authorizes
the Secretary to impose CMPs, as follows:
- IN GENERAL. Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision
of this part [42 U.S.C. 1320d et seq.] a penalty of not more
than $100 for each such violation, except that the total amount
imposed on the person for all violations of an identical requirement
or prohibition during a calendar year may not exceed $25,000.
- PROCEDURES. The provisions of section 1128A [42 U.S.C.
1320a-7a] (other than subsections (a) and (b) and the second
sentence of subsection (f)) shall apply to the imposition of
a civil money penalty under this subsection in the same manner
as such provisions apply to the imposition of a penalty under
such section 1128A.
42 U.S.C. 1320d-5(a).
Subsection (b) of section 1320d-5 sets out a number of substantive
limitations on the Secretary's authority to impose CMPs. First,
a CMP may not be imposed with respect to an act that "constitutes
an offense punishable" under the criminal penalty provision.
42 U.S.C. 1320d-5(b)(1). Second, a CMP may not be imposed "if
it is established to the satisfaction of the Secretary that the
person liable for the penalty did not know, and by exercising reasonable
diligence would not have known, that such person violated the provision."
42 U.S.C. 1320d-5(b)(2). Third, a CMP may not be imposed if the
failure to comply was due "to reasonable cause and not to willful
neglect" and is corrected within a certain time. 42 U.S.C.
1320d-5(b)(3). Finally, a CMP may be reduced, if not waived entirely,
"to the extent that the payment of such penalty would be excessive
relative to the compliance failure involved." 42 U.S.C. 1320d-5(b)(4).
As noted above, HIPAA incorporates by reference certain provisions
of section 1128A of the Act (42 U.S.C. 1320a-7a). Those provisions,
as relevant here, provide a number of procedural requirements with
respect to the imposition of CMPs. The Secretary may not initiate
a CMP action "later than six years after the date" of
the occurrence that forms the basis for the CMP. The Secretary may
initiate a CMP action by serving notice "in any manner authorized
by Rule 4 of the Federal Rules of Civil Procedure." 42 U.S.C.
1320a-7a(c)(1). A person upon whom the Secretary seeks to impose
a CMP must be given written notice and an opportunity for a determination
to be made "on the record after a hearing at which the person
is entitled to be represented by counsel, to present witnesses,
and to cross-examine witnesses against the person." 42 U.S.C.
1320a-7a(c)(2). There are provisions authorizing the sanctions the
hearing officer may impose for misconduct in connection with the
CMP proceeding, judicial review of the Secretary's determination
in the United States Court of Appeals for the circuit in which the
person resides, and the issuance of subpoenas by the Secretary and
the enforcement of those subpoenas. 42 U.S.C. 1320a-7a(c)(4), (e),
(j). These provisions are discussed more fully below.
Regulatory Background
As noted above, HIPAA requires the Secretary of HHS to adopt a
number of national standards to facilitate the exchange of certain
health information. The Secretary has already issued a number of
these HIPAA standards by regulation. We summarize these HIPAA Administrative
Simplification rules below.
- Regulations implementing the statutory requirement for the adoption
of standards for transactions and code sets ("Transactions
Rule") were published on August 17, 2000 (65 FR 50312),
and were recently modified (68 FR 8381, February 20, 2003). The
Transactions Rule became effective on October 16, 2000, with an
initial compliance date of October 16, 2002 for covered entities
other than small health plans. The passage of the Administrative
Simplification Compliance Act, Pub. L. 107-105, in 2001 enabled
covered entities to obtain an extension of the compliance date
to October 16, 2003 by filing a compliance plan by October 15,
2002. If a covered entity (other than a small health plan) did
not file such a plan, it was required to comply with the Transactions
Rule by October 16, 2002. All covered entities must be in compliance
with the Transactions Rule, as modified, by October 16, 2003.
- Regulations implementing the statutory requirement for the adoption
of privacy standards were published on December 28, 2000 (65 FR
82462) ("Privacy Rule"). The Privacy Rule became
effective on April 14, 2001, with an initial compliance date of
April 14, 2003 for covered entities other than small health plans.
Modifications to the Privacy Rule were published on August 14,
2002 (67 FR 53182), and compliance with the modified privacy standards
is required by the initial compliance date, April 14, 2003, for
those covered entities that must comply by that date.
- Regulations implementing the statutory requirement for the adoption
of an employer identifier standard were published on May
31, 2002 (67 FR 38009) and became effective on July 30, 2002.
The initial compliance date is July 30, 2004 for most covered
entities; small health plans have until July 30, 2005 to come
into compliance.
- Regulations implementing the statutory requirement for the adoption
of security standards were published on February 20, 2003
(68 FR 8334). They are effective on April 21, 2003, and the initial
compliance date for covered entities other than small health plans
is April 20, 2005; small health plans have until April 20, 2006
to comply.
The authority for administering and enforcing compliance with the
Privacy Rule has been delegated to the Office for Civil Rights ("OCR")
of HHS. Responsibility for administering and enforcing the remaining
HIPAA rules has been assigned to the Centers for Medicare &
Medicaid Services ("CMS").