Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

HHS Issues Rules on HIPAA Privacy Enforcement Process

The procedures for civil enforcement of HIPAA's privacy, transaction and related rules were established by the U.S. Department of Health and Human Services (HHS) in interim final rules issued April 17 (68 F.R. 18895).

"We intend that this be the first installment" of HIPAA's enforcement rules, which ultimately "will set forth procedural and substantive requirements for imposition of civil monetary penalties (CMPs)," HHS explains in the preamble. "We are issuing these rules of procedure to inform regulated entities of our approach to enforcement and to advise regulated entities of certain procedures that will be followed as we enforce the Administrative Simplification provisions of HIPAA."

The interim final rules include procedures for providing notice and a hearing on HHS' decision to impose a CMP. They are based largely on the procedures already followed by HHS' Office of Inspector General (OIG).

"We have used the OIG regulations as the platform for the rules below for two reasons," HHS states. First, HIPAA's enforcement provisions, codified in Section 1176 of the Social Security Act (SSA) (42 USC §1320d-5) refer to the process established by SSA Section 1128A (42 USC §1320a-7a) for assessing penalties in OIG actions such as Medicare fraud enforcement.

"Second, HHS and much of the health care industry have operated under the OIG regulations implementing section 1320a-7a for more than a decade," HHS adds. "Based on this experience, we believe that the rules below will be workable and promote the efficient resolution of cases where the Secretary's proposed imposition of a CMP is challenged."

Penalty Procedure

Under the interim final rules, once HHS decides to impose a penalty, it must notify the covered entity of its intent. The covered entity then may request a hearing before an administrative law judge (ALJ). If the covered entity does not request a hearing within 60 days after receiving the notice of proposed determination, the penalty will be imposed and cannot be appealed.

A hearing request must admit, deny or explain each of the findings of fact in HHS' notice. The request also must explain the covered entity's factual and legal basis for opposing the penalty, including the grounds for any defense.

The ALJ must schedule at least one prehearing conference to expedite the formal hearing process by narrowing the scope of issues to be addressed. The conference also may address privacy protections for any individually identifiable health information that may be submitted as evidence at the hearing.

Next Steps

The interim final rules take effect May 19 and expire Sept. 16, 2004, by which time HHS plans to complete a notice-and-comment rulemaking on the enforcement rules as a whole, which will address the agency's policies for determining violations and calculating CMPs.

HHS is accepting comments on the interim rules until June 16. "However, to allow covered entities and the public to be informed as soon as possible of procedural requirements that will apply as compliance proceeds, we are expediting the publication of these procedural rules in final form," the agency explains.

HIPAA authorizes CMPs of up to $100 per violation, with an annual maximum of $25,000 for violations of a single requirement. Both HHS' Office for Civil Rights, which enforces HIPAA's privacy rules, and the Centers for Medicare and Medicaid Services, which enforces the transaction and security rules, have stressed that they will emphasize compliance assistance over CMPs and generally will pursue enforcement action only in response to complaints.

Reprinted with permission from the May 2003 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.