Guest Article

(From the April 21, 2003 issue of Deloitte's Washington Bulletin, a periodic update of legal and regulatory developments relating to Employee Benefits. Hyperlinks in the article have been added by BenefitsLink.)

More HIPAA Guidance on Transaction Civil Penalties, Complaints, and Privacy

Notwithstanding HHS's pledge to use cooperation and technical assistance to help covered entities comply with HIPAA regulations, HHS continues to release information with respect to enforcement and complaints. The most recent releases include interim final rules on procedures for imposing civil monetary penalties for violating the uniform transaction and code set rules, unique identifier requirement, and the privacy rules. On the technical assistance front, HHS has also released additional guidance in the form of an HHS Office of Civil Rights Privacy Brief, "Summary of the HIPAA Privacy Rule" and "HIPAA Privacy Rule and Public Health: Guidance from the CDC and the U.S. Department of HHS." These two documents are available at: http://www.hhs.gov/ocr/.

Civil Penalties and Complaints

The final interim rules on civil penalties (68 FR 18895, April 17, 2003) set out the administrative procedures for contesting the penalties. These penalties can be up to $100 per violation, with an annual limit of $25,000 for the same type of violation. Generally these civil penalty procedures will follow those used by the HHS Office of the Inspector General, which handles Medicare fraud investigations. HHS has assigned HIPAA enforcement responsibility for privacy to its Office of Civil Rights (OCR) and the uniform data transaction standards (code sets, data transmission standards, and identifiers) to its Centers for Medicare and Medicaid Services (CMS). The Department of Justice will enforce criminal investigations and penalties.

The procedures include a hearing before an administrative law judge if requested by the covered entity. Both HHS and the covered entity will have limited discovery rights, including documents, exchange of witness lists, statements and exhibits, and the ability to subpoena individuals to appear at the hearing. Discovery through depositions or interrogatories is not permitted. HHS also has the authority to settle for lower penalties.

Unfortunately, these civil penalties interim final regulations provide no information on how to avoid the penalties in the first place. They focus only on procedure. There is no guidance on actions that would be considered violations of the rules. Consequently, covered entities have no additional information on the types of problems and issues HHS will be addressing in enforcement. Also, the regulations do not indicate how HHS will determine the level of penalties to impose or what factors will be considered when discussing or negotiating settlements with HHS in HIPAA cases.

These interim final rules are effective on May 19, 2003, and will remain in effect until September 16, 2003, at which time the HHS expects to have final rules in place. Comments on the interim rules are due by June 16, 2003.

Informational Releases

HHS also released an updated Fact Sheet, "How to File a Privacy Complaint." The fact sheet is available at: http://www.hhs.gov/ocr/howtofileprivacy.htm.

A newly issued HHS OCR Privacy Brief, "Summary of the HIPAA Privacy Rule" offers a "plain English" description of the privacy rules with a good breakout of subjects and references to the specific regulatory section. It can serve as an excellent introduction to HIPAA privacy and good "quick reference" tool for those who need a general education in HIPAA privacy. But use it with caution. The summary cannot substitute for an in depth knowledge of the regulations. Additionally, because many HIPAA issues are highly fact specific, readers should be cautioned against making decisions based solely on the rules without having a detailed knowledge of all the facts of the specific covered entity's HIPAA situation.

The "HIPAA Privacy Rule and Public Health: Guidance from the CDC and the U.S. Department of HHS" will be especially helpful for public sector employers, who also are heavily affected by HIPAA. It includes a valuable list of state resources on HIPAA.

These documents are available at: http://www.hhs.gov/ocr.

The information in this Washington Bulletin is general information only and not intended to provide advice or guidance for specific situations. Contact your Deloitte advisor for information regarding your specific circumstances. If you have questions or need additional information about this article and you do not have a Deloitte advisor, please contact Martha Priddy Patterson (202.879.5634) or Robert B. Davis (202.879.3094). Human Capital Advisory Services, Deloitte LLP, 555 12th Street NW, Suite 500, Washington, DC 20004-1207. Copyright 2003, Deloitte.