Unique Opportunities The Physician’s Resource
   Legal matters
The Enforcer
Yes, you have yet another HIPAA rule to master. This rule dictates procedures and penalties when the others are broken.

By Bruce D. Armon      Published May/June 2006

On March 16, 2006 the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification Enforcement Rule (the Rule) took effect. The Rule formally permits the Secretary of Health and Human Services to impose civil money penalties on entities that violate any of the various HIPAA regulations.
     While the HIPAA Privacy Rule has received the most significant media attention, HIPAA created a variety of rules that will affect physicians in their everyday professional capacity. In addition to the HIPAA Privacy Rule, final regulations are in effect for the Transactions Rule, the Unique Employer Identifier Rule, the Security Rule, and the Unique Health Identifier for Health Care Providers Rule. Proposed HIPAA regulations are yet to be finalized for a Claims Attachment Rule and a Health Plan Identifier Rule.
     The primary importance of the Rule we speak of here is that it dictates the procedures for investigations of noncompliance for each of the other HIPAA rules. The Rule has three main subparts:  Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings.

Compliance & Investigations
This section of the Rule directs that “the [HHS] Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the applicable administrative simplification provisions.” In the Rule’s preamble, HHS reiterated that voluntary compliance is, “the most effective and quickest way of obtaining compliance in most cases.”
     According to HHS, as of October 31, 2005, the HHS Office of Civil Rights (the office in charge of coordinating complaints with regard to the HIPAA Privacy Rule) had received over 16,000 Privacy Rule-related complaints. As of February of this year, 68 percent of those complaints had been resolved or otherwise closed.
     The Rule provides that if a person believes a covered entity (a physician who conducts certain transactions in electronic form is a covered entity) is not complying with one of the HIPAA rules, the person may file a complaint with the HHS Secretary. The complaint must be filed within 180 days of when the complainant knew or should have known that the alleged act occurred.
     The Rule requires a covered entity to cooperate with the HHS Secretary if an investigation or compliance review occurs. As part of this cooperation, the covered entity must permit access to its business books and records. The Secretary has the authority to issue subpoenas, and there are extensive provisions in the Rule relating to the subpoena process. The testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities, including as evidence in any administrative or judicial proceeding.  
     If the HHS Secretary determines that a covered entity has failed to comply with a regulation, the Secretary is instructed to resolve the matter by informal means. If resolution cannot be reached informally, the covered entity will be informed and will then have 30 days to provide written evidence of any mitigating factors or affirmative defenses. Or, if no violation is found, the Secretary will inform the covered entity and the complainant, and the covered entity may again focus all of its energies on clinical care.  
     The Rule also provides that a covered entity may not harass, threaten, coerce, discriminate against, or take any other retaliatory action against any individual who files a complaint or participates in an investigation against the covered entity.

Civil Money Penalties
The second subpart of the Rule sets forth the basis for a civil money penalty against a covered entity. The HHS Secretary may not impose a civil money penalty of more than $100 for each violation or in excess of $25,000 for identical violations during a calendar year. The Rule provides that the Secretary will determine the number of violations based on the nature of the covered entity’s obligation to act or not to act in a particular circumstance.
     The Rule delineates six possible aggravating or mitigating factors the HHS Secretary may consider regarding a violation:  1) the nature of the violation, in light of the purpose of the rule violated; 2) the circumstances under which the violation occurred and the resulting physical or financial harm, if any; 3) the degree of culpability of the covered entity, including whether the act was intentional; 4) history of prior compliance with the HIPAA rules, including any prior violations; 5) the financial condition of the covered entity, including whether financial difficulties affected its ability to comply with a HIPAA rule; and, 6) the ultimate catch-all — “such other matters as justice may require.”
     The Rule includes specific provisions if there is a violation by more than one covered entity. For instance, a member of an affiliated covered entity (a legally separate covered entity that affiliates with other covered entities and becomes a single covered entity for purposes of the HIPAA Security and Privacy rules) is jointly and severally liable for a violation by the affiliated covered entity, unless it is established that another member of the affiliated covered entity was responsible for the violation.
     In addition, the Rule provides that a covered entity is liable based on the act or omission of any agent of the covered entity, including a work force member who is acting within the scope of the agency.
     Every physician covered entity should take the responsibility of knowing and understanding the actions of the other physicians and covered entities with whom they interact on a more “formal basis” to protect themselves should there be an investigation regarding compliance with a HIPAA rule.
     The Rule details several affirmative defenses that a covered entity may raise, including lack of knowledge and reasonable cause that is not willful neglect.
     The Rule provides that the HHS Secretary must take action against a covered entity within six years of the date of the violation. If the HHS Secretary intends to impose a penalty on a covered entity, the covered entity has the right to request a hearing.

Procedures for Hearings
If a covered entity requests a hearing, the Rule details a series of procedures that must be followed in the hearing. For instance, a request for a hearing must be mailed within 90 days of the covered entity receiving notice of a proposed determination of a penalty. A request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact included in the notice of proposed determination.
     The Rule provides that a covered entity has the right to be represented by an attorney, present evidence relevant to the issues at the hearing, present and cross examine witnesses, and submit written briefs and proposed findings of fact and conclusions of law after the hearing.
     The hearing will be handled by an administrative law judge (ALJ), who is charged with conducting a fair and impartial hearing. The process will be structured like most civil trials. For instance, neither HHS nor the covered entity may communicate in any way with the ALJ unless there is notice and opportunity for both parties to participate. The ALJ is required to schedule at least one pre-hearing conference. The parties must exchange witness lists and copies of proposed hearing exhibits not more than 60 and not less than 15 days before the scheduled hearing.
     The Rule provides that the HHS Secretary may introduce the results of statistical sampling as evidence of the number of violations by the covered entity or the factors considered in determining the amount of the civil money penalty. The preamble to the Rule rejected criticisms that the use of statistical sampling is an inappropriate means to determine violations of a HIPAA rule.
     The Rule permits any party to file an appeal of the decision of the ALJ within 30 days of the ALJ decision.

Covered Entity Responsibilities
While the Rule now provides a roadmap for enforcement of the Privacy Rule and the other HIPAA regulations, it is not clear how aggressive the various HHS agencies will be in ensuring regulatory compliance.
     Every physician who is a covered entity should be familiar with the provisions of the Rule (located at 71 Federal Register 8390 et seq., February 16, 2006). In addition, every physician who is a covered entity should review his policies and procedures relating to HIPAA compliance. Physicians who employ other physicians and administrative staff should remind their colleagues of the importance of complying with HIPAA and the relevant elements of the Rule, including the possibility of significant civil money penalties. Physicians who are employed by other organizations will likely get a refresher course on HIPAA compliance from their employers. If it appears that your organization is unaware of the publication of the Rule, you should raise the issue with your supervisor. Organizations often need volunteers to ensure organizational compliance with HIPAA. If you are comfortable in taking on these challenges, you will play an important role for your employer.
    Finally, if you or your employer is the subject of a HIPAA rule complaint from an individual, the Rule provides a detailed explanation of your rights, responsibilities, and potential financial liability if a violation occurs. You may need an attorney to explain the provisions of a HIPAA rule, protect you, and assist you in a hearing.

Bruce D. Armon is a partner in the health-care group of the law firm of Saul Ewing LLP and is a frequent speaker to physician audiences on many corporate, regulatory, and compliance topics. He can be reached at barmon@saul.com.



© 2006  UO Inc.      www.uoworks.com      800-888-2047