DHHS Issues Final HIPAA Enforcement Provisions

Legal HIMformation
(March 2006)

On February 16, 2006, the Secretary of the Department of Health and Human Services ("DHHS") issued its Final Rule governing investigation and enforcement of noncompliance with each of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The final rule amends several provisions of the interim rule concerning how to determine civil money penalties, modifies and clarifies elements of the investigation process, defines the various bases for civil penalties, further explains when certain defenses to the imposition of penalties may be pled, and describes the hearing and appeal process for challenging a civil money penalty ("CMP") that has been imposed. The Final Rule will be effective March 16, 2006.

"One HHS"

As proposed in the interim rule, DHHS has adopted a single enforcement policy ("HIPAA Enforcement Rule") for compliance with all the HIPAA rules, including the privacy, security, and transactions and code sets standards. The final HIPAA Enforcement Rule is designed to promote voluntary compliance, be clear and easy to understand, promote fairness through application of consistent rules and public guidance, and provide the Secretary with reasonable discretion, but avoid being overly prescriptive.

No Retaliation Against or Harassment of Whistleblowers

As in the proposed rule, the final rule prohibits a covered entity from threatening, intimidating, coercing, discriminating against, or taking any other retaliatory action against persons who complain to DHHS or otherwise participate in the enforcement process. In addition, the final rule explicitly prohibits covered entities from engaging in retaliatory harassment against complainants.

No Termination of Employment or Patient Relationship Based on Bad Faith Complaint

The final rule notes that no statutory basis exists for DHHS to sanction a person who brings a negligent or malicious complaint against a covered entity, suggesting instead that covered entities pursue any common law remedies available against such complainants. Significantly, the final rule also appears to indicate that a covered entity may not fire an employee or terminate a relationship with a patient where such employee or patient has filed a false complaint. The final rule notes that such termination may occur if other legitimate grounds exist for such action, but it further states that the Office for Civil Rights ("OCR") evaluates whether complaints are filed in good faith, as well as whether other grounds for termination exist, thereby suggesting that covered entities may not terminate such relationships for other reasons absent OCR's endorsement. This new guidance, provided in response to questions about the interim rule, is troubling, because it appears to require covered entities to continue a difficult employment or provider/patient relationship whenever the covered entity has reason to believe that OCR has determined incorrectly that the employee or patient complained in good faith.

Compliance Activities and Authority

The final rule emphasizes that DHHS will focus on promoting voluntary compliance with HIPAA through education, cooperation, technical assistance, and informal resolution mechanisms. Compliance and enforcement activities will remain primarily complaint-driven, although the Secretary may conduct compliance reviews in its discretion to determine whether a covered entity is in compliance. DHHS must try to resolve compliance reviews informally and must notify the covered entity in writing whether the review is or is not resolved by informal means. Investigational subpoenas may be issued when a compliance review is conducted, although these subpoenas typically are used where a covered entity fails to respond to DHHS's requests for information. OCR will administer and enforce compliance with the HIPAA Privacy Rule, whereas the Centers for Medicare and Medicaid Services ("CMS") will administer and enforce compliance with all the non-privacy HIPAA rules.

Complaints alleging HIPAA violations must be received within 180 days of the date the complainant knew or should have known of the violation, although DHHS may waive this requirement for good cause shown. In its first written communication with a covered entity regarding a complaint received, DHHS must describe the basis of the underlying complaint.

Imposition of Civil Money Penalties

The final rule mandates that the Secretary impose a CMP upon a covered entity that is determined to have violated an administrative simplification provision, unless the covered entity demonstrates that an affirmative defense exists or the entity and DHHS informally resolve the complaint.

Covered Entity Can Be Liable for Its Agents' Violations

The final rule defines the circumstances under which a covered entity will be held responsible for violations by its agents acting within the scope of the agency. All "workforce" members, including employees, volunteers, trainees, and others whose work conduct is under the direct control of the covered entity, are deemed to be agents of a covered entity. Non-workforce individuals, other than business associates, will be evaluated under the federal common law of agency, which generally requires that the individual be under the control of the covered entity and acting within the scope of the agency relationship. In the final rule, DHHS clarifies that where a covered entity is dealing with a party who is neither a workforce member nor a business associate, such as a hospital that discloses information to a non-covered health care provider with privileges for treatment of a patient, the hospital would not be liable for a subsequent use or disclosure by that provider, so long as the hospital is not also involved in the use or disclosure. The final rule reiterates that covered entities are not required to monitor the activities of their business associates, so long as the covered entity does not know of a pattern of activity or practice of the business associate that violates HIPAA and, if it does know of such pattern or practice, takes steps to end the violation or to notify the Secretary, as required by the Privacy Rule. We worry whether this creates a perverse "don't ask, don't tell" disincentive.

Liability of Organized Health Care Arrangements and Affiliated Covered Entities

If the Secretary determines that more than one covered entity was responsible for violating a provision, it will impose a CMP against each such covered entity. The final rule clarifies that covered entities that are part of an organized health care arrangement will be individually (not jointly and severally) liable for HIPAA violations, although this may require DHHS to carefully review the operations of the organized health care arrangement in order to determine which party is liable. If an affiliated covered entity violates a provision, however, each member of the affiliated covered entity will be jointly and severally liable for a CMP, unless it can be established which entity within the affiliated covered entity is responsible for a particular violation. For example, if an affiliated covered entity fails to appoint a privacy officer, all members of the affiliated covered entity share in the responsibility for the failure to act, so joint and several liability for the consequent penalty is appropriate.

This may have significant implications for regional health information organizations and community health information networks that centralize functions in connection with the creation of an interoperable electronic health record.

Calculating the Number of Violations and Amount of CMPs

Several factors will be considered when calculating the amount of any CMPs to be imposed for HIPAA violations. Initially, the final rule notes that if both a general and a specific administrative simplification provision are violated, CMPs may be imposed for either violation but not both. However, where a violation of one requirement or prohibition produces consequential violations, CMPs may be imposed for all such violations.

DHHS will quantify the number of violations of an identical HIPAA requirement or prohibition based on "the nature of the covered entity's obligation to act or not to act under the provision violated, such as its obligation to act in a certain manner, or within a certain time, or with respect to certain persons." For example, if a health plan improperly conducts 200 eligibility transactions, it can be liable for 200 violations of the transactions standards (because each of the submitted transactions was not standardized). Additionally, improper access to patient medical records would result in a violation for improperly accessing each patient's chart. For continuing violations, the number of violations will be the number of days over which a violation continues. DHHS may use statistical sampling to calculate the number of violations. Because the count of violations is an integral part of a CMP, the final rule permits the Secretary's determination as to the number of violations to be challenged on appeal.

Factors the Secretary will consider in determining the amount of a CMP include:

  • The nature of the violation
  • The circumstances under which the violation occurred
  • The degree of culpability of the covered entity
  • The covered entity's history of prior violations of, and compliance with, HIPAA
  • The financial condition of the covered entity (i.e., whether the provider can pay the CMP without being put out of business)
  • Such other matters as justice may require

"Such other matters as justice may require" include the covered entity's trustworthiness, its lack of veracity and remorse, both measurable and indirect or intangible damages to the government, the effect of the penalty upon the covered entity's rehabilitation, and the covered entity's unprompted diligence in correcting the violations. These factors may be aggravating or mitigating in each case, depending upon the circumstances surrounding the violation. It is unclear how much weight will be given to the amount of the damages against the government and how such damages will be weighed against any mitigating factors.

Affirmative Defenses to CMPs

A covered entity must establish any affirmative defenses to the imposition of a CMP. Such defenses include: (i) that the violation is punishable under the criminal penalty provision of HIPAA, and so may not also be subject to CMPs; (ii) establishing "to the satisfaction of the Secretary that the person liable for the penalty" did not know, and through the exercise of reasonable diligence could not have known, that he or she violated HIPAA; (iii) demonstrating that the failure to comply with HIPAA was due to "reasonable cause and not to willful neglect" and was cured within thirty (30) days from the first date that the person liable knew, or by exercising reasonable diligence should have known, that the failure to comply occurred; or (iv) demonstrating that payment of such a penalty would be excessive relative to the compliance violation. The final rule notes that the statute of limitations also is an affirmative defense to imposition of CMPs.

The final rule clarifies that a covered entity may raise the defense that an asserted violation is punishable as a criminal penalty at any time throughout the hearing and appeal process. This clarification was made to allow covered entities to avoid self-incrimination. The remaining affirmative defenses must be raised in the covered entity's request for a hearing. The "knowledge" involved must be knowledge that a violation has occurred, not simply knowledge of the facts constituting the violation. Knowledge will be imputed to a covered entity if its responsible officers or managers knew of the violation, and may be imputed if other employees or agents knew of the violation unless the covered entity can demonstrate why such knowledge should not be imputed to the managers. The final rule further clarifies that DHHS may waive CMPs if the defense that the penalty is excessive is asserted and if the party can demonstrate that its failure to comply was due to reasonable cause, but that the party did not correct the violation within the thirty (30)-day period required by that defense.

Notification of Noncompliance and of Intention to Impose CMPs

The final rule requires the Secretary to inform a covered entity and any complainant if an investigation or compliance review demonstrates a failure to comply, and then to attempt to resolve the matter by informal means, such as demonstrated compliance or a completed corrective action plan, if possible. If a matter is resolved by informal means, the Secretary must notify the covered entity and any complainant of this fact in writing. Where the Secretary determines that a matter cannot be resolved by informal means, it will so inform the covered entity and will provide the covered entity an opportunity to submit written evidence of mitigating factors or affirmative defenses that may apply. Such information must be submitted to the Secretary within thirty (30) days of the covered entity's receipt of such notification. If, following review of such information, the Secretary finds that no CMP should be imposed, it will provide appropriate notice. If it determines that no violation has occurred following an investigation or compliance review, the Secretary will so inform the covered entity and any complainant in writing.

When the Secretary determines that imposing a CMP is appropriate, it must notify the covered entity in writing of its intent to impose a CMP. The written notice must refer to the statutory basis for the penalty, describe the factual findings underlying the violations that form the basis of the CMP, the reason why the violation carries a penalty, the amount of the proposed penalty, factors considered in arriving at the amount of the penalty, and instructions for responding to the notice. The final rule provides that if DHHS used statistical sampling to determine the number of violations, it must provide its sampling study with this notice.

Unless the covered entity requests a hearing in response to the notice of proposed CMP, the Secretary will notify the covered entity by certified mail of the penalty that has been imposed. Requesting a timely hearing is imperative, because once the covered entity receives this penalty notice, the penalty is final, and the covered entity cannot appeal the penalty. In addition, any "final" determination, which encompasses the notice of proposed determination or the decision of the administrative law judge ("ALJ") if either is not appealed, or the final decision of DHHS, will be published to the public. In response to one commenter's concern that publishing this information could disproportionately injure the covered entity's reputation and cause it to lose business, DHHS indicates that the published notice will contain the entire final opinion, which the public can read to discern the nature and extent of the violation. The Secretary is empowered to settle any CMP under these sections and to collect any CMP by way of an administrative offset of federal or state funds due to the covered entity. No CMP may be imposed more than six (6) years from the date of the violation.

Process of Investigations

The Secretary may subpoena witnesses and other evidence during its compliance investigations. Such subpoenas are enforceable through the United States District Courts for the district where the subpoenaed person resides or where the covered entity transacts business. Investigational inquiries are nonpublic proceedings, but witnesses must testify under oath. The proceedings at such inquiries will be transcribed and the witness will be required to review, propose corrections to, and sign the transcript within thirty (30) days of being notified that the transcript is ready for inspection. The final rule notes that information obtained during an investigation may be used by DHHS for purposes outside of the HIPAA investigation.

Hearing and Appeals Process

Following notification that the Secretary has decided to impose a CMP, the covered entity may seek a hearing before an administrative law judge ("ALJ") by filing a request in writing within ninety (90) days of receiving notice of the proposed penalty. This hearing request: (i) must directly admit, deny, or explain each finding of fact or state that the covered entity is without knowledge to respond; and (ii) must set forth the arguments or contentions that support any defense or opposition to the proposed penalty. Failure to satisfy these "pleading requirements" may result in dismissal of the appeal upon motion of the Secretary. The parties are required to schedule a prehearing conference, with at least fourteen (14) days' advance notice, to define the issues to be addressed at the appellate hearing, and to consider the protection of individually identifiable health information during the hearing.

The hearing is similar to a civil trial in that both parties may be represented by counsel, conduct certain types of discovery, present evidence, present and cross-examine witnesses, present oral arguments, and submit written briefs. The hearing differs from a trial in significant ways, however, in that: (i) either party may present a witness statement rather than arrange for witness testimony as long as it provides the statement and the witness' address in sufficient time to permit a motion to be filed at least thirty (30) days in advance of the hearing to subpoena the witness; (ii) the ALJ may, but is not required to, comply with the Federal Rules of Evidence; and (iii) discovery may be conducted only by requests for production of documents, whereas interrogatories, requests for admission, and depositions are not permitted. DHHS rationalizes this approach by stating that conducting more than limited discovery would result in significant delays and costs.

The covered entity has the burden of proving any affirmative defenses, a challenge to the amount or scope of the proposed penalty, and any contention that the proposed penalty should be waived. The Secretary has the burden of proof with respect to all other issues, including liability and factors that are considered aggravating in nature. In satisfying its burden of proving the violation, the Secretary may introduce results of a statistical sampling study to demonstrate the number of violations that have occurred, but it must provide the statistical study with its notice of determination to impose a CMP. The covered entity may oppose such model with its own sampling study, which must be supplied thirty (30) days prior to the administrative hearing, or may provide evidence of the actual number of violations.

Within sixty (60) days after the expiration of the time for submission of post-hearing and reply briefs, if permitted, the ALJ will issue a decision based on the record, in which he or she may affirm, increase, or reduce the penalties imposed by the Secretary. If not appealed, the ALJ's decision is final and binding sixty (60) days after the decision is served upon the covered entity. However, the decision may be appealed to the DHHS Departmental Appeals Board within thirty (30) days of the date the decision is served, and any appeal must be accompanied by a written brief detailing the reasons for the appeal. A party may be able to raise an affirmative defense for the first time at this stage to be considered by the Board, if applicable. DHHS then has thirty (30) additional days to file an opposition brief, and the Board may permit a reply brief. The Board then has sixty (60) days following the expiration of the time for submission of briefs and reply briefs, if allowed, to issue its written decision. An aggrieved party may request reconsideration within sixty (60) days of service of the decision or may request judicial review of the Board's determination by the appropriate U.S. Court of Appeals. No error in the admission or exclusion of evidence, nor any error in any ruling or order by the ALJ, is grounds for vacating or modifying the determination of the ALJ, unless the refusal to take such action appears to the ALJ and the Board to be "inconsistent with substantial justice."
