The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.
On March 16, 2006, the Final Rule for enforcing violations of HIPAA went into effect. Learn how the Final Rule gives the Secretary of Health and Human Services, or his or her designee, the authority to investigate complaints of violations of HIPAA and to impose civil monetary penalties on covered entities that violate any of HIPAA’s provisions.
by David G. Jensen
Factual Background and Working Principles
On March 16, 2006, the Final Rule for enforcing violations of HIPAA went into effect. The Final Rule gives the Secretary of Health and Human Services ("HHS"), or his or her designee, the authority to investigate complaints of violations of HIPAA and to impose civil monetary penalties on covered entities that violate any of HIPAA’s provisions. The phrase “any of HIPAA’s provisions” is significant because it means that HHS may impose a monetary penalty on a covered entity for violating the Security or Transaction Standards, as well as for violating one of the provisions of the Privacy Rule.
For instance, a covered entity could violate the Security Standards by failing to designate a person to be responsible for developing and implementing applicable policies and procedures, or by failing to have passwords on the covered entity’s computers. The covered entity could violate the Transaction Standards by conducting an electronic transaction in a standard other than one sanctioned by HIPAA. Or, a covered entity could violate the Privacy Rule by failing to give each patient a Notice of Privacy Practices, or by acting in contravention of one of the rights that patients have under the Privacy Rule.
The Final Rule on Enforcement contains, among other matters, rules for investigating alleged violations of HIPAA; rules for determining liability under HIPAA; rules for calculating the amounts of penalties assessed for violating HIPAA; rules for waiving penalties; and rules for conducting hearings. Most of these rules are not relevant to covered entities; they are more germane to attorneys defending covered entities accused of violating HIPAA. Consequently, covered entities do not have to have an encyclopedic knowledge of the Final Rule. However, they should have a working knowledge of the complaint, investigation, and enforcement process, both for the sake of the knowledge itself and as a spur towards compliance. This article explains some of the more important and fundamental aspects of the Final Rule on Enforcement. As we shall see, the Final Rule has good, bad, and ugly aspects to it.
Any person who believes that a covered entity is not complying with HIPAA has the right to file a complaint with HHS.1 However, this right to file a complaint is not limited to patients; other covered entities, i.e., other providers or insurance companies, or anyone for that matter, may file complaints regarding alleged violations of HIPAA.
The complaint can be filed with HHS on paper or electronically, but it must name the provider who allegedly violated HIPAA and describe the acts or omissions that are believed to have violated HIPAA.2 The complaint, however, does not have to be signed by the complainant or made under penalty of perjury. There is also no basis in HIPAA for penalizing a person who files a false or malicious complaint. There is a time limit for filing complaints: each complaint is supposed to be filed within 180 days of the date when the complainant knew or should have known that the act or omission occurred, but the Secretary of HHS can waive this time limit for good cause.3
Once the complaint has been filed, one of two things will happen. HHS may decide not to investigate the complaint. 45 CFR 160.306(c) says that the “Secretary may investigate complaints,” with the operative word being may. The Secretary has stated that “[N]ot all complaints need to be investigated.”4 For instance, HHS has stated that it will not investigate complaints for actions that occurred prior to the compliance date of the provision allegedly violated; nor will HHS investigate complaints regarding actions by providers who are not covered entities.5
The good news in the Enforcement Rule is that there seems to be a willingness by HHS to resolve complaints of violations of HIPAA informally, which means without the imposition of monetary penalties. HHS may even provide technical assistance to covered entities to help them comply with HIPAA.6 This inclination towards informal resolution, however, does not mean that a covered entity can do anything it wants in terms of violating HIPAA and have the matter resolved informally. It means that innocent or accidental mistakes will probably be resolved informally. Reckless or intentional misconduct will undoubtedly be pursued more aggressively and punished more severely.
Any complaint process can be abused, which means that HHS may scrutinize a covered entity’s compliance with HIPAA because of the filing of a fabricated complaint. Covered entities are, to a certain extent, placed behind the eight ball. Since this is the reality of the situation, covered entities should be prepared to prove themselves right should HHS “come-a-knocking” regarding their compliance efforts. Certainly, no one wants to go through a government investigation, but, because of the complaint process, providers may be forced to defend themselves.
If HHS decides to investigate the complaint, it will send a written communication to the covered entity stating that it is investigating, with the communication describing the acts or omissions that constitute the basis of the complaint.7 HHS has the authority to subpoena witnesses and documents as part of its investigation.8 The investigation may include a review of the covered entity’s policies, procedures, or practices.9
Once HHS has completed its investigation, one of three things may occur. The first thing that may occur is that HHS may close the case in favor of the covered entity because it determines that the covered entity did not violate HIPAA. HHS will inform the covered entity and the complainant of its determination.10
Assuming HHS believes that a covered entity has violated HIPAA, the second thing that may occur is that the matter gets resolved on terms satisfactory to HHS via informal means, which could include such things as demonstrated compliance, a completed corrective action plan, or other agreement.11 This scenario is likely to be used when it is clear that a covered entity has violated HIPAA, but can achieve compliance voluntarily. In such a case, HHS may close the case without imposing a monetary penalty.12
If the complaint is not resolved by informal means, the Secretary will inform the covered entity and will allow the covered entity to submit written evidence of any mitigating factors or affirmative defenses.13 Mitigating factors are things such as the nature of the violation; the circumstances surrounding the violation; the degree of culpability of the covered entity; a history of compliance; and the financial condition of the covered entity.14
Affirmative defenses would include circumstances that made it unreasonable for the covered entity, despite exercising ordinary care and prudence, to comply with the administrative simplification provisions.15 This is an area where the attorney representing the covered entity would gather facts and make the most cogent arguments possible as to why it was unreasonable for the therapist to comply with the provision of HIPAA that was allegedly violated.
After considering any mitigating factors and/or affirmative defenses, HHS could decide to close the case without imposing a monetary penalty.16 This is unlikely, however, because HHS probably would not have taken the complaint so far without clear evidence of noncompliance. The more likely scenario is that HHS will inform the covered entity that it will be seeking to impose a monetary penalty.17
HHS has the legal authority to impose a monetary penalty against a covered entity when it determines that the covered entity has violated HIPAA.18 The amount of this penalty may not be more than $100 for each violation, or in excess of $25,000 for “identical violations” occurring from January 1 through December 31 of the same year.19 HHS determines the number of violations.20
This concept of “identical violations” allows HHS to assess a monetary penalty and then multiply it by the number of days that the violation has occurred. For instance, suppose that a provider has one patient and the provider became a covered entity on March 1, 2005. As a result of being a covered entity, the provider was required to give a Notice of Privacy Practices to the patient on March 1, 2005, but the Notice was not given to the patient until April 1, 2005, which is a delay of thirty-one days. This failure to do so is a clear violation of HIPAA. But, in failing to do this one thing, has the provider violated HIPAA one time? Or, has the provider violated HIPAA thirty-one times by not giving the Notice? In other terms: is this a one hundred dollar fine ($100 x one violation = $100), or a thirty-one hundred dollar fine ($100 x thirty-one separate violations = $3,100)?
Embedded within the concept of an “identical violation” is the concept of a “continuing violation,” which is a type of violation that recurs each day that the covered entity is in violation of HIPAA.21 This means that under HIPAA the amount of any fine may be multiplied by the number of days that the covered entity has been found to have violated HIPAA. Consequently, in the hypothetical mentioned above, the provider would potentially be looking at a fine of at least thirty-one hundred dollars, not one hundred dollars.
But, before one worries about financial ruin as the result of the imposition of onerous fines, consider the following: First, a situation such as the one described above could possibly settle via informal means, which, again, means that the complaint would be resolved without the imposition of monetary penalties. Second, HHS does not have to assess the maximum amount of the penalty. HHS is not likely to assess a penalty that would jeopardize the covered entity’s survival as a business entity.22 The attorney representing the covered entity would present facts to evidence that a proposed fine is onerous. Additionally, even if a penalty has been assessed, HHS has the legal authority to waive the penalty, in whole or in part.23 Consequently, upon reconsideration, the fine could be expunged or reduced.
Finally, it is possible to have HHS’s determination reviewed by an Administrative Law Judge (ALJ),24 who may affirm, increase, or reduce the penalties imposed by HHS.25 And, the matter may not end there. The ALJ’s decision can be appealed by the covered entity to the HHS Departmental Appeals Board,26 with such Board having the authority to affirm, increase, reduce, reverse or remand, any penalty as determined by the ALJ.27
Paying or Collecting the Monetary Penalty
If HHS assesses a fine against a covered entity for violating HIPAA, although the covered entity’s malpractice insurance policy will probably cover the cost of attorney fees for defending the covered entity during the government’s investigation, any resulting monetary penalty would probably have to be paid by the covered entity. Malpractice policies do not typically cover the imposition of fines.
Once a proposed penalty becomes final, it will be collected by HHS, unless compromised. If not paid, the Secretary of HHS may bring a collection action in the federal district court where the covered entity resides, is found, or is located.28 Moreover, HHS may, if necessary, collect the penalty by taking funds owed to the covered entity from federal or state sources and then using such funds to offset the monetary penalty.29
Another aspect of the Enforcement Rule is that HHS, once the monetary penalty has become final, will notify the BBS, as well as the public and other interested organizations, possibly including CAMFT, of the imposition of the penalty and the reasons for it. Such action could result in the BBS taking its own action against the licensee or registrant for the violation.30 Final decisions of the ALJs and the Departmental Appeals Board are made public via the Departmental Appeals Board’s website.
Another way that one can become the subject of an HHS investigation involves the compliance review.31 The purpose of such a review is to determine whether a covered entity is complying with HIPAA. HHS will initiate these reviews, not because anyone has formally complained about the covered entity, but because HHS has learned, in some manner, of possible violations of HIPAA (noncompliance) by the covered entity. What might happen, for example, is that HHS will learn the name of a covered entity from the investigation of another covered entity’s alleged violations of HIPAA and then act on such information via a compliance review.
Complaints, compliance reviews, government investigations, subpoenas, monetary penalties, and possible BBS investigations, among other things, are all part of the legal landscape for covered entities under the Enforcement Rule. For marriage and family therapists who are covered entities, the challenge is clear: make sure you are in compliance so that, should someone file a complaint against you, the investigation can be successfully responded to at the earliest possible stage. For therapists who are not covered entities, should someone nevertheless file a complaint, you will need to show that you are not a covered entity.
David Jensen, J.D., is a Staff Attorney at CAMFT. David is available to answer member calls regarding business, legal, and ethical issues.
1 45 CFR 160.306(a)
2 45 CFR 160.306(b)(1) and (2)
3 45 CFR 160.306(b)(3)
4 Federal Register, Vol. 71, No. 32, Thursday, February 16, 2006, Rules and Regulations, page 8396
5 Federal Register, Vol. 71, No. 32, Thursday, February 16, 2006, Rules and Regulations, page 8396
6 45 CFR 160.304(b)
7 45 CFR 160.306(c)
8 45 CFR 160.314(a)
9 45 CFR 160.306(c)
10 45 CFR 160.312(b)
11 45 CFR 160.312(a)
12 Federal Register, Vol. 71, No. 32, Thursday, February 16, 2006, Rules and Regulations, page 8400
13 45 CFR 160.312(a)(3)
14 45 CFR 160.408
15 45 CFR 160.410
16 45 CFR 160.410(b)
17 45 CFR 160.312(a)(3)(ii)
18 45 CFR 160.402(a)
19 45 CFR 160.404(b)
20 45 CFR 160.406
21 45 CFR 160.406
22 Federal Register, Vol. 71, No. 32, Thursday, February 16, 2006, Rules and Regulations, page 8408
23 45 CFR 160.412
24 45 CFR 160.504
25 45 CFR 160.546(b)
26 45 CFR 160.548
27 45 CFR 160.548(g)
28 45 CFR 160.424(b)
29 45 CFR 160.424
30 California Business & Professions Code § 141
31 45 CFR 160.308