HHS Recognizes Value of Measured Approach to Enforcement in HIPAA Final Rule
This article was also published in the CCH Health Care Compliance Letter, April 3, 2006.
In this article we will illuminate the government's approach to Health Insurance
Portability and Accountability Act of 1996 (HIPAA) compliance as reflected in the
final enforcement rule. Additionally, we will explain the provisions addressing the
two modes of compliance review, enforcement through "informal means," the
imposition of civil money penalties, the abilities of covered entities to demonstrate
affirmative defenses to the imposition of civil money penalties, and notice and hearing
requirements for imposition of civil money penalties. Covered entities should
familiarize themselves with these new provisions to make any adjustments and
fine-tune their HIPAA compliance efforts as necessary.
The Department of Health and Human Services' (HHS) long-awaited final rule on
the HIPAA administrative simplification enforcement provisions was published on
February 16, 2006. Final Rule, 71 Fed. Reg. 8389 (Feb. 16, 2006). (An interim final
rule promulgating procedural requirements for imposition of civil money penalties,
"Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and
Hearings," was published on April 17, 2003 (68 Fed. Reg. 18,895), and was effective
on May 19, 2003, with a sunset date of September 16, 2004 (as corrected at 68
Fed. Reg. 22,453 (Apr. 28, 2003)). The sunset date of the April 17, 2003, interim
final rule was extended to September 16, 2005, on September 15, 2004 (69 Fed.
Reg. 55,515), and was further extended to March 16, 2006, on September 14, 2005
(70 Fed. Reg. 54,293).) This final rule amends the existing rules relating to the
enforcement of privacy non-compliance rules, applying them to all of the HIPAA
administrative simplification provisions, e.g., the privacy, security, and transaction
code set standard rules. The final enforcement rule provides details about the investigation
process, the basis for civil money penalty (CMP) liability and determining
civil money penalty amounts, and generally provides certain procedural protections
and provisions with regard to HIPAA covered entities. The effective date of the
final rule is March 16, 2006.
Resolution by "Informal Means"
As HHS notes in the preamble to the final rule, one of the department's fundamental
considerations in shaping the final rule was to facilitate the movement from noncompliance
to compliance by promoting and encouraging voluntary compliance with the
HIPAA administrative simplification provisions. This consideration is reflected in
HHS's scaled approach to enforcement. As the final rule provides, when HHS identifies
a covered entity's noncompliance through either a complaint investigation or a compliance
review, HHS must attempt to reach a resolution of the matter by informal means.
The rule explains that "informal means" may include demonstrated compliance by
the covered entity, a completed corrective action plan, or other satisfactory resolution
of an alleged or identified violation. The significance of this aspect of the final
rule is that the government is codifying its tiered approach to HIPAA enforcement
by encouraging compliance by covered entities through cooperation in the form of
action plans or plans of correction rather than imposing compliance by resorting to
punitive enforcement actions, such as civil money penalties.
Notification of Resolution or Request for Additional Evidence
If an alleged or identified violation is resolved by informal means, HHS is required
to inform the covered entity and the complainant of the resolution in writing. If the
matter is not resolved by informal means, HHS must inform the covered entity and
provide it an opportunity to submit evidence of mitigating factors or affirmative
defenses that would potentially resolve the issue informally. Such response by the
covered entity to HHS must be submitted within 30 days of HHS's notice to the
covered entity.
Notification of Findings After Any Submitted Information is Received and Reviewed by HHS
If HHS finds that a civil money penalty should be imposed, HHS will inform the
covered entity of its findings through a notice of proposed determination sent by certified
mail. Conversely, if, based on the covered entity's submission, HHS finds
there was no evidence of noncompliance, HHS will inform the covered entity and
the complainant of its findings.
Statistical Support for Measured Approach
With respect to its intended approach to HIPAA enforcement, in the preamble, HHS
notes that as of October 31, 2005, it had received over 16,000 privacy complaints
from health care consumers. It further notes that 60 percent of these cases have been
resolved informally or otherwise closed to date, indicating that HHS is receiving
cooperation from covered entities and that covered entities are quickly addressing
compliance problems through corrective action. Thus, with these statistics as support,
it appears that HHS recognizes the value in taking a measured approach to
HIPAA enforcement, rather than immediate corrective action through the imposition
of civil money penalties.
HHS Review
As noted above, the HIPAA enforcement rule contemplates two ways in which a
covered entity may be subject to review by HHS. First, HHS will investigate complaints
that are lodged against covered entities by health care consumers or other
individuals. Even in the absence of a specific complaint, however, HHS may
conduct a "compliance review" of covered entities. The government most likely
gave itself this ability to conduct compliance reviews of covered entities' HIPAA
programs to address issues that can often be brought to HHS's attention regarding a
covered entity's operational practices but have not necessarily been identified by an
individual or do not stem from a specific complaint. For example, the media sometimes
identify particular concerns or issues with operational aspects of health
care providers' practices that may raise HIPAA concerns. In that event, HHS has
enabled itself to review a covered entity's compliance so that it can take appropriate
enforcement action if violations are identified.
Covered Entity Liability for Violations
The final enforcement rule outlines the methods for imposition of civil money penalties.
These new provisions provide that if HHS determines that more than one covered
entity was responsible for a violation, it will impose a civil money penalty against each
of the covered entities. In addition, the rule provides that a covered entity that is a
member of an affiliated covered entity is jointly and severally liable for a civil money penalty for violation of the rules unless it is established that one particular member of the affiliated covered entity was responsible for that violation.
Workforce Violations
The final rule further provides guidance for covered entities with respect to their liability
for their workforce's compliance violations. Significantly, the stated basis for
a civil money penalty sanction includes specific reference to the federal common
law of agency. This provision provides that covered entities are liable for a violation
of the HIPAA rules based on the acts or omissions of any agent of the covered
entities, including a workforce member, who is acting within the scope of his or
her agency.
Business Associates
The rule explicitly excludes business associates from such direct liability, assuming
that the covered entity has complied with the applicable requirements pertaining to
business associate agreements and business associates' obligations under the administrative
simplification rules, and provided that the covered entity did not know of a
pattern of activity or practice of the business associate nor failed to act upon such
pattern or practice if it did know. In such cases, a covered entity will not be held
liable for acts or omissions of its business associate.
Amount of Civil Money Penalty
HHS may not impose a civil money penalty that is more than $100 for each violation
or in excess of $25,000 for identical violations during a calendar year. The
enforcement rule provides, however, that if a requirement or prohibition in
one administrative simplification provision is repeated in a more general form in
another provision under the same subpart, a civil money penalty may be imposed for
a violation of only one of those administrative simplification provisions.
Calculating the Amount of the Penalty
With respect to calculation of the amount of the civil money penalty, the rule notes
that in the case of continuing violations of the provisions, a separate violation occurs
each day the covered entity is in violation of the provision. Consequently, even
though the actual amount of a civil money penalty is limited to $100, that $100 may
be assessed on a daily basis for the period of time a covered entity is out of compliance
with the provision. As noted above, however, the total penalty is limited to no
more than $25,000 for the same violations in a calendar year. Moreover, in assessing
the number of violations that have occurred, the rule requires HHS to base its
assessment on the nature of the covered entity's obligation to act or not act under the
provisions violated. For example, HHS must assess whether the violation involved
the failure to respond within a certain time frame or acting or not acting with respect
to certain persons.
Mitigating Factors
In determining the amount of the civil money penalty, the provisions permit, but do
not require, HHS to consider certain aggravating or mitigating factors. The factors
HHS may consider in assessing a civil money penalty include:
- the nature of the violation; and
- the circumstances of the violation, including:
  - the time periods during which it occurred,
  - whether the violation caused any physical harm,
  - whether it hindered any individual's ability to obtain health care, and
  - whether the violation resulted in any financial harm.
Additional factors HHS may take into consideration include the degree of culpability
of the covered entity, including whether the violation was intentional and whether
it was beyond the direct control of the covered entity; any prior compliance
history of the covered entity, including previous violations; the financial condition
of the covered entity; and other matters "as justice may require."
Affirmative Defenses
Importantly, the final rule makes available to covered entities three affirmative
defenses, which if established, prevent HHS from imposing a civil money penalty.
The bases for the affirmative defenses include:
- the violation is an act punishable under 42 U.S.C. § 1320d-6 (the statutory
provisions outlining criminal penalties for wrongful disclosure of individually
identifiable health information);
- violations about which the covered entity did not have knowledge
("determined in accordance with the federal common law of agency") and,
by exercising reasonable diligence, would not have known; and
- the violation was due to reasonable cause, not willful neglect, and was
corrected during a 30-day period beginning on the date the covered entity
knew or should have known that the violation had occurred.
These affirmative defenses are significant because covered entities that conduct
regular and ongoing compliance and promptly address HIPAA issues when they are
identified will have positioned themselves well for establishing an affirmative
defense if a complaint is lodged and HHS investigates.
Notice of Intent to Impose a Penalty
The enforcement rule provides appropriate provisions for notice to the covered
entity of HHS's intention to impose a civil money penalty. Such notice must be sent
by certified mail, return receipt requested, and must include the statutory basis for
the penalty, a description of the findings of fact regarding the violations, the reasons
the violations subject the covered entity to a penalty, the amount of the proposed
penalty, any factors HHS considered in assessing the amount and instructions for
responding to the notice, including the covered entity's right to a hearing.
Hearing Rules and Procedures
The covered entity must request a hearing before an administrative law judge
within 90 days of the notice.
The final rule contains the procedures for the hearings, including provisions for pre-hearing
conferences, discovery, exchange of witness lists, statements and exhibits, subpoenas
and attendance at hearings, motions, evidence and establishing the hearing record.
Rules for Statistical Sampling
Of particular note are the provisions addressing statistical sampling. The hearing
rules specifically permit HHS to introduce results of a statistical sampling study as
evidence of the number of violations of the rule that was used in determining the
amount of the civil money penalty.
The rule provides that the statistical study must be based upon an appropriate
sampling and computed by valid statistical methods, in which case it constitutes
prima facie evidence of the number of violations. As a result of these provisions,
HHS is permitted to estimate the number of violations, rather than prove the exact
number that occurred, arguably granting HHS significant discretion in determining
civil money penalty amounts.
Further Appeal Rights
Finally, the hearing rules ultimately provide that the administrative law judge's
decision may be appealed to the Departmental Appeals Board and, if the covered
entity is dissatisfied with the decision of the Board, the covered entity may request
judicial review in federal district court.
Conclusion
While the final enforcement rules grant a certain amount of discretion to the
government in the oversight of the administrative simplification provisions, they
nevertheless reflect a certain willingness on the part of the government to recognize
covered entities' good faith attempts at HIPAA compliance. These provisions should
serve to encourage covered entities to continually review and update their HIPAA
compliance efforts to demonstrate to the government that they make good faith
efforts not only to prevent violations, but to timely correct them when they are
identified. If a violation is identified by HHS, such compliance efforts should have
a significant impact on HHS's ultimate decision as to whether to resolve the issue
informally or to impose civil money penalties.
Copyright© 2006, Ober, Kaler, Grimes & Shriver