HIPAA Regulatory Alert

Administrative simplification enforcement rule in effect

Rule reinforces HHS approach to enforcement, experts say

The Department of Health and Human Services published the final enforcement rule for all HIPAA Administrative Simplification rules with an effective date of March 16, 2006. The final enforcement rule applies to the HIPAA EDI, privacy, and security rules, and the HIPAA unique identifiers.

Officials with the Segal Co., a benefits consulting firm, say the final rule reinforces the department's basic approach to enforcement — it will rely on complaints to identify violations, seek voluntary compliance through informal means, and provide technical assistance to help covered entities comply. It only will open a process that could lead to civil money penalties if a complaint is not resolved informally.

To open a process leading to monetary penalties, HHS must issue a "notice of proposed determination" that includes, among other things, a description of an alleged violation and the amount of the proposed penalty. The department has the authority to assess a penalty of up to $100 per day for each violation (a maximum of $25,000 per calendar year for identical violations).

Factors affecting the amount of a proposed penalty, according to Segal's Capital Checkup, are the nature of the violation, the circumstances (including the consequences) of the violation, the degree of the covered entity's culpability, the covered entity's history of compliance or non-compliance with the Administrative Simplification rules, and the financial condition of the covered entity.

Generally, the rule says a covered entity is liable for the acts or omissions of any agent, including a work force member, acting within the scope of the agency. But there is an important, limited exception for business associates. Segal's analysis says a covered entity is not liable for the acts or omissions of business associates if (1) the covered entity has a written business associate contract in place with that business associate and the contract complies with the applicable HIPAA privacy and security rule requirements, and (2) if the covered entity knew of a pattern of activity or practice of the business associate and the covered entity took reasonable corrective action.

Seattle technology attorney John Christiansen tells HIPAA Regulatory Alert he was somewhat surprised that the violation definitions in the new law are stronger than had been expected and have the potential for greater penalties.

The bottom line for organizations

While acknowledging that the Department of Health and Human Services intends to remain complaint-driven in its enforcement approach and work cooperatively with entities that are making a good faith effort, Christiansen says the department could use the concept of continuing violations to rack up huge civil monetary penalties if necessary to make a point.

"It's clear they are not funding investigators and responders well and so will remain complaint-driven," he says. "But they have a lot of leverage if they do go after a problem."

Christiansen says he also can see the strengthened violation definitions being used by trial attorneys involved in commercial disputes in which HIPAA violations are among the concerns being raised. "If I were litigating, I could write quite a brief now that we have this much specificity," he says.

The bottom line for organizations, he says, is the need to make a good faith effort to comply with the rules. "If you are acting in good faith, the department is supposed to meet you and work with you collaboratively," he explains. "But if something major happens, regulators may see a need to intervene and have a lot at their disposal."

Christiansen says the final rule is an improvement of the draft due to the greater clarity and specificity that was included.

Contact John Christiansen at (206) 301-9412 or e-mail john@christiansenlaw.net.