[Federal Register Volume 71, Number 32 (Thursday, February 16, 2006)]
[Rules and Regulations]
[Pages 8390-8433]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 06-1376]

Part III

Department of Health and Human Services

Office of the Secretary

45 CFR Parts 160 and 164

HIPAA Administrative Simplification: Enforcement; Final Rule

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB29

HIPAA Administrative Simplification: Enforcement

AGENCY: Office of the Secretary, HHS.

ACTION: Final rule.

SUMMARY: The Secretary of Health and Human Services is adopting rules for the imposition of civil money penalties on entities that violate rules adopted by the Secretary to implement the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA). The final rule amends the existing rules relating to the investigation of noncompliance to make them apply to all of the HIPAA Administrative Simplification rules, rather than exclusively to the privacy standards. It also amends the existing rules relating to the process for imposition of civil money penalties. Among other matters, the final rule clarifies and elaborates upon the investigation process, bases for liability, determination of the penalty amount, grounds for waiver, conduct of the hearing, and the appeal process.

DATES: This final rule is effective on March 16, 2006.

FOR FURTHER INFORMATION CONTACT: Carol C. Conrad, (202) 690-1840.

SUPPLEMENTARY INFORMATION: On April 18, 2005, the Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (proposed rule) proposing to revise the existing rules relating to compliance with, and enforcement of, the Administrative Simplification regulations (HIPAA rules) adopted by the Secretary of Health and Human Services (Secretary) under subtitle F of Title II of HIPAA (HIPAA provisions). 70 FR 20224. The proposed rule also proposed the adoption of new provisions relating to the imposition of civil money penalties on covered entities that violate a HIPAA provision or HIPAA rule. The comment period on the proposed rule closed on June 17, 2005. Forty-nine comments, principally from health care organizations, were received during the comment period.

In this final rule, HHS revises existing rules that relate to compliance with, and enforcement of, the HIPAA rules. These rules are codified at 45 CFR part 160, subparts C and E. In addition, this final rule adds a new subpart D to part 160. The new subpart D contains additional rules relating to the imposition by the Secretary of civil money penalties on covered entities that violate the HIPAA rules. The full set of rules to be codified at subparts C, D, and E of 45 CFR part 160 is collectively referred to in this final rule as the ``Enforcement Rule.'' Finally, HHS makes minor and conforming changes to subpart A of part 160 and subpart E of part 164.

The statutory and regulatory background of the final rule is set out below. A description of the provisions of the proposed rule, the public comments, and HHS's responses to the comments follows. The preamble concludes with HHS's analyses of impact and other issues under applicable law.

I. Background

A. Statutory Background

Subtitle F of Title II of HIPAA, entitled ``Administrative Simplification,'' requires the Secretary to adopt national standards for certain information-related activities of the health care industry. Under section 1173 of the Social Security Act (Act), 42 U.S.C. 1320d-2, the Secretary is required to adopt national standards for certain financial and administrative transactions, code sets, the security of health information, and certain unique health identifiers. In addition, section 264 of HIPAA, 42 U.S.C. 1320d-2 note, requires the Secretary to promulgate standards to protect the privacy of certain health information.

Under section 1172(a) of the Act, 42 U.S.C. 1320d-1(a), the provisions of Subtitle F apply only to--

The following persons:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).

These entities are collectively known as ``covered entities.'' \1\

\1\ An additional category of covered entities was added by the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108-173) (MMA). As added by MMA, section 1860D-31(h)(6)(A) of the Act, 42 U.S.C. 1395w-141(h)(6)(A), provides that a prescription drug card sponsor is a covered entity for purposes of applying part C of title XI and all regulatory provisions promulgated thereunder, including regulations (relating to privacy) adopted pursuant to the authority of the Secretary under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note).

HIPAA requires certain consultations with industry as a predicate to the issuance of the HIPAA standards and provides that most covered entities have up to 2 years (small health plans have up to 3 years) to come into compliance with the standards, once adopted. Act, sections 1172(c) (42 U.S.C. 1320d-1(c)), 1175(b) (42 U.S.C. 1320d-4(b)). The statute establishes civil money penalties and criminal penalties for violations. Act, sections 1176 (42 U.S.C. 1320d-5), 1177 (42 U.S.C. 1320d-6). HHS enforces the civil money penalties, while the U.S. Department of Justice enforces the criminal penalties.

HIPAA's civil money penalty provision, section 1176(a) of the Act, 42 U.S.C. 1320d-5(a), authorizes the Secretary to impose a civil money penalty, as follows:

(1) IN GENERAL. Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part [42 U.S.C. 1320d, et seq.] a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

(2) PROCEDURES. The provisions of section 1128A [42 U.S.C. 1320a-7a] (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1128A.

For simplicity, we refer throughout this preamble to this provision, the related provisions at section 1128A of the Act, and other related provisions of the Act, by their Social Security Act citations, rather than by their U.S. Code citations.

Subsection (b) of section 1176 sets out limitations on the Secretary's authority to impose civil money penalties and also provides authority for waiving such penalties.
Under section 1176(b)(1), a civil money penalty may not be imposed with respect to an act that ``constitutes an offense punishable'' under the related criminal penalty provision, section 1177 of the Act. Under section 1176(b)(2), a civil money penalty may not be imposed ``if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision.'' Under section 1176(b)(3), a civil money penalty may not be imposed if the failure to comply was due ``to reasonable cause and not to willful neglect'' and is corrected within a certain time. Finally, under section 1176(b)(4), a civil money penalty may be reduced or entirely waived ``to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.''

As noted above, section 1176(a) incorporates by reference certain provisions of section 1128A of the Act. Those provisions, as relevant here, establish a number of requirements with respect to the imposition of civil money penalties. Under section 1128A(c)(1), the Secretary may not initiate a civil money penalty action ``later than six years after the date'' of the occurrence that forms the basis for the civil money penalty.
Under section 1128A(c)(2), a person upon whom the Secretary seeks to impose a civil money penalty must be given written notice and an opportunity for a determination to be made ``on the record after a hearing at which the person is entitled to be represented by counsel, to present witnesses, and to cross-examine witnesses against the person.'' Section 1128A also provides, at subsections (c), (e), and (j), respectively, requirements for: Service of the notice and authority for sanctions which the hearing officer may impose for misconduct in connection with the civil money penalty proceeding; judicial review of the Secretary's determination in the United States Court of Appeals for the circuit in which the person resides or maintains his/its principal place of business; and the issuance and enforcement of subpoenas by the Secretary.

In addition, section 1128A of the Act contains provisions relating to liability for civil money penalties and what measures must be taken once they are imposed. For example, section 1128A(d) provides that the Secretary must take into account certain factors ``in determining the amount * * * of any penalty''; section 1128A(h) requires certain notifications once a civil money penalty is imposed; and section 1128A(l) makes a principal liable for penalties ``for the actions of the principal's agent acting within the scope of the agency.'' These provisions are discussed more fully below.

B. Regulatory Background

As noted above, section 1173 of the Act and section 264 of HIPAA require the Secretary to adopt a number of national standards to facilitate the exchange, and protect the privacy and security, of certain health information. The Secretary has already adopted many of these HIPAA standards by regulation.
These regulations consist of the following: Health Insurance Reform: Standards for Electronic Transactions (Transactions Rule); Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); Health Insurance Reform: Standard Unique Employer Identifier (EIN Rule); Health Insurance Reform: Security Standards (Security Rule); and HIPAA Administrative Simplification: Standard Unique Health Identifier for Health Care Providers (NPI Rule). Proposed standards for certain claims attachments were published on September 23, 2005 (70 FR 55990) and proposed standards for health plan identifiers are under development. The history of these and related rules is described in a proposed rule published on April 18, 2005 at 70 FR 20225-20226.

An interim final rule promulgating procedural requirements for imposition of civil money penalties, Civil Money Penalties: Procedures for Investigations, Imposition of Penalties, and Hearings (April 17, 2003 interim final rule), was published on April 17, 2003 (68 FR 18895), and was effective on May 19, 2003, with a sunset date of September 16, 2004 (as corrected at 68 FR 22453, April 28, 2003). The April 17, 2003 interim final rule adopted a new subpart E of part 160. The sunset date of the April 17, 2003 interim final rule was extended to September 16, 2005 on September 15, 2004 (69 FR 55515) and was further extended to March 16, 2006 on September 14, 2005 (70 FR 54293).

The authority for administering and enforcing compliance with the Privacy Rule has been delegated to the HHS Office for Civil Rights (OCR). 65 FR 82381 (December 28, 2000). The authority for administering and enforcing compliance with the non-privacy HIPAA rules has been delegated to the HHS Centers for Medicare & Medicaid Services (CMS). 68 FR 60694 (October 23, 2003).

II. Overview of the Proposed and Final Rules

A. The Proposed Rule

In the proposed rule, we proposed to bring together and adopt rules governing the implementation of the civil money penalty authority of section 1176 of the Act for all of the HIPAA rules. As previously noted, parts of the Enforcement Rule are already in place: subpart C of part 160 establishes certain investigative procedures for the Privacy Rule, and subpart E establishes interim procedures for investigations and for the imposition, and challenges to the imposition, of civil money penalties for all of the HIPAA rules. The proposed rule would complete the Enforcement Rule by (1) making subpart C applicable to all of the HIPAA rules; (2) adopting on a permanent basis most of the provisions of subpart E; and (3) addressing, among other issues, our policies for determining violations and calculating civil money penalties, how we will address the statutory limitations on the imposition of civil money penalties, and various procedural issues, such as provisions for appellate review within HHS of a hearing decision, burden of proof, and notification of other agencies of the imposition of a civil money penalty.

Several fundamental considerations shaped the proposed rule. First, there is one statutory provision for imposing civil money penalties on covered entities that violate the HIPAA rules; thus, the proposed rule sought to establish a uniform enforcement and compliance policy for all of the HIPAA rules to minimize the potential for confusion and burden and maximize the potential for fairness and consistency in enforcement. Second, the proposed rule sought to facilitate the movement from noncompliance to compliance by covered entities by extending to all of the HIPAA rules the regulatory commitment to promoting and encouraging voluntary compliance with the HIPAA rules that currently applies to the Privacy Rule, subpart C of part 160.
Third, the proposed rule sought to minimize confusion with the procedures for investigations and hearings by building upon pre-existing Departmental procedures for investigations and hearings under section 1128A of the Act--the civil money penalty regulations of the Office of the Inspector General, which are codified at 42 CFR parts 1003, 1005, and 1006 (OIG regulations). Fourth, the proposed rule was intended to be clear and easy to understand. Finally, the proposed rule sought to provide the Secretary with reasonable discretion, particularly in areas where the exercise of judgment is called for by the statute or rules, and to avoid being overly prescriptive in areas where it would be helpful to gain experience with the practical impact of the HIPAA rules, to avoid unintended adverse effects.

We proposed to amend subpart A of part 160, which contains general provisions, to include a definition of ``person.'' With respect to subpart C of part 160, we proposed to incorporate several provisions currently found in subpart E and to make subpart C applicable to the non-privacy HIPAA rules. We also proposed to add to part 160 a new subpart D, which would establish rules relating to the imposition of civil money penalties, including those which apply whether or not there is a hearing. We also proposed to incorporate into subpart D several provisions currently found in subpart E. Proposed subpart E addressed the pre-hearing and hearing phases of the enforcement process. Many of the provisions of proposed subpart E were adopted by the April 17, 2003 interim final rule; we did not propose to change them substantively, although we proposed to renumber them. Finally, a conforming change to the privacy standards in subpart E of part 164 was proposed.

B. The Final Rule

While the final rule adopts most of the provisions of the proposed rule without change, several significant changes to certain provisions of the proposed rule have been made in response to comments.
We do not list variables in the final rule, as was proposed, to count the number of violations of an identical requirement or prohibition; rather, the final rule clarifies that the method for determining the number of such violations is grounded in the substantive requirement or prohibition violated. In addition, the ALJ will be able to review the number of violations determined as part of his or her review of the proposed civil money penalty. The provision for joint and several liability of the members of an affiliated covered entity is retained, unless it is established that another member of the affiliated covered entity was responsible for the violation. While we continue to treat section 1176(b)(1) as an affirmative defense, we provide that it may be raised at any time. We retain the provision for statistical sampling, but we provide that, where statistical sampling is used, HHS must provide a copy of the study on which its statistical findings are based with the notice of proposed determination. As a corollary, we provide that a respondent who intends to introduce evidence of its statistical expert at the hearing must provide the study prepared by its expert to HHS at least 30 days prior to the scheduled hearing. We also provide that a respondent will have 90, rather than 60, days in which to file its request for hearing. Other changes made by the final rule are described below.

The Enforcement Rule does not adopt standards, as that term is defined and interpreted under Subtitle F of Title II of HIPAA. Thus, the requirement for industry consultations in section 1172(c) of the Act does not apply. For the same reason, the statute's time frames for compliance, set forth in section 1175 of the Act, do not apply to the Enforcement Rule. Accordingly, the Enforcement Rule is effective on March 16, 2006.

III. Section-by-Section Description of the Final Rule and Response to Comments

We received 49 comments on the proposed rule.
Many of these comments were from associations or interest groups involved in the health care industry. We also received comments from covered entities, a state agency, a law school class, and a number of individuals.

While the comments addressed most of the provisions of the proposed rule, the following 14 sections of the proposed rule received no comment: proposed Sec. Sec. 160.400, 160.418, 160.500, 160.502, 160.506, 160.510, 160.514, 160.524, 160.526, 160.528, 160.530, 160.532, 160.544, and 160.550. We have, accordingly, not changed these sections in the final rule from what was proposed, and we do not discuss them below. The basis and purpose of sections that are unchanged from the proposed rule and are not discussed below are set out in the proposed rule published on April 18, 2005 at 70 FR 20240-20247 and, in certain cases, in the interim final rule published on April 17, 2003 at 68 FR 18895-18901.

A number of comments also expressed support for particular provisions. In most cases, we do not discuss these comments, with which we generally agree, below. Finally, certain comments raised issues concerning other HIPAA rules, such as allegations that a particular entity had violated the Privacy Rule or that particular provisions of a HIPAA rule create a hardship. Such issues are outside the scope of this rulemaking and, accordingly, are not addressed here.

A. Subpart A

Subpart A of the final rule adopts a new definition of the term ``person.'' This definition is placed in Sec. 160.103, which contains definitions that apply to all of the HIPAA rules. Thus, the new definition of ``person'' applies to all of the HIPAA rules.

Proposed rule: We proposed to amend Sec. 160.103 to add a definition of the term ``person'' to replace the definition of that term adopted by the April 17, 2003 interim final rule.
We proposed to define the term ``person'' as ``a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.'' As more fully explained at 70 FR 20227-20228, the proposed definition clarified, consistent with the HIPAA provisions, that the term includes States and other public entities.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: We received one comment on this section, endorsing its application to all of the HIPAA rules.

Response: The definition of ``person'' in the final rule remains the same as proposed.

B. Subpart C--Compliance and Investigations

We amend subpart C to make the compliance and investigation provisions of the subpart--which at present apply only to the Privacy Rule--apply to all of the HIPAA rules. In addition, we include in subpart C the definitions that apply to subparts C, D, and E. We move to subpart C from subpart E the provisions relating to investigational subpoenas and inquiries. We also add to subpart C provisions prohibiting intimidation or retaliation that are currently found in the Privacy Rule but not in the other HIPAA rules. We change the title of this subpart to reflect the focus of this subpart within the larger Enforcement Rule. Aside from a change to Sec. 160.306 and certain minor and conforming changes to Sec. Sec. 160.300, 160.312, 160.314, and 160.316, we do not change the substance of the existing provisions of subpart C.

1. Section 160.300--Applicability

Proposed rule: We proposed to amend Sec. 160.300 (along with Sec. 160.304--Principles for achieving compliance; Sec. 160.306--Complaints to the Secretary; Sec. 160.308--Compliance reviews; and Sec. 160.310--Responsibilities of covered entities) to make the provisions of subpart C applicable to all of the HIPAA rules, instead of applicable only to the Privacy Rule.
The proposed rule would accomplish this by changing the present references in these sections from ``subpart E of part 164'' to the more inclusive, defined term, ``administrative simplification provision'' or ``administrative simplification provisions,'' as appropriate. As explained at 70 FR 20228, the purpose of this proposed change was to simplify and make uniform the compliance and enforcement process for the HIPAA rules.

Final rule: The final rule streamlines the provisions of the proposed rule by substituting the term ``provisions'' for the references to standards, requirements, and implementation specifications in Sec. 160.300.

Comment: A number of comments endorsed the approach of having uniform compliance and enforcement provisions for the HIPAA rules, and no comments disagreed with this approach.

Response: The final rule retains the policy of the proposed rule, consistent with the expression of support for this approach in the public comment, but streamlines the language of the section.

Comment: A couple of comments asked whether ``affiliated entities'' were the same as ``hybrid entities,'' in terms of applying the rule.

Response: As described at Sec. 164.105(b)(2)(i)(A), an affiliated covered entity consists of ``[l]egally separate covered entities [that] designate themselves (including any health care component of such covered entity) as a single affiliated covered entity * * * [where] all of the covered entities designated are under common ownership or control.'' Thus, an affiliated covered entity is comprised of more than one covered entity. By contrast, a hybrid entity is defined at Sec. 164.103 as ``a single legal entity: (1) That is a covered entity; (2) Whose business activities include both covered and non-covered functions; and (3) That designates health care components in accordance with [the regulation].'' The Privacy and Security Rules apply to any covered entity in either arrangement.
The issue of liability for a particular violation with respect to covered entities in an affiliated covered entity is discussed in connection with Sec. 160.402(b) below.

2. Section 160.302--Definitions

Proposed rule: We proposed to move to Sec. 160.302 three definitions that were adopted in the April 17, 2003 interim final rule at Sec. 160.502: ``ALJ'' (Administrative Law Judge), ``civil money penalty or penalty'', and ``respondent.'' We also proposed to add to Sec. 160.302 two terms which are used throughout subparts C, D, and E: ``administrative simplification provision'' and ``violation'' or ``to violate.'' We proposed to define the term ``administrative simplification provision'' in Sec. 160.302 to mean any requirement or prohibition established by the HIPAA provisions or HIPAA rules: ``* * * any requirement or prohibition established by: (1) 42 U.S.C. 1320d-1320d-4, 1320d-7, and 1320d-8; (2) Section 264 of Public Law 104-191; or (3) This subchapter.'' We proposed to define a ``violation'' (or ``to violate'') to mean a ``failure to comply with an administrative simplification provision.'' As more fully explained at 70 FR 20228-20229, both definitions derive directly from the statutory language, and both definitions function consistently and fairly across the various HIPAA rules.

Final rule: The final rule adopts the provisions of the proposed rule.

a. ``Administrative Simplification Provision''

Comment: One comment expressed general support for the definitions. Another comment stated that the definition of ``administrative simplification provision'' should be revised to include only standards. The comment argued that this approach would be more consistent with the statute, which provides that covered entities must comply with standards, not requirements, prohibitions, or other restrictions set forth in the HIPAA rules.

Response: No change is made to the definition of ``administrative simplification provision.'' With respect to the second comment above, we do not agree that the definition of this term should be limited to standards. As discussed at 70 FR 20229, limiting the elements of the HIPAA rules that could be violated to those designated as standards would have the effect of, among other things, insulating from enforcement explicit statutory requirements and prohibitions (e.g., the prohibitions at section 1175(a) of the Act, which the statute terms ``requirements'' and which the Transactions Rule treats as requirements but not standards). We do not agree that Congress intended such an effect. We note, moreover, that the statute explicitly provides for the adoption of implementation specifications. See section 1172(d) of the Act. Furthermore, we disagree with the contention that the statute does not contemplate that violations may be tied to requirements and prohibitions: section 1176(a)(1) speaks of ``violations of an identical requirement or prohibition.''

Comment: Several comments argued that this definition could lead to multiple violations from a single act and lead to more liability than covered entities could reasonably expect. It also was argued that this definition would render almost meaningless the statutory $25,000 cap on liability for violations of an identical provision in a calendar year.

Response: No examples were supplied to illustrate the concern as to how this definition would increase the anticipated liability of covered entities, so we can only respond generally. The prohibition in Sec. 160.404(b)(2) on counting overlapping requirements twice should minimize any such effect. As for violations that might be implicated in a single act and not be insulated by Sec.
160.404(b)(2), we see no reason why they should not be considered as separate violations, since covered entities must comply with all applicable requirements and prohibitions of the HIPAA provisions and rules. Also, the definition does not render the statutory cap meaningless; rather, the ``requirement or prohibition'' language of the definition is taken directly from the part of section 1176(a) that establishes the $25,000 statutory cap (``the total amount imposed on the person for all violations of an identical requirement or prohibition for a calendar year may not exceed $25,000''). Furthermore, for the reasons explained in the preamble to the proposed rule, none of the other possible formulations of what constitutes a ``provision of this part'' works uniformly and fairly across the HIPAA rules. Thus, we retain the definition of ``administrative simplification provision'' as proposed.

b. ``Violation'' or ``Violate''

Comment: One comment asked how the definition of ``violation'' would work with the addressable components of the Security Rule.

Response: With respect to the issue of how this term would apply to the addressable implementation specifications of the Security Rule, we provide the following guidance. Under Sec. 164.306(d)(3)(ii), a covered entity must implement an addressable implementation specification if doing so is ``reasonable and appropriate.'' Where that condition is met, the addressable implementation specification is a requirement, and failure to implement the addressable implementation specification would, accordingly, constitute a violation.
Where that condition is not met, the covered entity must document why it would not be reasonable and appropriate to implement the implementation specification and implement ``an equivalent alternative measure if reasonable and appropriate.'' In this latter situation, creating the documentation referred to is a requirement, and implementing an alternative measure is also a requirement, if doing so is reasonable and appropriate in the covered entity's circumstances; failure to take either required action would, accordingly, constitute a violation.

3. Section 160.304--Principles for Achieving Compliance

Proposed rule: We proposed to amend Sec. 160.304 to make it applicable to all of the HIPAA rules; otherwise, we proposed to leave the rule substantively unchanged. Section 160.304 provides that the Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance. Section 160.304 also provides that the Secretary may provide technical assistance to help covered entities voluntarily comply with the HIPAA rules.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: Many comments supported HHS's approach to voluntary compliance and the use of a complaint-based process to identify and correct noncompliance, on the grounds that it is the most efficient and effective way of obtaining compliance and realizing the benefits of the HIPAA rules. In addition, some contended that, given the confusion of many covered entities with many of the rules' requirements, it is an appropriate approach. However, one comment criticized HHS's reliance on voluntary compliance and informal resolution of complaints on the ground that the statute contemplates that violations of the HIPAA rules should be pursued in the same manner as fraud and abuse cases, that is, through the formal, adversarial process provided for by section 1128A(c).
Another comment stated that HHS's reliance on voluntary compliance has led to lax enforcement and that reliance on a complaint-based system is a fundamentally flawed approach, particularly with respect to enforcement of the Privacy Rule, because HHS has provided insufficient education to consumers, and it is impossible for consumers to complain about a law about which they know very little. Several comments urged that OCR and CMS continue to provide educational materials and guidance to help covered entities comply with the HIPAA rules and to educate consumers about their rights under the Privacy Rule.

Response: We agree that encouraging voluntary compliance is the most effective and quickest way of obtaining compliance in most cases. We do not agree that encouraging voluntary compliance and seeking informal resolution of complaints in individual cases constitutes lax enforcement or that such an approach is inconsistent with our statutory obligations.

Our experience to date with privacy complaints illustrates the effectiveness of our enforcement approach. As of October 31, 2005, OCR had received and initiated reviews of over 16,000 privacy complaints from health care consumers and others across the country. These complaints are widespread and diverse, not only geographically, but also with respect to the type of entity complained against, as well as the Privacy Rule issues raised by the complaints. Complaints are filed against all sizes and types of covered entities, from solo practitioners to hospitals and pharmacy chains, and from health insurance issuers to group health plans, for example. In addition, the complaints implicate a full range of Privacy Rule issues, from uses and disclosures of protected health information to individual rights to administrative requirements.
The variation and expansiveness of the complaints provide HHS with a much broader approach to compliance than would a compliance review system, which likely would need to be targeted to larger institutions and/or a smaller set of concerns. Further, our experience with these cases--68 percent have been resolved or otherwise closed to date--indicates that generally we are receiving good cooperation from covered entities in quickly addressing compliance problems. Such resolutions bring the benefits of the HIPAA rules to consumers far more quickly than would a formalized, adversarial process, which would also be time-consuming and costly for both sides. We also do not agree that the statute contemplates only a formalized, adversarial process; rather, it only requires such a process where a proposed civil money penalty is contested. It is important to note, moreover, that section 1176 contemplates that we would work with covered entities to help them achieve compliance, even when there is an allegation that the covered entity is in violation of the rules. Section 1176 provides that a civil money penalty may not be imposed if the failure to comply was due to reasonable cause and not willful neglect and is corrected within a certain period of time after the covered entity knew or should have known of the compliance failure, and that the Secretary may, in some circumstances, provide technical assistance to the covered entity during that period. Further, an approach that is primarily complaint-based does not limit our ability to perform compliance reviews when appropriate, and this has, in fact, occurred. We will continue to review the effectiveness of our enforcement approach and revise it, if needed. Notwithstanding our above approach, however, we will resort to civil money penalties, as needed, for matters that cannot be resolved by informal means. 
Further, we disagree that persons affected by the Privacy Rule and the other HIPAA rules are unaware of their rights, as evidenced by the large number of complaints that HHS has received from consumers and covered and other entities. HHS has an ongoing program of providing information to the public and guidance to covered entities through the Internet, public speaking and educational events, and toll-free call-in lines. The millions of hits to our Web sites--http://www.hhs.gov/ocr/hipaa for the Privacy Rule and http://www.cms.gov/hipaa/hipaa2 for the other HIPAA rules--suggest that covered entities and the public are increasingly aware of the application of the HIPAA rules to their business activities and lives, respectively, and are able to access the information we have made available. In addition, the American Health Information Management Association issued the results of their latest compliance survey in a report entitled ``The State of HIPAA Privacy and Security Compliance, April 2005,'' which indicated, with respect to the Privacy Rule, that over two-thirds of all hospital and health system patients had some or a complete understanding of their rights and the facility's responsibilities. Nonetheless, while such evidence is encouraging, we recognize that HHS must remain active in providing outreach and public education. We are committed to doing so, and thus, continue to develop educational material for consumers and industry guidance for covered entities.

Comment: One comment suggested that the Secretary commit to providing technical assistance to covered entities.

Response: We do not agree that the provision of technical assistance should be mandated. The statute (at section 1176(b)(3)(B)(ii)) makes the provision of technical assistance discretionary if the Secretary determines that the compliance failure was due to the covered entity's inability to comply.
While OCR and CMS provide technical assistance in many cases, it is not necessary in all instances to provide such assistance in order to obtain compliance. Thus, it is inappropriate to mandate the provision of technical assistance.

Comment: One comment suggested amending Sec. 160.304(b) to require ongoing reporting of complaints and resolutions to the healthcare industry. The goal in requiring reporting would be to educate covered entities regarding complaints that are found to be actual violations and encourage them to review their compliance. The comment stated that the current reports made by OCR to the National Committee on Vital and Health Statistics are not helpful since they only report the volume of complaints, not the nature of the complaints or whether a violation occurred.

Response: We do not believe mandatory reporting of complaints and resolutions is necessary. Both CMS and OCR currently have the ability to report to the public, including the healthcare industry, about complaints and their resolutions, and do so in summary form. We continue to present summaries of actions on complaints in various fora, including in public presentations, testimony, and in written documents. Our enforcement experience also informs our development of FAQs and guidance documents to explain certain provisions and how to comply with them. In any event, covered entities should use their own internal complaint processes and experience to assess and improve their compliance and ability to serve the needs of their customers.

Comment: One comment suggested that the informal resolution process should allow HHS to render opinions on a covered entity's interpretation of the HIPAA rules. The comment expressed concern that a covered entity would not be able to resolve a compliance issue during the informal resolution process if it made a good faith, but incorrect, interpretation of a HIPAA rule. The comment suggested allowing HHS to render an opinion on the entity's interpretation to facilitate the informal resolution of compliance problems.

Response: As a general matter, we do not issue advisory opinions, but the informal resolution process will provide covered entities with information about HHS's interpretation of the HIPAA rules. Covered entities may also find guidance as to the proper interpretation of a HIPAA rule in the FAQs posted on the HHS website and technical assistance offered to the covered entities by HHS. Covered entities may also submit questions to HHS for consideration with respect to future FAQs and guidance.

4. Section 160.306--Complaints to the Secretary

Proposed rule: Section 160.306 provides for investigations of covered entities by the Secretary. It also outlines the procedure and requirements for filing a complaint against a covered entity. For example, it provides that a complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be violations. It also requires that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission occurred, unless this time limit is waived for good cause. The proposed rule would have amended this section to apply it to all of the HIPAA rules, rather than exclusively to the Privacy Rule, but otherwise proposed no substantive changes to the section.

Final rule: The final rule adopts the provisions of the proposed rule, except that proposed Sec. 160.306(c) is revised to require the Secretary to describe the basis of the complaint in the first written communication with the covered entity about the complaint.

Comment: One comment asked for clarification on when a complaint will be considered to have been timely filed in situations when a complainant should have known of the violation, thus triggering the 180-day time period for filing a complaint.
Response: Deciding whether or not a complaint was properly filed within the 180-day period will need to be determined in each case. For example, an individual who is informed through an accounting of disclosures that his or her health information was impermissibly disclosed would be considered to know of the violation at the time the individual receives the accounting. In any event, however, the 180-day period can be waived for good cause shown.

Comment: Two comments suggested that HHS be required to inform a covered entity of the specific basis for an investigation or compliance review. These comments suggested the best way to accomplish this goal would be to send a copy of the complaint to the covered entity. The comments stated that, without specific information as to the basis of the complaint, a covered entity will not be able to properly respond to the agency's request for information.

Response: Both CMS and OCR currently provide the basis for an investigation in the first written communication with a covered entity about a complaint. This policy will continue to be followed, and the final rule is revised to require it. It should be noted that provision of a description of the basis for the complaint does not circumscribe the investigation, if the investigation subsequently uncovers other compliance issues with respect to the covered entity. We disagree that sending a copy of the complaint is necessary for a covered entity to adequately respond to the Secretary's inquiries. As noted above, covered entities receive a description of the basis for the complaint. Other information contained in the complaint, such as the complainant's identity, is not always relevant to the investigation. In some cases, in fact, it may be necessary to withhold such information to, for example, protect the complainant's privacy. In instances where it is necessary to provide the complainant's identity in order for the covered entity to properly respond to the investigation, the complainant is so informed before this information is released to the covered entity.

Comment: One comment suggested that the rule be revised to require that a complaint include the name of the covered entity that is the subject of the complaint.

Response: The rule, both as proposed and as adopted below, already requires that a complaint ``name the person that is the subject of the complaint.'' See Sec. 160.306(b)(2).

Comment: In one comment, a covered entity complained that it had expended a great deal of time and money defending itself against what turned out to be a false allegation and asked that HHS put more effort into gathering detailed information from complainants and helping covered entities respond to complaints. Another comment criticized the rule for providing no way of sanctioning a person bringing a negligent or malicious complaint.

Response: We understand that it may take time and effort to establish that an allegation is unfounded. When complaints are received, we make every effort to determine if the complaint is legitimate, so as not to place undue burdens on covered entities. Further, covered entities are encouraged promptly to contact the OCR or CMS investigators handling their complaints to discuss the allegations once notice of an investigation is received by the covered entity. Doing so should help a covered entity avoid the expenditure of unnecessary time and funds on defending itself against baseless complaints. The statute provides no basis for our penalizing a person for bringing a negligent or malicious complaint, although remedies may exist at common law. However, as discussed below in connection with Sec. 160.316, lack of good faith would typically be a matter that is looked at in the course of investigating a complaint.
Comment: One comment suggested that only individuals or personal representatives should have standing to file a complaint. The comment takes the position that one covered entity should not be able to bring a complaint against another.

Response: We disagree. The purpose of the complaint process is to bring violations to the attention of HHS, so that any noncompliance with the HIPAA rules may be corrected. Particularly with respect to the Transactions Rule, the persons or entities that are likely to be disadvantaged by the noncompliance of a covered entity are other covered entities. It would, accordingly, be inconsistent with the purpose of the complaint process to exclude such entities from it.

Comment: Two comments suggested that HHS be required to notify covered entities of a complaint within a specified time-frame.

Response: OCR and CMS make every effort to notify covered entities of complaints on a timely basis. However, we do not include a specific deadline for notifying covered entities of complaints in the rule. The time needed to determine whether a complaint states issues that should be investigated can vary greatly, while fluctuations in the volume of complaints and other workload demands may also make meeting a specific deadline problematic.

Comment: One comment suggested that Sec. 160.306(a)(2) should be amended to require that ``uses or disclosures'' be described in the complaint rather than ``acts or omissions.''

Response: The suggested change would not be appropriate. The provisions of this rule apply to all of the HIPAA rules, not just the Privacy Rule; the other HIPAA rules regulate actions other than uses and disclosures of protected health information. Moreover, even under the Privacy Rule, a violation may occur where no impermissible use or disclosure of protected health information has occurred. Failure to comply with a notice requirement under Sec. 164.520 is an example of a violation that does not involve a use or disclosure of protected health information.

Comment: One comment suggested that the Secretary should be required to investigate all complaints and that failure to do so is inconsistent with section 1176(a) of the Act, which compels the Secretary to impose penalties for violations unless a statutory limitation applies. Imposing a deadline for beginning investigations was also suggested.

Response: The decision to investigate a complaint is based on the facts presented. Not all complaints need to be investigated. For example, in our experience, a substantial percentage of privacy complaints allege facts that fall outside of OCR's jurisdiction under HIPAA--e.g., an action prior to the compliance date of the Privacy Rule or an action by an entity not covered by the Rule. Revising the rule to require the Secretary to investigate all complaints would be counterproductive and lead to an inefficient allocation of enforcement resources. Similarly, imposing a deadline for beginning an investigation is unrealistic: Some investigations may turn out to be more time-consuming than anticipated, delaying the start of other investigations. It is necessary to provide OCR and CMS with the flexibility to deal with variations in circumstances and resource constraints.

5. Section 160.308--Compliance Reviews

Proposed rule: The proposed rule provided that the Secretary may conduct compliance reviews to determine whether covered entities are complying with the applicable administrative simplification provisions.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: Several comments asked HHS to outline the circumstances under which a compliance review would be undertaken or asked that the compliance review provision be eliminated from the rule. One comment suggested that compliance reviews be limited to evidence-based reviews.
These comments expressed concern that the rule does not specifically define when a compliance review will be undertaken.

Response: Compliance reviews are conducted at the discretion of the Secretary. Outlining specific instances in which a compliance review will be conducted could have the counterproductive effect of skewing compliance efforts toward those aspects of compliance that had been identified as likely to result in a compliance review. It also does not seem advisable to limit, by rule, the circumstances under which such reviews may be conducted at this early stage of the enforcement program, when our knowledge of the types of violations that may arise is necessarily limited. We also do not agree that the provision for compliance reviews should be eliminated. There are situations where instances of potential noncompliance come to HHS's attention outside of the complaint process (e.g., where media reports suggest that a violation has occurred), and HHS must have clear authority to investigate such situations.

Comment: A number of comments suggested that HHS detail the compliance review process and rules for notification of covered entities when they are being reviewed.

Response: The rule already contains procedures to be followed, and requirements to be met, that apply to compliance reviews. See Sec. Sec. 160.304, 160.310, 160.312, 160.314, and 160.316. It is unnecessary to establish procedures comparable to the complaint filing procedures of Sec. 160.306 for compliance reviews, since they are initiated by HHS. The concerns expressed by most of the comments on this topic--that HHS would undertake a compliance review without notice to the covered entity and without specifying the basis for, or the focus of, the review--are misplaced. Section 160.312 requires HHS to attempt to resolve violations found in a compliance review by informal means and to inform the covered entity in writing if a compliance review is or is not resolved by informal means.
Failing to notify the covered entity of a compliance review or the basis for such a review is not consistent with our practice generally and would be unlikely to yield much information of use, resulting in an ineffective use of the covered entity's and the agency's resources.

Comment: One comment suggests that compliance reviews should be mandatory and should be initiated within a specified time period.

Response: The rule, as proposed and adopted, does not preclude establishing a compliance review program or schedule, but it does not require it either. One purpose of compliance reviews is to permit investigation when allegations or situations warranting investigation come to our attention outside of the complaint process. The necessity for a compliance review in a particular case or a program of scheduled compliance reviews is inherently unpredictable, and it is important to retain the administrative flexibility to address such situations. Mandating compliance reviews on a fixed basis or schedule would be an inefficient allocation of limited enforcement resources and would hamper the agency's ability to target resources at actual noncompliance problems as they arise.

Comment: One comment suggested that the rule contain provisions outlining the coordination and cooperation between CMS and OCR when a compliance review under more than one rule occurs.

Response: As with complaint-based investigations, CMS and OCR will coordinate and allocate responsibility for compliance reviews based upon the HIPAA provisions involved and the facts of the case. We do not consider it advisable to specify detailed rules in this regard, as the allocation of function and responsibility will depend on the facts of each case and the resources available at the time.

6. Section 160.310--Responsibilities of Covered Entities

Proposed rule: Section 160.310 addresses the responsibilities of a covered entity, such as providing records and compliance reports to the Secretary and cooperating during a compliance review or complaint investigation. Section 160.310(c) provides that a covered entity must permit HHS to have access during normal business hours to its facilities, books, records, and other information necessary to determine compliance, but provides that if the Secretary determines that ``exigent circumstances exist, such as when documents may be hidden or destroyed,'' the covered entity must permit access at any time without notice. Section 160.310 also requires that the Secretary may not disclose protected health information obtained by the Secretary in the course of an investigation or compliance review except when necessary to ascertaining or enforcing compliance or as otherwise required by law. The proposed rule would amend this section to apply it to all of the HIPAA rules, rather than exclusively to the Privacy Rule, but otherwise proposed no substantive changes to the section.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: A couple of comments asked HHS either to further define ``exigent circumstances,'' such as by limiting it to situations involving national security or by inserting specific examples of exigent circumstances in Sec. 160.310(c)(1). One comment suggested that the rule be revised to require that the Secretary's determination that ``exigent circumstances'' exist be a ``reasonable'' one.

Response: The determination of what constitutes ``exigent circumstances'' will inevitably be fact-dependent. Specific language defining ``exigent circumstances'' is unnecessary, as the rule already provides a clarifying example and the principle underlying the provision is reasonably universal.
We note that limiting the provision to situations where matters of national security are involved would most likely not cover the types of situations the provision is intended to cover--situations in which it is likely that the covered entity will seek to conceal or destroy evidence of noncompliance that HHS needs to carry out its statutory obligation to enforce the HIPAA rules.

Comment: Two comments asked for further guidance and notice of record retention requirements and another comment expressed concerns with the record retention requirements of the Privacy Rule.

Response: Record retention requirements applicable to the Privacy and Security Rules are spelled out in those rules; see, Sec. 164.530(j) and Sec. 164.316(b), respectively. We do not address these record retention requirements here, as this topic lies outside the scope of this rule. The other HIPAA rules do not contain explicit record retention requirements, as such. However, it is likely that the documentation that would be relevant to showing compliance with those rules--such as health plan instructions to providers, software documentation, contracts, and systems processes--is kept as part of normal business practices. Covered entities should consider any other applicable laws, such as state law, in making such decisions.

7. Section 160.312--Secretarial Action Regarding Complaints and Compliance Reviews

Proposed rule: We proposed to revise Sec. 160.312(a) to require that, where noncompliance is indicated, the Secretary would seek to reach by informal means a resolution of the matter that is satisfactory to the Secretary. Informal means could include demonstrated compliance, or a completed corrective action plan or other agreement. We proposed to revise Sec. 160.312(a)(2) to require, where noncompliance is indicated and the matter is resolved by informal means, that HHS notify the covered entity in writing and, if the matter arose from a complaint, the complainant.
Where noncompliance is indicated and the matter is not resolved by informal means, proposed Sec. 160.312(a)(3)(i) would require the Secretary to so inform the covered entity and provide the covered entity an opportunity to submit, within 30 days of receipt of such notification, written evidence of any mitigating factors or affirmative defenses. To avoid confusion with the notice of proposed determination process provided for at proposed Sec. 160.420, proposed Sec. 160.312(a)(3)(ii) provided that, where the matter is not resolved by informal means and the Secretary finds that imposition of a civil money penalty is warranted, the formal finding would be contained in the notice of proposed determination issued under proposed Sec. 160.420. We proposed to leave Sec. 160.312(b) substantively unchanged.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment suggested that covered entities should be able to appeal the Secretary's findings during the informal resolution process and that the Secretary's decision to resolve a matter informally should not preclude the respondent from questioning the Secretary's interpretation or application of the rule in question.

Response: The purpose of the informal resolution process described in Sec. 160.312 is to bring closure at an early stage to a matter where compliance is in issue and, thus, to obviate the need to issue a notice of proposed determination. Section 160.312 recognizes, however, that informal resolutions will not always be achieved. Where the agency and the covered entity are not able to resolve the matter informally, HHS (through OCR and/or CMS) will make a finding of noncompliance pursuant to Sec. 160.420, which the covered entity may then challenge through the applicable procedures of subparts D and E. Nothing in the rule compels the covered entity to challenge the finding of noncompliance under Sec. 160.420, but if the covered entity wishes to challenge such a finding, including the agency's interpretation or application of a rule, it must do so through the procedural avenue provided by subparts D and E. These procedures implement the requirement of section 1128A(c) of the Act that the Secretary may not make an adverse determination against a person until the person has been given written notice and an opportunity for a hearing on the record on the adverse determination.

Comment: One comment asked how informal resolution is possible, given HHS's position that, where a violation is found, a CMP must be imposed. Another comment expressed concern that the informal resolution process would allow covered entities to skirt penalties and the consequences of noncompliance with the HIPAA rules and suggested that the Secretary should not be compelled to reach a resolution through informal processes.

Response: These comments misunderstand our position as to the mandatory nature of the statute. The Secretary must impose a civil money penalty where a formal determination of a violation is made. However, many opportunities exist prior to this determination that allow the Secretary to exercise his discretion to not impose a penalty. This issue is discussed more fully in connection with Sec. 160.402 below. The second comment above also misconstrues Sec. 160.312. Nothing in that section compels OCR or CMS to resolve matters informally. Indeed, Sec. 160.312(a)(3) describes the actions to be taken ``[i]f the matter is not resolved by informal means * * *''.

Comment: One comment suggested that HHS and the covered entity should be required to put the informal resolution in writing.

Response: Both Sec. 160.312(a)(2) and Sec. 160.312(b) require that the resolutions contemplated in those sections be ``in writing.'' CMS and OCR currently document informal resolutions.
Comment: One comment suggested that the 30-day time period for a covered entity to submit to the Secretary evidence of mitigating factors or affirmative defenses should be extended.

Response: Thirty days should be sufficient for a covered entity to submit such evidence. The opportunity to provide additional evidence comes at the end of investigation, and the covered entity should be gathering any evidence of mitigating factors or affirmative defenses during the investigation. In addition, the covered entity will have the opportunity to present such evidence to the ALJ if it chooses to appeal the Secretary's findings. Accordingly, we do not change this provision.

Comment: One comment suggested that a deadline should be imposed for HHS to notify the covered entity of its findings after an investigation.

Response: The time needed to finalize the agency's findings will depend on the complexity of the case, its outcome, and workload considerations. As these factors are inherently variable and unpredictable, we do not believe it would be advisable to impose fixed deadlines for taking the actions described in Sec. 160.312.

Comment: One comment requested clarification of proposed Sec. 160.312(a)(3)(ii), with respect to what action is referred to and the associated time frame.

Response: The action referred to is HHS's notification of the covered entity of its finding of noncompliance when it determines that the matter cannot be resolved informally. Section 160.312(a)(3)(ii) provides that, if HHS decides to impose a civil money penalty, it will send a notice of proposed determination to the covered entity pursuant to Sec. 160.420.
Thus, the intent of this provision is to clarify that, once OCR and/or CMS, as applicable, has determined that a violation has occurred, the matter cannot be resolved informally in a manner that is satisfactory to OCR and/or CMS, and a civil money penalty should be imposed, the agency's next step is to provide the formal notice required by section 1128A(c)(1), which in this rule is the notice of proposed determination under Sec. 160.420. The rule imposes no specific deadline on the agency for sending this notice. However, it should be noted that if the notice is not sent within six years of the violation, pursuit of the civil money penalty would be precluded by section 1128A(c)(1), which is implemented in this rule by Sec. 160.414.

Comment: One comment requested that Sec. 160.312(a)(3) be revised to afford complainants the opportunity to express, in writing, the impact of the violation.

Response: The suggested change is unnecessary, since nothing in the rule precludes a complainant from providing such information to the agency at any point in the process. Complainants frequently describe, in their complaints or in the course of OCR's or CMS's initial contacts with the complainants, the impact of the alleged violation. HHS also may request such information from the complainant where, for example, it bears on the amount of the penalty to be imposed.

8. Section 160.314--Investigational Subpoenas and Inquiries

Proposed rule: The text of proposed Sec. 160.314 was adopted by the April 17, 2003 interim final rule as Sec. 160.504. We proposed to move this section to subpart C, consistent with our overall approach of organizing subparts C, D, and E to reflect the stages of the enforcement process. We proposed to include in the introductory language of proposed Sec. 160.314(a) a sentence which states that, for the purposes of paragraph (a), a person other than a natural person is termed an ``entity.'' We proposed not to modify Sec. 160.314(b)(1), (2) and (8) from the provisions of the April 17, 2003 interim final rule at paragraphs (b)(1)-(3) of Sec. 160.504. However, we proposed to add new paragraphs (3) through (7) and (9) to Sec. 160.314(b) and also to add a new paragraph (c). The proposed new paragraphs at Sec. Sec. 160.314(b)(3)-(b)(7) would permit representatives of HHS to attend and ask questions at the inquiry, give a witness the opportunity to clarify his answers on the record after being questioned by HHS, require any objections or claims of privilege to be asserted on the record, and permit HHS to seek enforcement of the subpoena through the federal district court if a witness refuses to answer non-privileged questions or produce requested documents or items. Further, proposed Sec. 160.314(c) provided that, consistent with Sec. 160.310, testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding. Together, these additions would clarify the manner in which investigational inquiries will be conducted, and how testimony given, and evidence obtained, during such an investigation may be used.

Final rule: The final rule adopts the provisions of the proposed rule, except that paragraph (a) is revised to clarify that investigational subpoenas may issue when a compliance review is conducted.

Comment: A few comments requested that this section provide for the protection of privileged documents when subpoenaed by the Secretary. Comments also suggested that covered entities should have the ability to challenge a subpoena issued by the Secretary.

Response: The rule, as proposed and adopted, provides a process for a subpoenaed witness to challenge the subpoena and/or assert privilege.
Under section 205(e) of the Act, made applicable by section 1128A(j)(1) of the Act, the federal district court in which a person charged with contumacy or refusal to obey a subpoena resides or transacts business has jurisdiction upon application of HHS. As provided in Sec. 160.314(a)(5), HHS may seek to enforce the subpoena in such cases through action in the relevant federal district court, which would presumably hear the basis for the witness's refusal to obey or claim of privilege in connection with a motion to quash under Fed. R. Civ. P. 45(c)(3). (28 U.S.C. Appendix).

Comment: Several comments requested that the scope of the subpoenas issued by the Secretary be limited to the investigation and that the Secretary not be allowed to pursue open-ended inquiries.

Response: Section 205(d) of the Act, which is made applicable by section 1128A(j)(1), provides that a subpoena may issue for ``the production of any evidence that relates to any matter under investigation or in question before [the Secretary].'' Moreover, the federal courts subject the exercise of an agency's administrative subpoena authority to a reasonableness analysis. In U.S. v. Powell, 397 U.S. 481 (1964), the holding of which was extended to all administrative subpoena authorities in Securities and Exchange Commission v. Jerry T. O'Brien, Inc., 467 U.S. 735, 741-42 (1984), the U.S. Supreme Court articulated a standard for the judicial review of administrative subpoenas that requires that the investigation be conducted pursuant to a legitimate purpose and that the information requested under the subpoena is relevant to that purpose. HHS is required to comply with this standard in the exercise of the subpoena authority under this section.

Comment: One comment asked that covered entities be given notice of investigational inquiries directed at them.
Response: In general, we would expect that an investigational subpoena would be used where a covered entity has failed to respond to HHS's requests for information in the course of an investigation conducted under Sec. 160.306. In such a case, the covered entity will have been previously notified of the investigation pursuant to Sec. 160.306(c). Similarly, a subpoena would typically be issued in connection with a compliance review under Sec. 160.308 where the covered entity had [[Page 8399]] failed to respond to HHS's prior requests for information. Thus, we do not expect the element of surprise to be present, which appears to be the concern underlying these comments. We clarify in Sec. 160.314(a) that this section also applies to compliance reviews.

Comment: One comment suggested that Sec. 160.314(a) be revised to state that the admissibility of written statements obtained by HHS during an investigational inquiry is subject to 45 CFR 160.518 and 160.538.

Response: We do not consider the suggested language necessary. Sections 160.518 and 160.538 apply to the exchange and admission of written statements. Should OCR or CMS seek to have written statements obtained during an investigation admitted into evidence, those statements would be subject to the requirements of Sec. Sec. 160.518 and 160.538.

Comment: One comment asked for clarification as to who may amend a transcript and whether the Secretary has the discretion to limit a witness's amendment of his or her testimony transcript.

Response: Under Sec. 160.314(b)(9), both sides may propose corrections to the transcript, and any proposed corrections are attached to the transcript; the transcript itself is not altered.
Section 160.314(b)(9)(i) provides that, if a witness is provided with a copy of the transcript, the witness may submit written proposed corrections to the transcript, or, if the witness is afforded only the opportunity to inspect the transcript, the witness may propose corrections to the transcript at the time of inspection. In either case, the witness's proposed corrections are attached to the transcript. Similarly, under Sec. 160.314(b)(9)(ii), the Secretary's proposed corrections are attached to the transcript. The purpose of the proposed corrections is to make the transcript ``true and accurate.'' See Sec. 160.314(b)(9)(i). Under this process, then, HHS would not be changing the witness's proposed corrections; HHS would, at most, be proposing different corrections.

Comment: One comment suggested that Sec. 160.314 be revised to require HHS to provide for the same protection of protected health information that is required of covered entities when HHS receives protected health information during an investigation.

Response: Section 160.310(c)(3) explicitly protects the confidentiality of protected health information received by HHS ``in connection with an investigation or compliance review under this subpart.'' Although these protections are not the same as those required of covered entities with respect to protected health information, in some respects they are more stringent, given the limited circumstances for which the information may be disclosed under this provision. Because Sec. 160.314 is now part of the subpart, the restriction of Sec. 160.310(c)(3) applies to protected health information received during an investigational inquiry. See Sec. 160.314(c), which provides that testimony and other evidence obtained in an investigational inquiry may only be used ``[c]onsistent with Sec. 160.310(c)(3) * * *''.

Comment: One comment asked for clarification of the ``good cause'' limitation on a witness's ability to inspect the official transcript of their testimony.
Response: This provision derives from the Administrative Procedure Act, which requires, at 5 U.S.C. 555(c), that ``[a] person compelled to submit data or evidence is entitled to retain or, on payment of lawfully prescribed costs, procure a copy or transcript thereof, except that in a nonpublic investigatory proceeding the witness may for good cause be limited to inspection of the official transcript of his testimony.'' The ``good cause'' language of this provision has been explained as follows:

The * * * grant[] to agencies of the right to inhibit access to testimony in nonpublic investigatory proceedings were in recognition that such investigations, ``like those of a grand jury, might be thwarted in certain cases if not kept secret, and that if witnesses were given a copy of their transcript, suspected violators would be in a better position to tailor their own testimony to that of the previous testimony, and to threaten witness about to testify with economic or other reprisals.''

LaMorte v. Mansfield, 438 F.2d 448, 451 (2d Cir. 1971) (quoting Commercial Capital Corp. v. S.E.C., 360 F.2d 856, 858 (7th Cir. 1966)).

Comment: Several comments suggested that evidence obtained during an investigation by HHS should be used only within the scope of that investigation, not for other matters, as provided for by Sec. 160.314(c).

Response: Section 160.314(c) mirrors the OIG rule. The concept that HHS may use evidence obtained in an investigation for matters outside the scope of the investigation is not novel. While we would expect to be careful in using such information for other purposes, we are legally obligated to take appropriate action if we obtain clear evidence of wrongdoing.

9. Section 160.316--Refraining From Intimidation or Retaliation

Proposed rule: Proposed Sec. 160.316, which was taken from Sec.
164.530(g)(2) of the Privacy Rule, would prohibit covered entities from threatening, intimidating, coercing, discriminating against, or taking any other retaliatory action against individuals or other persons (including other covered entities) who complain to HHS or otherwise assist or cooperate in the enforcement processes created by this rule. The intent of this addition to subpart C was to make these non-retaliation provisions applicable to all of the HIPAA rules, not just the Privacy Rule. A conforming change to Sec. 164.530(g) of the Privacy Rule was proposed, to cross-reference proposed Sec. 160.316.

Final rule: The final rule adopts the provisions of the proposed rule, except that the verb ``harass'' is inserted in the introductory language of this section. The related revision to Sec. 164.530(g) is adopted without change.

Comment: Two comments asked HHS to strengthen the prohibition on retaliation and intimidation. The comments express concern that the current provision is not a sufficient deterrence to covered entities, particularly payers. One comment suggested that the language be revised to read in pertinent part as follows: ``A covered entity may not threaten * * * including not threaten to reduce or eliminate payment, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person * * * including suspending or terminating participation in a Medicaid program and/or in any other program or network or reducing or eliminating payment for * * *''. Another comment suggested that persons who engage in prohibited retaliation or intimidation should be considered to have ``knowingly'' violated the statute and be subject to criminal penalties under section 1177 of the Act.

Response: We agree with the comment that the actions covered in the suggested language would constitute intimidation or retaliation under the appropriate facts, but we think that such claims may be made under the existing language.
However, while harassment is encompassed by the phrase ``other retaliatory action'' in this section, since harassment is a form of pressure that is sufficiently different from, and as objectionable as, the other intimidating or retaliatory acts that are specifically mentioned, we clarify the section by including it in the text of the regulation; [[Page 8400]] the text of the final rule is revised accordingly. The statute does not make retaliation or intimidation the subject of a criminal penalty under section 1177, and we cannot expand the scope of the criminal provision by regulation. Accordingly, we do not adopt this suggestion.

Comment: One comment suggested amending the section to require that a complaint be filed in good faith under Sec. 160.306 and that the same change be made to the remaining language in proposed Sec. 164.530(g). The comment stated that covered entities should not be prohibited from firing employees who file false complaints and that covered health care providers should not be prohibited from terminating the provider-patient relationship where the patient files a false complaint.

Response: The good faith of a complainant is currently evaluated by OCR to the extent it bears upon determining whether a compliance failure appears to have occurred and the extent to which the complaint should be investigated. We do not read the rule as prohibiting the firing of an employee or the termination of a provider-patient relationship where other legitimate grounds for such action exist; whether such grounds exist would be a matter to be ascertained in the course of the investigation.

Comment: Two comments asked HHS to provide examples of retaliation and/or outline procedures or criteria for how the occurrence of retaliation will be investigated and determined. One comment asked that the rule stipulate that an act be considered to be one of retaliation or intimidation only if it occurred after the filing of a complaint.
Response: Complaints regarding retaliation or intimidation will be handled in the same manner as investigations regarding other possible violations of the HIPAA rule, as Sec. 160.316 is considered an administrative simplification provision for the purposes of imposing a civil money penalty. Because such situations are likely to be quite varied and factually complex, we are reluctant to preclude consideration of events prior to the filing of a complaint that may be relevant to a claim of retaliation or intimidation. We, thus, retain the language as proposed.

C. Subpart D--Imposition of Civil Money Penalties

Subpart D of the final rule addresses the issuance of a notice of proposed determination to impose a civil money penalty and other actions that are relevant thereafter, whether or not a hearing is requested following the issuance of the notice of proposed determination. It also contains provisions on identifying violations, calculating civil money penalties for such violations, and establishing affirmative defenses to the imposition of civil money penalties. It, thus, implements the provisions of section 1176, as well as related provisions of section 1128A. As noted above, many provisions of subpart D are based in large part upon the OIG regulations, but we adapt the language of the OIG regulations to reflect issues presented by, or the authority underlying, the HIPAA rules.

1. Section 160.402--Basis for a Civil Money Penalty

Section 160.402 sets forth the rules concerning the basis for liability for a civil money penalty. It includes the rules for determining liability if more than one covered entity is responsible for a violation and where an agent of a covered entity is responsible for a violation.

a. Section 160.402(a)--General Rule

Proposed rule: Proposed Sec.
160.402(a) would require the Secretary to impose a civil money penalty on any covered entity which the Secretary determines has violated an administrative simplification provision, unless the covered entity establishes that an affirmative defense, as provided for by Sec. 160.410, exists. This provision is based on the language in section 1176(a) that ``* * * the Secretary shall impose on any person who violates a provision of this part a penalty * * *''. A ``provision of this part'' is considered to be a requirement or prohibition of the HIPAA statute or rules. See the discussion of ``administrative simplification provision'' under Sec. 160.302 above.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: A number of comments suggested that the words ``the Secretary will impose a civil money penalty * * *'' are too strict. Some comments expressed concern that this language could jeopardize HHS's ability to resolve a matter informally; other comments questioned how this language was consistent with the provisions for voluntary compliance (Sec. 160.304), informal resolution (Sec. 160.312), and settlement (Sec. 160.416). Most of these comments suggested that the rule give the Secretary discretion to impose a civil money penalty instead of making it mandatory.

Response: Section 160.402(a) states the general rule of section 1176(a): If the Secretary determines that a covered entity has violated an administrative simplification provision, he will impose a civil money penalty unless a basis for not imposing a penalty under section 1176(b) exists. The use of the words ``shall impose'' in section 1176(a) is more than the mere conveyance of authority to the Secretary to exercise his discretion where he has made a formal determination that a covered entity has violated an administrative simplification provision. Under the procedures set forth in this final rule, the formal determination is proposed in a notice of proposed determination under Sec.
160.420. A covered entity may request administrative review by an administrative law judge of this determination. If the covered entity does not so request, the proposed determination becomes final. Many opportunities will precede a determination of a violation, however, that will permit the Secretary to exercise his discretion to not impose a penalty. As set forth in Sec. 160.304, the principle for achieving compliance is to seek voluntary compliance by covered entities. To implement this principle in complaints and compliance reviews, Sec. 160.312 provides that the Secretary will attempt to reach resolution by informal means prior to proposing a determination under Sec. 160.420 that a covered entity has violated an administrative simplification provision. If resolution satisfactory to the Secretary is reached by informal means, the Secretary may exercise his discretion to close the matter without formally proposing a determination under Sec. 160.420. The Secretary is also authorized by section 1128A(f) of the Act, which is incorporated by reference in section 1176, to exercise discretion to settle any matter. Thus, under Sec. Sec. 160.416 and 160.514, settlements of civil money penalties which have been proposed or are being challenged through the administrative hearing process are possible. The Secretary also has discretion to waive civil money penalties, in whole or in part, in certain cases under Sec. 160.412. The general rule stated in Sec. 160.402(a) that the Secretary will impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision is not at odds with the Secretary's authority to exercise his discretion pursuant to Sec. Sec. 160.304, 160.312, 160.412, 160.416, and 160.514. However, these exercises of Secretarial discretion require actions by covered entities. 
When a covered entity acts, or fails to act, in ways that do not allow the exercise of Secretarial discretion not to [[Page 8401]] impose a penalty, the Secretary will impose a civil money penalty upon the covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision.

Comment: One comment complained that Sec. 160.402(a) does not allow for early termination of frivolous complaints. The comment stated that covered entities are locked into paying a civil money penalty or initiating an expensive and elaborate defense to the complaint.

Response: It is our expectation that complaints that are frivolous will be resolved at an early stage of the informal resolution process under Sec. 160.312. A covered entity can facilitate this process by cooperating with the OCR or CMS investigators on a timely basis.

Comment: One comment suggested that Sec. 160.402(a) be revised to require HHS to issue a finding that informal resolution is not sufficient and that a civil money penalty is necessary.

Response: The provision suggested would be redundant. The notice of proposed determination under Sec. 160.420 essentially fulfills this function, in that it must state the grounds upon which the Secretary has decided to impose the penalty.

b. Section 160.402(b)--Violations by More Than One Covered Entity

Proposed rule: Proposed Sec. 160.402(b) provided that, except with respect to covered entities that are members of an affiliated covered entity, if the Secretary determines that more than one covered entity was responsible for violating an administrative simplification provision, the Secretary will impose a civil money penalty against each such covered entity.
Based on the statutory language in section 1176(a), which states that the Secretary ``* * * shall impose a penalty * * *'' when there is a determination that an entity has violated a HIPAA provision, this provision would apply to any two or more covered entities (other than members of an affiliated covered entity, discussed below), including, but not limited to, those that are part of a joint arrangement, such as an organized health care arrangement. The preamble to the proposed rule noted that the determination of whether or not an entity is responsible for the violation would be based on the facts and that, while simply being part of a joint arrangement would not, in and of itself, make a covered entity responsible for a violation by another entity in the joint arrangement, it could be a factor considered in the analysis. See 70 FR 20231. Proposed Sec. 160.402(b)(2) provided that each covered entity that is a member of an affiliated covered entity would be jointly and severally liable for a civil money penalty for a violation by the affiliated covered entity. An affiliated covered entity is a group of covered entities under common ownership or control, which have elected to be treated as if they were one covered entity for purposes of compliance with the Security and Privacy Rules. See Sec. 164.105(b).

Final rule: The final rule provides that a member of an affiliated covered entity is jointly and severally liable for a violation by the affiliated covered entity, unless it is established that another member of the affiliated covered entity was responsible for the violation.

Comment: Proposed Sec. 160.402(b) was opposed by many on the ground that it was unfair to make one covered entity liable for a violation committed by another covered entity. A number of comments stated that this provision was particularly unfair, when coupled with the requirement of proposed Sec.
160.426 that the public be notified of civil money penalties imposed, in that a covered entity that was not responsible for the violation in question could bear the reputational injury associated with such notification, due to the operation of proposed Sec. 160.402(b). One comment pointed out that violations may not be system-wide, but may be limited to one member of the affiliated covered entity; in such a situation, it would not be fair to penalize the other members of the affiliated covered entity.

Response: We agree with these comments to a certain extent and have changed the final rule accordingly. We agree that, if responsibility for a violation can be shown to lie with one member of an affiliated covered entity, that member should be held liable for the violation. Thus, we have provided that a covered entity member of an affiliated covered entity may avoid liability if it is established that another member was responsible for the violation. We suspect that in most cases, which member was responsible for the violation will be clear--for example, if four of five members of a covered entity distributed privacy notices but the fifth member did not, the violations of the notice distribution requirement of Sec. 164.520 would be attributed to the fifth member. In such cases, the objections to publication described above are beside the point, because liability follows responsibility. However, we do not agree that the inability to assign specific responsibility for a violation to one or more members of an affiliated covered entity should shield all of its members from liability. We doubt that such situations will arise often, but they may arise where the affiliated covered entity has failed to take a required act--for example, where the affiliated covered entity has failed to appoint a privacy officer.
In such a case, all of the members of the affiliated covered entity bear a share of the responsibility for the failure to act, since any of them could have presumably taken action to bring the group, as a whole, into compliance. It is, thus, not unreasonable that all members of the affiliated covered entity should be jointly and severally liable for the consequent penalty. Moreover, absent joint and several liability, each member of the affiliated covered entity would be separately liable for the penalty for the violation, e.g., the failure to appoint a privacy officer. Thus, the removal of joint and several liability may result in greater liability for the members of an affiliated covered entity in some cases.

Comment: Several comments argued that there is no statutory authority for holding the members of an affiliated covered entity jointly and severally liable, in that the statute requires that the penalty ``shall be imposed on any person who violates a provision * * *'' and, thus, does not authorize imposition of a penalty on a person who has not violated a provision of the statute or rules. One comment argued that proposed Sec. 160.402(b) would violate the due process clause by imposing liability on entities not responsible for a violation.

Response: These objections are misplaced. Where, as will usually be the case, responsibility for the violation is evident and the responsible party is charged with the violation, they are obviously not relevant. In the case of other violations, where the responsibility for the violation is shared by the members of the affiliated covered entity, as in where the affiliated covered entity fails to take required actions, they are likewise not relevant. Since each covered entity member of the affiliated covered entity is responsible for complying with the rule in question, responsibility for the failure to act may be properly imputed to each member.
Moreover, since an affiliated covered entity is a type of joint undertaking, it is reasonable to impute responsibility to the members of the affiliated covered entity, as is typically done with joint ventures.

Comment: Several comments argued that proposed Sec. 160.402(b) uses a legal fiction of the Privacy and Security Rules to create liability where liability would not otherwise exist and substitutes this fiction for the corporate form and structure that establish the basis for enterprise liability under U.S. law. [[Page 8402]] Another comment stated that this section is inconsistent with the provision of the HIPAA rules (Sec. 160.105(b)) that defines an affiliated covered entity as an entity comprised of ``legally separate'' entities.

Response: We disagree. The affiliated covered entity concept is more than a legal fiction. It is an operational approach to discharging certain compliance responsibilities. When covered entities create an affiliated covered entity, they mutually agree to conduct their business in a certain manner and hold themselves out to the world as a joint undertaking. While the Privacy and Security Rules do not prescribe detailed requirements for how an affiliated covered entity must be organized, the level of cooperation such an undertaking necessitates, the requirement for designation, and the requirement of common ownership or control mean that the participating members will have entered into an agreement of some sort, whether formal or informal. We, thus, think that it is properly viewed as a joint venture. The fact that an affiliated covered entity is composed of ``legally separate'' entities is beside the point. Joint and several liability, as a concept, is imposed on legally separate entities. See, e.g., Black's Law Dictionary (8th ed. 2004), liability.

Comment: A number of comments argued that the provision for joint and several liability would discourage covered entities from setting up affiliated covered entities.
One comment stated that proposed Sec. 160.402(b) represents a change in position by HHS, in that the preamble to the Privacy Rule, on which many covered entities relied, stated that covered entities that formed an affiliated covered entity are ``separately subject to liability under this rule.''

Response: Section 160.402(b), as adopted, should allay the concerns expressed by these comments with respect to the potential exposure to liability for the members of affiliated covered entities. We think that, in most cases, which member of an affiliated covered entity is responsible for a violation will be obvious; where this is the case, HHS would seek to impose the civil money penalties on that member. Even if it is not obvious from the violation itself who the responsible party is, a covered entity may adduce evidence to establish that responsibility for the violation lies elsewhere, and, if this is shown, avoid liability. In any event, the establishment of an affiliated covered entity is not mandated by either the Privacy Rule or the Security Rule. Rather, establishing an affiliated covered entity is a business decision to be made by the covered entities involved. The affiliated covered entity arrangement carries with it certain benefits for the member entities; any increased exposure to potential liability under this rule, assuming there is one, should be part of the business calculus. In addition, we do not agree that Sec. 160.402(b) is inconsistent with the position taken in the preamble to the Privacy Rule. Our prior statement was intended to provide notice that liability for violations by an affiliated covered entity would devolve onto the member covered entities of an affiliated covered entity, rather than being attributed to the affiliated covered entity itself, so that member covered entities could not avoid liability by arguing that the affiliated covered entity had committed the violation in question.
It was not intended to indicate the bases upon which that liability would be determined, which is the purpose of Sec. 160.402(b).

Comment: A couple of comments supported the policy of holding the members of an affiliated covered entity jointly and severally liable. One comment supported holding all covered entities in an affiliated covered entity liable for the violations of one as an efficient mechanism for highlighting the seriousness of violations of the HIPAA rules.

Response: For the reasons set forth above, we have not adopted this policy in the final rule, insofar as responsibility for a violation can be determined.

Comment: Two comments requested clarification of the maximum amount of the penalty that will be assessed against an affiliated covered entity when one of its members has been found noncompliant.

Response: Where responsibility for a violation is allocated to individual covered entities, each covered entity determined to be responsible for the violation would be liable for violations of an identical requirement or prohibition in a calendar year up to the statutory maximum of $25,000. If responsibility for particular violations cannot be determined, so that the members of the affiliated covered entity are jointly and severally liable for the violation, the maximum that would be imposed for violations of an identical requirement or prohibition in a calendar year would be $25,000.

Comment: Several comments requested clarification of the statement in the preamble to the proposed rule that membership in an organized health care arrangement ``could be a factor considered in the analysis'' in determining the liability of a member of such arrangement for a violation. Of particular concern was the potential liability of a hospital for the actions of physicians with privileges; one comment noted that the hospital exercises little control over medical staff in such situations.
One comment requested that the final rule clarify that membership in an organized health care arrangement would not increase a covered entity's exposure to liability.

Response: As we noted in the preamble to the proposed rule, the members of an organized health care arrangement would be individually--not jointly and severally--liable for any violation of the HIPAA rules. What our preamble statement intended to indicate was that HHS might have to look carefully at how the organized health care arrangement operated in determining which member(s) of the organized health care arrangement was responsible for a particular violation, if that was not clear at the outset.

c. Section 160.402(c)--Violations Attributed to a Covered Entity

Proposed rule: Proposed Sec. 160.402(c) provided that a covered entity can be held liable for a civil money penalty based on the actions of any agent, including a workforce member, acting within the scope of the agency. This provision derives from section 1128A(l) of the Act, which is made applicable to HIPAA by section 1176(a)(2) of the Act. Section 1128A(l) states that ``a principal is liable for penalties * * * under this section for the actions of the principal's agents acting within the scope of the agency.'' Under the proposed rule, a covered entity could be liable for a civil money penalty for a violation by any agent acting within the scope of the agency, including a workforce member. (``Workforce'' is defined at Sec. 160.103 as ``employees, volunteers, trainees, or other persons whose conduct in the performance of work for a covered entity is under the direct control of such entity, whether or not they are paid by the covered entity.'') The proposed rule excepted covered entities from liability for actions of a business associate agent that violate the HIPAA rules, if the covered entity was in compliance with the HIPAA rules governing business associates at Sec. Sec. 164.308(b) and 164.502(e). Proposed Sec.
160.402(c) also provided that the Federal common law of agency would apply to determine agency issues under this provision. Final rule: The final rule adopts the provisions of the proposed rule. Comment: A number of comments supported the provision of proposed Sec. 160.402(c) relating to business [[Page 8403]] associates and requested that it be retained in the final rule. Response: We agree and have done so. Comment: One comment requested clarification of the liability of a covered entity for a violation committed by a non-covered entity who is not a business associate or workforce member, such as researchers, medical device vendors, and non-covered providers who have treatment privileges and access to protected health information at a covered entity's facility. The comment argued that, depending on the circumstances, such persons may or may not be considered agents. Response: In general, a ``violation'' cannot occur, if the act in question is not done by a covered entity or its agent, because only covered entities are subject to the HIPAA rules. For example, if a permitted or required disclosure of protected health information is made by a covered entity to a person or entity that is not a workforce member or business associate, the covered entity would not generally be responsible for that person's or entity's subsequent use or disclosure of the information. Thus, if a hospital that is a covered entity discloses protected health information to a non-covered health care provider with privileges for treatment of a patient, the hospital would not be liable for a subsequent use or disclosure by that provider, as long as the hospital is not also involved in that use or disclosure. If the provider is an agent of the hospital, however, the hospital's liability will be determined in accordance with Sec. 160.402(c). 
Comment: We requested comment in the proposed rule on whether there are categories of workforce members whom it would be inappropriate to treat as agents under Sec. 160.402(c). A number of comments suggested that independent contractors, volunteers, and students under the supervision of an academic institution be excluded from the definition of an agent for whose acts the covered entity could be liable, provided that the covered entity has given the requisite training to such persons. The comments indicated that generally covered entities have less control over such persons than they have over employees. Response: Whether a person is sufficiently under the control of a covered entity and acting within the scope of the agency has to be determined on the facts of each situation, but Sec. 160.402(c) creates a presumption that a workforce member is an agent of the covered entity for the member's conduct under the HIPAA rules, such as using and disclosing protected health information. With regard to whether an independent contractor is a member of the covered entity's workforce, the question would be whether the covered entity had direct control over the independent contractor in the performance of its work for the covered entity. See Sec. 160.103 (definition of ``workforce''). If the covered entity does not have direct control over such persons, they do not fall within the definition of ``workforce.'' Where persons, such as independent contractors, who are not under the direct control of the covered entity perform a function or activity that involves the use or disclosure of individually identifiable health information or a function or activity regulated by this subchapter on behalf of a covered entity, such persons would fall within the definition of ``business associate,'' and the covered entity would be required to comply with the business associate provisions of the Privacy and Security Rules with regard to such persons. 
Because of the direct control requirement in the definition of workforce, we think it is appropriate for a covered entity to be liable for a violative act of an independent contractor who is a member of the workforce, that is, who is under the direct control of the covered entity. With respect to volunteers and trainees, we note that, while covered entities may have less control over these persons, they do control their performance of activities that are governed by the HIPAA rules, such as access to protected health information. In regard to privacy, a covered entity is required to train these categories of workforce members as necessary and appropriate for these volunteers and trainees to carry out their functions within the covered entity. 45 CFR 164.530(b). This requirement allows a covered entity to adapt its training to a volunteer's or trainee's scope of duties. For example, a volunteer who files laboratory results in a medical record will require training that is different and more extensive than the training given to a volunteer in the lobby gift shop of a hospital. Section 160.402(c) is consistent with these distinctions. The acts of volunteers and trainees will be examined on a case-by-case basis to determine if they are acting as agents within the scope of their agency. Thus, we think that it is appropriate to treat volunteers and trainees as persons for whose acts a covered entity may be liable, if they act as agents for the covered entity and violate the HIPAA rules within the scope of their agency. Comment: One comment recommended that the rule be revised to make covered entities liable for violations committed by business associates. The comment suggested that, if a covered entity is not liable for the actions of its business associates, covered entities will outsource the handling of protected health information to avoid liability. Response: We included the business associate exception in proposed Sec. 
160.402(c)(1)-(3) to make this rule consistent with the business associate provisions in the Privacy and Security Rules. Changing the business associate provisions in the Privacy and Security Rules is outside the scope of this rulemaking. (See the extensive discussion about business associates in the Privacy Rule and Security Rule preambles at 65 FR 82503-82507 and 82640-82645, 67 FR 53251-53253, and 68 FR 8358-8361). The satisfactory assurances that are required in written contracts or arrangements between covered entities and their business associates are intended to protect the confidentiality of protected health information handled by business associates. If a covered entity fails to comply with the business associate provisions in the Privacy and Security Rules, such as by not entering into the requisite contracts or arrangements, or by not taking reasonable steps to cure a breach or end a violation that is known to the covered entity, the covered entity may be liable for the actions of a business associate agent. We, therefore, decline to follow the recommendation. Comment: Two comments suggested that HHS limit its use of the Federal common law of agency because its application may make a covered entity liable for the actions of a person, such as an independent contractor, for whom the covered entity is not liable under state law. Response: As we stated above, covered entities must comply with the business associate provisions of the Privacy and Security Rules for independent contractors who are not under the direct control of the covered entity and who perform a function or activity that involves the use or disclosure of individually identifiable health information or a function or activity regulated by ``this subchapter'' (i.e., the HIPAA rules) on behalf of a covered entity. If a covered entity complies with the business associate provisions, the exception from liability in Sec. 160.402(c) will be applicable. 
The purpose of establishing the Federal common law of agency to determine when a covered entity is vicariously liable for the acts of its agents is to achieve nationwide uniformity in the implementation of the HIPAA rules by covered entities and nationwide [[Page 8404]] consistency in the enforcement of these rules by HHS. The comments reinforced our conclusion that reliance on state law could introduce inconsistency in the implementation of the HIPAA rules by covered entities in different states. Thus, we retain the Federal common law of agency as the standard by which agency questions in specific cases will be determined. Comment: Two comments requested clarification of how this section will apply to insurance agents, brokers, and consultants. Response: Insurance agents, brokers, and consultants who are not members of the covered entity's workforce but with whom the covered entity shares protected health information will generally fall within the definition of ``business associate'' at Sec. 160.103. A covered entity that complies with the business associate provisions of the Privacy and Security Rules would not be liable for a violation of those rules by the business associate pursuant to the liability exception in Sec. 160.402(c). It is also possible that the insurance agent, broker, or consultant may be the covered entity's agent in some, but not all, of his or her activities. An agent or broker may be working on behalf of an employer to arrange insurance coverage for its employees and not on behalf of the health insurance issuer that is a covered entity. In cases where the liability exception for business associates is not available or not met, the determination of whether an insurance agent, broker, or consultant is an agent of a covered entity and was acting within the scope of the agency will be made based on the facts of each situation. 
Comment: One comment argued that covered entities should not be liable for acts of employees outside the scope of their employment. Another comment suggested that covered entities should not be liable for the actions of agents who have been informed of the covered entity's HIPAA compliance policies, yet act contrary to them. Another suggested that a covered entity should not be liable for the acts of agents who, although authorized to disclose protected health information, disclose it for purposes of sale or with intent to do harm. Response: Section 160.402(c), as proposed and adopted, provides that a covered entity is liable for the acts of an agent acting ``within the scope of the agency.'' This provision necessarily implies that a covered entity is not liable for its agent's acts outside the scope of the agency (as determined under the federal common law of agency). With regard to the comments that suggest that unauthorized conduct by an agent is outside the scope of the agency, the Federal common law of agency will be applied to the facts of each case to determine whether the covered entity is liable for the conduct, even though it was unauthorized. Comment: Two comments expressed concern with the role of a Privacy Officer and his or her liability under this part and the covered entity's liability for the actions of a Privacy Officer who is a business associate. One comment suggested that the Privacy Officer should not incur any additional liability merely by being designated the Privacy Officer. The other comment requested clarification as to a covered entity's liability when the covered entity directly controls a Privacy Officer, if the Privacy Officer is a business associate. Response: As stated above, the facts of each case will determine the liability of covered entities for wrongful conduct of their agents under the HIPAA rules. 
As a general matter, we think that a Privacy Officer is an officer of a covered entity for the purposes of the Privacy Rule and, thus, will likely be the covered entity's agent. As stated in Sec. 160.402, a covered entity is liable for the acts of its agent acting within the scope of its agency and, thus, is liable for any penalties that result from those acts. However, if a Privacy Officer is a business associate of the covered entity, the liability exception in Sec. 160.402(c) may apply. A covered entity that is in compliance with the business associate provisions of the Privacy and Security Rules will not be liable for a violation of those rules by the business associate. 2. Section 160.404--Amount of a Civil Money Penalty Proposed rule: Under proposed Sec. 160.404(a), the penalty amount would be determined through the method provided for in proposed Sec. 160.406, using the factors set forth in proposed Sec. 160.408, and subject to the statutory caps reflected in proposed Sec. 160.404(b) and any reduction under proposed Sec. 160.412. The proposed regulation would not establish minimum penalties. Proposed Sec. 160.404 would follow the language of the statute and establish the maximum penalties for a violation and for violations of an identical requirement or prohibition during a calendar year, as set forth in the statute--up to $100 per violation and up to $25,000 for violations of an identical requirement or prohibition in a calendar year. Proposed Sec. 160.404(b) provided that the term ``calendar year'' means the period from January 1 through the following December 31. Under proposed Sec. 160.404(b)(2), a violation of a more specific requirement or prohibition, such as one contained within an implementation specification, could not also be counted, for purposes of determining civil money penalties, as an automatic violation of a broader requirement or prohibition that entirely encompasses the more specific one. 
That is, the Secretary could impose a civil money penalty for violation of either the general or the specific requirement, but not both. Proposed Sec. 160.404(b)(2) would not apply where a covered entity's action results in violations of multiple, differing requirements or prohibitions within the same HIPAA rule or in violations of more than one HIPAA rule. Proposed Sec. 160.404(b)(2) also would not preclude assessing civil money penalties for multiple violations of an identical requirement or prohibition, up to the statutory cap. Final rule: The final rule adopts the provisions of the proposed rule. Changes to the provisions referenced in this section are discussed in connection with those provisions. Comment: While most comments that addressed proposed Sec. 160.404(b)(2) supported it, several comments suggested that a single set of facts or single activity should not result in the finding of more than one violation, even of different subparts. According to the comments, covered entities should not be assessed penalties for violating more than one provision if all violations arise out of the same facts or incident. One comment suggested that penalties should not be doubly assessed for overlapping provisions in other subparts unless gross misconduct or willful negligence was involved. Response: We do not count an act that violates overlapping provisions of a subpart as more than one violation because provisions that are duplicative in a subpart were written that way as a drafting convenience and were not intended to establish separate legal obligations. This rationale, however, does not apply where the legal obligations are found in different subparts. Further, the different subparts implement different statutory standards and, thus, impose separate legal obligations. 
For example, where a covered entity resells its used computers without scrubbing the hard drives that contain protected health information, this act may violate several separate legal obligations under the Security and Privacy Rules: (1) The media re-use requirement of Sec. 164.310(d)(2)(ii); (2) the safeguards requirement of Sec. 164.530(c); and (3) to the extent that the protected health [[Page 8405]] information on the drives is accessible by persons to whom it could not permissibly be disclosed, Sec. Sec. 164.308(a)(4)(i) and 164.502(a). In such a situation, the act has violated requirements or prohibitions of different rules promulgated pursuant to different provisions of the statute, and it is appropriate that such violations be treated separately. Thus, we decline to extend Sec. 160.404(b)(2) as suggested. Further, the same facts may evidence noncompliance with more than one non-overlapping provision of a subpart and, thus, may result in multiple violations for which a penalty may be assessed. For example, a covered entity that makes an impermissible use of protected health information may also, by virtue of the impermissible use, have violated the Privacy Rule's minimum necessary and/or reasonable safeguard provisions. We also note that, in some cases, a violation of one requirement or prohibition may produce consequential violations, and such cases would not come within Sec. 160.404(b)(2). For example, Sec. 164.308(a) requires covered entities to conduct security risk analyses. The security risk analysis is the foundation of the covered entity's security risk management plan and is one of the bases which it must take into account in deciding not to implement addressable implementation specifications under the Security Rule. 
If a covered entity does not do a security risk analysis, it has no basis for not implementing the addressable implementation specifications under the Security Rule, and any failure to implement such specifications could, thus, be considered a violation. Thus, while the failure to conduct the security risk analysis would be a violation, albeit a continuing one, of just one provision, it would necessarily result in other violations, to the extent the covered entity failed to implement the addressable implementation specifications of the Security Rule. Comment: One comment suggested that the costs incurred by the covered entity as a result of the violation should be considered in calculating the amount of the penalty. Response: We do not adopt this suggestion for several reasons. First, we are not certain what costs the comment is suggesting be considered--the costs associated with committing the violation, the costs associated with correcting the violation, or both. Second, the factors to be considered in determining the amount of the penalty for a violation are set out at section 1128A(d) and are implemented in this rule by Sec. 160.408. ``Costs incurred by the covered entity as a result of the violation'' is not a concept that fits squarely within any of the statutory factors. Third, to the extent consideration of such costs is reasonable, it would seem to be relevant only to the criterion for waiver under Sec. 160.412 (``the extent that payment of the penalty would be excessive relative to the violation''); insofar as that criterion weighs the seriousness of the effect of the violation, costs associated with correcting the violation might in certain circumstances be a relevant factor to be considered. 3. Section 160.406--Number of Violations Proposed rule: Proposed Sec. 
160.406 would establish the general rule that the Secretary will determine the number of violations of an identical requirement or prohibition by a covered entity by applying any of the variables of action, person, or time, as follows: (1) The number of times the covered entity failed to engage in required conduct or engaged in a prohibited act; (2) the number of persons involved in, or affected by, the violation; or (3) the duration of the violation, counted in days. Paragraph (a) of this section would require the Secretary to determine the appropriate variable or variables for counting the number of violations based on the specific facts and circumstances related to the violation, and take into consideration the underlying purpose of the particular HIPAA rule that is violated. More than one variable could be used to determine the number of violations (for example, the number of people affected multiplied by the time (number of days) over which the violation occurred). The Secretary would have discretion in determining which variable or variables were appropriate for determining the number of violations. The preamble to the proposed rule noted that, under this proposal, the policy for determining which variable(s) to use for which type of violation would be developed in the context of specific cases rather than established by regulation and that subsequent cases would be decided consistently with prior similar cases. Final rule: The final rule eliminates the provision for variables and provides that the number of violations of an identical requirement or prohibition (termed ``identical violations'') will be determined based on the nature of the covered entity's obligation to act or not act under the provision violated, such as its obligation to act in a certain manner, or within a certain time, or with respect to certain persons. With respect to continuing violations, a separate violation will be deemed to occur on each day such a violation continues. 
Comment: While two comments supported the proposal, many comments challenged the variable approach of proposed Sec. 160.406 to determining the number of violations. In particular, several comments expressed concern over the broad discretion provided to the Secretary to determine the number of violations, particularly in light of the fact that the proposed rule would have prohibited the ALJ from reviewing the Secretary's choice of variable(s). Further, some comments were concerned that the Secretary could use multiple variables to determine the number of violations. It was argued that the proposed approach was unfair in that it (1) did not allow covered entities to predict the amount of a civil money penalty that would result from a violation, and (2) could maximize the penalty to the statutory cap in virtually any case, which could result in very harsh penalties for relatively minor offenses. Other comments argued that the variable approach was inconsistent with the policy of proposed Sec. 160.404(b)(2), prohibiting the double counting of overlapping regulatory requirements, or was inconsistent with HHS's general approach to voluntary compliance. It was suggested, for example, that HHS instead could establish one particular calculation method for each HIPAA rule or specify the types of violations for which HHS would use a particular method. Comments also criticized the variable approach as inconsistent with the definition of ``violation,'' arguing that the person and time variables have no logical relationship to a failure to comply, and thus, would not be appropriate for counting violations. 
Specifically, it was argued that since a ``violation'' is defined as a failure to comply with a requirement or prohibition, by definition a violation is a failure to take a required action or a failure to refrain from doing a prohibited act, and, thus, is not defined by the period of time during which such action or inaction occurs or by the number of people who may be affected by it. Further, several comments argued that the action/inaction variable was the only one that was consistent with the statute, so that penalizing covered entities by using other variables would be penalizing them for violations that, by definition, do not exist, which would be inconsistent with Congressional intent, as expressed in section 1176(a), and inappropriate as a matter of public policy. It was also argued that the time and person variables look at qualitative issues and attempt to measure the [[Page 8406]] importance of an act or omission; they do not measure where an act is quantitatively extensive--i.e., repeated or prolonged. It was argued that qualitative considerations are treated, under the statute, as aggravating or mitigating factors, not as questions of the quantity of violations, as is done under the variable approach. Response: It was not our intent to suggest that the variables we proposed would be employed in a manner unrelated to the nature of the underlying violation, as assumed by many of the comments. However, since we agree that the manner in which the number of identical violations should be determined will depend on the nature of the provision violated, and the provision for variables was confusing and susceptible to misinterpretation, we have eliminated the explicit requirement to use the person, time, and action variables. The final rule instead makes clear that the Secretary will determine the number of identical violations based on the nature of the obligation of the covered entity to act (or not act) under the provision violated. 
While we agree, in principle, that the definition of ``violation'' looks to an action or a failure to act as the essence of a violation, defining what particular act or failure to act constitutes the specific violation in question will necessarily require looking at the substantive provision involved and determining what the covered entity was legally obligated to do. We do not agree, in this regard, that the elements of ``people'' and ``time'' are always irrelevant to a failure to comply or that consideration of these elements would result in double counting of violations. Rather, the precise nature of the covered entity's obligation will, as discussed below, in many cases be a function of to whom the obligation is owed or the manner in which it must be performed or other elements. Thus, we include in the regulation examples of elements that should be considered, as appropriate, in construing a provision to determine a covered entity's obligation thereunder. We believe that this approach, under which the number of violations is grounded in the language of the provision violated, is wholly consistent with the statutory scheme. In many cases, applying this principle should not be difficult. For example, the Privacy Rule requires that covered entities have contracts or other arrangements in place with their business associates to assure the privacy of protected health information, and specifies what must (and may not) be included in the contract or other arrangement to do so. See Sec. 164.504(e). Two such provisions are that the contract may not authorize the business associate to use or further disclose the information in a manner that would violate the Privacy Rule, if done by the covered entity, and that the contract must provide that the business associate will use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the contract. See Sec. 164.504(e)(2)(i) and 164.504(e)(2)(ii)(B). 
If a covered entity enters into five contracts with business associates that authorize the business associates to use protected health information in a manner not permitted by the Privacy Rule and that do not require the business associates to use appropriate safeguards to protect the information, the covered entity will have committed five violations of each of the two separate requirements. Similarly, the Transactions Rule prohibits covered entities from entering into trading partner agreements that would change the use of a data element in a standard or add data elements not contained in the standard. See Sec. 162.915(a), (b). If a health plan were, by trading partner agreement, to require 200 providers to use a data element in a given transaction in a manner that was inconsistent with the standard, and also required the use of another data element that was not part of the standard, we would view each inconsistent requirement in the trading partner agreement as a separate violation. The regulation prohibits the adoption of certain terms in trading partner agreements, so each noncompliant term in each agreement would constitute a separate violation, resulting in 200 violations of each of these requirements. With respect to the transactions standards themselves, however, we anticipate defining the requirement violated to be the requirement to conduct a standard transaction. While one could view each required data element in a transaction as a separate requirement, because the Implementation Guide for each transaction is incorporated by reference into the regulation, one could also view the underlying Implementation Guides as functioning simply to describe what constitutes compliance in a particular case, rather than establishing separate compliance requirements. 
While we believe that either interpretation of the Transactions Rule is permissible, we expect to take the latter view of the Rule, to facilitate the predictability of determining violations under that Rule. Thus, we would count each noncompliant transaction as a single violation, regardless of the number of missing data elements. For example, if a health plan is found to have conducted 200 eligibility transactions which are missing several required data elements, the health plan would have committed 200 violations of one identical requirement (i.e., the requirement at Sec. 162.923(a) to conduct a covered transaction as a standard (i.e., compliant) transaction). In some cases, determining how many times a provision has been violated will be a function of the number of individuals or other entities affected, because the covered entity's obligation is to act in a certain manner with respect to certain persons. We include the term ``persons'' in the list of examples in Sec. 160.406 to make clear that such consideration may be appropriate. It may include not only individuals, but also other covered entities, their workforce members, or trading partners, where the obligation in question relates to such types of persons. For example, assume that a covered entity impermissibly allows a workforce member to access the protected health information of 20 patients whose information is stored on a computer file. The question is whether this set of facts constitutes one violation or 20 violations of Sec. 164.502(a), which prohibits impermissible uses or disclosures of protected health information. Since the covered entity has an obligation with respect to each patient to protect his or her protected health information, the sharing of the 20 patients' protected health information with the employee constitutes a separate impermissible use, or violation, of Sec. 164.502(a) with respect to each patient. 
Some provisions embody a requirement or prohibition that is of an ongoing nature or for which timeliness is an element of compliance. We characterize violations of such a requirement or prohibition as continuing violations. In such cases, the covered entity's obligation to act continues over time, and, if it fails to take the required action, that failure to comply also continues over time. Thus, there needs to be a way of determining how such compliance failures are measured. We have decided to count such failures in days, as each day represents a new opportunity to correct the compliance failure. Accordingly, we have included, in the second sentence of Sec. 160.406, language that establishes that continuing violations will be counted by days for purposes of determining how many violations of an identical requirement or prohibition occurred. [[Page 8407]] For example, the Security Rule requires covered entities to implement many types of policies and procedures. Under Sec. 164.308(a)(4)(i), for example, a covered entity is required to implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the Privacy Rule. The implementation of such policies and procedures is an ongoing obligation and, thus, any failure to adopt them is a continuing violation. As another example, a covered entity generally is required by Sec. 164.524 to act on a request by an individual for access to his or her protected health information no later than 30 days after the request is received. Thus, each day beyond the 30-day period a covered entity fails to provide such access would be a separate violation. In contrast, situations in which the violation is a discrete act would not be continuing violations. The transaction example above illustrates violations that are discrete acts. Similarly, where a health plan violates Sec. 
162.925(a)(2) by rejecting transactions because they are standard transactions, each rejection would constitute a discrete act. The example above of the workforce member who impermissibly accesses protected health information likewise is an example of violations that are discrete acts. As explained above, determining the number of violations in a particular case will depend, necessarily, on the precise provision violated and a covered entity's obligations thereunder. The examples above should assist covered entities in understanding their potential liability. These examples also illustrate that determining the number of violations may implicate a number of elements depending on the underlying provision violated, such as whether a covered entity had an obligation with respect to each person, or the amount of time that had elapsed with respect to a continuing violation, or a combination of these or other elements. While the final rule does not adopt the variable approach of the proposed rule, it does not preclude consideration of multiple elements in determining what constitutes the violation and, thus, the number of violations. Comment: Several comments challenged the preamble statement that future cases would be decided consistently with prior similar cases. One comment suggested that giving HHS discretion to determine the variables used in counting violations, yet saying that future cases will be consistent with past use of variables in similar violations, creates conflict. Other comments asked whether and how a covered entity would be able to challenge the selection of variable(s) based on the variables used in similar cases, if the facts of prior cases were not publicized, so that covered entities could determine how prior violations had been counted. 
Thus, comments requested that tracking of decided cases and the use of variables for each provision be assigned to a central entity within HHS, or that this information be made available to covered entities via the HHS Web sites.

Response: With respect to the comments regarding the preamble statement in the proposed rule that future cases would be decided consistently with prior similar cases, we clarify that the number of violations of a particular provision will be determined in a similar manner each time a case presents a violation of that particular provision, with due regard to the individual facts and circumstances of the case. In addition, as discussed below, the final rule eliminates the prohibition on ALJ review of the Secretary's choice of variable. Thus, under the final rule, the ALJ may review the Secretary's method of determining the number of violations for consistency or other purposes.

With respect to a covered entity's ability to challenge the Secretary's method of determining the number of violations, HHS will make available for public inspection and copying final decisions imposing civil money penalties and may publish such decisions on its HIPAA Web sites. (This is discussed below in connection with Sec. 160.426.) Thus, covered entities will be able to ascertain the application of the penalty provisions where penalties are imposed.

Comment: One comment suggested that there be a limit on the number of violations determined based upon the monetary impact the fine will have on the covered entity.

Response: A change is not necessary, as the statute and regulation already provide two points at which the financial impact of a civil money penalty on a covered entity may be considered--in connection with (1) the statutory factors (section 1128A(d), implemented in this rule by Sec. 160.408) and (2) waiver (section 1176(b)(4), implemented in this rule by Sec. 160.412).
Comment: Two comments suggested that the Secretary should consider whether or not the covered entity has enacted and completed a corrective action plan when determining the number of violations.

Response: Completion of a corrective action plan does not relate to determining the number of occurrences of a violation, so we do not include it as part of Sec. 160.406. However, HHS would consider any such action prior to imposition of a civil money penalty for purposes of determining whether there is a basis for informal resolution of the complaint. In addition, this fact is taken into account in determining whether the penalty should be imposed at all, insofar as it pertains to the ``reasonable cause'' defense under section 1176(b)(3) and Sec. 160.410(b)(3), since an element of that defense is whether the ``failure to comply'' has been corrected.

4. Section 160.408--Factors Considered in Determining the Amount of a Civil Money Penalty

Proposed rule: Section 1176(a)(2) states that, with some exceptions, the provisions of section 1128A of the Act shall apply to the imposition of a civil money penalty under section 1176 ``in the same manner as'' such provisions apply to the imposition of a civil money penalty under section 1128A. Section 1128A(d) requires that--

    In determining the amount of * * * any penalty, * * * the Secretary shall take into account--
    (1) The nature of the claims and the circumstances under which they were presented,
    (2) The degree of culpability, history of prior offenses and financial condition of the person presenting the claims, and
    (3) Such other matters as justice may require.

While the factors listed in section 1128A(d) were drafted to apply to violations involving claims for payment under federally funded health programs, HIPAA violations usually will not concern claims.
Thus, we proposed to tailor the section 1128A(d) factors to the HIPAA rules and break them into their component elements for ease of understanding and application, as follows: (1) The nature of the violation; (2) the circumstances under which the violation occurred; (3) degree of culpability; (4) history of prior offenses; (5) financial condition of the covered entity; and (6) such other matters as justice may require.

Proposed Sec. 160.408 provided detailed factors, within the categories stated above, to consider in determining the amount of a civil money penalty. However, the proposed rule would not label any of these factors as aggravating or mitigating. Rather, proposed Sec. 160.408 listed factors that could be considered either as aggravating or mitigating in determining the amount of the civil money penalty. The proposed approach would allow the Secretary to choose whether to consider a particular factor and how to consider each factor as appropriate in each [[Page 8408]] situation to avoid unfair or inappropriate results. It also would leave to the Secretary's discretion the decision regarding when aggravating and mitigating factors will be taken into account in determining the amount of the civil money penalty.

Final rule: The final rule adopts the provisions of the proposed rule, with a minor clarification. Section 160.408(d) is revised to clarify that the prior history to be considered relates to prior compliance with, and violations of, the administrative simplification provisions.

Comment: A number of comments supported the provision for mitigating factors and urged that it be retained in the final rule.

Response: We agree and have done so. See Sec. 160.408 below.

Comment: A number of comments raised concerns or recommendations related to a covered entity's history of compliance.
For example, several urged that HHS consider as a factor whether the covered entity has initiated corrective action, and whether such action was performed independently and prior to contact from HHS. Some comments also requested that HHS consider any evidence of a covered entity's good faith attempts to comply with the administrative simplification requirements or that HHS take into consideration a history of prior controls. One comment stated that the phrase ``history of prior offenses'' in proposed Sec. 160.408(d) was vague and requested that HHS revise the provision to clarify that it refers only to prior violations by a covered entity of the HIPAA rules, and not to prior offenses unrelated to the HIPAA rules. Another comment expressed concern with the provision at proposed Sec. 160.408(d)(4), which would allow HHS to consider as a factor in determining the amount of a civil money penalty how the covered entity has responded to prior complaints, as well as the preamble statement that such factor could include complaints raised by individuals directly to the covered entity. The comment argued that the manner in which a covered entity responded to previous complaints about matters unrelated to the violation at issue, or to complaints raised by individuals, may be irrelevant and unfairly prejudicial.

Response: With respect to corrective action by a covered entity, HHS would consider any such action prior to imposition of a civil money penalty for purposes of determining whether there is a basis for informal resolution of a complaint. In addition, corrective actions of the covered entity are taken into account in determining whether the covered entity has established an affirmative defense to the violation as provided for under Sec. 160.410(b)(3). Nonetheless, where the corrective action is taken in response to a complaint from an individual, the final rule at Sec.
160.408(d)(4) provides the Secretary with authority to consider such corrective action as a factor in determining a civil money penalty.

With respect to a covered entity's good faith attempt to comply with the HIPAA provisions and rules, we agree that such actions could be mitigating factors depending on the circumstances and, thus, have revised the rule to clarify that a covered entity's history of prior compliance generally may be considered, which could include, as appropriate, prior violations, as well as prior compliance efforts.

In addition, we agree that Sec. 160.408(d) should apply only to violations of the HIPAA rules, and not to offenses of other provisions of law. Accordingly, we have revised the language of Sec. 160.408(d) to substitute the term ``violations''--which is defined at Sec. 160.302 as a failure to comply with an administrative simplification provision--for the term ``offenses'' in the proposed rule.

Finally, we disagree that only those prior violations that are relevant to the issue at hand should be considered. While greater attention may be given to those violations that are similar in nature to the violation at issue, a covered entity's history of HIPAA compliance generally is relevant to determining whether the amount of a civil money penalty should be increased or decreased.

Comment: One comment urged that the size of the covered entity not be used as a factor in determining the amount of a civil money penalty, arguing that larger covered entities should not be subject to greater penalties for violations identical to those of smaller entities. The comment stated that, depending on the way the number of violations is calculated, larger covered entities are already subject to greater risk since more patients potentially could be affected by one act or omission.
Another comment asked what financial information would be required of a respondent to make a showing of its financial condition and whether, given that section 1128A provides that the Secretary shall take into account financial condition, the burden is on HHS to do so even if the respondent does not. Another comment asked how the financial condition of a covered entity is to be assessed.

Response: With respect to the first comment, no change is made in the final rule. The size of the covered entity is relevant in considering, under Sec. 160.408(e)(1), whether a covered entity experienced financial difficulties affecting its ability to comply, and under Sec. 160.408(e)(2), whether the imposition of a civil money penalty would jeopardize a covered entity's ability to provide or pay for health care.

In response to the second comment, the showing that a covered entity must make of its financial condition will vary depending on the circumstances. However, a respondent may provide whatever information it believes relevant to such a determination should it desire that HHS consider the entity's financial condition as a mitigating factor. Should a respondent fail to raise financial condition as a mitigating factor (or any other mitigating factor), however, HHS is under no obligation to raise the issue. See Sec. 160.534(b)(1)(ii).

With respect to how financial condition is assessed, the Departmental Appeals Board (Board) has considered this issue in other cases litigated under section 1128A. The Board has said that an inquiry into a provider's financial condition should be focused on whether the provider can pay the civil money penalty without being put out of business. See Milpitas Care Center, DAB No. 1864 (2003). In Capitol Hill Community Rehabilitation and Specialty Care Center, DAB CR 469 (1997), aff'd, DAB No.
1629 (1997), the Board construed a regulation (42 CFR 488.438(f)(2)) that lists a facility's ``financial condition'' as one of the factors that must be considered in deciding the amounts of civil money penalties. The Board stated that, while the term ``financial condition'' is not defined in the regulations, the plain meaning of the term is that a facility's ``financial condition'' is its overall financial health. Thus, the relevant question to be considered in deciding whether a facility's financial condition would permit it to pay civil money penalties is whether the penalty amounts would jeopardize the facility's ability to survive as a business entity.

Comment: One comment argued that proposed Sec. 160.408 should establish that HHS can only consider mitigating factors to determine the amount of the civil money penalty and not as a basis for waiving the penalty altogether. The comment stated that proposed Sec. 160.410 already establishes circumstances under which HHS may not impose a fine, and it would be unreasonable to extend those circumstances.

Response: The final rule does not expand the circumstances under which the Secretary is prohibited from imposing, or may waive, a civil money penalty under Sec. Sec. 160.410 and 160.412, [[Page 8409]] respectively. The factors in Sec. 160.408 may be applied to determine, as appropriate, whether to increase or decrease the amount of a civil money penalty.

Comment: One comment expressed concern that the overlap of certain variables in proposed Sec. 160.406 with factors in proposed Sec. 160.408 (e.g., the variable for the duration of the violation counted in days versus the factor for the time period during which the violation occurred) could result in compounding the penalty.

Response: We disagree that providing for both counting continuing violations in days and taking time into account under Sec. 160.408 is inappropriate.
The provision for counting continuing violations in days relates to determining how many times violation of an identical provision occurred; the provision for considering the time period of the violation is one element, among others, that may constitute a mitigating or aggravating factor in determining the amount of a civil money penalty. While it is true that length of time will tend to operate in the same direction (i.e., to reduce or enlarge the penalty) with respect to each of these elements of the penalty calculation, these two elements are different in nature, and time is relevant to both.

Comment: One comment that supported the list of factors in proposed Sec. 160.408 nonetheless recommended that we better describe the factors in the preamble. Another comment requested examples of what may be included in the factor of ``[s]uch other matters as justice may require'' proposed at Sec. 160.408(f).

Response: With respect to the first comment, the factors themselves are particularized and, thus, are fairly self-explanatory. However, where questions about the factors were raised in the public comments, we have provided further guidance in our responses in this preamble. With respect to the ``such matters as justice may require'' factor, many different circumstances have been cited for consideration in prior cases in other areas in which this factor applies. For example, ALJs have been asked to consider the following types of circumstances under this factor: the respondent's trustworthiness, the respondent's lack of veracity and remorse, measurable damages to the government, indirect or intangible damages to the government, the effect of the penalty on respondent's rehabilitation, and unprompted diligence in correcting violations.

5. Section 160.410--Affirmative Defenses to the Imposition of a Civil Money Penalty

Section 160.410 implements sections 1176(b)(1)-(3) of the Act. These sections specify certain limitations on when civil money penalties may be imposed.
Paragraphs (1), (2), and (3) of section 1176(b) each state that, if the conditions described in those paragraphs are met, a penalty may not be imposed under subsection (a) of section 1176. Under section 1176(b)(1), a civil money penalty may not be imposed with respect to an act if the act constitutes a criminal offense punishable under section 1177 of the Act. Under section 1176(b)(2), a civil money penalty may not be imposed if it is established to the satisfaction of the Secretary that the person who would be liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision. Under section 1176(b)(3), a civil money penalty may not be imposed if the failure to comply was due to reasonable cause and not to willful neglect and is corrected within a certain period. The period of time to correct a failure to comply may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.

Proposed rule: Proposed Sec. 160.410 would characterize the limitations under section 1176(b)(1), (2), and (3) as ``affirmative defenses,'' to make clear that they must be raised in the first instance by the respondent. In order not to preclude the raising of affirmative defenses that could legitimately be raised, the introductory text of proposed Sec. 160.410 would permit a respondent to offer affirmative defenses other than those provided in section 1176(b). Under proposed Sec.
160.410(a), several terms relevant to the affirmative defenses would be defined: ``Reasonable cause,'' ``reasonable diligence,'' and ``willful neglect.'' ``Reasonable cause'' would be defined as ``circumstances that make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.'' ``Reasonable diligence'' would be defined as ``the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.'' ``Willful neglect'' would be defined as ``conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.''

Proposed Sec. 160.410(b)(1) simply referred to section 1177.\2\ Proposed Sec. 160.410(b)(2) generally tracked the statutory language, but also provided that whether or not a covered entity possesses the requisite knowledge to make this affirmative defense inapplicable would be ``determined by the federal common law of agency.'' The text of proposed Sec. 160.410(b)(3) used the defined term ``reasonable diligence'' and, thus, would build on the analysis conducted under proposed Sec. 160.410(b)(2). Proposed Sec. 160.410(b)(3)(ii)(B) would follow the statutory language and would permit the Secretary to use the full discretion provided by the statute in extending the statutory cure period.

---------------------------------------------------------------------------

\2\ Section 1177(a) provides that a person who knowingly and in violation of this part uses or causes to be used a unique health identifier, obtains individually identifiable health information relating to an individual, or discloses individually identifiable health information relating to another person shall be punished as provided in subsection (b).
Section 1177(b) sets out three levels of penalties that vary depending on the circumstances under which the offense was committed.

---------------------------------------------------------------------------

Final rule: The final rule adopts the provisions of the proposed rule. A related change is made to Sec. 160.504(c), as discussed below.

a. Section 160.410(b)--General Rule

Comment: One comment asked whether a covered entity could challenge in a hearing the reasonableness of the Secretary's finding that an affirmative defense has not been sufficiently established.

Response: A respondent may challenge in a hearing the finding in a notice of proposed determination that an affirmative defense has not been established. See Sec. 160.534(b)(1)(i), which provides that the respondent bears the burden of proof with respect to affirmative defenses.

Comment: Two comments noted that the preamble to the proposed rule (70 FR 20237) would allow a covered entity to raise affirmative defenses in addition to those listed under Sec. 160.410(b), but that the text of the proposed rule would not allow for additional defenses. They asked that the final rule be revised to allow a covered entity to present affirmative defenses not expressly listed in Sec. 160.410(b). One comment contended, however, that Sec. 160.410 would allow covered entities too many opportunities to avoid a penalty.

Response: The introductory text of Sec. 160.410(b) permits other affirmative defenses to be raised by using the phrase ``including the following.'' While we do not delineate what additional affirmative defenses might be raised, the ``[e]xcept as provided in subsection (b)'' [[Page 8410]] language of section 1176(a)(1) suggests that they are limited. Nonetheless, the statute clearly contemplates at least one defense other than the limitations set out at section 1176(b)--the statute of limitations provision at section 1128A(h).
Statutes of limitations defenses are typically treated as affirmative defenses, see Fed. R. Civ. P. 8(c). (28 U.S.C. Appendix). Thus, we believe that provision for other affirmative defenses that may be fairly implied from the HIPAA provisions or section 1128A must be made and, accordingly, have done so.

We do not eliminate the affirmative defenses that may be raised and that are provided for by Sec. 160.410, as suggested by the final comment above. We have no authority to eliminate a limitation that the statute imposes on our authority to impose civil money penalties, whether or not it has the effect complained of.

Comment: One comment suggested that Sec. 160.410(b) should be revised to state that the Secretary ``shall not'' impose a civil money penalty. The comment stated that if a covered entity establishes an affirmative defense, the Secretary should not have discretion to impose a penalty as indicated by the current wording ``may not impose.''

Response: We do not make the suggested change, because the present wording accomplishes what the comment urges. The phrase ``may not impose'' means, in this context, ``is not permitted to impose.'' We do not change the language here, as it is consistent with the usage in the HIPAA rules generally, and we do not wish to suggest an inconsistency or a different meaning for similar prohibitions in other HIPAA rules.

b. Section 160.410(b)(1)--``Criminal Offense'' Affirmative Defense

Comment: Several comments expressed concern that covered entities are being forced to incriminate themselves if they raise the affirmative defense under Sec. 160.410(b)(1) in the request for hearing under Sec. 160.504. These comments stated that covered entities should be able to raise this defense after a case has been referred to the Department of Justice, on the theory that section 1176(b)(1) operates as a jurisdictional bar to the imposition of a civil money penalty. One comment cited the Memorandum for Alex M. Azar II and Timothy J.
Coleman from Stephen G. Bradbury, Re: Scope of Criminal Enforcement Under 42 U.S.C. 1320d-6 (June 1, 2005) (Justice Memorandum). The Justice Memorandum is available at http://www.usdoj.gov/olc/hipaa_final.htm. The comment cited the Justice Memorandum for the proposition that this section of the statute operates as an absolute bar to imposition of a civil money penalty, rather than as an affirmative defense. Several comments argued that the burden of establishing that the limitation of section 1176(b)(1) applied should be on HHS, not on the respondent, as a matter of fairness.

Response: We continue to be of the view that the statute is structured to make the limitation of section 1176(b)(1) a defense that must be raised by the respondent. The fact that meeting the condition described in this subsection operates to bar the imposition of a civil money penalty does not distinguish it from the limitations provided for by sections 1176(b)(2) and 1176(b)(3), and those sections of the statute clearly are defenses which the respondent should raise. Moreover, the burden of establishing that section 1176(b)(1) applied could never be on HHS, as that would require HHS to carry the burden of proving a fact that would defeat its claim; it is the respondent, not HHS, who, in the context of the hearing, will be the proponent of the claim that the act for which a civil money penalty is sought is a criminal offense.

However, we recognize that section 1176(b)(1) could potentially present a situation of some difficulty for a respondent, where the Department of Justice is considering a referral related to the violations on which the civil money penalty action has been brought. While the requirement that civil money penalties be authorized by the Department of Justice before they are brought should prevent such situations from arising, we cannot assume that they will never arise.
Accordingly, we provide that, unlike the other affirmative defenses, which are waived if not raised in the request for hearing, this affirmative defense may be raised at any time during the administrative proceedings, to permit respondents to better manage such legal risks, should they ever arise. Provision for this is made in Sec. 160.504(c), and a conforming change is made to Sec. 160.548(e).

Comment: One comment stated that the fact of referral to the Department of Justice should constitute conclusive evidence that the act is one ``punishable'' under section 1177, even if the Department of Justice declines to prosecute (so that the act is not ``punished'' under section 1177).

Response: We do not agree. Referral to the Department of Justice constitutes, at most, our preliminary assessment that the act in question may be subject to criminal prosecution. The Department of Justice may not agree with our preliminary assessment and may return the case to us for administrative action.

Comment: One comment requested that knowledge under section 1177 be defined.

Response: ``Knowingly'' is the term used in section 1177 of the Act (``A person who knowingly and in violation of this part * * * ''). According to the Office of Legal Counsel of the United States Department of Justice, `` `the term `knowingly' merely requires proof of knowledge of the facts that constitute the offense.' '' Justice Memorandum, at 11, quoting U.S. v. Bryan, 524 U.S. 184, 193 (1998).

c. Section 160.410(b)(2)--``Lack of Knowledge'' Affirmative Defense

Comment: One comment asks HHS to clarify the definition of knowledge required for a civil money penalty to be imposed.
Response: Under section 1176(b)(2), a civil money penalty may not be imposed for a violation ``if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know * * * that such person violated the provision.'' As we observed at 70 FR 20237--

    This language on its face suggests that the knowledge involved must be knowledge that a ``violation'' has occurred, not just knowledge of the facts constituting the violation. * * * We, thus, interpret this knowledge requirement to mean that the covered entity must have knowledge that a violation has occurred, not just knowledge of the facts underlying the violation.

Comment: One comment asked whether, if a covered entity were found not to be liable because the knowledge of an agent could not be imputed to it, the individual committing the violation would be held liable for the penalty.

Response: The Enforcement Rule provides that only a covered entity is liable for a civil money penalty under section 1176. See Sec. 160.402(a) and the definition of ``respondent'' at Sec. 160.302.

Comment: One comment contended that the phrase ``to the satisfaction of the Secretary'' should be stricken from proposed Sec. 160.410(b)(2). The comment stated that this phrase would preclude the covered entity from raising an argument before the ALJ that the Secretary did not properly consider their affirmative defenses before imposing a penalty. Another comment asked whether this phrase makes the finding totally discretionary and, thus, unreviewable by the ALJ.

Response: This language is statutory, as may be seen at section 1176(b)(2), set out above. Further, as discussed above, a respondent may raise affirmative defenses in a hearing. Where so raised, [[Page 8411]] the ALJ's decision as to whether the covered entity lacked knowledge would become the decision of the Secretary, unless reversed on subsequent appeal.
Comment: One comment asked, with respect to imputing knowledge to the covered entity, who would be considered to be a ``responsible officer or manager'' and whether a Privacy Officer is considered a ``responsible officer or manager.''

Response: With respect to who would be considered to be a responsible officer or manager and whether a Privacy Officer would be considered a responsible officer or manager, see the discussion above under Sec. 160.402(c).

Comment: One comment asked whether, if a Privacy Officer mitigates or corrects a violation, that action would satisfy the requirement that a responsible officer or manager be made aware of the violation.

Response: We are unsure what the precise concern of this comment is, as the issue of knowledge typically would arise in the context of the ``lack of knowledge'' affirmative defense. That defense requires, for its application, that the covered entity not have actual or constructive knowledge of the violation. If the violation has been corrected, as the comment suggests, one would normally presume that the covered entity knew of the violation, making the lack of knowledge defense unavailable. Under the scenario posed by the comment, as we understand it, the issue would be whether the elements of the ``reasonable cause'' affirmative defense were present.

d. Section 160.410(b)(3)--``Reasonable Cause'' Affirmative Defense

Comment: One comment asked that the word ``corrected'' in Sec. 160.410(b)(3)(ii) be changed to ``mitigated,'' because not all violations can be fully corrected.

Response: We agree with the comment that not all violations of the HIPAA rules can be fully corrected, in the sense of being undone or fully remediated. However, we do not agree that the term ``corrected,'' which is the term used by the statute, need be read so narrowly. Rather, the statute speaks of the ``failure to comply'' being corrected.
Thus, the term ``corrected,'' as used in the statute, could include correction of a covered entity's noncompliant procedure by making the procedure compliant. In any event, since the term ``corrected'' is the term used in the statute, we employ it in the rule below.

Comment: One comment requested clarification as to how a covered entity could ask for an extension of time to cure a violation under Sec. 160.410(b)(3)(ii)(B).

Response: The covered entity should make this request in writing to, as applicable, CMS or OCR. The request should state when the violation will be corrected and the reasons that support the need for additional time.

Comment: One comment asked that the 30-day cure period be extended by an additional 30 days.

Response: The initial cure period is, by statute, 30 days. However, section 1176(b)(3)(B)(i) permits the Secretary to extend the initial cure period ``as determined appropriate by the Secretary based on the nature and extent of the failure to comply.'' Section 160.410(b)(3)(ii)(B) adopts, and does not expand upon, this statutory language. Thus, HHS could extend the cure period for an additional 30 days (or some greater or lesser period), if it were determined appropriate to do so.

6. Section 160.412--Waiver

Section 1176(b)(4) of the Act provides for waiver of a civil money penalty in certain circumstances. Section 1176(b)(4) provides that, if the failure to comply is ``due to reasonable cause and not to willful neglect,'' a penalty that has not already been waived under section 1176(b)(3) ``may be waived to the extent that the payment of such penalty would be excessive relative to the compliance failure involved.'' If there is reasonable cause and no willful neglect and the violation has been timely corrected, the imposition of the civil money penalty would be precluded by section 1176(b)(3).
Therefore, waiver under this section would be available only where there was reasonable cause for the violation and no willful neglect, but the violation was not timely corrected.

Proposed rule: Proposed Sec. 160.412 did not propose to elaborate on the statute in any material way. This provision would provide the Secretary with the flexibility to utilize the discretion provided by the statutory language as necessary.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment suggested that this section be removed entirely. The comment stated that section 1176(b)(4) authorizes, but does not compel, the Secretary to allow for waiver of civil money penalties. The comment argued that waiver is an unnecessary avenue for covered entities to avoid penalties, as the statute and the proposed rule would provide so many other avenues by which a covered entity could avoid being penalized for violations.

Response: As was more fully discussed at 70 FR 20239, the statute, in our view, creates a statutory right for covered entities to request a waiver, where a violation is due to reasonable cause and not willful neglect, but has not been corrected within the statutory cure period (including any extensions thereof). While the grant of a waiver is within the agency's discretion, the statute clearly contemplates that covered entities may request a waiver in such circumstances and that HHS must consider the request. Accordingly, we do not make the change suggested.

7. Section 160.414--Limitations

Proposed rule: Proposed Sec. 160.414 was adopted by the April 17, 2003 interim final rule as Sec. 160.522. We proposed to move this section, which sets forth the six-year limitation period provided for in section 1128A(c)(1), from subpart E to subpart D, because this provision applies generally to the imposition of civil money penalties and is not dependent on whether a hearing is requested.
We also proposed to change the language of this provision so that the date of the occurrence of the violation is the date from which the limitation is determined.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment requested clarification of record retention requirements and their interaction with the time limitation on bringing an enforcement action.

Response: The issue raised by this comment is discussed in connection with Sec. 160.310 above.

Comment: One comment suggested shortening the time period to two years in the interest of accomplishing compliance faster and making record-keeping less burdensome for covered entities.

Response: The six-year limitations period of Sec. 160.414 is provided for by statute (section 1128A(c)(1) of the Act), and, thus, is not within our power to change by regulation. Insofar as this comment suggests changing the record retention requirements of the Privacy and Security Rules, the requested change is outside the scope of this rulemaking.

8. Section 160.416--Authority To Settle

Proposed rule: Proposed Sec. 160.416 was adopted by the April 17, 2003 interim final rule as Sec. 160.510. We proposed to move this section, which addresses the authority of the Secretary to settle any issue or case or to compromise any penalty imposed on a covered entity, from subpart E to subpart D, because this provision [[Page 8412]] applies generally to the imposition of civil money penalties, and is not dependent on whether a hearing is requested. No change was proposed to the text of the provision.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment expressed concern that this provision does not provide for alternative dispute resolution. The comment urged HHS to remain committed to the informal resolution process.
Response: We provide in the rule that HHS will attempt to resolve compliance issues informally, for the reasons discussed above and in the preamble to the proposed rule. Where this process is insufficient to resolve the matter, the statute requires provision of a formal hearing process, if a hearing is requested. We note that under their current procedures, the ALJ and/or the Departmental Appeals Board routinely afford parties the opportunity to engage in alternative dispute resolution.

Comment: Two comments suggested removing Sec. 160.416 from the final rule, on the ground that it is inappropriate to give the Secretary this authority without oversight.

Response: We do not adopt this suggestion. The statute explicitly gives the Secretary the authority to compromise penalties, which would typically be done through settlement of the case. See section 1128A(f).

9. Section 160.420--Notice of Proposed Determination

Proposed rule: The text of proposed Sec. 160.420 was adopted by the April 17, 2003 interim final rule as Sec. 160.514. We proposed to move this section from subpart E, which sets out the procedures and rights of the parties to a hearing, to subpart D, because the notice provided for in this section must be given whenever a civil money penalty is proposed, regardless of whether a hearing is requested. No changes, other than conforming changes, were proposed to paragraphs (a)(1) and (a)(3), (a)(4), or to paragraph (b). We proposed to revise paragraph (a)(2) by adding that, in the event the Secretary employs statistical sampling techniques under Sec. 160.536, the sample relied upon and the methodology employed must be generally described in the notice of proposed determination. A new paragraph (a)(5) would require the notice to describe any circumstances described in Sec. 160.408 that were considered in determining the amount of the proposed penalty; this provision would correspond to Sec. 1003.109(a)(5) of the OIG regulations. Paragraph (a)(5) of Sec.
160.514 of the April 17, 2003 interim final rule would be renumbered as Sec. 160.420(a)(6).

Final rule: We adopt the section as proposed, except that, where HHS bases the proposed penalty in part on statistical sampling, a copy of the report of the agency's statistical expert, rather than just a description of the study and the sampling technique used, must be provided with the notice of proposed determination.

Comment: One comment requested clarification as to whether the notice of proposed determination serves as the notice required by the statute.

Response: Yes, the notice provided for by Sec. 160.420--the notice of proposed determination--implements the requirement for notice of section 1128A(c)(1).

Comment: One comment recommended that the final rule retain Sec. 160.420(a)(5) to ensure that covered entities have sufficient information as to why the penalty was imposed.

Response: This has been done. See Sec. 160.420(a)(5) below.

Comment: Several comments requested that the rule specify that the notice of proposed determination will be sent to the covered entity's Privacy Officer or another designated officer.

Response: This issue is discussed below in connection with Sec. 160.504.

Comment: Several comments stated that, if HHS bases its proposed penalty on statistical sampling, the notice of proposed determination should include a copy of the study relied upon, so that a covered entity has adequate notice and time to prepare its defense.

Response: We agree and have made the requested change.

10. Section 160.422--Failure To Request a Hearing

Proposed rule: The text of proposed Sec. 160.422 was adopted by the April 17, 2003 interim final rule as Sec. 160.516. We proposed to add language (``and the matter is not settled pursuant to Sec. 160.416'') to recognize that the Secretary and the respondent may agree to a settlement after the Secretary has issued a notice of proposed determination.
We also proposed that the penalty be final upon receipt of the penalty notice, to make clear when subsequent actions, such as collection, may commence.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: Several comments suggested that a provision should be added allowing the time frame to request a hearing to be extended when the notice of proposed determination is not received by the appropriate person within the covered entity.

Response: This issue is discussed in connection with Sec. 160.504 below.

11. Section 160.424--Collection of Penalty

Proposed rule: The text of Sec. 160.424 was adopted by the April 17, 2003 interim final rule as Sec. 160.518. We proposed to move this section, which addresses how a final penalty is collected, from subpart E to subpart D, because this provision applies generally to the imposition of civil money penalties and is not dependent upon whether a hearing is requested. The rule provides that once a proposed penalty becomes final, it will be collected by the Secretary, unless compromised. The Secretary may bring a collection action in the Federal district court for the district in which the respondent resides, is found, or is located. The penalty amount, as finally determined, may be collected by means of offset from Federal funds or state funds owing to the respondent. Matters that were, or could have been, raised in a hearing or in an appeal to the U.S. Circuit Court of Appeals may not be raised as a defense to the collection action.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment asked what interest rate will accrue, if a penalty is not paid promptly by the covered entity.

Response: Under the Federal Claims Collection rules, interest is calculated as provided by 31 U.S.C. 3717. See 31 CFR 901.9.
Comment: One comment asked whether, if a penalty is assessed against a hybrid entity, the part of the entity responsible for the violation would pay the penalty or the entire hybrid entity would pay the penalty.

Response: As noted above, a hybrid entity is, by definition, a single legal entity. Where a penalty is assessed against a covered entity that has designated itself as a hybrid entity, the legal entity that is the covered entity is responsible for payment of the penalty. How the covered entity allocates the penalty payment as a matter of internal accounting is a business decision of the covered entity.

Comment: One comment asked whether, if an agency with the same structure as a Medicaid agency is assessed a penalty, federal dollars can be withheld in lieu of payment of the penalty.

Response: Yes. Section 1128A(f) provides for setoff of penalty amounts against Federal or state agency funds then or later owing to the person penalized.

Comment: One comment suggests that the Secretary does not have the [[Page 8413]] authority to preclude issues from being raised in a civil action in federal court. The comment suggests removing Sec. 160.424(d) from the final rule.

Response: Section 160.424(d) merely states the well-recognized principle that, where an administrative remedy exists, a plaintiff must exhaust that remedy as a precondition to raising the issue in question in court.

12. Section 160.426--Notification of the Public and Other Agencies

Proposed rule: We proposed to require notification of the public generally whenever a proposed penalty became final, in order to make the information available to anyone who must make decisions with respect to covered entities. The regulatory language would provide for notification in such manner as the Secretary deems appropriate, which would include posting to an HHS Web site and/or the periodic publication of a notice in the Federal Register.

Final rule: The final rule adopts the provisions of the proposed rule.
Comment: Several comments argued that the provision for notification of the public in proposed Sec. 160.426 would extend beyond the scope of the Secretary's statutory authority under section 1128A(h), since section 1128A(h) specifies only that certain types of organizations and agencies are to be notified. They urged that the requirement be eliminated.

Response: We disagree that the requirement for public notification is unauthorized. It is true that Sec. 160.426 establishes the means by which HHS may carry out its obligation to notify various agencies and organizations under section 1128A(h). However, the basis for the public notice portion of Sec. 160.426 lies not in section 1128A(h), as the comments assumed, but in the Freedom of Information Act (FOIA), 5 U.S.C. 552. FOIA requires final opinions and orders made in adjudication cases to be made available for public inspection and copying. See 5 U.S.C. 552(a)(2)(A). The adjudicatory process \3\ set forth in the Enforcement Rule begins with the service upon the respondent of a notice of proposed determination under Sec. 160.420. This proposed penalty becomes final if the respondent fails to contest it in the time and manner provided in Sec. 160.504(b). If the respondent does contest the proposed penalty, the final agency order is the decision of the ALJ, or the Board, as the case may be. While it is true that section 1128A(h) does not require that such notice be given to the public, neither does it prohibit such wider dissemination of that information, and nothing in section 1128A(h) suggests that it modifies the Secretary's obligations under FOIA.
FOIA requires making final orders or opinions available for public inspection and copying by ``computer telecommunication * * * or other electronic means,'' which would encompass putting them up on the Department's Web site, and further provides that, absent actual and timely notice, in order for the Department to rely upon final opinions that affect a member of the public or to cite them as precedent against a party, the opinions or orders must be indexed and made available electronically. See 5 U.S.C. 552(a)(2).

---------------------------------------------------------------------------

\3\ Under the Administrative Procedure Act, ``adjudication means agency process for the formulation of an order.'' 5 U.S.C. 551(7). An ``order means the whole or part of a final disposition * * * of an agency in a matter other than rule making * * *''. 5 U.S.C. 551(6).

---------------------------------------------------------------------------

Comment: Many comments objected to the requirement for public notice. Comments argued that since final decisions of the Departmental Appeals Board are available under FOIA, there is no need for further notice to the public. Further, it was stated that many HIPAA violations, particularly of the Transactions Rule, are very technical in nature and the public may be unable to understand the nature of such violations. Accordingly, public notification may injure the reputation of covered entities and cause them to lose business, while the reputational injury attendant on public notification may be wholly disproportionate to the violations involved. Also, comments argued that entities that are members of an affiliated covered entity and that are held liable for the actions of others under Sec. 160.402(b) may be unfairly labeled as noncompliant.
Finally, comments stated that covered entities may have to expend additional resources to fight complaints, because the public notification provision would give competitors an incentive to use the complaint process to gain an unfair business advantage.

Response: Final decisions of the ALJs and the Departmental Appeals Board are made public via the Board's Web site. See http://www.hhs.gov/dab/search.html. Such postings, however, would not include penalties that become final because a request for hearing was not filed under Sec. 160.422. Notices of proposed determination under Sec. 160.420 that become final because a hearing has not been timely requested would likewise be made available for such public inspection and copying as final orders. By making the entire final opinion or order available to the public, the facts underlying the penalty determination and the law applied to those facts will be apparent. Given that information, the public may discern the nature and extent of the violation as well as the basis for imposition of the civil money penalty on the covered entity. Finally, the process established for the review and investigation of complaints should identify those without merit, or over which HHS has no jurisdiction under the HIPAA provisions, but, in any event, we doubt that the notification provisions of this section will increase the likelihood that complaints will be filed.

Comment: One comment suggested that, rather than mandating the provision of notice to the public, the rule should give the Secretary discretion to determine when public notification is prudent, as doing so may not be appropriate in all instances--for example, where there is an ongoing investigation or a technical failure is involved. A number of comments urged HHS to publish violations of HIPAA without the name of the covered entity.
They argued that this approach would enable covered entities to understand how OCR and CMS apply the HIPAA rules in particular circumstances and would, thus, encourage voluntary compliance.

Response: As noted, under FOIA, we must make final orders and opinions available for public inspection and copying. FOIA permits the Secretary to withhold information whose release could, for instance, reasonably be expected to interfere with prospective or ongoing law enforcement proceedings, but such exemption does not apply where, as in the case of such final opinions and orders, they are made after the conclusion of such proceedings. See 5 U.S.C. 552(b)(7)(A). While FOIA permits the deletion of identifying details to prevent a clearly unwarranted invasion of personal privacy, identifying the name(s) of the covered entities against whom penalties are imposed would not be such an invasion of personal privacy.

Comment: One comment suggested that the rule be revised to require covered entities to notify the Secretary and potentially affected individuals when there is a suspected breach of the Privacy Rule. The comment also suggested that HHS make available a list of violations organized by entity, including the number of persons affected by each violation. One comment asked that all final decisions of the ALJ or the Board, including those to not assess a penalty, be made public, [[Page 8414]] so that covered entities could present a better defense in the future based on past decisions to not impose a penalty in a similar situation. Another comment supported the proposal to notify the public of final penalties, on the ground that the public should be aware of violations, particularly of the Privacy Rule. Another comment suggested that complainants should be notified when a penalty is imposed.

Response: As noted, final opinions or orders imposing penalties will be made available to the public for inspection and copying.
Given that this information will be public, we do not accept the other comments above.

Comment: One comment stated that the public notification rule should not apply to, or include, matters referred to the Department of Justice. Another comment asked that HHS confirm that the public notification provision would not apply to informal resolutions.

Response: In neither of the above situations has a final order on a penalty proposed under Sec. 160.420 been entered. Consequently, neither situation would come within the public notification requirement of Sec. 160.426.

Comment: Several comments expressed concern that publication of a penalty could occur prematurely, before all of the covered entity's appeals had been exhausted. They requested clarification as to when a penalty is considered final for purposes of notification. A couple of comments stated that the penalty should be considered to be final, for purposes of the public notification, when all court appeals have been exhausted.

Response: A civil money penalty is considered to be final, for purposes of notification, when it is a final agency action--i.e., the time for administrative appeal has run or the adverse administrative finding has otherwise become final. The final opinion or order that is subject to the notification provisions of this section is the notice of proposed determination, if a request for hearing is not timely filed, the decision of the ALJ, if that is not appealed, or the final decision of the Board.

D. Subpart E--Procedures for Hearings

As previously explained, the provisions of section 1128A of the Act apply to the imposition of a civil money penalty under section 1176 ``in the same manner as'' they apply to the imposition of civil money penalties under section 1128A itself. The provisions of subpart E are, as a consequence, based in large part upon, and are in many respects the same as, the OIG regulations implementing section 1128A.
We adapt, re-order, or combine the language of the OIG regulations in a number of places for clarity of presentation or to reflect concepts unique to the HIPAA provisions or rules. To avoid confusion, we also employ certain language usages in order to be consistent with the usages in the other HIPAA rules (for example, for mandatory duties, ``must'' or ``will'' instead of ``shall'' is used; for discretionary duties, ``may'' instead of ``has the authority to'' is used).

Subpart E, as adopted by the April 17, 2003 interim final rule, adopted provisions relating to investigational inquiries and subpoenas and certain definitions that have now been moved to subpart C. It also adopted a number of provisions that relate to all civil money penalties that have now been moved to subpart D. Subpart E, as revised below, addresses only the administrative hearing phase of the enforcement process.

General comment: Several comments argued that the proposed Enforcement Rule, as a whole, would give the government an unfair advantage and seriously compromise the ability of covered entities to defend themselves before an ALJ and on an appeal to the Board.
It was argued that the following provisions, in combination, would ``stack the deck'' in the government's favor:

(1) The severely restricted ability of covered entities to rebut the statistical sampling report; (2) the ``extraordinary circumstances'' standard for failure to timely exchange exhibits and witness statements; (3) the inability to depose prior to the hearing or question at the hearing the government's statistical sampling expert; (4) the ability of the * * * ALJ * * * to admit prior evidence of witnesses which were not subject to cross examination by the covered entity; (5) the requirements regarding hearing requests; (6) the limited nature of discovery and the lack of obligation to share exculpatory evidence; (7) the ALJ's discretion about applying the Federal Rules of Evidence; (8) the very broad harmless error rule which significantly restricts a covered entity's appeal rights; and (9) the limited authority of the ALJ and correspondingly broad discretion provided to the Secretary.

Response: While we also discuss the above provisions individually, we provide the following general response. We do not agree that the proposed rule would have given HHS an unfair advantage or compromised the ability of covered entities to defend themselves. Most of the provisions cited should operate even-handedly, providing no greater advantage to the government than to the respondent. For example, the limitation on depositions will also mean that the governmental party cannot depose any statistical expert of the respondent; similarly, the other limitations on discovery should operate similarly for both parties, as should the ALJ's discretion with respect to the application of the Federal Rules of Evidence and the application of the harmless error rule. In any event, we have changed several of the provisions cited.
We have required the government's statistical study to be provided with the notice of proposed determination, we have clarified the conditions for the admission of written statements, and we have eliminated the restriction on the ALJ's authority to review the method by which the number of violations is determined. We believe that the final rule strikes an appropriate balance and should ensure that neither party has a procedural advantage.

1. Section 160.504--Hearing Before an ALJ

Proposed rule: The proposed rule proposed few changes to this section, which was Sec. 160.526 of the April 17, 2003 interim final rule. Section 160.526(a)(2) of the April 17, 2003 interim final rule stated that the Departmental party in a hearing is ``the Secretary.'' The term ``Secretary'' is defined at Sec. 160.103 of the HIPAA rules as ``the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.'' However, in light of the multiple roles of the Secretary in the context of a hearing (OCR and/or CMS would be a party, while the ALJ or the Board would be the adjudicator), we proposed to clarify in Sec. 160.504(a)(2) which part of HHS acts as the ``party'' in the hearing. Because which component of HHS will be the ``party'' in a particular case will depend on which rule is alleged to have been violated, and because a particular case could involve more than one HIPAA rule, we proposed to define the Secretarial party generically, by reference to the component with the delegated enforcement authority. Under the proposed provision, the Secretarial party could consist of more than one officer or employee, so that it is possible for both CMS and OCR to be the Secretarial party in a particular case.

Proposed Sec. 160.504(b) provided that the request for a hearing must be mailed within 60 days, via certified mail, return receipt requested, to the address specified in the notice of proposed determination.
The last sentence of proposed Sec. 160.504(b) provided that the date of receipt of the notice of proposed determination is presumed to be five days after the date of the notice unless the respondent makes a reasonable [[Page 8415]] showing to the contrary. This showing may be made even where the notice is sent by mail and is not precluded by the computation of time rule of proposed Sec. 160.526(c), establishing a five-day allowance for mailing.

Proposed Sec. 160.504(c) would require that the request for hearing clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination with respect to which the respondent has knowledge and must also state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty.

Proposed Sec. 160.504(d)(1) would require the ALJ to dismiss a hearing request where ``[t]he respondent's hearing request is not filed as required by paragraphs (b) and (c) of this section.'' Proposed Sec. Sec. 160.504(d)(2)-(4) would require dismissal where the hearing request was, respectively, withdrawn, abandoned, or raised no issue that could properly be addressed in a hearing.

Final rule: Section 160.504 below revises the proposed rule in several respects. The proposed 60-day time limit for filing a request for hearing is extended to 90 days. See Sec. 160.504(b). Section 160.504(c) provides that an affirmative defense under Sec. 160.410(b)(1) may be raised at any time. Section 160.504(d)(1) provides that a dismissal on the grounds stated in that paragraph may only be made on motion of the Secretary, and the ground for dismissal under paragraph (b) is limited to the respondent's failure to comply with the timely filing requirement of paragraph (b).

Comment: A number of comments objected to the 60-day time limit of proposed Sec.
160.504(b) as unreasonably short and unfair, given the detailed showing the covered entity is required to provide in its request for hearing and the severe consequences, under proposed Sec. 160.504(d)(1), of failing to meet this requirement. A couple of comments also objected that this provision is not necessary and does not follow the OIG regulation in this respect. Comments suggested several changes: (1) That the required specificity of the request for hearing be eliminated, (2) that the time for response be lengthened, and/or (3) that there be a provision to excuse an untimely request for hearing based on good cause.

Response: We accommodate the concerns raised in the public comment by extending the period for filing a request for hearing from 60 to 90 days. We note that, as so revised, the rule does not parallel the analogous provision of the OIG regulations (42 CFR 1005.2(c)) in two respects: (1) It requires more specificity in the hearing request; and (2) it provides the respondent more time in which to file the hearing request. We are of the view, however, that the compromise in Sec. 160.504(b), as revised, will promote the conduct of the hearing in an efficient manner by clarifying at an early stage of the process the issues in dispute and the basis for those disputes. We retain the requirement of proposed Sec. 160.504(c) that the request for hearing clearly and directly admit, deny, or explain each of the findings of fact and state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty. (However, the respondent need not provide its statistical study, assuming it has one, until 30 days before the scheduled hearing. See Sec. 160.518.) This requirement will facilitate narrowing and refining the issues in dispute, thereby expediting the conduct of the hearing.
Comment: One comment suggested that, if the 60-day time period for response were retained, HHS be required to send a reminder to the covered entity on the 45th day.

Response: We do not adopt this suggestion. The need for the suggested change is obviated by our decision to extend the 60-day period.

Comment: Several comments suggested that the rule does not properly take into account the possibility of notices being delivered to the wrong official in a covered entity or getting lost in a covered entity's internal mail system. They recommended that the rule specify the official(s) in the covered entity to whom the notice of proposed determination must be sent, so that the covered entity does not lose time needed to prepare its defense. A few comments suggested that the notice of proposed determination be sent to the Privacy Officer. It was suggested that the covered entity be able to show good cause for failing to respond in a timely manner in such cases, or that the 60-day time period be tolled.

Response: We do not think it is necessary or feasible to identify the person(s) to whom the notice of proposed determination should be addressed. Fed. R. Civ. P. 4 (28 U.S.C. Appendix), which applies under section 1128A(c), establishes who may be served and applies without need for further regulatory action. Because the size and other organizational circumstances of covered entities vary greatly, a rule that further limited or defined who must be served would most likely be inappropriate for some covered entities. Further, it is likely that a notice of proposed determination would be issued after significant prior contact with the covered entity, so we anticipate that our investigators would be able to ascertain which officer would be the appropriate recipient of the notice.
In any event, a respondent can raise the issues of concern raised by the comments--e.g., failure to reach the appropriate official or the official to whom the notice of proposed determination was addressed due to problems in the entity's mail system--under Sec. 160.504(b). Under that section, if the respondent makes ``a reasonable showing'' to the ALJ that the mailed notice of proposed determination was not properly received by the covered entity or by a proper official within the covered entity, the ALJ can extend the 90-day period to the extent he or she considers appropriate.

Comment: One comment asked whether findings of fact that are not contested or about which the claim is made of insufficient knowledge to respond in the hearing request are deemed admitted.

Response: Section 160.504(c) provides respondents with two choices with respect to denying findings of fact: (1) The respondent may deny them; or (2) the respondent may claim a lack of knowledge, in which case the finding in question is ``deemed denied.'' Since the regulation deems a finding of fact denied only where lack of knowledge is claimed, if the respondent has neither denied nor asserted lack of knowledge with respect to the finding, the finding must be deemed admitted.

Comment: One comment stated that dismissal of a hearing request on the grounds described in proposed Sec. 160.504(d)(1)-(3) should be made permissive, not mandatory, and Sec. 160.504(d)(4) (dismissal where the respondent fails to state an issue that may properly be addressed in a hearing) should be eliminated, to ensure that covered entities are provided a fair opportunity to request a hearing and develop an appropriate defense.

Response: We revise proposed Sec. 160.504(d)(1) to require dismissal on the ground of failure to comply with paragraph (b) to be limited to failure to comply with the requirement of the paragraph for timely filing of the request for hearing. We revise proposed Sec.
160.504(d)(1) to provide that dismissal on this ground may occur only if the Secretary moves for dismissal on this ground. If the Secretarial party--OCR, CMS, or both--does not believe that the hearing should be dismissed due to the insufficiency of the respondent's request [[Page 8416]] for hearing, and so does not challenge the timeliness or sufficiency of the request for hearing under paragraph (b) or (c), respectively, the hearing should go forward. The revision to paragraph (d)(1) would permit this to occur.

Like its counterparts in other rules issued pursuant to section 1128A, Sec. 160.504(d)(1)-(3) mandates dismissal so that the limited resources of the government and of respondents are not expended on hearing requests that fail to comply with the straightforward requirements of this section or that have been withdrawn or abandoned by the respondent. We believe that considerations of economy and efficiency require the dismissal of cases that fall within the descriptions of these subsections. However, in response to the comments, we have added a requirement to Sec. 160.504(d)(1) that the Secretary must file a motion for dismissal of a hearing request rather than permit an automatic dismissal by the ALJ. The filing of such a motion will require the Secretary to enunciate the reasons a hearing request is deficient under paragraphs (b) and (c) of this section and allow the respondent the opportunity to answer those charges. We do not add such a requirement to Sec. 160.504(d)(2)-(3), because we think that the ALJ should have authority to dismiss such cases for reasons of withdrawal or abandonment by the respondent without being requested to do so by the Secretary.

Section 160.504(d)(4) provides the administrative review channel leading to judicial review of claims that may not be reviewed administratively, such as constitutional claims.
This subsection is necessary so that there is no confusion about how respondents can efficiently exhaust the administrative process for such claims. We, thus, decline to eliminate this subsection.

2. Section 160.508--Authority of the ALJ

Proposed rule: The text of proposed Sec. 160.508 was adopted by the April 17, 2003 interim final rule as Sec. 160.530. No changes to paragraphs (a) and (b) were proposed. We proposed to revise paragraph (c) by adding paragraphs (c)(1) and (c)(5) to the list of limitations on the authority of the ALJ. Proposed paragraph (c)(1) would require the ALJ to follow Federal statutes, regulations, and Secretarial delegations of authority, and to give deference to published guidance to the extent not inconsistent with statute or regulation; the preamble to the proposed rule indicated that by ``published guidance'' we meant guidance that has been publicly disseminated, including posting on the CMS or OCR Web site. Proposed paragraph (c)(5) would clarify that ALJs may not review the Secretary's exercise of discretion whether to grant an extension or to provide technical assistance under section 1176(b)(3)(B) of the Act or the Secretary's exercise of discretion in the choice of variable(s) under proposed Sec. 160.406.

Final rule: The final rule adopts the provisions of the proposed rule, except for proposed Sec. 160.508(c)(5)(ii), which is eliminated. A conforming change is made to Sec. 160.508(c)(5).

a. Section 160.508(b)

Comment: One comment stated that this provision should be amended to add a provision requiring that a requested hearing be conducted within a time certain, not to exceed 90 days from receipt of the request for a hearing. Another comment suggested that the ALJ should notify a respondent of the date and time for the hearing no later than 90 days after the request for hearing is filed.

Response: It would not be reasonable or appropriate to impose a fixed deadline by which hearings must be scheduled, and we decline to do so.
In a complicated case, the time for discovery and pre-hearing motions may take more than 90 days, and, thus, imposing such a deadline may circumscribe the parties' ability to prepare their cases. Moreover, the ALJs have other cases on their dockets, and we cannot assume that they will in all cases be able to begin a hearing on a civil money penalty within 90 days. The scheduling of the hearing is best left to the ALJs, in consultation with the parties.

b. Section 160.508(c)

Comment: A number of comments opposed proposed Sec. 160.508(c), on the ground that it would significantly limit the ALJ's authority to rule on pertinent issues. They stated that it was questionable under this section whether the ALJ would have the authority to review the determination of the number of violations, or imposition of joint and several liability, since they may be addressed in published guidance to which the ALJ must give deference. It was suggested that this limitation would be a problem under proposed Sec. 160.424(d), since those are issues that a respondent would be unable to raise at the administrative level.

Response: We do not agree. We believe that it is of importance to covered entities that ALJ and Board decisions, as components of HHS, be consistent with one another and with the published compliance guidance HHS provides to covered entities. Accordingly, we require ALJs and the Board to follow guidance which has been publicly disseminated, unless the ALJ or Board finds the guidance to be inconsistent with statute or regulation. In the examples cited, any published guidance related to the determination of the number of violations, or when joint and several liability is appropriate must be consistent with applicable statute and regulation, matters upon which the ALJ may rule. See section 1176 and Sec. Sec. 160.402(b)(2), 160.406, and 160.508.
While deference to such published guidance is required of the ALJs and DAB, as components of HHS, similar deference is not necessarily afforded such guidance in any judicial review of an adverse final agency determination sought by a respondent. Section 160.424(d) should not present a problem, since challenges related to published guidance may be raised during administrative and judicial reviews of the proposed penalty.

Comment: One comment stated that ALJs should be allowed to consider affirmative defenses during a hearing, even if they relate to issues committed to the Secretary's discretion. The comment argued that an inability to raise affirmative defenses before the ALJ might impact a covered entity's ability to subsequently pursue legal remedies under Sec. 160.424(d).

Response: We agree that the ALJ is allowed to consider affirmative defenses during a hearing. See the discussion of Sec. 160.410 above.

Comment: A couple of comments agreed that ALJs should have the authority to evaluate whether there was a violation in the first place and asked that this provision be retained in the final rule.

Response: We agree and have done so.

c. Section 160.508(c)(1)

Comment: One comment asked, if a guidance in effect at the time a violation occurred were changed before the date of the hearing, which version of the guidance the ALJ would have to follow.

Response: The guidance in effect at the time the violation occurred would govern.

Comment: One comment expressed concern with Sec. 160.508(c)(1), insofar as it would include in ``published guidance'' FAQs published on the CMS and OCR Web sites. According to the comment, FAQs have never been designated in the HIPAA regulations as having the force of regulations themselves. According to the comment, many covered entities are not aware of these postings and the industry is unaware that they will have the same [[Page 8417]] force and effect as regulations.
The comment further stated that if FAQs are to have the force of regulation, then the questions and responses should be organized for such use, and the HIPAA regulation should specifically designate that covered entities will be held accountable for compliance with these responses or ``published guidance.'' Another comment suggested that proposed Sec. 160.508(c)(1) should be revised to require the ALJ to give consideration to published guidance and consider whether the covered entity reasonably relied on such guidance, as is done in the regulations relating to hearings by the Provider Reimbursement Review Board (PRRB), citing to 42 CFR 405.1867.

Response: The ``published guidances'', including FAQs, inform covered entities of the approach HHS is taking in the enforcement of the HIPAA rules. The guidances do not have the force and effect of a regulation, as the comment suggests, and are not controlling upon the courts, as would be the case with a regulation. As previously explained, HHS seeks to provide consistent compliance guidance to covered entities and, to the extent possible, to render decisions in the adjudicative process that are both consistent with other adjudicated cases and with the policy decisions of the Secretary expressed in HHS rules and guidances. The consistency sought within HHS is achieved by requiring the ALJ and the Board, which are components of HHS, to defer to such published guidances, if they are consistent with statute and regulation. This is consistent with, and recognizes the effect of, the existing delegations of authority by the Secretary, which delegate to the programs the Secretary's authority to establish policy. Requiring that only consideration be given to such published guidances, as in PRRB hearings, rather than deference, would not achieve the desired result.

Comment: One comment argued that proposed Sec. 160.508(c)(1) should be changed to add ``and does not establish requirements in addition to those specified in the applicable statute or regulation,'' on the ground that covered entities should not be penalized for not complying with requirements that exceed the plain language of the statute.

Response: It is not clear what the comment is suggesting, but if the comment is suggesting that guidance merely parrot what is in the statute and regulations, guidance would be both unnecessary and unhelpful. If, however, the comment is suggesting that guidance not exceed any explicit limits imposed by the statute or regulations, the language is likewise unnecessary, as the current language would permit the ALJ or the Board to disregard guidance that was not consistent with statute or regulations.

d. Section 160.508(c)(5)

Comment: Proposed Sec. 160.508(c)(5)(ii) would have made the Secretary's selection of the variable under Sec. 160.406 unreviewable by the ALJ. It was criticized by several commenters as unfair and inconsistent with the statute on the grounds that the whole purpose of the hearing before an ALJ is to review the Secretary's assessment of a penalty. It was argued that, if a covered entity has a reasonable argument as to why the use of variables or a particular variable was not appropriate, it should be allowed to present the argument during the ALJ hearing to which it is entitled by statute. It was also argued that, since proposed Sec. 160.406 would include a factual determination of the number of times a covered entity may have failed to engage in required conduct, or may have engaged in a prohibited act, each of the parties should be authorized to address, and the ALJ to consider at a hearing, that factual determination. One comment asked whether, even if the ALJ lacks authority to directly question the variable(s) selected, a challenge to the variable could be made through a claim that ``justice required'' selection of a different variable.
Response: Section 1128A(c)(2) establishes the right to a hearing on the record for any person who has been given an adverse determination by the Secretary. In a proceeding under section 1176, the adverse determination by the Secretary is the civil money penalty proposed in the notice of proposed determination under Sec. 160.420. Upon review of the comments regarding proposed Sec. 160.508(c)(5)(ii), we agree that the count of violations is an integral part of a civil money penalty and should be reviewable by the ALJ. Thus, we have deleted proposed subparagraph (ii) from Sec. 160.508(c)(5) in the final rule. As a conforming change, we have integrated subparagraph (i) into the text of Sec. 160.508(c)(5).

3. Section 160.512--Prehearing Conferences

Proposed rule: Proposed Sec. 160.512 would adopt Sec. 160.534, as added by the April 17, 2003 interim final rule, with two changes. Proposed Sec. 160.512 would revise paragraph (a) to establish a minimum amount of notice (not less than 14 business days) that must be provided to the parties in the scheduling of prehearing conferences. Proposed Sec. 160.512 would also revise paragraph (b)(11) to include the issue of the protection of individually identifiable health information as a matter that may be discussed at the prehearing conference, if appropriate.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment recommended that a provision be added to Sec. 160.512 to require the ALJ to schedule a prehearing conference within 30 days of a request for a hearing, unless both parties agree to a later date.

Response: The scheduling of a prehearing conference will depend, in part, on the scheduling of the hearing. For the reasons discussed under Sec. 160.508(b) above, we do not agree that it is advisable to so circumscribe the ALJ's flexibility to set the hearing calendar.

Comment: A couple of comments objected that the time frame for notice of a pre-hearing conference provided for by proposed Sec. 160.512 is inadequate to permit all necessary parties involved to prepare a response. One comment stated that the rule should extend the time frame to 25 business days, while the other suggested that the rule should require at least a 30-day notice of a pre-hearing conference.

Response: Section 160.512 does not prescribe 14 days as the amount of notice of a pre-hearing conference that must be given; rather, it simply establishes 14 days as the minimum amount of notice that is ``reasonable.'' In our experience, 14 days should in most cases be sufficient for the parties to prepare for the conference adequately; however, nothing in the rule prohibits a party from requesting a longer period of time to prepare for a pre-hearing conference or the ALJ from granting such a request.

4. Section 160.516--Discovery

Proposed rule: Proposed Sec. 160.516 would adopt Sec. 160.538 of the April 17, 2003 interim final rule. As relevant here, proposed Sec. 160.516 would permit requests for production of documents, but would not permit other forms of discovery, such as interrogatories, requests for admission, and depositions. Proposed paragraph (d) states that this section ``may not be construed to require the disclosure of interview reports or statements obtained by any party, or on behalf of any party, of persons who will not be called as witnesses by that party, or analyses and summaries prepared in conjunction with the investigation or litigation of the case, or any otherwise privileged documents.''

[[Page 8418]]

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: Several comments recommended that proposed Sec. 160.516 should be revised to allow requests for admissions, depositions, and written interrogatories in the discovery process. It was argued that permitting these forms of discovery would ensure that covered entities are able to mount a proper defense.
It also was asserted that expert testimony will be necessary to establish both the alleged violation(s) and any affirmative defenses. Allowing such discovery would, it was asserted, help to produce a record, make appeals less likely, and potentially decrease the length of administrative hearings.

Response: We believe that the level of detail provided to a covered entity in the notice of proposed determination (including, where applicable, a copy of HHS's statistical expert's study), coupled with a right to request the production of documents for copying and inspection, provides the covered entity with the information reasonably required to mount its challenge to the proposed civil money penalty or to determine whether an affirmative defense applies. The additional discovery mentioned in the comments would result in delays and costs. Experience with the OIG regulation at 42 CFR 1005.7, which likewise does not authorize other types of discovery, has demonstrated that the discovery provided for is appropriate and sufficient.

Comment: Several comments argued that, at a minimum, depositions should be permitted at least with regard to expert witnesses, including the government's statistical expert. They asserted that, because depositions would not be permitted, covered entities would lose another potential opportunity to question the government's statistician in an effort to understand and defend against the conclusion and assumptions made in establishing the proposed civil money penalty, which would be prejudicial to the covered entity.

Response: We do not agree that depositions are necessary. Under Sec. 160.420(a)(2), as adopted in this final rule, the study of HHS's statistical expert must be provided to the respondent with the notice of proposed determination.

Comment: A couple of comments criticized the proposed rule for not requiring that OCR and/or CMS hand over potentially exculpatory information to the entity being investigated.
The obligation to provide exculpatory evidence should include handing over exculpatory interview reports or statements obtained by the government of persons who will not be called as witnesses by that party. It was recommended that this obligation be added to the final rule.

Response: The obligation to provide exculpatory evidence to an accused, which applies in criminal proceedings, is inapplicable in a HIPAA administrative simplification enforcement case.

Comment: One comment contended that Sec. 160.516 should be revised to treat personal health information as privileged information not subject to discovery, since hearings are open to the public under proposed Sec. 160.534.

Response: A covered entity concerned with potential public access to protected health information may raise the issue before the ALJ and seek a protective order under Sec. 160.512(b)(11). Depending on the circumstances, an ALJ may require the information to be de-identified or direct identifiers to be stripped to protect the privacy of individuals or order other protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings. In addition, the ALJ may, for good cause shown, order appropriate redactions made to the record after hearing. See Sec. 160.542(d).

5. Section 160.518--Exchange of Witness Lists, Witness Statements, and Exhibits

Proposed rule: Proposed Sec. 160.518 would carry forward Sec. 160.540, as adopted by the April 17, 2003 interim final rule, with one substantive change. It would revise paragraph (a) to provide time limits within which the exchange of witness lists, statements, and exhibits must occur prior to a hearing. Under proposed Sec. 160.518(a), these items must be exchanged not more than 60, but not less than 15, days prior to the scheduled hearing.
Final rule: The final rule revises this provision to require that, where a respondent retains a statistical expert for the purpose of challenging the Secretary's statistical sampling, a report by the respondent's expert be provided to the Secretarial party not less than 30 days prior to the hearing.

Comment: Several comments criticized the time frames of proposed Sec. 160.518 as problematic in light of the anticipated use of statistical sampling. They argued that, if HHS uses statistical sampling to determine the number of violations and to establish its prima facie case against a covered entity, the covered entity must have a fair opportunity to rebut this evidence. That fair opportunity should permit the addition of rebuttal witnesses, statements and exhibits after the 15-day period and/or requiring the government to provide more detailed information to the covered entity regarding its statistical sampling calculations, methodology and assumptions at a time that is sufficiently prior to the 15-day deadline. The comments requested that the time frames listed in the regulation be increased to allow a covered entity adequate time to prepare for a hearing. Specifically, the comments urged that witness lists, statements, and exhibits for a hearing be exchanged by the parties not more than 60 days and not less than 30 days before a scheduled hearing date.

Response: We have accommodated the concern that the details of HHS's statistical study will not be made available early enough in the proceeding to allow a fair opportunity for rebuttal by requiring in Sec. 160.420(a)(2) that a copy of the study be given to the respondent with the notice of proposed determination. Accordingly, under such circumstances, there should not be a problem identifying who respondent should call as a rebuttal witness within the time frames set out in this section. We revise Sec. 160.518(a) to require the respondent to provide to HHS a copy of the report of its statistical expert not less than 30 days before the scheduled hearing. This will give the Secretarial party adequate time to prepare the statistical part of its case and is reasonable in light of the fact that the respondent is given HHS's statistical study at the commencement of the proceeding.

Comment: With respect to proposed Sec. 160.518(b)(2), one comment asked what would constitute extraordinary circumstances. The comment stated that this standard seems unnecessarily high and that ``good cause'' would be a more reasonable and fairer standard, given the need for covered entities to rebut the evidence of a statistical expert whose information they will not receive until the exchange of witnesses and exhibits.

Response: The decision concerning what is sufficient to convince the ALJ that extraordinary circumstances exist will be case-specific. The justification for lowering the standard no longer applies, given our change to Sec. 160.420. Accordingly, we retain the ``extraordinary circumstances'' standard to emphasize the importance of observing the time frame for the exchange of such information.

[[Page 8419]]

6. Section 160.520--Subpoenas for Attendance at Hearing

Proposed rule: Proposed Sec. 160.520 would carry forward Sec. 160.542, as adopted by the April 17, 2003 interim final rule, mainly unchanged. Proposed Sec. 160.520 would clarify that when a subpoena is served on HHS, the Secretary may comply with the subpoena by designating any knowledgeable representative to testify. Proposed Sec. 160.520(d) would require a party seeking a subpoena to file a written motion not less than 30 days before the scheduled hearing, unless otherwise allowed by the ALJ for good cause shown; the paragraph specified what such a motion must contain.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment asked that the language in proposed Sec. 160.520(c) be modified to provide that, if a respondent subpoenas a particular employee or official with specific knowledge of the case at hand, the identified employee or official would be required to testify. While acknowledging that it was reasonable for HHS to be able to substitute a witness if a respondent subpoenas an employee or official with no knowledge of the case (such as the Secretary), the comment argued that HHS should not have such discretion if the employee or official who is subpoenaed has specific knowledge of the case.

Response: We retain the provision as proposed, because it is necessary to permit the smooth conduct of government business. We do not agree that the provision will damage a respondent's ability to litigate his case, as the provision requires that, although the Secretary may designate an HHS representative, the person so designated must be ``knowledgeable.'' That person may be the employee or official upon whom the subpoena was first served, if the Secretary determines that such person is the appropriate witness, possessed of the requisite knowledge to testify upon the issues which are the subject of the subpoena.

Comment: One comment stated concerns with the interplay of proposed Sec. 160.538 with proposed Sec. 160.520(d). Under proposed Sec. 160.538(b), if a party seeks to admit the testimony of a witness in the form of a written statement, that statement must be provided to the other party ``in a manner that allows sufficient time for the other party to subpoena the witness for cross-examination at the hearing.'' Under proposed Sec. 160.520(d), ``a party seeking a subpoena must file a written motion not less than 30 days before the date fixed for the hearing, unless otherwise allowed by the ALJ for good cause shown.'' The comment argued that a party that wanted to subpoena a person whose written statement was being offered by the opposing party should not have the burden of showing good cause for moving for a subpoena less than 30 days before the hearing date. Instead, the party seeking to admit the written statement should be required to provide that statement to the other party more than 30 days before the hearing, so that the other party will have an opportunity to subpoena that witness under the procedures established by these regulations.

Response: We believe that the rules adequately provide for such a contingency, and so do not revise Sec. 160.520 as requested. The party that seeks to introduce testimony, other than expert testimony, in the form of a written statement must provide the other party with a copy of the statement and the address of the witness in sufficient time to allow that other party to subpoena that witness for cross examination. Since Sec. 160.520(d) requires that motions seeking a subpoena be filed not less than 30 days before the hearing, the witness statement and address should be provided in sufficient time to allow a timely motion to be made. In the event that such statement and/or address is not provided in sufficient time to allow for a timely motion, good cause for permitting the motion for subpoena to be made on fewer than 30 days notice would exist.

7. Section 160.522--Fees

Proposed rule: The proposed rule proposed in Sec. 160.522 to carry forward unchanged Sec. 160.544 of the April 17, 2003 interim final rule. The provision requires the party subpoenaing a witness to pay the cost of fees and mileage.
Where the respondent is the party subpoenaing the witness, the check for such fees and mileage must accompany the subpoena when served, but the check is not required to accompany the subpoena where the party subpoenaing the witness is the Secretary.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment requested clarification of this provision. Observing that proposed Sec. 160.522 would require a check for specific fees to accompany the subpoena except when HHS issues such a subpoena, the comment questioned whether this meant that HHS would be required to reimburse someone they subpoenaed or whether the HHS reimbursement would come at a later date. Further, if it was the case that HHS was not required to reimburse such fees, the comment asked why this is the case, since any other party would be required to reimburse those fees.

Response: HHS is required to, and will, pay to a subpoenaed witness the fees provided for in this section. The payment, however, need not accompany the subpoena. This policy is consistent with the usual procedure when the federal government is a party. See, e.g., Fed. R. Civ. P. 45(b)(1). (28 U.S.C. Appendix).

8. Section 160.534--The Hearing

Proposed rule: The text of proposed Sec. 160.534 was adopted by the April 17, 2003 interim final rule as Sec. 160.554. No changes to paragraphs (a) and (c) were proposed. However, it was proposed to add a new paragraph (b) allocating the burden of proof at the hearing. Under proposed Sec. 160.534(b), the respondent would bear the burden of proof with respect to: (1) Any affirmative defense, including those set out in section 1176(b) of the Act, as implemented by proposed Sec. 160.410; (2) any challenge to the amount or scope of a proposed penalty under section 1128A(d), as implemented by proposed Sec. Sec. 160.404-160.408, including mitigating factors; and (3) any contention that a proposed penalty should be reduced or waived under section 1176(b)(4), as implemented by Sec. 160.412. The Secretary would have the burden of proof with respect to all other issues, including issues of liability and the factors considered as aggravating factors under proposed Sec. 160.408 in determining the amount of penalties to be imposed. The burden of persuasion would be judged by a preponderance of the evidence (i.e., it is more likely than not that the position advocated is true). We also proposed a new Sec. 160.534(d), which would provide that any party may present items or information, during its case in chief, that were discovered after the date of the notice of proposed determination or request for a hearing, as applicable. The admissibility of such proffered evidence would be governed generally by the provisions of proposed Sec. 160.540, and be subject to the 15-day rule for the exchange of trial exhibits, witness lists and statements set out at proposed Sec. 160.518(a). If any such evidence is offered by the Secretary, it would not be admissible, unless relevant and material to the findings of fact set forth in the notice of proposed determination, including circumstances that may increase such penalty. If any such evidence is offered by the respondent, it would not be admissible unless relevant and material to a [[Page 8420]] specific admission, denial, or explanation of a finding of fact, or to a specific circumstance or argument expressly stated in the respondent's request for hearing that are alleged to constitute grounds for any defense or the factual and legal basis for opposing or reducing the penalty.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: One comment recommended that proposed Sec. 160.534(b)(1)(ii) (placing the burden of proof on the respondent with respect to any challenge to the amount of a proposed penalty pursuant to Sec. 160.404-160.408, including mitigating factors) be deleted. It was argued that due process requires that HHS sustain the burden of going forward with evidence proving the amount of a proposed penalty and the burden of persuasion. It was also noted that this section would place on the respondent the burden of proof with respect to an issue that is unreviewable under proposed Sec. 160.508(c)(5)--the selection of variables under Sec. 160.406.

Response: We disagree that Sec. 160.534(b)(1)(ii) violates the due process clause. Rather, it is consistent with the normal allocation of the burden of proof, in which the proponent of a fact or argument has the burden of proving it. Our change to Sec. 160.508(c)(5) renders the remainder of the comment moot.

Comment: One comment suggested that Sec. 160.534(c) be revised to require the ALJ, upon the request of either party, to close a public hearing that could result in disclosure of privacy or security information that should not be made public and seal the records.

Response: We agree that protecting protected health information is important and is an issue about which all parties and the ALJ should be concerned. However, administrative hearings are, in general, required to be open to the public. See, e.g., Detroit Free Press v. Ashcroft, 303 F.3d 681, 700 (6th Cir. 2002) (stating that INS deportation hearings and similar administrative proceedings are traditionally open to the public). An ALJ has means by which he can protect the privacy of protected health information to be introduced into evidence, if he determines that this should be done, including requiring redaction of identifying information and closing part of the hearing. In our view, the ALJ will be in the best position to balance the competing interests of the public's right to information and the privacy interests associated with any protected health information. Accordingly, we do not mandate closure of the hearing on request.

9. Section 160.536--Statistical Sampling

Proposed rule: Proposed Sec. 160.536 would permit the Secretary to introduce the results of a statistical sampling study as evidence of the number of violations under proposed Sec. 160.406(b), or, where appropriate, any factor considered in determining the amount of the civil money penalty under proposed Sec. 160.408. If the estimation is based upon an appropriate sampling and employs valid statistical methods, it would constitute prima facie evidence of the number of violations or amount of the penalty sought that is a part of the Secretary's burden of proof. Such a showing would cause the burden of going forward to shift to the respondent, although the burden of persuasion would remain with the Secretary.

Final rule: The final rule adopts the provisions of the proposed rule.

Comment: Several comments argued that the proposed rule would significantly limit a covered entity's ability to challenge HHS's statistical evidence. Although proposed Sec. 160.420(a)(2) would require HHS, in the notice of proposed determination, to describe the sampling technique used by the Secretary, it is unclear what constitutes a ``brief'' description, and a brief description will most likely be insufficient to provide the covered entity with enough information to mount an adequate challenge. Because the covered entity may not receive a copy of the actual statistical study until 15 days before the hearing, it would have a very short period of time in which to review, investigate, critique, and/or rebut the statistical study. Because proposed Sec. 160.516 would prohibit the taking of depositions, there would be no way to subject the HHS's statistical expert to adverse examination until the hearing, if then. The comments requested that proposed Sec. 160.536 be deleted or, alternatively, the rule be revised to permit depositions of HHS's statistical expert and require HHS to give covered entities more detail of the technique utilized in sufficient time to allow entities to provide a meaningful defense and rebuttal.

Response: We recognize the concern that to make an effective challenge to the Secretary's introduction of the results of a statistical study, a covered entity should be provided with the details of that study early in the proceeding. Accordingly, we have revised proposed Sec. 160.420(a)(2) to require HHS to provide a copy of the study relied upon to the respondent with the notice of proposed determination. Further, we have revised proposed Sec. 160.504(b) to enlarge the time within which a respondent seeking a hearing before an ALJ must mail its request for hearing from 60 to 90 days. We do not agree that depositions, which are expensive and time consuming, are required; the statistical study relied upon will be given to respondent with the notice of proposed determination, allowing an adequate amount of time to prepare any opposition thereto.

Comment: Several comments contended that permitting proof of violations by statistical sampling violates basic notions of due process and fundamental fairness, in that either a violation is provable or it is not. The comments raised the following specific objections on this ground. Statistical sampling merely estimates the number of violations that could have occurred and should not be used as a ``short cut'' for appropriate investigation and review. The determination of any variable used to calculate the number of violations should be based on an objective standard. The proposed approach would not treat all covered entities the same. The following example was provided to illustrate this latter concern. Suppose that a dentist had 3,000 patients of record, and that seven percent of those patients, or 210, did not receive a Notice of Privacy Practices.
Suppose that a sample of 100 of the 3,000 patients was examined by HHS, and it was determined that 15 did not receive a notice. A statistical inference from this sample would estimate that 600, or 15 percent of all patients of record, did not receive a notice, even though in fact only 210 had not received a notice. Under Sec. 160.536, the provider could be charged for 600 violations. While, on average, the sampling approach would yield the correct estimate of all providers, it would not necessarily be correct for any specific provider, which would be unfair to the individual providers involved. Response: The use of sampling and statistical methods is recognized under Fed. R. Evid. 702 and under 42 CFR 1003.133 of the OIG rules, upon which the language of this section is based. The respondent may challenge whether the estimation offered by the Secretary is based upon a valid sample and employs valid statistical methods or may otherwise rebut the statistical evidence submitted. In the example cited by the comment, the respondent also could rebut the results with evidence that the actual number of violations is less than the estimate derived from the statistical sample. With respect to the concerns regarding the fairness and appropriateness of using statistical [[Page 8421]] sampling to determine the number of violations, HHS will use sampling methods which follow recognized scientific guidelines for statistical validity and precision. These methods would be applicable to all types of covered entities and will objectively measure the number of violations by a covered entity or the number of occurrences of a particular aggravating circumstance. Because of the wide range of possible violations, however, we cannot at this time present specific sampling designs or levels of acceptable precision. However, the methodology employed will be documented and made available in the statistical sampling study provided with the notice of proposed determination. 
Comment: Several comments argued that the use of statistical sampling is inappropriate to determine violations of the HIPAA rules. A couple of comments argued that, because of the many variables and discretionary considerations that can go into determining that a violation has occurred, and because many complaints or investigations will relate to individual circumstances, using statistical sampling to determine the number of violations is not appropriate. Another comment gave as an example of this problem Privacy Rule violations involving disclosure of protected health information beyond the ``minimum necessary;'' it asserted that the number of such violations cannot be adequately assessed through a statistical sample. Use of statistical sampling in such a case could preclude a covered entity from asserting its fact-based affirmative defenses. It was argued that statistical sampling is appropriate for use in estimating averages, but is not appropriate for determining the number of violations by a specific covered entity. Response: As noted above, statistical sampling is recognized under the Federal Rules of Evidence and other HHS regulations. See, e.g., 42 CFR 1003.133. The results, if based upon an appropriate sampling and computed by valid statistical methods, are only prima facie evidence of the number of violations or the existence of factors material to the proposed civil money penalty. The respondent may challenge the adequacy or size of the sample or the statistical methods employed, and may offer other evidence to rebut the results derived through the statistical methodology. We do not agree that statistical methods are, per se, inappropriate for determining the number of violations that have occurred. For example, suppose that a health plan with a large volume of electronic claims is found to have required providers to include on such claims a data element which is not part of the standard. 
A sample of the claims would be selected, and the percentage of claims found to be in violation of the standard would be computed from the sample and projected to the universe of claims for the year to establish the total number of violations of the standard in the calendar year. Of course, HHS's statistical methods would have to pass muster, and a respondent could challenge the statistical results, on normal statistical grounds, e.g., that the sample size was insufficient, that the sample was not representative, and so on. Comment: Several comments contended that, by allowing statistical sampling to be introduced at a hearing, proposed Sec. 160.536 directly contradicts the language of Sec. 160.508, which does not allow an ALJ to review issues under the Secretary's discretion, which includes calculating the number of violations. Other comments stated that, in the event that statistical sampling is used by HHS to determine the number of violations, it should be subject to ALJ review and that insulating it from review would increase the potential for abuse exponentially. Response: Proposed Sec. 160.508(c) has been revised to permit the ALJ to review the Secretary's calculation of the number of violations of an identical administrative simplification provision under Sec. 160.406. If statistical sampling is employed to determine the number of violations, the results are subject to challenge before the ALJ. Comment: The provision of proposed Sec. 160.536 limiting statistical studies to those ``based upon an appropriate sampling and computed by valid statistical methods'' was criticized. It was noted that no criteria for validity are given, even though the comments by the agency specifically acknowledge the danger of extrapolating from small sample sizes. It also was argued that the appropriateness and validity of such sampling techniques are left to the discretion of the Secretary, who will employ criteria known only to the Secretary. 
It was recommended that statistical sampling not be permitted without clearer guidelines or more flexibility to challenge the study at an early stage, before significant investment of resources. Response: By requiring that appropriate sampling and valid statistical methods be employed, HHS is mirroring the standard by which the reliability of such expert testimony is assessed under Fed. R. Evid. 702. If statistical sampling is employed to determine the number of violations of an administrative simplification provision in a calendar year, such determination is subject to review by the ALJ. With respect to a respondent's ability to challenge the study at an earlier stage, under Sec. 160.420(a)(2), a copy of the study relied upon will be provided to the respondent with the notice of proposed determination. 10. Section 160.538--Witnesses Proposed rule: Proposed Sec. 160.538 would carry forward unchanged Sec. 160.556, as adopted by the April 17, 2003 interim final rule. As relevant here, paragraph (b) provides that, at the discretion of the ALJ and subject to certain conditions, testimony of witnesses other than the testimony of expert witnesses may be admitted in the form of a written statement and the ALJ may, at his discretion, admit prior sworn testimony of experts that has been subject to adverse examination. Final rule: The final rule adopts the provisions of the proposed rule, except that the fourth sentence of proposed Sec. 160.538(b) is placed before the second sentence of proposed Sec. 160.538(b). Comment: One comment stated that it was unclear whether the government's statistician could even be required to testify; rather, it appeared that the government could rely solely on the expert's prior testimony in other cases and/or the expert's report. Because depositions are not allowed, this provision must mean that testimony from experts in other cases may be used. 
It was argued that this would be prejudicial, because the covered entity will not have had an opportunity to subject the testimony to adverse examination and the facts of different cases would likely not be identical. Therefore, the expert testimony in one case may not be appropriate for use in a different case. It was recommended that this section be revised to require, at the covered entity's request, the testimony at the hearing of the government's statistical expert and prohibit the use of prior sworn testimony of experts unless from the specific case at issue. Response: HHS expects that its statistical expert will testify at the hearing. Moreover, the respondent may move the ALJ to subpoena HHS's statistical expert to appear and testify at the hearing. See Sec. 160.520. Comment: One comment stated that, when Sec. Sec. 160.538 and 160.516(b) are read together, they would permit an expert's testimony, taken under oath in a different case, to be admitted into [[Page 8422]] evidence, leaving the respondent with no chance to question the expert. Response: We recognize the concern raised, which we believe arises out of an inadvertent transposition of a sentence in the text of proposed Sec. 160.538(b). We intended that the subsection's text mirror that of the OIG regulation at 45 CFR 1005.16(b) by ending with the following: ``Any such written statement must be provided to the other party, along with the last known address of the witness, in a manner that allows sufficient time for the other party to subpoena the witness for cross-examination at the hearing. Prior written statements of witnesses proposed to testify at the hearing must be exchanged as provided in Sec. 160.518.'' We have corrected this error. 
As the rule now reads, the prior sworn testimony of an expert will be treated like any other witness's statement that a party proposes to offer in lieu of testimony at the hearing: a copy must be provided to the other party along with the witness's address in sufficient time to permit such other party to subpoena and question that witness at the hearing. 11. Section 160.540--Evidence Proposed rule: Proposed Sec. 160.540 would carry forward unchanged Sec. 160.558, which was adopted by the April 17, 2003 interim final rule. Paragraph (b) of this section provides that the ALJ is not bound by the Federal Rules of Evidence, except as provided in the subpart. Final rule: The final rule adopts the provisions of the proposed rule. Comment: One comment argued that proposed Sec. 160.540(b) should be revised. The comment stated that the optional use of the Federal Rules of Evidence is insufficient and would not allow entities to know what evidence will be admissible at the hearing or what rules of evidence will apply. At a minimum, it was argued, the use of hearsay should be prohibited except pursuant to the hearsay exceptions of the Federal Rules of Evidence. Response: The Administrative Procedure Act does not require HHS to apply the Federal Rules of Evidence to limit the discretion of ALJs to admit evidence at hearings. See 5 U.S.C. 556(d). To be admissible, evidence need only be relevant, material, reliable, and probative. However, the ALJ may apply the Federal Rules of Evidence, where appropriate. Examples of situations where use of the Federal Rules of Evidence might be appropriate would include to exclude unreliable evidence, to weigh the probative value of evidence against the risks attending its admission, to determine whether a Federal privilege exists, or to determine whether the evidence relates to an offered compromise and settlement, which would be inadmissible under Fed. R. Evid. 408. Comment: One comment argued that proposed Sec. 160.540(g) should be deleted. 
It was argued that this provision is inconsistent with the six-year time limit in Sec. 160.414, in that it permits admission at the hearing of ``crimes, wrongs or acts'' without limit as to when they may have occurred. The comment stated that acts or other behaviors that are not the subject of civil money penalties are not relevant factors in determining the penalties that should be imposed, nor are they proof that the prohibited activity occurred. The Secretary is not required in a civil administrative proceeding to prove intent or mens rea. Response: We believe that evidence of prior bad acts, admitted for the purposes listed (which are consistent with Fed. R. Evid. 404(b)) may be relevant and material in particular cases and, thus, should not be categorically excluded, as suggested. For instance, such evidence may be relevant and material to proving a covered entity's knowledge of the violation or aggravating circumstances affecting the amount of the civil money penalty imposed. In the latter case, for example, the evidence would be admitted to prove the aggravating circumstances and not the actual violations at issue; thus, the statute of limitations would not apply with respect to the bad acts. (We note, however, that prior bad acts unrelated to the covered entity's compliance with the HIPAA provisions or rules would not be admissible to prove aggravating circumstances under Sec. 160.408(d).) Comment: Another comment argued that proposed Sec. 160.540(g) should be deleted, but if retained, such evidence should be reviewable under the other criteria for admissibility of proposed Sec. 160.540, and HHS should be required to provide advance notice of its intent to present such evidence. Response: Evidence of prior bad acts would be subject to the same criteria for admissibility as other evidence offered at the hearing-- for instance, whether the probative value of such evidence is substantially outweighed by its potential for prejudice. 
Such evidence is also subject to the rules regarding notice that apply to other evidence; see, e.g., Sec. Sec. 160.420(a)(5), 160.516, and 160.518. 12. Section 160.542--The Record Proposed rule: This section would carry forward unchanged Sec. 160.560, adopted by the April 17, 2003 interim final rule. Since the section provides that the record of the proceedings be transcribed, we proposed to add to paragraph (a) of this section a requirement that the cost of transcription of the record be borne equally by the parties, in the interest of fairness. Final rule: The final rule adopts the provisions of the proposed rule, except that paragraph (a) is revised to clarify that if a party requests a copy of the transcript of the hearing proceedings it must pay the cost of such transcript, unless such payment is waived by the ALJ or the Board for good cause shown. Comment: One comment recommended that this fee be assessed at the end of the investigation and assumed by the responsible party based on the outcome of the investigation. Another comment requested that HHS bear the cost of the court reporter's appearance (as opposed to the cost of copies). Response: We acknowledge that the language of proposed paragraph (a) suggested that there is a fee or cost for a court reporter's appearance, in addition to the cost of obtaining a copy of the transcript of the hearing proceedings. As there is no such additional cost, we have revised paragraph (a) to state that a party that requests a copy of the transcript of hearing is required to pay the cost of preparing such transcript. We have also added a provision that will permit the ALJ or the Board, for good cause shown, to waive the cost of obtaining the transcript. 13. Section 160.546--ALJ Decision Proposed rule: The proposed rule proposed that the ALJ decision would be the initial decision of the Secretary, rather than the final decision of the Secretary as set forth in Sec. 160.564(d) of the April 17, 2003 interim final rule. 
Thus, we proposed to revise paragraph (d) to provide that the decision of the ALJ will be final and binding on the parties 60 days from the date of service of the ALJ decision, unless it is timely appealed by either party. Final rule: The final rule adopts the provisions of the proposed rule. Comment: One comment requested that the section be revised to provide that the ALJ could not increase a penalty beyond the statutory cap of section 1176(a)(1). Response: The ALJ is bound by both the statute and the regulations, which both explicitly address this issue. Section 1176(a)(1) states that ``the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.'' Section [[Page 8423]] 160.404(b)(1)(ii) states that the Secretary may not impose a civil money penalty in excess of $25,000 for identical violations during a calendar year. In light of these explicit provisions, we do not agree that the suggested change is necessary. 14. Section 160.548--Appeal of the ALJ Decision Proposed rule: Proposed Sec. 160.548 would provide that any party may appeal the initial decision of the ALJ to the Board within 30 days of the date of service of the ALJ initial decision, unless extended for good cause. The appealing party must file a written brief specifying its exceptions to the initial decision. The opposing party may file an opposition brief, which is limited to the exceptions raised in the brief accompanying notice of appeal and any relevant issues not addressed in said exceptions and must be filed within 30 days of receiving the appealing party's notice of appeal and brief. The appealing party may, if permitted by the Board, file a reply brief. These briefs may be the only means that the parties will have to present their case to the Board, since there is no right to appear personally before the Board. 
The proposed rule provided that if a party demonstrates that additional evidence is material and relevant and there are reasonable grounds why such evidence was not introduced at the ALJ hearing, the Board may remand the case to the ALJ for consideration of the additional evidence. In an appeal to the Board, the standard of review on a disputed issue of fact would be whether the ALJ's initial decision is supported by substantial evidence on the record as a whole; on a disputed issue of law, the standard of review is whether the ALJ's initial decision is erroneous. The Board could decline review, affirm, increase, reduce, or reverse any penalty, or remand a penalty determination to the ALJ. Under proposed Sec. 160.548(i), the Board must serve its decision on the parties within 60 days after final briefs are filed. The decision of the Board becomes the final decision of the Secretary 60 days after service of the decision, except where the decision is to remand to the ALJ or a party requests reconsideration before the decision becomes final. Proposed Sec. 160.548(j) provides that a party may request reconsideration of the Board's decision, provides a reconsideration process, and provides that the Board's reconsideration decision becomes final on service. The decision of the Board constitutes the final decision of the Secretary from which a petition for judicial review may be filed by a respondent aggrieved by the Board's decision. Proposed Sec. 160.548(k) provides for a petition for judicial review of a final decision of the Secretary. Final rule: The final rule adopts the provisions of the proposed rule, except that paragraph (e) is revised to make it consistent with the revision to Sec. 160.504(c). The revision would permit the Board to consider an affirmative defense under Sec. 160.410(b)(1) that is raised for the first time before the Board. 
Thus, under paragraph (f) of this section, the Board could, but would not be required to, remand the case to the ALJ for consideration of any evidence adduced with respect to such defense. Comment: One comment was received on this section. It requested that the section be revised to provide that the Board could not increase a penalty beyond the statutory cap of section 1176(a)(1). Response: We do not agree that such a provision is necessary, for the reasons discussed in the preceding section. 15. Section 160.552--Harmless Error Proposed rule: Proposed Sec. 160.552 proposed to adopt the ``harmless error'' rule that applies to civil litigation in Federal courts. The provision would provide, in general, that the ALJ and the Board at every stage of the proceeding will disregard any error or defect in the proceeding that does not affect the substantial rights of the parties. Final rule: The final rule adopts the provisions of the proposed rule. Comment: One comment asked for further guidance on, and clarification of, this provision. Another comment stated that the provision was far too broad, particularly given the limited discovery available to covered entities. Concern was expressed that the rule would severely limit a covered entity's ability to appeal an adverse ruling. Response: The proposed rule was modeled after Fed. R. Civ. P. 61 and 42 CFR 1005.23 of the OIG regulations. It is a common provision in procedural rules that govern civil and administrative adjudications and is intended to promote efficiency in the resolution of disputes. If a respondent seeks an appeal because of an error that affects the party's substantive rights or the case's outcome, this section would not be applicable. Thus, we do not agree that it would severely limit a covered entity's ability to appeal an adverse ruling, and we adopt the section as proposed. IV. 
Impact Statement and Other Required Analyses Comment: Only one comment was received on the impact and other required analyses of the proposed rule (see 70 FR 20247-49). The comment asserted that HHS was declaring itself exempt from complying with the Paperwork Reduction Act, the Regulatory Flexibility Act, the Unfunded Mandates Reform Act of 1995, the Small Business Regulatory Enforcement and Fairness Act, and Executive Order 13132, and that an effort to compute vigorously the range of potential effects is needed to assure agency accountability. Response: The comment misstates the position HHS took in the proposed rules concerning these laws. HHS does not consider itself, or the Enforcement Rule, exempt from these laws. However, each of these laws covers only certain types of rules and agency actions. For the reasons stated in the proposed rule and summarized below, those laws do not apply to the particular actions taken with respect to this rule. The comment provides no substantive grounds for altering our prior conclusions with respect to these laws. A. Paperwork Reduction Act We reviewed this final rule to determine whether it raises issues that would subject it to the Paperwork Reduction Act (PRA). Since the final rule comes within the exemption of 5 CFR 1320.4(a), as it deals entirely with administrative investigations and actions against specific individuals or entities, it need not be reviewed by the Office of Management and Budget under the authority of the PRA. B. Executive Order 12866; Regulatory Flexibility Act; Unfunded Mandates Reform Act of 1995; Small Business Regulatory Enforcement Fairness Act of 1996; Executive Order 13132 We have examined the impacts of this final rule as required by Executive Order 12866 (September 1993, Regulatory Planning and Review), the Regulatory Flexibility Act (RFA) (September 16, 1980, Pub. L. 96-354), the Unfunded Mandates Reform Act of 1995 (Pub. L. 
104-4), the Small Business Regulatory Enforcement and Fairness Act, 5 U.S.C. 801, et seq., and Executive Order 13132. 1. Executive Order 12866 Executive Order 12866 (as amended by Executive Order 13258, which merely reassigns responsibility of duties) directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is [[Page 8424]] necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 12866 defines, at section 3(f), several categories of ``significant regulatory actions.'' One category is ``economically significant'' rules, which are defined in section 3(f)(1) of the Order as rules that may ``have an annual effect on the economy of $100 million or more, or adversely affect in a material way the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities.'' Another category, under section 3(f)(4) of the Order, consists of rules that are ``significant regulatory actions'' because they ``raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in this Executive Order.'' Executive Order 12866 requires a full economic impact analysis only for ``economically significant'' rules under section 3(f)(1). For the reasons stated at 70 FR 20248-49, we have concluded that this rule should be treated as a ``significant regulatory action'' within the meaning of section 3(f)(4) of Executive Order 12866, but that the impact of this rule is not such that it reaches the economically significant threshold under section 3(f)(1) of the Order. We note, with regard to our prior analysis, that our ongoing experience with HIPAA complaints bears out our experience to July 2004, which was discussed at 70 FR 20248. 
As of October 31, 2005, OCR had received and initiated review of over 16,000 complaints and had closed 68 percent of the complaints; at the same time, CMS had received and initiated review of 413 complaints and closed 67 percent of the complaints. Thus, we continue to be of the view that the costs attributable to the provisions of this rule will, in most cases that are opened, be low. We likewise continue to believe, for the reasons stated at 70 FR 20249, that the value of the benefits brought by the HIPAA provisions is sufficient to warrant appropriate enforcement efforts and that the benefits of these protections far outweigh the costs of this enforcement regulation. Thus, in most cases, if covered entities comply with the various HIPAA rules, they should not incur any significant additional costs as a result of the Enforcement Rule. This is based on the fact that the costs intrinsic to most of the HIPAA rules and operating directions against which compliance is evaluated have been scored independently of this rule, and those requirements are not changed by this rule. We recognize that the specific requirements against which compliance is evaluated are not yet well known and may evolve with experience under HIPAA, but we expect that covered entities have both the ability and expectation to maintain compliance, especially given our commitment to encouraging and facilitating voluntary compliance. While not straightforward to project, it seems likely that the number of times in which the full civil money penalty enforcement process will be invoked will be extremely small, based on the evidence to date. 2. Other Analyses We also examined the impact of this rule as required by the Regulatory Flexibility Act (RFA). The RFA requires agencies to determine whether a rule will have a significant economic impact on a substantial number of small entities. 
For purposes of the RFA, small entities include small businesses, nonprofit organizations, and government jurisdictions; for health care entities, the size standard for a ``small'' entity ranges from $6 million to $29 million in revenues in any one year. For the reasons discussed at 70 FR 20249, the Secretary certifies that this rule will not have a significant economic impact on a substantial number of small entities. Section 202 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1531 et seq., also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditure in any one year by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million, adjusted for inflation. The Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 801, et seq., requires that rules that will have an impact on the economy of $100 million or more per annum be submitted for Congressional review. For the reasons discussed above and at 70 FR 20248-49, this rule will not impose a burden large enough to require a section 202 statement under the Unfunded Mandates Reform Act of 1995 or Congressional review under SBREFA. Executive Order 13132 establishes certain requirements that an agency must meet when it adopts a final rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. This final rule does not have ``Federalism implications,'' as it will not have ``substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government,'' nor, for the reasons previously explained, will it have substantial economic effects, while any preemption of State law that could occur would be a function of the underlying HIPAA rules, not this rule. 
Therefore, the Enforcement Rule is not subject to Executive Order 13132 (Federalism).

Dated: December 20, 2005.
Michael O. Leavitt,
Secretary.

List of Subjects

45 CFR Part 160

Administrative practice and procedure, Computer technology, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and record keeping requirements, Security.

45 CFR Part 164

Administrative practice and procedure, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health Insurance, Health records, Hospitals, Medicaid, Medical research, Medicare, Privacy, Reporting and record keeping requirements, Security.

For the reasons set forth in the preamble, the Department of Health and Human Services amends 45 CFR subtitle A, subchapter C, parts 160 and 164, as set forth below.

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

1. The authority citation for part 160 is revised to read as follows:

Authority: 42 U.S.C. 1302(a), 42 U.S.C. 1320d--1320d-8, sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)), and 5 U.S.C. 552.

2. Add to Sec. 160.103 in alphabetical order the definition of ``Person'' to read as follows:

Sec. 160.103 Definitions.

* * * * *

``Person'' means a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.

* * * * *

3. Revise subpart C to read as follows:

[[Page 8425]]

Subpart C--Compliance and Investigations

Sec.
160.300 Applicability.
160.302 Definitions.
160.304 Principles for achieving compliance.
160.306 Complaints to the Secretary.
160.308 Compliance reviews.
160.310 Responsibilities of covered entities.
160.312 Secretarial action regarding complaints and compliance reviews.
160.314 Investigational subpoenas and inquiries.
160.316 Refraining from intimidation or retaliation. Sec. 160.300 Applicability. This subpart applies to actions by the Secretary, covered entities, and others with respect to ascertaining the compliance by covered entities with, and the enforcement of, the applicable provisions of this part 160 and parts 162 and 164 of this subchapter. Sec. 160.302 Definitions. As used in this subpart and subparts D and E of this part, the following terms have the following meanings: Administrative simplification provision means any requirement or prohibition established by: (1) 42 U.S.C. 1320d--1320d-4, 1320d-7, and 1320d-8; (2) Section 264 of Pub. L. 104-191; or (3) This subchapter. ALJ means Administrative Law Judge. Civil money penalty or penalty means the amount determined under Sec. 160.404 of this part and includes the plural of these terms. Respondent means a covered entity upon which the Secretary has imposed, or proposes to impose, a civil money penalty. Violation or violate means, as the context may require, failure to comply with an administrative simplification provision. Sec. 160.304 Principles for achieving compliance. (a) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the applicable administrative simplification provisions. (b) Assistance. The Secretary may provide technical assistance to covered entities to help them comply voluntarily with the applicable administrative simplification provisions. Sec. 160.306 Complaints to the Secretary. (a) Right to file a complaint. A person who believes a covered entity is not complying with the administrative simplification provisions may file a complaint with the Secretary. (b) Requirements for filing complaints. Complaints under this section must meet the following requirements: (1) A complaint must be filed in writing, either on paper or electronically. 
(2) A complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable administrative simplification provision(s). (3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. (4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register. (c) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged violation. At the time of initial written communication with the covered entity about the complaint, the Secretary will describe the act(s) and/or omission(s) that are the basis of the complaint. Sec. 160.308 Compliance reviews. The Secretary may conduct compliance reviews to determine whether covered entities are complying with the applicable administrative simplification provisions. Sec. 160.310 Responsibilities of covered entities. (a) Provide records and compliance reports. A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable administrative simplification provisions. (b) Cooperate with complaint investigations and compliance reviews. A covered entity must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity to determine whether it is complying with the applicable administrative simplification provisions. 
(c) Permit access to information. (1) A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity must permit access by the Secretary at any time and without notice. (2) If any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information. (3) Protected health information obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable administrative simplification provisions, or if otherwise required by law. Sec. 160.312 Secretarial action regarding complaints and compliance reviews. (a) Resolution when noncompliance is indicated. (1) If an investigation of a complaint pursuant to Sec. 160.306 or a compliance review pursuant to Sec. 160.308 indicates noncompliance, the Secretary will attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement. (2) If the matter is resolved by informal means, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant, in writing. 
(3) If the matter is not resolved by informal means, the Secretary will-- (i) So inform the covered entity and provide the covered entity an opportunity to submit written evidence of any mitigating factors or affirmative defenses for consideration under Sec. Sec. 160.408 and 160.410 of this part. The covered entity must submit any such evidence to the Secretary within 30 days (computed in the same manner as prescribed under Sec. 160.526 of this part) of receipt of such notification; and (ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the [[Page 8426]] Secretary finds that a civil money penalty should be imposed, inform the covered entity of such finding in a notice of proposed determination in accordance with Sec. 160.420 of this part. (b) Resolution when no violation is found. If, after an investigation pursuant to Sec. 160.306 or a compliance review pursuant to Sec. 160.308, the Secretary determines that further action is not warranted, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant, in writing. Sec. 160.314 Investigational subpoenas and inquiries. (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and testimony of witnesses and the production of any other evidence during an investigation or compliance review pursuant to this part. 
For purposes of this paragraph, a person other than a natural person is termed an ``entity.'' (1) A subpoena issued under this paragraph must-- (i) State the name of the person (including the entity, if applicable) to whom the subpoena is addressed; (ii) State the statutory authority for the subpoena; (iii) Indicate the date, time, and place that the testimony will take place; (iv) Include a reasonably specific description of any documents or items required to be produced; and (v) If the subpoena is addressed to an entity, describe with reasonable particularity the subject matter on which testimony is required. In that event, the entity must designate one or more natural persons who will testify on its behalf, and must state as to each such person that person's name and address and the matters on which he or she will testify. The designated person must testify as to matters known or reasonably available to the entity. (2) A subpoena under this section must be served by-- (i) Delivering a copy to the natural person named in the subpoena or to the entity named in the subpoena at its last principal place of business; or (ii) Registered or certified mail addressed to the natural person at his or her last known dwelling place or to the entity at its last known principal place of business. (3) A verified return by the natural person serving the subpoena setting forth the manner of service or, in the case of service by registered or certified mail, the signed return post office receipt, constitutes proof of service. (4) Witnesses are entitled to the same fees and mileage as witnesses in the district courts of the United States (28 U.S.C. 1821 and 1825). Fees need not be paid at the time the subpoena is served. (5) A subpoena under this section is enforceable through the district court of the United States for the district where the subpoenaed natural person resides or is found or where the entity transacts business. 
(b) Investigational inquiries are non-public investigational proceedings conducted by the Secretary. (1) Testimony at investigational inquiries will be taken under oath or affirmation. (2) Attendance of non-witnesses is discretionary with the Secretary, except that a witness is entitled to be accompanied, represented, and advised by an attorney. (3) Representatives of the Secretary are entitled to attend and ask questions. (4) A witness will have the opportunity to clarify his or her answers on the record following questioning by the Secretary. (5) Any claim of privilege must be asserted by the witness on the record. (6) Objections must be asserted on the record. Errors of any kind that might be corrected if promptly presented will be deemed to be waived unless reasonable objection is made at the investigational inquiry. Except where the objection is on the grounds of privilege, the question will be answered on the record, subject to objection. (7) If a witness refuses to answer any question not privileged or to produce requested documents or items, or engages in conduct likely to delay or obstruct the investigational inquiry, the Secretary may seek enforcement of the subpoena under paragraph (a)(5) of this section. (8) The proceedings will be recorded and transcribed. The witness is entitled to a copy of the transcript, upon payment of prescribed costs, except that, for good cause, the witness may be limited to inspection of the official transcript of his or her testimony. (9)(i) The transcript will be submitted to the witness for signature. (A) Where the witness will be provided a copy of the transcript, the transcript will be submitted to the witness for signature. The witness may submit to the Secretary written proposed corrections to the transcript, with such corrections attached to the transcript. If the witness does not return a signed copy of the transcript or proposed corrections within 30 days (computed in the same manner as prescribed under Sec. 
160.526 of this part) of its being submitted to him or her for signature, the witness will be deemed to have agreed that the transcript is true and accurate. (B) Where, as provided in paragraph (b)(8) of this section, the witness is limited to inspecting the transcript, the witness will have the opportunity at the time of inspection to propose corrections to the transcript, with corrections attached to the transcript. The witness will also have the opportunity to sign the transcript. If the witness does not sign the transcript or offer corrections within 30 days (computed in the same manner as prescribed under Sec. 160.526 of this part) of receipt of notice of the opportunity to inspect the transcript, the witness will be deemed to have agreed that the transcript is true and accurate. (ii) The Secretary's proposed corrections to the record of transcript will be attached to the transcript. (c) Consistent with Sec. 160.310(c)(3), testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding. Sec. 160.316 Refraining from intimidation or retaliation. A covered entity may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for-- (a) Filing of a complaint under Sec. 160.306; (b) Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under this part; or (c) Opposing any act or practice made unlawful by this subchapter, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164 of this subchapter. 4. Add a new subpart D to read as follows: Subpart D--Imposition of Civil Money Penalties 160.400 Applicability. 
160.402 Basis for a civil money penalty. 160.404 Amount of a civil money penalty. 160.406 Violations of an identical requirement or prohibition. 160.408 Factors considered in determining the amount of a civil money penalty. 160.410 Affirmative defenses. 160.412 Waiver. 160.414 Limitations. 160.416 Authority to settle. 160.418 Penalty not exclusive. [[Page 8427]] 160.420 Notice of proposed determination. 160.422 Failure to request a hearing. 160.424 Collection of penalty. 160.426 Notification of the public and other agencies. Sec. 160.400 Applicability. This subpart applies to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5. Sec. 160.402 Basis for a civil money penalty. (a) General rule. Subject to Sec. 160.410, the Secretary will impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision. (b) Violation by more than one covered entity. (1) Except as provided in paragraph (b)(2) of this section, if the Secretary determines that more than one covered entity was responsible for a violation, the Secretary will impose a civil money penalty against each such covered entity. (2) A covered entity that is a member of an affiliated covered entity, in accordance with Sec. 164.105(b) of this subchapter, is jointly and severally liable for a civil money penalty for a violation of part 164 of this subchapter based on an act or omission of the affiliated covered entity, unless it is established that another member of the affiliated covered entity was responsible for the violation. (c) Violation attributed to a covered entity. 
A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency, unless-- (1) The agent is a business associate of the covered entity; (2) The covered entity has complied, with respect to such business associate, with the applicable requirements of Sec. Sec. 164.308(b) and 164.502(e) of this subchapter; and (3) The covered entity did not-- (i) Know of a pattern of activity or practice of the business associate, and (ii) Fail to act as required by Sec. Sec. 164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable. Sec. 160.404 Amount of a civil money penalty. (a) The amount of a civil money penalty will be determined in accordance with paragraph (b) of this section and Sec. Sec. 160.406, 160.408, and 160.412. (b) The amount of a civil money penalty that may be imposed is subject to the following limitations: (1) The Secretary may not impose a civil money penalty-- (i) In the amount of more than $100 for each violation; or (ii) In excess of $25,000 for identical violations during a calendar year (January 1 through the following December 31). (2) If a requirement or prohibition in one administrative simplification provision is repeated in a more general form in another administrative simplification provision in the same subpart, a civil money penalty may be imposed for a violation of only one of these administrative simplification provisions. Sec. 160.406 Violations of an identical requirement or prohibition. The Secretary will determine the number of violations of an administrative simplification provision based on the nature of the covered entity's obligation to act or not act under the provision that is violated, such as its obligation to act in a certain manner, or within a certain time, or to act or not act with respect to certain persons. 
In the case of continuing violation of a provision, a separate violation occurs each day the covered entity is in violation of the provision. Sec. 160.408 Factors considered in determining the amount of a civil money penalty. In determining the amount of any civil money penalty, the Secretary may consider as aggravating or mitigating factors, as appropriate, any of the following: (a) The nature of the violation, in light of the purpose of the rule violated. (b) The circumstances, including the consequences, of the violation, including but not limited to: (1) The time period during which the violation(s) occurred; (2) Whether the violation caused physical harm; (3) Whether the violation hindered or facilitated an individual's ability to obtain health care; and (4) Whether the violation resulted in financial harm. (c) The degree of culpability of the covered entity, including but not limited to: (1) Whether the violation was intentional; and (2) Whether the violation was beyond the direct control of the covered entity. (d) Any history of prior compliance with the administrative simplification provisions, including violations, by the covered entity, including but not limited to: (1) Whether the current violation is the same or similar to prior violation(s); (2) Whether and to what extent the covered entity has attempted to correct previous violations; (3) How the covered entity has responded to technical assistance from the Secretary provided in the context of a compliance effort; and (4) How the covered entity has responded to prior complaints. (e) The financial condition of the covered entity, including but not limited to: (1) Whether the covered entity had financial difficulties that affected its ability to comply; (2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity to continue to provide, or to pay for, health care; and (3) The size of the covered entity. (f) Such other matters as justice may require. Sec. 
160.410 Affirmative defenses. (a) As used in this section, the following terms have the following meanings: Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. (b) The Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following: (1) The violation is an act punishable under 42 U.S.C. 1320d-6; (2) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the federal common law of agency, and, by exercising reasonable diligence, would not have known that the violation occurred; or (3) The violation is-- (i) Due to reasonable cause and not willful neglect; and (ii) Corrected during either: (A) The 30-day period beginning on the date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or [[Page 8428]] (B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply. Sec. 160.412 Waiver. For violations described in Sec. 160.410(b)(3)(i) that are not corrected within the period described in Sec. 160.410(b)(3)(ii), the Secretary may waive the civil money penalty, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation. Sec. 160.414 Limitations. 
No action under this subpart may be entertained unless commenced by the Secretary, in accordance with Sec. 160.420, within 6 years from the date of the occurrence of the violation. Sec. 160.416 Authority to settle. Nothing in this subpart limits the authority of the Secretary to settle any issue or case or to compromise any penalty. Sec. 160.418 Penalty not exclusive. Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1), a penalty imposed under this part is in addition to any other penalty prescribed by law. Sec. 160.420 Notice of proposed determination. (a) If a penalty is proposed in accordance with this part, the Secretary must deliver, or send by certified mail with return receipt requested, to the respondent, written notice of the Secretary's intent to impose a penalty. This notice of proposed determination must include-- (1) Reference to the statutory basis for the penalty; (2) A description of the findings of fact regarding the violations with respect to which the penalty is proposed (except that, in any case where the Secretary is relying upon a statistical sampling study in accordance with Sec. 160.536 of this part, the notice must provide a copy of the study relied upon by the Secretary); (3) The reason(s) why the violation(s) subject(s) the respondent to a penalty; (4) The amount of the proposed penalty; (5) Any circumstances described in Sec. 160.408 that were considered in determining the amount of the proposed penalty; and (6) Instructions for responding to the notice, including a statement of the respondent's right to a hearing, a statement that failure to request a hearing within 90 days permits the imposition of the proposed penalty without the right to a hearing under Sec. 160.504 or a right of appeal under Sec. 160.548 of this part, and the address to which the hearing request must be sent. (b) The respondent may request a hearing before an ALJ on the proposed penalty by filing a request in accordance with Sec. 160.504 of this part. Sec. 
160.422 Failure to request a hearing. If the respondent does not request a hearing within the time prescribed by Sec. 160.504 of this part and the matter is not settled pursuant to Sec. 160.416, the Secretary will impose the proposed penalty or any lesser penalty permitted by 42 U.S.C. 1320d-5. The Secretary will notify the respondent by certified mail, return receipt requested, of any penalty that has been imposed and of the means by which the respondent may satisfy the penalty, and the penalty is final on receipt of the notice. The respondent has no right to appeal a penalty under Sec. 160.548 of this part with respect to which the respondent has not timely requested a hearing. Sec. 160.424 Collection of penalty. (a) Once a determination of the Secretary to impose a penalty has become final, the penalty will be collected by the Secretary, subject to the first sentence of 42 U.S.C. 1320a-7a(f). (b) The penalty may be recovered in a civil action brought in the United States district court for the district where the respondent resides, is found, or is located. (c) The amount of a penalty, when finally determined, or the amount agreed upon in compromise, may be deducted from any sum then or later owing by the United States, or by a State agency, to the respondent. (d) Matters that were raised or that could have been raised in a hearing before an ALJ, or in an appeal under 42 U.S.C. 1320a-7a(e), may not be raised as a defense in a civil action by the United States to collect a penalty under this part. Sec. 160.426 Notification of the public and other agencies. 
Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: the appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)). 5. Revise subpart E of this part to read as follows: Subpart E--Procedures for Hearings Sec. 160.500 Applicability. 160.502 Definitions. 160.504 Hearing before an ALJ. 160.506 Rights of the parties. 160.508 Authority of the ALJ. 160.510 Ex parte contacts. 160.512 Prehearing conferences. 160.514 Authority to settle. 160.516 Discovery. 160.518 Exchange of witness lists, witness statements, and exhibits. 160.520 Subpoenas for attendance at hearing. 160.522 Fees. 160.524 Form, filing, and service of papers. 160.526 Computation of time. 160.528 Motions. 160.530 Sanctions. 160.532 Collateral estoppel. 160.534 The hearing. 160.536 Statistical sampling. 160.538 Witnesses. 160.540 Evidence. 160.542 The record. 160.544 Post hearing briefs. 160.546 ALJ's decision. 160.548 Appeal of the ALJ's decision. 160.550 Stay of the Secretary's decision. 160.552 Harmless error. Sec. 160.500 Applicability. This subpart applies to hearings conducted relating to the imposition of a civil money penalty by the Secretary under 42 U.S.C. 1320d-5. Sec. 160.502 Definitions. As used in this subpart, the following term has the following meaning: Board means the members of the HHS Departmental Appeals Board, in the Office of the Secretary, who issue decisions in panels of three. Sec. 160.504 Hearing before an ALJ. 
(a) A respondent may request a hearing before an ALJ. The parties to the hearing proceeding consist of-- (1) The respondent; and (2) The officer(s) or employee(s) of HHS to whom the enforcement authority involved has been delegated. (b) The request for a hearing must be made in writing signed by the respondent or by the respondent's attorney and sent by certified mail, return receipt requested, to the address specified in the notice of proposed determination. The request for a hearing must be mailed within 90 days after notice of the proposed determination is received by the respondent. For purposes of this section, the [[Page 8429]] respondent's date of receipt of the notice of proposed determination is presumed to be 5 days after the date of the notice unless the respondent makes a reasonable showing to the contrary to the ALJ. (c) The request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact contained in the notice of proposed determination with regard to which the respondent has any knowledge. If the respondent has no knowledge of a particular finding of fact and so states, the finding shall be deemed denied. The request for a hearing must also state the circumstances or arguments that the respondent alleges constitute the grounds for any defense and the factual and legal basis for opposing the penalty, except that a respondent may raise an affirmative defense under Sec. 160.410(b)(1) at any time. (d) The ALJ must dismiss a hearing request where-- (1) On motion of the Secretary, the ALJ determines that the respondent's hearing request is not timely filed as required by paragraphs (b) or does not meet the requirements of paragraph (c) of this section; (2) The respondent withdraws the request for a hearing; (3) The respondent abandons the request for a hearing; or (4) The respondent's hearing request fails to raise any issue that may properly be addressed in a hearing. Sec. 160.506 Rights of the parties. 
(a) Except as otherwise limited by this subpart, each party may-- (1) Be accompanied, represented, and advised by an attorney; (2) Participate in any conference held by the ALJ; (3) Conduct discovery of documents as permitted by this subpart; (4) Agree to stipulations of fact or law that will be made part of the record; (5) Present evidence relevant to the issues at the hearing; (6) Present and cross-examine witnesses; (7) Present oral arguments at the hearing as permitted by the ALJ; and (8) Submit written briefs and proposed findings of fact and conclusions of law after the hearing. (b) A party may appear in person or by a representative. Natural persons who appear as an attorney or other representative must conform to the standards of conduct and ethics required of practitioners before the courts of the United States. (c) Fees for any services performed on behalf of a party by an attorney are not subject to the provisions of 42 U.S.C. 406, which authorizes the Secretary to specify or limit their fees. Sec. 160.508 Authority of the ALJ. (a) The ALJ must conduct a fair and impartial hearing, avoid delay, maintain order, and ensure that a record of the proceeding is made. 
(b) The ALJ may-- (1) Set and change the date, time and place of the hearing upon reasonable notice to the parties; (2) Continue or recess the hearing in whole or in part for a reasonable period of time; (3) Hold conferences to identify or simplify the issues, or to consider other matters that may aid in the expeditious disposition of the proceeding; (4) Administer oaths and affirmations; (5) Issue subpoenas requiring the attendance of witnesses at hearings and the production of documents at or in relation to hearings; (6) Rule on motions and other procedural matters; (7) Regulate the scope and timing of documentary discovery as permitted by this subpart; (8) Regulate the course of the hearing and the conduct of representatives, parties, and witnesses; (9) Examine witnesses; (10) Receive, rule on, exclude, or limit evidence; (11) Upon motion of a party, take official notice of facts; (12) Conduct any conference, argument or hearing in person or, upon agreement of the parties, by telephone; and (13) Upon motion of a party, decide cases, in whole or in part, by summary judgment where there is no disputed issue of material fact. A summary judgment decision constitutes a hearing on the record for the purposes of this subpart. (c) The ALJ-- (1) May not find invalid or refuse to follow Federal statutes, regulations, or Secretarial delegations of authority and must give deference to published guidance to the extent not inconsistent with statute or regulation; (2) May not enter an order in the nature of a directed verdict; (3) May not compel settlement negotiations; (4) May not enjoin any act of the Secretary; or (5) May not review the exercise of discretion by the Secretary with respect to whether to grant an extension under Sec. 160.410(b)(3)(ii)(B) of this part or to provide technical assistance under 42 U.S.C. 1320d-5(b)(3)(B). Sec. 160.510 Ex parte contacts. 
No party or person (except employees of the ALJ's office) may communicate in any way with the ALJ on any matter at issue in a case, unless on notice and opportunity for both parties to participate. This provision does not prohibit a party or person from inquiring about the status of a case or asking routine questions concerning administrative functions or procedures. Sec. 160.512 Prehearing conferences. (a) The ALJ must schedule at least one prehearing conference, and may schedule additional prehearing conferences as appropriate, upon reasonable notice, which may not be less than 14 business days, to the parties. (b) The ALJ may use prehearing conferences to discuss the following-- (1) Simplification of the issues; (2) The necessity or desirability of amendments to the pleadings, including the need for a more definite statement; (3) Stipulations and admissions of fact or as to the contents and authenticity of documents; (4) Whether the parties can agree to submission of the case on a stipulated record; (5) Whether a party chooses to waive appearance at an oral hearing and to submit only documentary evidence (subject to the objection of the other party) and written argument; (6) Limitation of the number of witnesses; (7) Scheduling dates for the exchange of witness lists and of proposed exhibits; (8) Discovery of documents as permitted by this subpart; (9) The time and place for the hearing; (10) The potential for the settlement of the case by the parties; and (11) Other matters as may tend to encourage the fair, just and expeditious disposition of the proceedings, including the protection of privacy of individually identifiable health information that may be submitted into evidence or otherwise used in the proceeding, if appropriate. (c) The ALJ must issue an order containing the matters agreed upon by the parties or ordered by the ALJ at a prehearing conference. Sec. 160.514 Authority to settle. 
The Secretary has exclusive authority to settle any issue or case without the consent of the ALJ.

Sec. 160.516 Discovery.

(a) A party may make a request to another party for production of documents for inspection and copying [[Page 8430]] that are relevant and material to the issues before the ALJ.

(b) For the purpose of this section, the term ``documents'' includes information, reports, answers, records, accounts, papers and other data and documentary evidence. Nothing contained in this section may be interpreted to require the creation of a document, except that requested data stored in an electronic data storage system must be produced in a form accessible to the requesting party.

(c) Requests for documents, requests for admissions, written interrogatories, depositions and any forms of discovery, other than those permitted under paragraph (a) of this section, are not authorized.

(d) This section may not be construed to require the disclosure of interview reports or statements obtained by any party, or on behalf of any party, of persons who will not be called as witnesses by that party, or analyses and summaries prepared in conjunction with the investigation or litigation of the case, or any otherwise privileged documents.

(e)(1) When a request for production of documents has been received, within 30 days the party receiving that request must either fully respond to the request, or state that the request is being objected to and the reasons for that objection. If objection is made to part of an item or category, the part must be specified. Upon receiving any objections, the party seeking production may then, within 30 days or any other time frame set by the ALJ, file a motion for an order compelling discovery. The party receiving a request for production may also file a motion for protective order any time before the date the production is due.
(2) The ALJ may grant a motion for protective order or deny a motion for an order compelling discovery if the ALJ finds that the discovery sought--

(i) Is irrelevant;

(ii) Is unduly costly or burdensome;

(iii) Will unduly delay the proceeding; or

(iv) Seeks privileged information.

(3) The ALJ may extend any of the time frames set forth in paragraph (e)(1) of this section.

(4) The burden of showing that discovery should be allowed is on the party seeking discovery.

Sec. 160.518 Exchange of witness lists, witness statements, and exhibits.

(a) The parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written statements that the party intends to offer in lieu of live testimony in accordance with Sec. 160.538, not more than 60, and not less than 15, days before the scheduled hearing, except that if a respondent intends to introduce the evidence of a statistical expert, the respondent must provide the Secretarial party with a copy of the statistical expert's report not less than 30 days before the scheduled hearing.

(b)(1) If, at any time, a party objects to the proposed admission of evidence not exchanged in accordance with paragraph (a) of this section, the ALJ must determine whether the failure to comply with paragraph (a) of this section should result in the exclusion of that evidence.

(2) Unless the ALJ finds that extraordinary circumstances justified the failure timely to exchange the information listed under paragraph (a) of this section, the ALJ must exclude from the party's case-in-chief--

(i) The testimony of any witness whose name does not appear on the witness list; and

(ii) Any exhibit not provided to the opposing party as specified in paragraph (a) of this section.

(3) If the ALJ finds that extraordinary circumstances existed, the ALJ must then determine whether the admission of that evidence would cause substantial prejudice to the objecting party.
(i) If the ALJ finds that there is no substantial prejudice, the evidence may be admitted.

(ii) If the ALJ finds that there is substantial prejudice, the ALJ may exclude the evidence, or, if he or she does not exclude the evidence, must postpone the hearing for such time as is necessary for the objecting party to prepare and respond to the evidence, unless the objecting party waives postponement.

(c) Unless the other party objects within a reasonable period of time before the hearing, documents exchanged in accordance with paragraph (a) of this section will be deemed to be authentic for the purpose of admissibility at the hearing.

Sec. 160.520 Subpoenas for attendance at hearing.

(a) A party wishing to procure the appearance and testimony of any person at the hearing may make a motion requesting the ALJ to issue a subpoena if the appearance and testimony are reasonably necessary for the presentation of a party's case.

(b) A subpoena requiring the attendance of a person in accordance with paragraph (a) of this section may also require the person (whether or not the person is a party) to produce relevant and material evidence at or before the hearing.

(c) When a subpoena is served by a respondent on a particular employee or official or particular office of HHS, the Secretary may comply by designating any knowledgeable HHS representative to appear and testify.

(d) A party seeking a subpoena must file a written motion not less than 30 days before the date fixed for the hearing, unless otherwise allowed by the ALJ for good cause shown. That motion must--

(1) Specify any evidence to be produced;

(2) Designate the witnesses; and

(3) Describe the address and location with sufficient particularity to permit those witnesses to be found.

(e) The subpoena must specify the time and place at which the witness is to appear and any evidence the witness is to produce.
(f) Within 15 days after the written motion requesting issuance of a subpoena is served, any party may file an opposition or other response.

(g) If the motion requesting issuance of a subpoena is granted, the party seeking the subpoena must serve it by delivery to the person named, or by certified mail addressed to that person at the person's last dwelling place or principal place of business.

(h) The person to whom the subpoena is directed may file with the ALJ a motion to quash the subpoena within 10 days after service.

(i) The exclusive remedy for contumacy by, or refusal to obey a subpoena duly served upon, any person is specified in 42 U.S.C. 405(e).

Sec. 160.522 Fees.

The party requesting a subpoena must pay the cost of the fees and mileage of any witness subpoenaed in the amounts that would be payable to a witness in a proceeding in United States District Court. A check for witness fees and mileage must accompany the subpoena when served, except that, when a subpoena is issued on behalf of the Secretary, a check for witness fees and mileage need not accompany the subpoena.

Sec. 160.524 Form, filing, and service of papers.

(a) Forms.

(1) Unless the ALJ directs the parties to do otherwise, documents filed with the ALJ must include an original and two copies.

(2) Every pleading and paper filed in the proceeding must contain a caption setting forth the title of the action, the case number, and a designation of the paper, such as motion to quash subpoena.

[[Page 8431]]

(3) Every pleading and paper must be signed by and must contain the address and telephone number of the party or the person on whose behalf the paper was filed, or his or her representative.

(4) Papers are considered filed when they are mailed.

(b) Service. A party filing a document with the ALJ or the Board must, at the time of filing, serve a copy of the document on the other party.
Service upon any party of any document must be made by delivering a copy, or placing a copy of the document in the United States mail, postage prepaid and addressed, or with a private delivery service, to the party's last known address. When a party is represented by an attorney, service must be made upon the attorney in lieu of the party.

(c) Proof of service. A certificate of the natural person serving the document by personal delivery or by mail, setting forth the manner of service, constitutes proof of service.

Sec. 160.526 Computation of time.

(a) In computing any period of time under this subpart or in an order issued thereunder, the time begins with the day following the act, event or default, and includes the last day of the period unless it is a Saturday, Sunday, or legal holiday observed by the Federal Government, in which event it includes the next business day.

(b) When the period of time allowed is less than 7 days, intermediate Saturdays, Sundays, and legal holidays observed by the Federal Government must be excluded from the computation.

(c) Where a document has been served or issued by placing it in the mail, an additional 5 days must be added to the time permitted for any response. This paragraph does not apply to requests for hearing under Sec. 160.504.

Sec. 160.528 Motions.

(a) An application to the ALJ for an order or ruling must be by motion. Motions must state the relief sought, the authority relied upon and the facts alleged, and must be filed with the ALJ and served on all other parties.

(b) Except for motions made during a prehearing conference or at the hearing, all motions must be in writing. The ALJ may require that oral motions be reduced to writing.

(c) Within 10 days after a written motion is served, or such other time as may be fixed by the ALJ, any party may file a response to the motion.
(d) The ALJ may not grant a written motion before the time for filing responses has expired, except upon consent of the parties or following a hearing on the motion, but may overrule or deny the motion without awaiting a response.

(e) The ALJ must make a reasonable effort to dispose of all outstanding motions before the beginning of the hearing.

Sec. 160.530 Sanctions.

The ALJ may sanction a person, including any party or attorney, for failing to comply with an order or procedure, for failing to defend an action or for other misconduct that interferes with the speedy, orderly or fair conduct of the hearing. The sanctions must reasonably relate to the severity and nature of the failure or misconduct. The sanctions may include--

(a) In the case of refusal to provide or permit discovery under the terms of this part, drawing negative factual inferences or treating the refusal as an admission by deeming the matter, or certain facts, to be established;

(b) Prohibiting a party from introducing certain evidence or otherwise supporting a particular claim or defense;

(c) Striking pleadings, in whole or in part;

(d) Staying the proceedings;

(e) Dismissal of the action;

(f) Entering a decision by default;

(g) Ordering the party or attorney to pay the attorney's fees and other costs caused by the failure or misconduct; and

(h) Refusing to consider any motion or other action that is not filed in a timely manner.

Sec. 160.532 Collateral estoppel.

When a final determination that the respondent violated an administrative simplification provision has been rendered in any proceeding in which the respondent was a party and had an opportunity to be heard, the respondent is bound by that determination in any proceeding under this part.

Sec. 160.534 The hearing.

(a) The ALJ must conduct a hearing on the record in order to determine whether the respondent should be found liable under this part.
(b)(1) The respondent has the burden of going forward and the burden of persuasion with respect to any:

(i) Affirmative defense pursuant to Sec. 160.410 of this part;

(ii) Challenge to the amount of a proposed penalty pursuant to Sec. Sec. 160.404-160.408 of this part, including any factors raised as mitigating factors; or

(iii) Claim that a proposed penalty should be reduced or waived pursuant to Sec. 160.412 of this part.

(2) The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability and the existence of any factors considered as aggravating factors in determining the amount of the proposed penalty.

(3) The burden of persuasion will be judged by a preponderance of the evidence.

(c) The hearing must be open to the public unless otherwise ordered by the ALJ for good cause shown.

(d)(1) Subject to the 15-day rule under Sec. 160.518(a) and the admissibility of evidence under Sec. 160.540, either party may introduce, during its case in chief, items or information that arose or became known after the date of the issuance of the notice of proposed determination or the request for hearing, as applicable. Such items and information may not be admitted into evidence, if introduced--

(i) By the Secretary, unless they are material and relevant to the acts or omissions with respect to which the penalty is proposed in the notice of proposed determination pursuant to Sec. 160.420 of this part, including circumstances that may increase penalties; or

(ii) By the respondent, unless they are material and relevant to an admission, denial or explanation of a finding of fact in the notice of proposed determination under Sec. 160.420 of this part, or to a specific circumstance or argument expressly stated in the request for hearing under Sec. 160.504, including circumstances that may reduce penalties.
(2) After both parties have presented their cases, evidence may be admitted in rebuttal even if not previously exchanged in accordance with Sec. 160.518.

Sec. 160.536 Statistical sampling.

(a) In meeting the burden of proof set forth in Sec. 160.534, the Secretary may introduce the results of a statistical sampling study as evidence of the number of violations under Sec. 160.406 of this part, or the factors considered in determining the amount of the civil money penalty under Sec. 160.408 of this part. Such statistical sampling study, if based upon an appropriate sampling and computed by valid statistical methods, constitutes prima facie evidence of the number of violations and the existence of factors material to the proposed civil money penalty as described in Sec. Sec. 160.406 and 160.408.

(b) Once the Secretary has made a prima facie case, as described in paragraph (a) of this section, the burden of going forward shifts to the respondent [[Page 8432]] to produce evidence reasonably calculated to rebut the findings of the statistical sampling study. The Secretary will then be given the opportunity to rebut this evidence.

Sec. 160.538 Witnesses.

(a) Except as provided in paragraph (b) of this section, testimony at the hearing must be given orally by witnesses under oath or affirmation.

(b) At the discretion of the ALJ, testimony of witnesses other than the testimony of expert witnesses may be admitted in the form of a written statement. The ALJ may, at his or her discretion, admit prior sworn testimony of experts that has been subject to adverse examination, such as a deposition or trial testimony. Any such written statement must be provided to the other party, along with the last known address of the witness, in a manner that allows sufficient time for the other party to subpoena the witness for cross-examination at the hearing. Prior written statements of witnesses proposed to testify at the hearing must be exchanged as provided in Sec. 160.518.
(c) The ALJ must exercise reasonable control over the mode and order of interrogating witnesses and presenting evidence so as to:

(1) Make the interrogation and presentation effective for the ascertainment of the truth;

(2) Avoid repetition or needless consumption of time; and

(3) Protect witnesses from harassment or undue embarrassment.

(d) The ALJ must permit the parties to conduct cross-examination of witnesses as may be required for a full and true disclosure of the facts.

(e) The ALJ may order witnesses excluded so that they cannot hear the testimony of other witnesses, except that the ALJ may not order to be excluded--

(1) A party who is a natural person;

(2) In the case of a party that is not a natural person, the officer or employee of the party appearing for the entity pro se or designated as the party's representative; or

(3) A natural person whose presence is shown by a party to be essential to the presentation of its case, including a person engaged in assisting the attorney for the Secretary.

Sec. 160.540 Evidence.

(a) The ALJ must determine the admissibility of evidence.

(b) Except as provided in this subpart, the ALJ is not bound by the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate, for example, to exclude unreliable evidence.

(c) The ALJ must exclude irrelevant or immaterial evidence.

(d) Although relevant, evidence may be excluded if its probative value is substantially outweighed by the danger of unfair prejudice, confusion of the issues, or by considerations of undue delay or needless presentation of cumulative evidence.

(e) Although relevant, evidence must be excluded if it is privileged under Federal law.

(f) Evidence concerning offers of compromise or settlement are inadmissible to the extent provided in Rule 408 of the Federal Rules of Evidence.
(g) Evidence of crimes, wrongs, or acts other than those at issue in the instant case is admissible in order to show motive, opportunity, intent, knowledge, preparation, identity, lack of mistake, or existence of a scheme. This evidence is admissible regardless of whether the crimes, wrongs, or acts occurred during the statute of limitations period applicable to the acts or omissions that constitute the basis for liability in the case and regardless of whether they were referenced in the Secretary's notice of proposed determination under Sec. 160.420 of this part.

(h) The ALJ must permit the parties to introduce rebuttal witnesses and evidence.

(i) All documents and other evidence offered or taken for the record must be open to examination by both parties, unless otherwise ordered by the ALJ for good cause shown.

Sec. 160.542 The record.

(a) The hearing must be recorded and transcribed. Transcripts may be obtained following the hearing from the ALJ. A party that requests a transcript of hearing proceedings must pay the cost of preparing the transcript unless, for good cause shown by the party, the payment is waived by the ALJ or the Board, as appropriate.

(b) The transcript of the testimony, exhibits, and other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the record for decision by the ALJ and the Secretary.

(c) The record may be inspected and copied (upon payment of a reasonable fee) by any person, unless otherwise ordered by the ALJ for good cause shown.

(d) For good cause, the ALJ may order appropriate redactions made to the record.

Sec. 160.544 Post hearing briefs.

The ALJ may require the parties to file post-hearing briefs. In any event, any party may file a post-hearing brief. The ALJ must fix the time for filing the briefs. The time for filing may not exceed 60 days from the date the parties receive the transcript of the hearing or, if applicable, the stipulated record.
The briefs may be accompanied by proposed findings of fact and conclusions of law. The ALJ may permit the parties to file reply briefs.

Sec. 160.546 ALJ's decision.

(a) The ALJ must issue a decision, based only on the record, which must contain findings of fact and conclusions of law.

(b) The ALJ may affirm, increase, or reduce the penalties imposed by the Secretary.

(c) The ALJ must issue the decision to both parties within 60 days after the time for submission of post-hearing briefs and reply briefs, if permitted, has expired. If the ALJ fails to meet the deadline contained in this paragraph, he or she must notify the parties of the reason for the delay and set a new deadline.

(d) Unless the decision of the ALJ is timely appealed as provided for in Sec. 160.548, the decision of the ALJ will be final and binding on the parties 60 days from the date of service of the ALJ's decision.

Sec. 160.548 Appeal of the ALJ's decision.

(a) Any party may appeal the decision of the ALJ to the Board by filing a notice of appeal with the Board within 30 days of the date of service of the ALJ decision. The Board may extend the initial 30 day period for a period of time not to exceed 30 days if a party files with the Board a request for an extension within the initial 30 day period and shows good cause.

(b) If a party files a timely notice of appeal with the Board, the ALJ must forward the record of the proceeding to the Board.

(c) A notice of appeal must be accompanied by a written brief specifying exceptions to the initial decision and reasons supporting the exceptions. Any party may file a brief in opposition to the exceptions, which may raise any relevant issue not addressed in the exceptions, within 30 days of receiving the notice of appeal and the accompanying brief. The Board may permit the parties to file reply briefs.

(d) There is no right to appear personally before the Board or to appeal to the Board any interlocutory ruling by the ALJ.
[[Page 8433]]

(e) Except for an affirmative defense under Sec. 160.410(b)(1) of this part, the Board may not consider any issue not raised in the parties' briefs, nor any issue in the briefs that could have been raised before the ALJ but was not.

(f) If any party demonstrates to the satisfaction of the Board that additional evidence not presented at such hearing is relevant and material and that there were reasonable grounds for the failure to adduce such evidence at the hearing, the Board may remand the matter to the ALJ for consideration of such additional evidence.

(g) The Board may decline to review the case, or may affirm, increase, reduce, reverse or remand any penalty determined by the ALJ.

(h) The standard of review on a disputed issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the whole record. The standard of review on a disputed issue of law is whether the decision is erroneous.

(i) Within 60 days after the time for submission of briefs and reply briefs, if permitted, has expired, the Board must serve on each party to the appeal a copy of the Board's decision and a statement describing the right of any respondent who is penalized to seek judicial review.

(j)(1) The Board's decision under paragraph (i) of this section, including a decision to decline review of the initial decision, becomes the final decision of the Secretary 60 days after the date of service of the Board's decision, except with respect to a decision to remand to the ALJ or if reconsideration is requested under this paragraph.

(2) The Board will reconsider its decision only if it determines that the decision contains a clear error of fact or error of law. New evidence will not be a basis for reconsideration unless the party demonstrates that the evidence is newly discovered and was not previously available.
(3) A party may file a motion for reconsideration with the Board before the date the decision becomes final under paragraph (j)(1) of this section. A motion for reconsideration must be accompanied by a written brief specifying any alleged error of fact or law and, if the party is relying on additional evidence, explaining why the evidence was not previously available. Any party may file a brief in opposition within 15 days of receiving the motion for reconsideration and the accompanying brief unless this time limit is extended by the Board for good cause shown. Reply briefs are not permitted.

(4) The Board must rule on the motion for reconsideration not later than 30 days from the date the opposition brief is due. If the Board denies the motion, the decision issued under paragraph (i) of this section becomes the final decision of the Secretary on the date of service of the ruling. If the Board grants the motion, the Board will issue a reconsidered decision, after such procedures as the Board determines necessary to address the effect of any error. The Board's decision on reconsideration becomes the final decision of the Secretary on the date of service of the decision, except with respect to a decision to remand to the ALJ.

(5) If service of a ruling or decision issued under this section is by mail, the date of service will be deemed to be 5 days from the date of mailing.

(k)(1) A respondent's petition for judicial review must be filed within 60 days of the date on which the decision of the Board becomes the final decision of the Secretary under paragraph (j) of this section.

(2) In compliance with 28 U.S.C. 2112(a), a copy of any petition for judicial review filed in any U.S. Court of Appeals challenging the final decision of the Secretary must be sent by certified mail, return receipt requested, to the General Counsel of HHS.
The petition copy must be a copy showing that it has been time-stamped by the clerk of the court when the original was filed with the court.

(3) If the General Counsel of HHS received two or more petitions within 10 days after the final decision of the Secretary, the General Counsel will notify the U.S. Judicial Panel on Multidistrict Litigation of any petitions that were received within the 10 day period.

Sec. 160.550 Stay of the Secretary's decision.

(a) Pending judicial review, the respondent may file a request for stay of the effective date of any penalty with the ALJ. The request must be accompanied by a copy of the notice of appeal filed with the Federal court. The filing of the request automatically stays the effective date of the penalty until such time as the ALJ rules upon the request.

(b) The ALJ may not grant a respondent's request for stay of any penalty unless the respondent posts a bond or provides other adequate security.

(c) The ALJ must rule upon a respondent's request for stay within 10 days of receipt.

Sec. 160.552 Harmless error.

No error in either the admission or the exclusion of evidence, and no error or defect in any ruling or order or in any act done or omitted by the ALJ or by any of the parties is ground for vacating, modifying or otherwise disturbing an otherwise appropriate ruling or order or act, unless refusal to take such action appears to the ALJ or the Board inconsistent with substantial justice. The ALJ and the Board at every stage of the proceeding must disregard any error or defect in the proceeding that does not affect the substantial rights of the parties.

PART 164--SECURITY AND PRIVACY

1. The authority citation for part 164 is revised to read as follows:

Authority: 42 U.S.C. 1320d-1320d-8 and sec. 264, Pub. L. No. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)).

2. In Sec. 164.530, revise paragraph (g) to read as follows:

Sec. 164.530 Administrative requirements.
* * * * *

(g) Standard: refraining from intimidating or retaliatory acts. A covered entity--

(1) May not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the exercise by the individual of any right established, or for participation in any process provided for by this subpart, including the filing of a complaint under this section; and

(2) Must refrain from intimidation and retaliation as provided in Sec. 160.316 of this subchapter.

* * * * *

[FR Doc. 06-1376 Filed 2-10-06; 2:59 pm]