HIPAA Regulations: Compliance and Enforcement: Secretarial Action Regarding Complaints and Compliance Reviews - § 160.312
As Contained in the HHS HIPAA Privacy Rules
HHS Regulations as Amended January 2013
(a) Resolution when noncompliance is indicated. (1) If an investigation of a complaint pursuant to §160.306 or a compliance review pursuant to §160.308 indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.
(2) If the matter is resolved by informal means, the Secretary will so inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.
(3) If the matter is not resolved by informal means, the Secretary will—
(i) So inform the covered entity or business associate and provide the covered entity or business associate an opportunity to submit written evidence of any mitigating factors or affirmative defenses for consideration under §§160.408 and 160.410 of this part. The covered entity or business associate must submit any such evidence to the Secretary within 30 days (computed in the same manner as prescribed under §160.526 of this part) of receipt of such notification; and
(ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary finds that a civil money penalty should be imposed, inform the covered entity or business associate of such finding in a notice of proposed determination in accordance with §160.420 of this part.
(b) Resolution when no violation is found. If, after an investigation pursuant to §160.306 or a compliance review pursuant to §160.308, the Secretary determines that further action is not warranted, the Secretary will so inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.
HHS Description and Commentary From the January 2013 Amendments
Section 13410(a) of the HITECH Act adds a new subsection (c) to section 1176 of the Social Security Act, which requires the Department to formally investigate a complaint if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect (section 1176(c)(2)) and to impose a civil money penalty for a violation due to willful neglect (section 1176(c)(1)). The Department proposed a number of modifications to Subpart C of the Enforcement Rule to implement these provisions.
Given the HITECH Act’s requirement that the Secretary impose a penalty for any violation due to willful neglect, the Department proposed changes to § 160.312, which currently requires the Secretary to attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. The NPRM proposed to provide instead in § 160.312(a) that the Secretary “may” rather than “will” attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. This change would permit the Department to proceed with a willful neglect violation determination as appropriate, while also permitting the Department to seek resolution of complaints and compliance reviews that did not indicate willful neglect violations by informal means (e.g., where the covered entity or business associate did not know and by exercising reasonable diligence would not have known of a violation, or where the violation is due to reasonable cause).
Note: The remainder of the description and commentary is the same for sections 160.304, 160.306, 160.308, and 160.312.
Overview of Public Comments
One commenter supported maintaining the current language at §§ 160.306 and 160.308 of the Enforcement Rule, providing the Secretary with discretion to conduct complaint investigations and compliance reviews, regardless of indications of willful neglect. One commenter suggested that OCR look to whether facts indicate a “probable,” rather than “possible,” violation due to willful neglect to limit the likelihood of unnecessary formal investigations or compliance reviews. While one commenter supported the proposal to require a compliance review in circumstances indicating a possible violation due to willful neglect, others argued that requiring compliance reviews in such circumstances is not required by the statute, will detract from resources to investigate complaints, and will be duplicative if a formal complaint investigation is also underway.
Several commenters expressed concern over the proposal at § 160.312(a) to give the Secretary discretion, rather than to require the Secretary, to attempt to resolve investigations or compliance reviews indicating noncompliance by informal means, even in cases of noncompliance that did not involve willful neglect (e.g., cases involving reasonable cause or lack of knowledge of a violation). Commenters indicated support for the Department’s seeking compliance through voluntary corrective action as opposed to formal enforcement proceedings and argued that the Department should retain the requirement for the Secretary to attempt informal resolution in all circumstances except those involving willful neglect. One commenter recommended that the Secretary be able to assess penalties regardless of whether corrective action was obtained.
Final Rule
The final rule adopts the modifications to §§ 160.304, 160.306, 160.308, and 160.312, as proposed in the NPRM. The Department believes these changes to the enforcement provisions to be appropriate given the HITECH Act’s requirements at section 13410(a) with respect to circumstances indicating or involving noncompliance due to willful neglect. We do not provide in the Rule that the Secretary will investigate when a preliminary review of the facts indicates a “probable” rather than “possible” violation due to willful neglect as the statute requires an investigation even in cases indicating a “possible” violation due to willful neglect.
In response to commenters concerned about requiring the Secretary to conduct compliance reviews in circumstances in which facts indicate a possible violation due to willful neglect, we continue to believe that, while not expressly required by the statute, doing so appropriately strengthens enforcement with respect to violations due to willful neglect and ensures consistency in the handling of complaints and compliance reviews in which violations due to willful neglect are indicated.
We emphasize that the Department retains discretion to decide whether to conduct a compliance review (or complaint investigation) where a preliminary review of the facts indicates a degree of culpability less than willful neglect. Further, with respect to commenter concerns about duplication between complaint investigations and compliance reviews, we clarify that the Department generally conducts compliance reviews to investigate allegations of violations of the HIPAA Rules brought to the Department’s attention through a mechanism other than a complaint. For example, the Department may use a compliance review to investigate allegations of violations of the Rules brought to our attention through a media report, or from a State or another Federal agency. If the Department initiates an investigation of a complaint because its preliminary review of the facts indicates a possible violation due to willful neglect, the Department is not also required to initiate a compliance review under § 160.308 because doing so would initiate a duplicative investigation.
With respect to § 160.312, where the Rule previously mandated that the Secretary attempt to resolve indicated violations of the HIPAA Rules by informal means, the final rule now provides the Secretary with the discretion to do so, to reflect Section 13410 of the HITECH Act with regard to violations due to willful neglect.
Nothing in Section 13410 of the HITECH Act limits the Secretary’s ability to resolve such cases by informal means. However, through its introduction of higher penalties and its mandate for formal investigations with regard to possible violations due to willful neglect, Section 13410 strengthens enforcement and accordingly we have revised § 160.312 so that the Secretary may move directly to a civil money penalty without exhausting informal resolution efforts at her discretion, particularly in cases involving willful neglect violations.
Response to Other Public Comments
Comment: A number of commenters requested further clarification on the scope and depth of what constitutes a “preliminary review of the facts” for purposes of determining whether facts indicate a possible violation due to willful neglect and thus, warrant a formal complaint investigation or compliance review. Certain commenters suggested that a preliminary review of the facts should go beyond merely a review of the allegations asserted in a complaint.
Response: As noted above, currently the Department conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules. The Department anticipates that some complaints, on their face, or reports or referrals that form the basis of a potential compliance review, will contain sufficient information to indicate a possible violation due to willful neglect, and some may not. In any event, the Department may on a case-by-case basis expand the preliminary review and conduct additional inquiries for purposes of identifying a possible violation due to willful neglect. Notwithstanding the scope of a preliminary review, OCR will determine if an indicated violation was due to willful neglect based on the evidence from its investigation of the allegations, even if a violation due to willful neglect was not indicated at the preliminary review stage.
HHS Description From the Original Rulemaking Compliance and Enforcement: Secretarial Action Regarding Complaints and Compliance Reviews
Note: The HHS Description is the same as for § 164.300
Proposed § 164.522 included five paragraphs addressing activities related to the Secretary’s enforcement of the rule. These provisions were based on procedures and requirements in various civil rights regulations. Proposed § 164.522(a) provided that the Secretary would, to the extent practicable, seek the cooperation of covered entities in obtaining compliance, and could provide technical assistance to covered entities to help them comply voluntarily. Proposed § 164.522(b) provided that individuals could file complaints with the Secretary. However, where the complaint related to the alleged failure of a covered entity to amend or correct protected health information as proposed in the rule, the Secretary would not make certain determinations such as whether protected health information was accurate or complete. This paragraph also listed the requirements for filing complaints and indicated that the Secretary may investigate such complaints and what might be reviewed as part of such investigation.
Under proposed § 164.522(c), the Secretary would be able to conduct compliance reviews. Proposed § 164.522(d) described the responsibilities that covered entities keep records and reports as prescribed by the Secretary, cooperate with compliance reviews, permit the Secretary to have access to their facilities, books, records, and other sources of information during normal business hours, and seek records held by other persons. This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and prohibit covered entities from taking retaliatory action against individuals for filing complaints or for other activities. Proposed § 164.522(e) provided that the Secretary would inform the covered entity and the individual complainant if an investigation or review indicated a failure to comply and would seek to resolve the matter informally if possible. If the matter could not be resolved informally, the Secretary would be able to issue written findings, be required to inform the covered entity and the complainant, and be able to pursue civil enforcement action or make a criminal referral. The Secretary would also be required to inform the covered entity and the individual complainant if no violation was found.
We make the following changes and additions to proposed § 164.522 in the final rule. First, we have moved this section to part 160, as a new subpart C, “Compliance and Enforcement.” Second, we add new sections that explain the applicability of these provisions and incorporate certain definitions. Accordingly, we change the proposed references to violations to “this subpart” to violations of “the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.” Third, the final rule at § 160.306(a) provides that any person, not just an “individual” (the person who is the subject of the individually identifiable health information) may file a complaint with the Secretary. Other references in this subpart to an individual have been changed accordingly. Fourth, we delete the proposed § 164.522(a) language that indicated that the Secretary would not determine whether information was accurate or complete, or whether errors or omissions might have an adverse effect on the individual. While the policy is not changed in that the Secretary will not make such determinations, we believe the language is unnecessary and may suggest that we would make all other types of determinations, such as all determinations in which the regulation defers to the professional judgment of the covered entity. Fifth, § 160.306(b)(3) requires that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. Sixth, § 160.310(b) requires cooperation with investigations as well as compliance reviews. 
Seventh, § 160.310(c)(1) provides that the Secretary must be provided access to a covered entity’s facilities, books, records, accounts, and other sources of information, including protected health information, at any time and without notice where exigent circumstances exist, such as where documents might be hidden or destroyed. Eighth, the provision proposed at § 164.522(d) that would prohibit covered entities from taking retaliatory action against individuals for filing a complaint with the Secretary or for certain other actions has been changed and moved to § 164.530. Ninth, § 160.312(a)(2) deletes the reference in the proposed rule to using violation findings as a basis for initiating action to secure penalties. This deletion is not a substantive change. This language was removed because penalties will be addressed in the enforcement regulation. As in the NPRM, the Secretary may promulgate alternative procedures for complaints relating to national security. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.
The Department plans to issue an Enforcement Rule that applies to all of the regulations that the Department issues under the Administrative Simplification provisions of HIPAA. This regulation will address the imposition of civil monetary penalties and the referral of criminal cases where there has been a violation of this rule. Penalties are provided for under section 262 of HIPAA. The Enforcement Rule would also address the topics covered by Subpart C below. It is expected that this Enforcement Rule would replace Subpart C.