HIPAA ENFORCEMENT RULE General Approach (Reprinted From the Department of Health and Human Resources)
As our discussions make clear, the duty to comply with certain of the HIPAA rules is
now a reality for many, if not most, covered entities. The immediacy of the
compliance obligation brings with it the issue of how these rules will be
enforced. Accordingly, we lay out our general approach to enforcement. We then
discuss how the rules will fit in with the Enforcement Rule in its
entirety.
HHS's General Approach to Enforcement
The Department intends to seek and promote voluntary compliance with the rules
promulgated to carry out the HIPAA provisions. With respect to the Privacy
Rule, OCR has developed and is continuing to produce guidance and a wide array
of other technical assistance materials to help covered entities effectively
implement the Privacy Rule. These materials are available on the OCR Privacy
web site at http://www.hhs.gov/ocr/hipaa. These efforts will
continue after the April 14, 2003 compliance date, as OCR learns from its
compliance activities and from those who are implementing the Privacy Rule
where additional guidance and assistance are needed. Other components of the
Department are also developing guidance and technical assistance on the Privacy
Rule for their partners.
This approach reflects the requirements in 45
CFR part 160, subpart C, that, to the extent practicable, OCR will seek the
cooperation of covered entities in obtaining compliance with the Privacy Rule,
and may provide technical assistance to help covered entities voluntarily
comply with the Rule. See 45 CFR 160.304. As further provided in 45 CFR
160.312(a)(2), OCR will seek to resolve matters by informal means before
issuing findings of non-compliance, under its authority to investigate and
resolve complaints, and to engage in compliance reviews.
With respect to enforcement of the remainder of the HIPAA rules, the enforcement approach of
CMS is similar. "Enforcement activities will focus on obtaining voluntary
compliance through technical assistance. The process will be primarily
complaint driven and will consist of progressive steps that will provide
opportunities to demonstrate compliance or submit a corrective action plan."
HHS press release of October 15, 2002, announcing assignment of enforcement
responsibility to CMS. CMS provides a wide variety of technical assistance and
informational materials on its website, at
www.cms.gov/hipaa/hipaa2.
HHS's Approach to the Enforcement Rule
As noted above, HHS intends to issue an
Enforcement Rule in furtherance of its implementation of 42 U.S.C. 1320d-5. The
Enforcement Rule, in its entirety, addresses a number of substantive issues
relating to the imposition of CMPs under section 1320d-5, such as the
Department's policies for determining violations and calculating CMPs. In
addition, the Enforcement Rule establishes procedures for the imposition of
CMPs, including the procedures for providing notice and a hearing on the
Secretary's determination to impose a CMP.
Administrative Procedure Act
We recognize that under the Administrative Procedure Act
("APA") most of the above-described provisions of the Enforcement Rule must be
promulgated through notice-and-comment rulemaking. We intend to do so. However,
to allow covered entities and the public to be informed as soon as possible of
procedural requirements that will apply as compliance proceeds, we are
expediting the publication of these procedural rules in final form. These rules
set out the procedures for provision by the agency of the statutorily required
notice and hearing and procedures for issuing administrative subpoenas. Such
provisions are exempted from the requirement for notice-and-comment rulemaking
under the "rules of agency ... procedure, or practice" exemption at 5 U.S.C.
553(b)(3)(A). Even though notice-and-comment rulemaking is, therefore, not
required with respect to the procedural rules adopted, HHS is interested in
input from the public, and thus is requesting public comment on them. We expect
to augment these procedural rules with provisions that, while related to
procedure, are substantive in nature. We anticipate including those provisions
in the notice-and-comment rulemaking that we plan for the remainder of the
Enforcement Rule. In any event, we plan to revise the procedural rule by the
expiration date.
Approach of the Enforcement Rule
As noted above, the provisions of 42 U.S.C. 1320a-7a apply to the imposition of a
CMP under 42 U.S.C. 1320d-5 "in the same manner as" they apply to the
imposition of CMPs under section 1320a-7a itself. Within HHS, section 1320a-7a
is implemented by the Office of Inspector General ("OIG") and, as pertinent
here, through the OIG regulations that are codified at 42 CFR parts 1003, 1005,
and 1006. We have used the OIG regulations as the platform for the rules for
two reasons. First, we read the "in the same manner as" language of the statute
as indicating that the procedures for the imposition of CMPs under 42 U.S.C.
1320d-5 should be, in general, similar to those used by the OIG under 42 U.S.C.
1320a-7a. Second, HHS and much of the health care industry have operated under
the OIG regulations implementing section 1320a-7a for more than a decade. There
is, thus, a significant body of experience with, and understanding of, the OIG
procedural rules, both within HHS and in a large part of the regulated
universe. Based on this experience, we believe that the rules will be workable
and promote the efficient resolution of cases where the Secretary's proposed
imposition of a CMP is challenged.
Accordingly, the rules are based
upon, and are in many respects the same as, the OIG regulations at 42 CFR parts
1003, 1005, and 1006. We have adapted, re-ordered, or combined the OIG language
in a number of places for clarity of presentation or to reflect concepts
peculiar to the HIPAA provisions or rules. To avoid confusion, we have also
employed certain language usages in order to make the usage in the rules
consistent with that in the other HIPAA rules (for example, for mandatory
duties, "must" instead of "will" or "shall"; for discretionary duties, "may"
instead of "has the authority to"). We do not discuss those nonsubstantive
changes. Where we have materially changed the language of the OIG regulations,
however, we discuss our reasons for doing so.
We also note that the
rules, as well as the Enforcement Rule as a whole, are not HIPAA standards, and
thus the requirement for industry consultations in 42 U.S.C. 1320d-1(c) does
not apply. Therefore, we have not engaged in such consultations with respect to
the Enforcement Rule.