An Analysis of the HIPAA Final Enforcement Rule
Francoise Gilbert
© 2006 IT Law Group – All Rights Reserved
Running afoul of HIPAA can waste time, resources, and goodwill. The best practice is to establish appropriate privacy and security policies and procedures, train and supervise personnel, and conduct periodic audits to ensure continued compliance.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Pub. L. No. 104-191, 110 Stat. 1936 (1996), has transformed the practices of hospitals, physicians, health plans, and their service providers by establishing new requirements for creating, storing, managing, transmitting, and disclosing health information. Since the enactment of the law, the Department of Health and Human Services (“HHS”) has promulgated several regulations and standards that clarify and expand upon the original law. These include, for example, the Privacy Rule, Security Standards, Transactions and Code Set Standards, and Identifier Standards. Most recently, the HHS promulgated the Final Enforcement Rule, which details the rules and procedures for the enforcement of HIPAA’s administrative simplification provisions. This article explains and describes the new Final Enforcement Rule.
BACKGROUND ON HIPAA’S REQUIREMENTS, STANDARDS, AND PENALTIES
HIPAA outlined administrative simplification provisions, which aimed at, among other things, protecting individuals’ health records. To this end, HIPAA established civil and criminal penalties for violation of, or failure to comply with, its administrative simplification provisions. These penalties are not cumulative: a civil penalty cannot be imposed if the act also constitutes a criminal offense. Civil penalties are enforced by the HHS, and criminal penalties by the U.S. Department of Justice. There is no private right of action. An individual who is affected by a violation can report it to the HHS Secretary, who will investigate the complaint and may elect to prosecute the covered entity. The Office of Civil Rights receives complaints relating to privacy violations, whereas the Centers for Medicare and Medicaid Services receive complaints relating to security.
Civil Enforcement Provision
The civil enforcement provision of HIPAA is codified at 42 U.S.C. §1320d-5. Under this section, any person who violates a provision of the statute or the regulations can be penalized up to $100 for each such violation. The total amount imposed for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
Enhanced Penalties for Knowing Violations
42 U.S.C. §1320d-6 provides for enhanced penalties for violations that are knowingly made. Criminal penalties are assessed when a person knowingly and in violation of HIPAA:
In most cases, a person who violates this provision faces a fine of up to $50,000, up to one year of imprisonment, or both. Penalties for offenses committed under false pretenses can reach $100,000, a prison term of up to five years, or both. If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the individual may be fined up to $250,000, imprisoned for up to 10 years, or both.
Final Rule for the Imposition of Civil Money Penalties
The Final Enforcement Rule became effective as of March 16, 2006. The Rule applies to violations of any of the HIPAA regulations set forth in Parts 160, 162 and 164 of Title 45 of the Code of Federal Regulations. The Final Enforcement Rule is codified at subparts C, D, and E of 45 C.F.R. part 160. Of note, the final draft expands the scope of the Enforcement Rule to all violations of the HIPAA Administrative Simplification Provisions, from the initial narrow scope that would have limited the application of the Enforcement Rule to Privacy Rule violations only.
How an Action is Initiated
A covered entity may fall within HHS scrutiny in two ways: either the HHS Secretary initiates a compliance review, or the HHS Secretary conducts an investigation after receiving a complaint from an individual.
A complaint may be filed by anyone who has identified or suffered from a potential violation of HIPAA or its related regulations. The complaint must be filed with the HHS, and not in court, since there is no private right of action. The complaint must name the entity that is the subject of the complaint, and describe the acts or omissions that are believed to be in violation of the applicable provisions.
The HHS Secretary may also elect to initiate a review of a covered entity in order to determine whether a covered entity is complying with the applicable administrative simplification provisions.
Multilayered Enforcement Approach
Once an action is initiated, the proceedings may take successive phases, depending on whether or not the parties request reconsideration or review of the decisions. These phases are summarized below, and are described in more detail in the remainder of this article.
| Triggering Event | Action | Upon Conclusion | Review of the decision |
|---|---|---|---|
| HHS initiates a compliance review, or HHS conducts an investigation after receiving a complaint. | Review of the policies, procedures, practices, and the circumstances regarding the alleged violation. Witness testimony. Inspection of premises. Inspection of books, accounts, and pertinent PHI. Proceedings are non-public. | Upon completion of the review or investigation, two alternatives: (a) no further action is warranted, and the proceeding is over; or (b) determination of non-compliance, and then: attempt at resolution by informal means; opportunity to present written evidence and mitigating factors; if unsuccessful, HHS issues a Notice of Proposed Determination of Civil Money Penalty. | Upon issuance of the Notice of Proposed Determination, the Respondent may settle or request a hearing. If a hearing is requested, the case is transferred to an Administrative Law Judge. If no hearing request is filed, the penalty is final. |
| Administrative Law Judge conducts a hearing to review the HHS proposed determination. | Pre-hearing conference. Hearing on the record. Examination of witnesses. Review of evidence. Limited discovery. Hearing is open to the public. Parties may elect, or be required, to file post-hearing briefs. | ALJ issues a decision. The decision must be based only on the record, and must contain findings of fact and conclusions of law. ALJ may affirm, increase, or reduce the penalties proposed by HHS. ALJ serves the decision on the parties. | Decision becomes final unless it is appealed. If an appeal is filed, the case is transferred to the HHS Departmental Appeals Board. |
| Review by the HHS Departmental Appeals Board. | Board reviews the file provided by the ALJ. | If the Board elects to review the case, it may affirm, increase, reduce, reverse, or remand any penalty determined by the ALJ. | When the Board’s decision is issued, the parties may petition for reconsideration. If the Board does not reconsider, the Respondent may file a Petition for Judicial Review with the applicable U.S. Court of Appeals. |
Basis for Civil Money Penalties
The HHS Secretary may impose a civil money penalty upon determination that the covered entity has violated an administrative simplification provision. The causes for liability are extensive. Liability stems from not only the acts or omissions of covered entities, but also extends to liability from the acts of others.
More than One Entity
If the HHS Secretary determines that more than one covered entity was responsible for a violation, each covered entity will be subject to a civil money penalty.
Affiliated Covered Entities
If a covered entity is a member of an affiliated covered entity, it is jointly and severally liable for any act or omission of the affiliated covered entity, unless it is established that another member of the group of affiliated entities was responsible for the violation.
Agents
A covered entity is also liable, in accordance with the federal common law of agency, for an act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency.
Business Associates
There is no liability for acts of business associates, except if the covered entity has failed to comply with the applicable requirements in the Privacy and Security Rules with respect to relationships with business associates. This includes, for example, obtaining written satisfactory assurance that the business associate will appropriately safeguard protected health information, or terminating the business associate that failed to comply with the contract.
Amount of Civil Money Penalties
Consistent with HIPAA’s mandate, the amount of a civil money penalty may not exceed the limits specified in the 1996 law:
If a requirement or prohibition is repeated in a more general form in another administrative simplification provision in the same subpart, a civil money penalty may be imposed for a violation of only one of these administrative simplification provisions. In addition, except where the event is subject to criminal penalties, civil money penalties are in addition to any other penalty prescribed by law.
Violation of an Identical Requirement or Prohibition
The Rule defines a “violation” as a “failure to comply with an administrative simplification provision.” The HHS Secretary will determine the number of violations based on the nature of the covered entity's obligation to act or not act, such as its obligation to act in a certain manner, or within a certain time, or with respect to certain persons. Further, if there is a continuing violation of a provision, a separate violation occurs each day the covered entity is in violation of the provision.
Aggravating or Mitigating Factors
In determining the amount of any civil money penalty, the HHS Secretary may consider aggravating or mitigating factors, as appropriate, such as:
Other extenuating circumstances may also be taken into account.
Affirmative Defenses
At any time, the covered entity may raise affirmative defenses. These include:
Waiver and Settlement
In addition, the HHS Secretary has the authority to waive the civil money penalty, in whole or in part, if it would be excessive relative to the violation, when the violation was due to reasonable cause and not willful neglect, even if the violation is not corrected within the statutory period. The HHS Secretary may also elect to settle with the respondent any issue or case, or to compromise any penalty.
INITIAL INVESTIGATION AND COMPLIANCE REVIEW
Since there is no private right of action, all enforcement actions under HIPAA are initiated by the HHS. This may happen after HHS takes the initiative to conduct a compliance review, or when it reacts to a complaint from an individual about a violation of that individual’s rights. Investigational inquiries are non-public proceedings conducted by the HHS Secretary. Investigations or compliance reviews may include the attendance and testimony of witnesses and the production of evidence.
Investigational Subpoenas
During an investigation, the HHS Secretary may issue subpoenas to require the attendance and testimony of witnesses. Entities must designate one or more witnesses to testify on their behalf. Testimony is taken under oath. The proceedings are recorded and transcribed, and the transcript is submitted to the witness for review and signature. The witness may request corrections.
Document Review and Access to Facilities
An investigation may also include a review of documents or access to facilities. A covered entity must keep records and compliance reports and submit them, as determined by the HHS Secretary, so that he may ascertain whether the covered entity has complied or is complying with the applicable administrative simplification provisions.
The covered entity must cooperate with the HHS Secretary during the conduct of an investigation or compliance review of its policies, procedures, or practices. For example, it must permit access, during normal business hours, to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance. Further, if the HHS Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, the covered entity must permit access at any time and without notice.
Steps Upon Completion of Investigation or Compliance Review
After an investigation pursuant to a complaint, or after a compliance review, the HHS Secretary determines whether or not there is non-compliance.
If No Violation is Found
If no violation is found, the Secretary will so inform the covered entity. If the matter arose from a person's complaint, HHS will also inform the complainant. Notices must be in writing.
If Non-Compliance is Found
If the investigation indicates noncompliance, the HHS Secretary will attempt to reach a resolution by informal means, and if unsuccessful, may assess a penalty.
Resolution by Informal Means
The Secretary must first attempt to reach a resolution of the matter by informal means, such as demonstrated compliance, a completed corrective action plan, or other agreement. Resolution must be satisfactory to the Secretary.
No Informal Resolution
If the matter is not resolved by informal means, the HHS Secretary will give the covered entity the opportunity to submit written evidence of any mitigating factors, or to assert affirmative defenses. The evidence must be submitted within 30 days.
Notice of Proposed Determination
If, after evaluation of the evidence and the affirmative defenses, the HHS Secretary finds that civil money penalties should be imposed, he or she will notify the covered entity through a Notice of Proposed Determination. The Notice of Proposed Determination indicates the amount of proposed penalty, and any mitigating circumstances. In addition, it must contain a description of the findings of fact regarding the acts or omissions with respect to which the penalty is proposed, the reason why these acts or omissions subject the respondent to a penalty, and appropriate references to the statutory basis for the penalty.
HEARING BEFORE ADMINISTRATIVE LAW JUDGE
The Notice of Proposed Determination must also contain a statement of the respondent's right to a hearing. If a respondent disagrees with the HHS findings and the proposed penalty, it can request a review of the proposed determination and a hearing before an ALJ promptly upon receiving the Notice of Proposed Determination.
Request for A Hearing
The request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact contained in the Notice. It must also state the circumstances or arguments that the respondent alleges constitute the ground for any defense, and the factual and legal bases for opposing the penalty. Affirmative defenses can be raised at any time.
Dismissal of A Hearing Request
A hearing request may be denied. The HHS Secretary may file a motion for dismissal, arguing that the request was not filed timely, or does not meet the legal requirements for the request. The ALJ may also dismiss a hearing request upon determining that the request fails to raise any issue that may properly be addressed in a hearing.
Rights of the Parties to the Hearing
The parties to the hearing proceedings consist of the respondent and the employees of the HHS to whom the enforcement authority has been delegated. Each party may be accompanied, represented, and advised by an attorney. Each party may conduct discovery of documents, present evidence and witnesses, and cross-examine the other party’s witnesses. Each may also agree to stipulations of fact or law to be included in the record. At the hearing, each party has the right to present oral arguments and, after the hearing, to submit written briefs and proposed findings of fact and conclusions of law.
Authority of the Administrative Law Judge
The ALJ is responsible for regulating the course of the hearing and the conduct of representatives, parties, and witnesses. Among other things, the ALJ issues subpoenas requiring the attendance of witnesses at hearings and the production of documents, regulates the scope and timing of documentary discovery, examines witnesses, and receives and rules on evidence. The ALJ may also rule on motions and other procedural matters and conduct any conference, argument, or hearing. He or she may rule on summary judgment motions where there is no disputed issue of material fact. The ALJ, however, may not compel settlement negotiations or enjoin any act of the Secretary.
Pre-hearing Conferences
The ALJ must schedule at least one pre-hearing conference and is permitted to hold additional conferences with the parties. These conferences may be used, for example, to identify or simplify the issues, evaluate the necessity or desirability of amendments to the pleadings, or discuss stipulations and admissions. Pre-hearing conferences may also be used to agree on limiting the number of witnesses and other discovery issues, or to evaluate the potential for settlement of the case by the parties. The ALJ must issue an order containing the matters agreed upon by the parties or ordered by the ALJ at a pre-hearing conference.
Discovery
The Enforcement Rule allows for limited discovery, which includes the production of documents for inspection and copying, and the use and cross-examination of witnesses. A party may request the other to produce, for inspection, documents that are relevant and material to the issues before the ALJ: information, reports, answers, records, accounts, papers and other data, and documentary evidence. Requests for admissions, written interrogatories, depositions, and any other forms of discovery are not authorized. A party who has received a request may object to the request and file a motion for a protective order.
Pre-Hearing Disclosures
Before the scheduled hearing, the parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written statements that the party intends to offer in lieu of live testimony. If, later, a party proposes the admission of evidence not exchanged as set forth above, the ALJ must exclude this additional evidence, unless the ALJ finds that extraordinary circumstances existed. In this case, the ALJ, as appropriate, may allow the objecting party time to prepare and respond to this additional evidence.
Subpoenas
If a party wishes to procure the appearance and testimony of a person at the hearing, it must make a motion requesting the ALJ to issue a subpoena. The subpoena may also require the person to produce evidence at or before the hearing. The other party may file an opposition.
The Hearing
The hearing is open to the public. The respondent has the burden of going forward and the burden of persuasion with respect to any affirmative defense, any challenge to the amount of a proposed penalty (including any factors raised as mitigating factors), and any claim that a proposed penalty should be reduced or waived. The HHS Secretary has the burden on all other issues, including issues of liability and any aggravating factors in determining the amount of the proposed penalty. Whether a party has met the burden of persuasion on an issue is judged by a preponderance of the evidence. At the hearing, the Administrative Law Judge may examine witnesses, and review, rule on, exclude, or limit evidence.
In meeting its burden of proof, the HHS Secretary may introduce the results of a statistical sampling study as evidence of the number of violations, or the factors considered in determining the amount of the civil money penalty. The statistical sampling study presented by the HHS Secretary, if based upon an appropriate sampling and computed by valid statistical methods, constitutes prima facie evidence of the number of violations and the existence of factors material to the proposed civil money penalty.
Witnesses
Testimony must be given orally by witnesses under oath. However, at the discretion of the ALJ, testimony of witnesses other than expert witnesses may be admitted in the form of a written statement.
The ALJ may also admit prior sworn testimony of experts that have been subject to adverse examination, such as a deposition or trial testimony. However, in this case, the written statement must be provided to the other party in advance, so that it has sufficient time to subpoena the witness for cross-examination at the hearing.
Evidence
The ALJ must determine the admissibility of evidence. She is not bound by the Federal Rules of Evidence, but there are exceptions. For example, evidence concerning offers of compromise or settlement is inadmissible to the extent provided in the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate, for example, to exclude unreliable evidence.
The ALJ must permit the parties to introduce rebuttal witnesses and evidence. All documents and other evidence offered or taken for the record must be open to examination by both parties, unless otherwise ordered by the ALJ for good cause shown.
The Record
The hearing must be recorded and transcribed. The transcript of the testimony, exhibits, and other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the record of the decision by the ALJ and the Secretary. The record is public. It may be inspected and copied by any person, unless otherwise ordered by the ALJ for good cause shown.
Post-hearing Briefs
Although the parties may elect to file post-hearing briefs, the ALJ has discretion to order them to prepare and file post-hearing briefs, as well as reply briefs. The briefs may be accompanied by proposed findings of fact and conclusions of law.
Decision and Appeal
The ALJ’s decision must be based only on the record and must contain findings of fact and conclusions of law. She or he may affirm, increase, or reduce the penalties imposed by the HHS Secretary. Unless this decision is timely appealed, it becomes final and binding on the parties.
APPEALS TO THE HHS BOARD
An appeal of an ALJ’s decision must be filed with the HHS Departmental Appeals Board (“Board”) promptly after service of the decision. A notice of appeal must be accompanied by a written brief specifying exceptions to the initial decision and reasons supporting the exceptions. Any party may file a brief. The brief may raise any relevant issue not addressed in the exceptions. There is no right to appear personally before the Board.
Review of the Record
Except for an affirmative defense, the Board may not consider any issue not raised in the parties' briefs, or any issue in the briefs that could have been raised before the ALJ but was not. However, a party may opt to demonstrate that additional evidence not presented at the ALJ hearing is relevant and material, and that there were reasonable grounds for the failure to adduce such evidence at the hearing. If the Board is satisfied with the argument, it may remand the matter to the ALJ for consideration of such additional evidence.
The standard of review on an issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the record. The standard of review on a disputed issue of law is whether the decision is erroneous.
Board's Decision
The Board may decline to review the case, or may affirm, increase, reduce, reverse or remand the penalty. The Board must serve a copy of its decision on each party, and, as applicable, a statement describing the right of any respondent who is penalized to seek judicial review. The Board’s decision, including a decision to decline review of the initial decision, becomes the final decision of the Secretary 60 days after the date of service of the Board’s decision, unless the Board has remanded the case to the ALJ or reconsideration is requested, as explained below.
Request for Reconsideration
A party may file a motion for reconsideration. This motion must be accompanied by a brief specifying any alleged error of fact or law and, if the party is relying on additional evidence, explaining why the evidence was not previously available. The other party may file a brief in opposition. Reply briefs are not permitted.
Reconsideration and Ruling
The Board will reconsider its decision only if it determines that the decision contains a clear error of fact or error of law. New evidence will not be a basis for reconsideration unless the party demonstrates that the evidence is newly discovered and was not previously available. If the Board denies the motion for reconsideration, the decision becomes the final decision of the Secretary. If the Board grants the motion, the Board will issue a reconsidered decision, after such procedures as the Board determines necessary to address the effect of any error. The Board’s decision on reconsideration becomes the final decision of the Secretary, except with respect to a decision to remand to the ALJ.
JUDICIAL REVIEW
When the decision of the Board becomes final, a respondent may file a petition for judicial review with the applicable U.S. Court of Appeals. Pending judicial review, the respondent may file a request for stay of any penalty with the Administrative Law Judge. The ALJ may not grant a respondent's request for a stay unless the respondent posts a bond or provides adequate security. The filing of the request automatically stays the effective date of the penalty until the ALJ rules upon the request.
FINAL PENALTY, COLLECTION, AND NOTICE TO THIRD PARTIES
If, after receiving a Notice of Proposed Determination, a covered entity does not request a hearing, and the matter is not otherwise settled, the HHS Secretary will impose the proposed penalty or any less severe penalty permitted as discussed above. A respondent that fails to exercise its right to a hearing forgoes any further right to appeal the penalty.
Notification of the Final Penalty
The HHS Secretary will notify the respondent by certified mail of the penalty that has been imposed, and of the means by which the respondent may satisfy the penalty. The penalty is final on receipt of the notice.
Collection of the Penalty
Once a determination to impose a penalty has become final, the HHS Secretary will collect the sums due. The penalty may be recovered in a civil action in a U.S. District Court where the respondent resides, is found, or is located. It may also be deducted from sums then or later owed to the respondent by the United States or a State agency.
Third-Party Notification
The assessment of civil money penalties affects a covered entity in many ways. In addition to the obligation to pay a penalty, there is a negative effect on the entity’s reputation. The final determination that the covered entity failed to comply with HIPAA will be reported to numerous agencies. These organizations include, as applicable: medical or professional organizations, agencies administering or supervising the administration of State health care programs, utilization and quality control peer review organizations, and licensing agencies or organizations. The notification discloses the assessment of the penalty and the reason for imposing it. It is likely that once this information is reported, it will be available to the public and the media, and might result in bad press.
FUTURE COMPLIANCE ACTIONS
HHS has stated that it intends to seek and promote voluntary compliance with the HIPAA Rules through technical assistance. It is expected that its enforcement efforts will involve responding to complaints, rather than a widespread effort to audit and detect violations. The HHS approach will consist of progressive steps that will provide opportunities for the covered entity to demonstrate compliance or submit a corrective action plan. Nevertheless, the HHS retains the authority to conduct compliance reviews to determine whether a covered entity is complying with the applicable administrative simplification provisions.
In addition to HHS actions under the Final Enforcement Rule, companies should also be concerned about suits that might be filed in court by disgruntled patients. If there is a breach of privacy, the victim may find that reporting the violation to the HHS Secretary for an eventual investigation will not adequately repair the damage caused. He or she may opt to pursue an action personally. Since there is no private right of action, the individual will not be able to assert directly that HIPAA was violated. However, he or she might bring breach of contract, tort, or unfair and deceptive practices claims under state laws. For example, in a negligence claim, in which a standard of care must be established, that standard is likely to be found in the HIPAA Privacy Rule and the HIPAA Security Safeguards. Further, a failure to perform according to these standards might also be deemed an unfair or deceptive trade practice. Suits in other industries have shown that such actions under section 5 of the FTC Act and equivalent state unfair and deceptive practice statutes can be successful.
CONCLUSION
HIPAA’s Final Enforcement Rule defines a complex multi-step program for the enforcement of the administrative simplification provisions. The case is first evaluated by the HHS, which may ultimately issue a Notice of Proposed Determination. The respondent may ask for a review of the decision by an Administrative Law Judge, who will review the case at a public hearing. The respondent can appeal the ALJ’s decision, and the case is then transferred to the HHS Departmental Appeals Board. If the Board does not decline to review the case, it may affirm, increase, reduce, reverse, or remand the decision. A party may file a motion for reconsideration of the Board’s decision. Ultimately, the Board’s decision becomes final unless the party files a petition for judicial review with the applicable U.S. Court of Appeals.
Although the civil money penalties that may be assessed in a compliance or enforcement action are capped at a maximum amount per calendar year, companies that are subject to an HHS investigation (and subsequent hearings and appeals) may find that the proceedings are a substantial drain on their resources. Indeed, the process is likely to last several months, or years, and will require a substantial and extensive investment of time by management and staff to respond to discovery requests, host HHS inspectors at the company’s facilities, and prepare or respond to the numerous briefs required along the way. In addition, a negative determination will undoubtedly cause embarrassment, and greatly harm the goodwill of the institution, since the decision will be reported to numerous health and professional organizations and is likely to reach the public.
Altogether, rather than risk such a waste of time, resources, and goodwill, companies are well advised to have in place and abide by appropriate privacy and security policies and procedures, adequately train and supervise their personnel, and conduct periodic audits to ensure continued compliance with these legal and internal requirements.
Basis For Civil Money Penalties
The HHS Secretary may impose a civil money penalty upon determination that the covered entity has violated an administrative simplification provision. The causes for liability are extensive. Liability stems from not only the acts or omissions of covered entities, but also extends to liability from the acts of others.
More Than One Entity
If the HHS Secretary determines that more than one covered entity was responsible for a violation, each covered entity will be subject to civil money penalty.
Affiliated Covered Entities
If a covered entity is a member of an affiliated covered entity, it is jointly and severally liable for any act or omission of the affiliated covered entity, unless it is established that another member of the group of affiliated entities was responsible for the violation.
Agents
A covered entity is also liable, in accordance with the federal common law of agency, for an act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency.
Business Associates
There is no liability for acts of business associates, unless the covered entity has failed to comply with the applicable requirements in the Privacy and Security Rules with respect to relationships with business associates. These requirements include, for example, obtaining satisfactory written assurance that the business associate will appropriately safeguard protected health information, or terminating the contract with a business associate that has failed to comply with it.
Amount Of Civil Money Penalties
Consistent with HIPAA’s mandate, the amount of a civil money penalty may not exceed the limits specified in the 1996 law:
If a requirement or prohibition is repeated in a more general form in another administrative simplification provision in the same subpart, a civil money penalty may be imposed for a violation of only one of these administrative simplification provisions. In addition, unless the event is subject to criminal penalties, civil money penalties are in addition to any other penalty prescribed by law.
Violation Of An Identical Requirement Or Prohibition
The Rule defines a “violation” as a “failure to comply with an administrative simplification provision.” The HHS Secretary will determine the number of violations based on the nature of the covered entity's obligation to act or not act, such as its obligation to act in a certain manner, or within a certain time, or with respect to certain persons. Further, if there is a continuing violation of a provision, a separate violation occurs each day the covered entity is in violation of the provision.
Aggravating or Mitigating Factors
In determining the amount of any civil money penalty, the HHS Secretary may consider aggravating or mitigating factors, as appropriate, such as:
Other extenuating circumstances may also be taken into account.
Affirmative Defenses
At any time, the covered entity may raise affirmative defenses. These include:
Waiver And Settlement
In addition, the HHS Secretary has the authority to waive the civil money penalty, in whole or in part, if it would be excessive relative to the violation, when the violation was due to reasonable cause and not willful neglect, even if the violation is not corrected within the statutory period. The HHS Secretary may also elect to settle with the respondent any issue or case, or to compromise any penalty.
INITIAL INVESTIGATION AND COMPLIANCE REVIEW
Since there is no private right of action, all enforcement actions under HIPAA are initiated by the HHS. This may happen after HHS takes the initiative to conduct a compliance review, or when it reacts to a complaint from an individual about a violation of that individual's rights. Investigational inquiries are nonpublic proceedings conducted by the HHS Secretary. Investigations or compliance reviews may include the attendance and testimony of witnesses and the production of evidence.
Investigational Subpoenas
During an investigation, the HHS Secretary may issue subpoenas to require the attendance and testimony of witnesses. Entities must designate one or more witnesses to testify on their behalf. Testimony is taken under oath. The proceedings are recorded and transcribed, and the transcript is submitted to the witness for review and signature. The witness may request corrections.
Document Review And Access To Facilities
An investigation may also include a review of documents or access to facilities. A covered entity must keep records and compliance reports and submit them, as determined by the HHS Secretary, so that the Secretary may ascertain whether the covered entity has complied or is complying with the applicable administrative simplification provisions.
The covered entity must cooperate with the HHS Secretary during the conduct of an investigation or compliance review of its policies, procedures, or practices. For example, it must permit access, during normal business hours, to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance. Further, if the HHS Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, the covered entity must permit access at any time and without notice.
Steps Upon Completion Of Investigation Or Compliance Review
After an investigation pursuant to a complaint, or after a compliance review, the HHS Secretary determines whether or not there is non-compliance.
If No Violation Is Found
If no violation is found, the Secretary will so inform the covered entity. If the matter arose from a person's complaint, HHS will also inform the complainant. Notices must be in writing.
If Non-Compliance Is Found
If the investigation indicates noncompliance, the HHS Secretary will attempt to reach a resolution by informal means, and if unsuccessful, may assess a penalty.
Resolution By Informal Means
The Secretary must first attempt to reach a resolution of the matter by informal means, such as demonstrated compliance, a completed corrective action plan, or other agreement. Resolution must be satisfactory to the Secretary.
No Informal Resolution
If the matter is not resolved by informal means, the HHS Secretary will give the covered entity the opportunity to submit written evidence of any mitigating factors, or to assert affirmative defenses. The evidence must be submitted within 30 days.
Notice Of Proposed Determination
If, after evaluation of the evidence and the affirmative defenses, the HHS Secretary finds that civil money penalties should be imposed, he or she will notify the covered entity through a Notice of Proposed Determination. The Notice of Proposed Determination indicates the amount of proposed penalty, and any mitigating circumstances. In addition, it must contain a description of the findings of fact regarding the acts or omissions with respect to which the penalty is proposed, the reason why these acts or omissions subject the respondent to a penalty, and appropriate references to the statutory basis for the penalty.
HEARING BEFORE ADMINISTRATIVE LAW JUDGE
The Notice of Proposed Determination must also contain a statement of the respondent's right to a hearing. If a respondent disagrees with the HHS findings and the proposed penalty, it can request a review of the proposed determination and a hearing before an ALJ promptly upon receiving the Notice of Proposed Determination.
Request For A Hearing
The request for a hearing must clearly and directly admit, deny, or explain each of the findings of fact contained in the Notice. It must also state the circumstances or arguments that the respondent alleges constitute the ground for any defense, and the factual and legal bases for opposing the penalty. Affirmative defenses can be raised at any time.
Dismissal Of A Hearing Request
A hearing request may be denied. The HHS Secretary may file a motion for dismissal, arguing that the request was not timely filed or does not meet the legal requirements for such a request. The ALJ may also dismiss a hearing request upon determining that the request fails to raise any issue that may properly be addressed in a hearing.
Rights Of The Parties To The Hearing
The parties to the hearing proceedings consist of the respondent and the employees of the HHS to whom the enforcement authority has been delegated. Each party may be accompanied, represented, and advised by an attorney. Each party may conduct discovery of documents, present evidence and witnesses, and cross-examine the other party’s witnesses. Each may also agree to stipulations of fact or law to be included in the record. At the hearing, each party has the right to present oral arguments, and after the hearing, to submit written briefs and proposed findings of fact and conclusions of law.
Authority Of The Administrative Law Judge
The ALJ is responsible for regulating the course of the hearing and the conduct of representatives, parties, and witnesses. Among other things, the ALJ issues subpoenas requiring the attendance of witnesses at hearings and the production of documents; regulates the scope and timing of documentary discovery; examines witnesses; and receives and rules on evidence. The ALJ may also rule on motions and other procedural matters and conduct any conference, argument, or hearing. He or she may rule on summary judgment motions where there is no disputed issue of material fact. The ALJ, however, may not compel settlement negotiations or enjoin any act of the Secretary.
Pre-hearing Conferences
The ALJ must schedule at least one pre-hearing conference and is permitted to hold additional conferences with the parties. These conferences may be used, for example, to identify or simplify the issues, evaluate the necessity or desirability of amendments to the pleadings, or discuss stipulations and admissions. Pre-hearing conferences may also be used to agree on limiting the number of witnesses and on other discovery issues, or to evaluate the potential for settlement of the case by the parties. The ALJ must issue an order containing the matters agreed upon by the parties or ordered by the ALJ at a pre-hearing conference.
Discovery
The Enforcement Rule allows for limited discovery, which includes the production of documents for inspection and copying, and the presentation and cross-examination of witnesses. A party may request the other to produce, for inspection, documents that are relevant and material to the issues before the ALJ: information, reports, answers, records, accounts, papers and other data, and documentary evidence. Requests for admissions, written interrogatories, depositions, and any other forms of discovery are not authorized. A party who has received a request may object to the request and file a motion for a protective order.
Pre-Hearing Disclosures
Before the scheduled hearing, the parties must exchange witness lists, copies of prior written statements of proposed witnesses, and copies of proposed hearing exhibits, including copies of any written statements that the party intends to offer in lieu of live testimony. If, later, a party proposes the admission of evidence not exchanged as set forth above, the ALJ must exclude this additional evidence, unless the ALJ finds that extraordinary circumstances existed. In this case, the ALJ, as appropriate, may allow the objecting party time to prepare and respond to this additional evidence.
Subpoenas
If a party wishes to procure the appearance and testimony of a person at the hearing, it must make a motion requesting the ALJ to issue a subpoena. The subpoena may also require the person to produce evidence at or before the hearing. The other party may file an opposition.
The Hearing
The hearing is open to the public. The respondent has the burden of going forward and the burden of persuasion with respect to any affirmative defense, any challenge to the amount of a proposed penalty (including any factors raised as mitigating factors), and any claim that a proposed penalty should be reduced or waived. The HHS Secretary has the burden on all other issues, including issues of liability and any aggravating factors in determining the amount of the proposed penalty. Whether a party has met the burden of persuasion on an issue will be judged by a preponderance of the evidence. At the hearing, the Administrative Law Judge may examine witnesses, and review, rule on, exclude, or limit evidence.
In meeting its burden of proof, the HHS Secretary may introduce the results of a statistical sampling study as evidence of the number of violations, or the factors considered in determining the amount of the civil money penalty. The statistical sampling study presented by the HHS Secretary, if based upon an appropriate sampling and computed by valid statistical methods, constitutes prima facie evidence of the number of violations and the existence of factors material to the proposed civil money penalty.
Witnesses
Testimony must be given orally by witnesses under oath. However, at the discretion of the ALJ, testimony of witnesses other than expert witnesses may be admitted in the form of a written statement.
The ALJ may also admit prior sworn testimony of experts that have been subject to adverse examination, such as a deposition or trial testimony. However, in this case, the written statement must be provided to the other party in advance, so that it has sufficient time to subpoena the witness for cross-examination at the hearing.
Evidence
The ALJ must determine the admissibility of evidence. She is not bound by the Federal Rules of Evidence, but there are exceptions. For example, evidence concerning offers of compromise or settlement is inadmissible to the extent provided in the Federal Rules of Evidence. However, the ALJ may apply the Federal Rules of Evidence where appropriate, for example, to exclude unreliable evidence.
The ALJ must permit the parties to introduce rebuttal witnesses and evidence. All documents and other evidence offered or taken for the record must be open to examination by both parties, unless otherwise ordered by the ALJ for good cause shown.
The Record
The hearing must be recorded and transcribed. The transcript of the testimony, exhibits, and other evidence admitted at the hearing, and all papers and requests filed in the proceeding constitute the record of the decision by the ALJ and the Secretary. The record is public. It may be inspected and copied by any person, unless otherwise ordered by the ALJ for good cause shown.
Post-hearing Briefs
Although the parties may elect to file post-hearing briefs, the ALJ has discretion to order them to prepare and file post-hearing briefs, as well as reply briefs. The briefs may be accompanied by proposed findings of fact and conclusions of law.
Decision And Appeal
The ALJ’s decision must be based only on the record and must contain findings of fact and conclusions of law. She or he may affirm, increase, or reduce the penalties imposed by the HHS Secretary. Unless this decision is timely appealed, it becomes final and binding on the parties.
APPEALS TO THE HHS BOARD
An appeal of an ALJ’s decision must be filed with the HHS Departmental Appeals Board (“Board”) promptly after service of the decision. A notice of appeal must be accompanied by a written brief specifying exceptions to the initial decision and reasons supporting the exceptions. Any party may file a brief. The brief may raise any relevant issue not addressed in the exceptions. There is no right to appear personally before the Board.
Review Of The Record
Except for an affirmative defense, the Board may not consider any issue not raised in the parties' briefs, or any issue in the briefs that could have been raised before the ALJ but was not. However, a party may opt to demonstrate that additional evidence not presented at the ALJ hearing is relevant and material, and that there were reasonable grounds for the failure to adduce such evidence at the hearing. If the Board is satisfied with the argument, it may remand the matter to the ALJ for consideration of such additional evidence.
The standard of review on an issue of fact is whether the initial decision of the ALJ is supported by substantial evidence on the record. The standard of review on a disputed issue of law is whether the decision is erroneous.
Board's Decision
The Board may decline to review the case, or may affirm, increase, reduce, reverse, or remand the penalty. The Board must serve a copy of its decision on each party, and, as applicable, a statement describing the right of any respondent who is penalized to seek judicial review. The Board’s decision, including a decision to decline review of the initial decision, becomes the final decision of the Secretary 60 days after the date of service of the Board’s decision, unless the Board has remanded the case to the ALJ or reconsideration is requested, as explained below.
Request For Reconsideration
A party may file a motion for reconsideration. This motion must be accompanied by a brief specifying any alleged error of fact or law and, if the party is relying on additional evidence, explaining why the evidence was not previously available. The other party may file a brief in opposition. Reply briefs are not permitted.
Reconsideration And Ruling
The Board will reconsider its decision only if it determines that the decision contains a clear error of fact or error of law. New evidence will not be a basis for reconsideration unless the party demonstrates that the evidence is newly discovered and was not previously available. If the Board denies the motion for reconsideration, the decision becomes the final decision of the Secretary. If the Board grants the motion, the Board will issue a reconsidered decision, after such procedures as the Board determines necessary to address the effect of any error. The Board’s decision on reconsideration becomes the final decision of the Secretary, except with respect to a decision to remand to the ALJ.
JUDICIAL REVIEW
When the decision of the Board becomes final, a respondent may file a petition for judicial review with the applicable U.S. Court of Appeals. Pending judicial review, the respondent may file a request for stay of any penalty with the Administrative Law Judge. The ALJ may not grant a respondent's request for a stay unless the respondent posts a bond or provides adequate security. The filing of the request automatically stays the effective date of the penalty until the ALJ rules upon the request.
FINAL PENALTY, COLLECTION, AND NOTICE TO THIRD PARTIES
If, after receiving a Notice of Proposed Determination, a covered entity does not request a hearing, and the matter is not otherwise settled, the HHS Secretary will impose the proposed penalty or any less severe penalty permitted as discussed above. When a respondent fails to exercise its right to a hearing, it forgoes any further right to appeal the penalty.
Notification Of The Final Penalty
The HHS Secretary will notify the respondent by certified mail of the penalty that has been imposed, and of the means by which the respondent may satisfy the penalty. The penalty is final on receipt of the notice.
Collection Of The Penalty
Once a determination to impose a penalty has become final, the HHS Secretary will collect the sums due. The penalty may be recovered in a civil action in a U.S. District Court where the respondent resides, is found, or is located. It may also be deducted from sums then or later owed to the respondent by the United States or a State agency.
Third-Party Notification
The assessment of civil money penalties affects a covered entity in many ways. In addition to the obligation to pay a penalty, there is a negative effect on the entity’s reputation. The final determination that the covered entity failed to comply with HIPAA will be reported to numerous agencies. These organizations include, as applicable: medical or professional organizations, agencies administering or supervising the administration of State health care programs, utilization and quality control peer review organizations, and licensing agencies or organizations. The notification discloses the assessment of the penalty and the reason for imposing it. It is likely that once this information is reported, it will be available to the public and the media, and might result in bad press.
FUTURE COMPLIANCE ACTIONS
HHS has stated that it intends to seek and promote voluntary compliance with the HIPAA Rules through technical assistance. It is expected that its enforcement efforts will involve responding to complaints, rather than a widespread effort to audit and detect violations. The HHS approach will consist of progressive steps that will provide opportunities for the covered entity to demonstrate compliance or submit a corrective action plan. Nevertheless, the HHS retains the authority to conduct compliance reviews to determine whether a covered entity is complying with the applicable administrative simplification provisions.
In addition to HHS actions under the Final Enforcement Rule, companies should also be concerned about suits that might be filed in court by disgruntled patients. If there is a breach of privacy, the victim may find that reporting the violation to the HHS Secretary for an eventual investigation will not adequately repair the damage caused. He or she may opt to pursue an action personally. Since there is no private right of action, the individual will not be able to assert directly that HIPAA was violated. However, he or she might bring breach of contract, tort, or unfair and deceptive practices claims under state laws. For example, in a negligence claim, in which a standard of care must be established, that standard is likely to be found in the HIPAA Privacy Rule and the HIPAA Security Safeguards. Further, a failure to perform according to these standards might also be deemed an unfair or deceptive trade practice. Similar suits in other industries have shown that actions under section 5 of the FTC Act and equivalent state unfair and deceptive practice statutes can be successful.
CONCLUSION
HIPAA’s Final Enforcement Rule defines a complex multi-step program for the enforcement of the administrative simplification provisions. The case is first evaluated by the HHS, which may ultimately issue a Notice of Proposed Determination. The respondent may ask for a review of the decision by an Administrative Law Judge, who will review the case at a public hearing. The respondent can appeal the ALJ’s decision, and the case is then transferred to the HHS Departmental Appeals Board. If the Board does not decline to review the case, it may affirm, increase, reduce, reverse, or remand the decision. A party may file a motion for reconsideration of the Board’s decision. Ultimately, the Board’s decision becomes final unless the party files a petition for judicial review with the applicable U.S. Court of Appeals.