HOSPITAL HIGHLIGHTS

Prepared for AHA members whenever there is important HIPAA-related news.
(If you do not receive three pages of this document, call (202) 626-2973.)

HHS Releases Final HIPAA Enforcement Rule

February 24, 2006

The Department of Health and Human Services (HHS) published the final rule detailing the enforcement regulations for the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the February 16 Federal Register. The enforcement rule applies to all the HIPAA administrative simplification regulations: privacy, security, transaction standards, code sets and identifiers. It establishes a procedural process for imposing civil monetary penalties (CMPs) for a violation and provides substantive detail regarding the bases of liability and the determination of CMP amounts. The enforcement rule does not address the imposition of criminal penalties for a HIPAA violation, as these are enforced by the Department of Justice.

In the final enforcement rule, HHS reaffirms its commitment to encouraging voluntary compliance and using a complaint-based process to identify and correct violations of the HIPAA requirements. While HHS adopted most of the proposed rule without alteration, there are some significant changes that were made in response to comments from the AHA and other stakeholders. The final enforcement rule, along with the AHA’s comment letter on the proposed rule, can be found at www.aha.org/aha/key_issues/hipaa/jsp/whatsnew.jsp.

Changes from the Proposed Rule

The enforcement rule responds positively to several issues raised by the AHA and our member hospitals. The final rule includes the following significant changes:

• Clarifies that joint and several liability will not be imposed on all members of an affiliated single covered entity (ASCE) if it is established that an individual member of the ASCE was responsible for the violation. While this is treated as an affirmative defense, it may be raised at any time.
• Requires HHS to include in the notice of proposed determination a copy of the study upon which its statistical sampling findings are based.
• Expands the time that a respondent will have to file its request for a hearing to 90 days from the proposed rule’s 60 days.

Informal Processes

Consistent with the proposed rule, the final rule affirms HHS’ ability to conduct compliance reviews to determine if a covered entity is in compliance. In commenting on the proposed rule, the AHA asked that HHS provide hospitals with additional information on how these reviews will be conducted and how entities would be selected for such reviews. HHS responded that compliance reviews are “conducted at the discretion of the Secretary” and further notes that giving specific instances in which a compliance review will be conducted would have the “counterproductive” effect of skewing compliance efforts towards those aspects of compliance that had been previously identified. HHS wishes to maintain flexibility at this “early stage of the enforcement program.” The AHA is pleased that HHS has provided assurances to covered entities that it would not undertake a compliance review without notice to the covered entity or without specifying the basis for, or focus of, the review.

Publicity of Penalties Imposed

The AHA is disappointed that in the final rule HHS failed to take a more temperate approach to public disclosure of penalties. We are concerned that because most CMPs are likely to be technical in nature, their public disclosure might mislead the public and cause unfair harm to the reputation of the provider. HHS notes, however, that the basis of this public notice provision lies not in the HIPAA statute but in the Freedom of Information Act, which requires final opinions and orders made in adjudication cases to be made available for public inspection and copying.
HHS also believes that the publication of the entire final opinion or order will allow the public to discern the nature and extent of the violation.

Liability for Others

Business Associates. HHS retained the provisions of the proposed enforcement rule that clarify that hospitals and other covered entities are not liable for the actions of their business associates, including clearinghouses, so long as the hospitals take certain actions required by the privacy rule. Specifically, the privacy rule requires hospitals that know of a violation by a business associate to attempt to end or cure the violation and, if unsuccessful, terminate the contract or report the problem to the Secretary if termination is not feasible. Thus, if a hospital takes this required action regarding a business associate’s violations, the hospital will not be liable for such violations.

Agents. The final enforcement rule states that covered entities, including hospitals, can be held liable for the “actions of any agent, including an employee or other workforce member, acting within the scope of the agency or employment.” This could include independent contractors and volunteers. Responding to the AHA’s comments, HHS clarified that if a covered entity does not have direct control over independent contractors and volunteers, they do not fall within the definition of “workforce.” HHS notes that independent contractors who are not under the direct control of the covered entity, but perform a function or activity that involves a HIPAA transaction, would fall under the definition of a “business associate.” In addition, HHS acknowledges that hospitals have less control over volunteers and trainees; however, hospitals do control volunteers’ and trainees’ performance of activities that are governed by the HIPAA rules, such as access to protected health information. HHS will examine the acts of volunteers and trainees on a case-by-case basis to determine whether they are acting as agents.
The AHA is disappointed that HHS has maintained the provision to use the Federal Common Law of Agency to impose liability on hospitals for the actions of their agents. Because HHS has retained this provision, it is possible that a hospital will be subject to more liability under the Federal Common Law than it would under state law.

Affiliated Single Covered Entities. The proposed enforcement rule held hospitals that participate in an ASCE jointly and severally liable for violations by the ASCE. In response to AHA comments, HHS modified the provision so that a covered entity member of an ASCE may avoid liability if it can establish that another member was responsible for the violation. While this must be raised as an affirmative defense by the covered entity, it may be raised at any time. The AHA and hospitals submitted comments reflecting the concern that the ASCE is a legal fiction to create liability under the HIPAA privacy and security rules, and that the proposed rule substituted this fiction for the corporate form and structure to establish the basis for enterprise liability under U.S. law. However, HHS holds that the ASCE is “more than a legal fiction.” HHS views the ASCE as a “joint venture” because HHS concludes that the ASCE is an operational approach in which covered entities agree to conduct their business in a certain manner and hold themselves out to the world as a joint undertaking.

Organized Health Care Arrangements. While the proposed enforcement rule stated that membership in an Organized Health Care Arrangement (OHCA) does not make the hospital liable for violations of other members, the AHA was concerned about a preamble statement that membership in an OHCA “could be a factor considered in the analysis” of liability. In comments to HHS, the AHA asked for clarification that membership in an OHCA would not increase a covered entity’s exposure to liability.
In the final rule, HHS clarified that members of an OHCA would be individually – not jointly and severally – liable for any violation of the HIPAA rules.

Procedural Matters

The final rule also made some positive changes to several procedural requirements and issues that the AHA identified as potentially problematic to hospitals’ ability to present a defense or appeal an adverse ruling, including the imposition of a CMP. HHS, for example:

• Modified the provision relating to determinations of the number of violations so that the number of violations of an “identical requirement” or prohibition will be based on the substantive requirement or prohibition that was violated, and not on multiple variables to be applied at the Secretary’s discretion as provided under the proposed rule; and
• Removed the previously proposed limits on the administrative law judge’s discretion to alter the determination of CMPs.

However, the AHA is disappointed that HHS decided to retain the provision that “testimony and other evidence obtained in an investigational inquiry may be used by HHS in any of its activities and may be used or offered into evidence in any administrative or judicial proceeding.”