February 20, 2013. Today, we begin examination of HITECH Act modifications of HIPAA Enforcement, focusing on the meaning and consequences of willful neglect in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Willful neglect is defined as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.” 45 CFR 160.401.
Section 13410(a) of the HITECH Act [123 STAT. 271] added a new subsection (c) to section 1176 of the Social Security Act:
(c) Noncompliance Due to Willful Neglect.
(1) In general. A violation of a provision of this part due to willful neglect is a violation for which the Secretary is required to impose a penalty under subsection (a)(1) [General Penalty. In General.]
(2) Required investigation. For purposes of paragraph (1), the Secretary shall formally investigate any complaint of a violation of a provision of this part if a preliminary investigation of the facts of the complaint indicate such a possible violation due to willful neglect.
HHS made four proposed modifications to buttress investigations and imposition of penalties for willful neglect that were adopted in the Final Rule [78 Federal Register 5578]:
Complaint Investigations. “The October 30, 2009, Enforcement Rule at 45 CFR 160.306(c) currently provides the Secretary with discretion to investigate HIPAA complaints through the use of the word ‘may.’ As a practical matter, however, the Department currently conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules. Nonetheless, to implement section 1176(c)(2) [above], the Department proposed to add a new paragraph (1) [above] … to make clear that the Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect. [emphasis added] Under proposed 45 CFR 160.306(c)(2), the Secretary would have continued discretion with respect to investigating any other complaints.”
Compliance Reviews. “The Department proposed to modify 45 CFR 160.308 by adding a new paragraph (a) to provide that the Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provision when a preliminary review of the facts indicates a possible violation due to willful neglect. Like 45 CFR 160.306(c) with respect to complaints [discussed above], the current 160.308(c) provides the Secretary with discretion to conduct compliance reviews. While section 13410(a) of the HITECH Act specifically mentions complaints and not compliance reviews with respect to willful neglect, the Department proposed to treat compliance reviews in the same manner because it believed doing so would strengthen enforcement with respect to potential violations of willful neglect and would ensure that investigations, whether or not initiated by a complaint, would be handled in a consistent manner. Under proposed 45 CFR 160.308(b), the Secretary would continue to have discretion to conduct compliance reviews in circumstances not indicating willful neglect.”
Resolving Investigations or Compliance Reviews. “Given the HITECH Act’s requirement that the Secretary impose a penalty for any violation due to willful neglect, the Department proposed changes to 45 CFR 160.312, which currently requires the Secretary to attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. The NPRM proposed to provide instead in 45 CFR 160.312(a) that the Secretary ‘may’ rather than ‘will’ attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. This change would permit the Department to proceed with a willful neglect violation determination as appropriate, while also permitting the Department to seek resolution of complaints and compliance reviews that did not indicate willful neglect violations by informal means (e.g., where the covered entity or business associate did not know and by exercising reasonable diligence would not have known of a violation, or where the violation is due to reasonable cause).”
Compliance Cooperation. “The Department proposed a conforming change to 45 CFR 160.304(a), which currently requires the Secretary to seek, to the extent practicable, the cooperation of covered entities in obtaining compliance with the HIPAA Rules. The July 14, 2010, Notice of Proposed Rule Making (NPRM) proposed to clarify that the Secretary would continue to do so ‘consistent with the provisions of this subpart’ in recognition of the new HITECH Act requirement to impose a civil money penalty for a violation due to willful neglect. While the Secretary often will still seek to correct indications of noncompliance through voluntary corrective action, there may be circumstances (such as circumstances indicating willful neglect), where the Secretary may proceed directly to formal enforcement.”
The Final Rule adopted the modifications discussed above, which are in 45 CFR 160.304, 160.306, 160.308, and 160.312, effective March 26, 2013, and accessible online at the link at the top of this post [78 Federal Register 5690-5691].
Tomorrow, we look at the penalty structure for violations of HIPAA Rules.