February 25, 2013. Today, we examine the factors considered in determining the amount of a civil money penalty for a HIPAA violation, as modified in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
The Department of Health and Human Services (HHS) identified “five general factors” for modification of 45 CFR 160.408 in conformance with the HITECH Act:
- Nature and extent of the violation
- Nature and extent of the harm resulting from a violation
- History of prior compliance with the administrative simplification provision, including violations by the covered entity or business associate
- Financial condition of the covered entity or business associate
- Such other matters as justice may require.
Within each of the five general categories, HHS identified “specific factors” for consideration; information bearing on these specific factors would be collected and compiled during an investigation. As we pointed out in our enforcement posting last week, the modified 45 CFR 160.306, at 78 Federal Register 5690, provides for:
(1) The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect.
(2) The Secretary may investigate any other complaint filed under this section.
(3) An investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation.
(4) At the time of the initial written communication with the covered entity or business associate about the complaint, the Secretary will describe the acts and/or omissions that are the basis of the complaint.
Here is the modified 45 CFR 160.408, at 78 Federal Register 5691, that outlines the five general factors and specific factors within each of the five:
Factors considered in determining the amount of a civil money penalty.
In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate:
(a) The nature and extent of the violation, consideration of which may include but is not limited to:
(1) The number of individuals affected; and
(2) The time period during which the violation occurred;
(b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
(1) Whether the violation caused physical harm;
(2) Whether the violation resulted in financial harm;
(3) Whether the violation resulted in harm to an individual’s reputation; and
(4) Whether the violation hindered an individual’s ability to obtain health care;
(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the current violation is the same or similar to previous indications of noncompliance;
(2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance;
(3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
(4) How the covered entity or business associate has responded to prior complaints;
(d) The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply;
(2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and
(3) The size of the covered entity or business associate; and
(e) Such other matters as justice may require.
We recommend that you visit three of the sites that the Office for Civil Rights (OCR) maintains regarding enforcement: Enforcement Process, Case Examples and Resolution Agreements, and HIPAA Privacy & Security Audit Program. OCR is HHS’ enforcement arm for HIPAA Privacy and Security Rules and the HITECH Act Breach Notification Rule. Each of these sites provides information on the enforcement process and examples of the type of information OCR seeks during an investigation to address the general and specific factors identified in 45 CFR 160.408 above, as modified and effective March 26, 2013.
Tomorrow, we examine the HITECH Act role of State Attorneys General in the enforcement process.