HHS Issues Proposed Enforcement Rule
Health Data Management (April 18, 2005)

The Department of Health and Human Services has published a proposed HIPAA enforcement rule. The proposed rule is available in the April 18 issue of the Federal Register at gpoaccess.gov/fr/index.html.
The proposed rule replaces an interim enforcement rule published two years ago that primarily covered steps the government would take to impose civil fines for violations of non-privacy HIPAA rules. Many provisions of the interim rule are included in the proposed rule, but the scope of the proposed rule is much larger.

Medicare prescription drug discount card sponsors, for instance, would be covered entities. In addition, enforcement provisions that previously applied only to the privacy rule would now apply to all HIPAA regulations.

For example, an enforcement regulation written into the privacy rule prohibits intimidation or other retaliatory action against individuals or covered entities that file a non-compliance complaint or cooperate in enforcement processes. Under the proposed enforcement rule, that regulation would now protect individuals or entities filing complaints of any HIPAA rule violations.

Under the proposed rule, the Centers for Medicare and Medicaid Services would continue to be responsible for enforcing the non-privacy rules; the Office for Civil Rights would continue to enforce the privacy rule.

The proposed rule also implies that HHS may stray from its philosophy of investigating the compliance status of covered entities only upon receipt of a complaint of non-compliance.

“At present, our compliance and enforcement activities are primarily complaint-based,” according to the proposed enforcement rule. “Although our enforcement efforts are focused on investigating complaints, they may also include conducting compliance reviews to determine if a covered entity is in compliance.”

Under the proposed enforcement rule, the department will maintain its current practice of working with non-compliant entities to help them become compliant, reserving civil fines or filing criminal complaints only if an entity does not cooperate. The proposed rule lays out the enforcement processes HHS will take. The department will refer violations subject to criminal penalties to the Department of Justice.

Posted to HIPAAcomply 4/20/05