Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team


Modifications

The Rule’s provision for modifications (§160.104) follows the same approach as the other HIPAA regulations. "The Secretary may adopt a modification at any time during the first year after the standard [rule] or implementation specification is initially adopted [the rule becomes effective – for example April 14, 2001], if the Secretary determines that the modification is necessary to permit compliance with the standard or implementation specification." This will permit the Secretary to correct this Rule, which is initially effective on April 14, 2001, up to April 14, 2002.

After the first year (again April 14, 2001), the Secretary may adopt a modification to the Rule and its standards no more frequently than once every 12 months, and the Secretary will establish the compliance date for any modification made under this Rule. Such a compliance date can occur "no earlier than 180 days after the effective date of the final rule in which the Secretary adopts the modification." The Rule also permits the Secretary to "consider the extent of the modification and the time needed to comply with the modification in determining the compliance date for the modification." The Rule can also "extend the compliance date for small health plans, as the Secretary determines is appropriate."

{Essentially, under HIPAA the National Committee on Vital and Health Statistics would be one of the initiators of modifications to this Rule. The Secretary would have to use the NPRM and the final rule process to seek public comment and issue the final regulation.}

Transition Provisions

Standard: Effect of Prior Consents and Authorizations

Specification: Requirements for Retaining Effectiveness of Prior Consents and Authorizations
This section of the Rule, §164.532, deals with situations that might arise when a consent, authorization, or other "express legal permission" is obtained from an individual before this Rule becomes effective on the appropriate compliance date. This section permits exceptions to the Rule’s requirements for consents and authorizations. It does not override any other requirement of the Rule. This section is written in very legalistic terms, but, essentially, sections §164.532(a) and (b) say that if such a permission was in place before the Rule’s compliance date, the covered entity may continue to use or disclose PHI as follows:

  • If the permission was for the purpose of treatment, payment or healthcare operations, the covered entity may, with respect to PHI that it created or received before the applicable compliance date, use or disclose such information for the purposes of carrying out treatment, payment or healthcare operations, provided that:
    • The covered entity does not use or disclose such information that is expressly excluded from the permission document; and
    • The covered entity complies with all limitations placed by the permission document in effect.
  • If the permission was for a purpose other than to carry out treatment, payment, or healthcare operations, the covered entity may, with respect to PHI that it created or received before the applicable compliance date, make such use or disclosure, provided that:
    • The covered entity does not use or disclose such information that is expressly excluded from the permission document; and
    • The covered entity complies with all limitations placed by the permission document in effect.
  • If the permission identifies a specific research project that includes treatment of individuals, then:
    • If the permission specifically permits a use or disclosure for purposes of the project, the covered entity may, with respect to PHI that it created or received either before or after the applicable compliance date of the Rule and to which the consent or authorization applies, make such use or disclosure for purposes of that project.
    • If the permission is a general consent to participate in the project, and a covered entity is conducting or participating in the research, such covered entity may, with respect to PHI that it created or received as part of the project before or after the applicable compliance date of the Rule, make a use or disclosure for purposes of that project.

      Either of these last two conditions is permitted provided that the covered entity complies with all limitations placed by the permission.

  • If, after the applicable compliance date of the Rule, a covered entity agrees to a restriction requested by an individual, then any subsequent use or disclosure of PHI that is subject to that restriction and is based on one of the permissions just described in this section (§164.532) must comply with the restriction.

Compliance and Enforcement

Applicability and Principles for Achieving Compliance

The Rule (§160.300 and .304) indicates that compliance is required of all covered entities and any others mentioned in the Rule itself.

The Rule specifically mentions that "the Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the applicable…standards, requirements, and implementation specifications." The Rule further states that "the Secretary may provide technical assistance to covered entities to help them comply voluntarily with" these same applicable standards, etc.

{Past experience indicates that the Secretary and DHHS will try to provide as much assistance as possible. To date most of this has been via the DHHS Web sites and DHHS staff who have participated in numerous conferences, workshops, and so on. While these efforts have been a tremendous help, HIPAA seems to indicate Congress’s desire to have DHHS take an even more active role. To date, however, Congress has not funded such a role.}

Complaints to the Secretary

Right to File a Complaint
The Rule states (§160.306) that "a person who believes a covered entity is not complying with the applicable requirements of … [the Rule] … may file a complaint with the Secretary."

Requirements for Filing Complaints
Complaints made to the Secretary must meet the following requirements:

  • "A complaint must be filed in writing, either on paper or electronically."

  • "A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable…standards, requirements, and implementation specifications of" [this Rule].

  • "A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown."

  • "The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register."

Investigation
The Secretary is empowered to and "may investigate" the complaints just reviewed. "Such investigation may include a review of the pertinent policies, procedures, or practices of the covered entity and of the circumstances regarding any alleged acts or omissions concerning compliance."

Compliance Reviews
The Secretary "may" also "conduct compliance reviews to determine whether covered entities are complying with the applicable requirements" of this Rule.

Responsibilities of Covered Entities

Provide Records and Compliance Reports
Section 160.310 of the Rule requires that "A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the applicable…standards, requirements, and implementation specifications" of the Rule.

Cooperate with Complaint Investigations and Compliance Reviews
The Rule essentially says a covered entity must cooperate with the Secretary in any cases where any such investigation(s) or compliance review(s) occur.

Permit Access to Information
The Rule covers three areas regarding access to information during an investigation or compliance review:

  • Similar to Medicare regulations, the Rule states that "A covered entity must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including PHI, that are pertinent to ascertaining compliance with the applicable … standards," etc., of the Rule. "If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity must permit access by the Secretary at any time and without notice."

  • "If any information required of a covered entity under … [the Rule] … is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information."

  • "PHI obtained by the Secretary in connection with an investigation or compliance review…will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable…standards," etc., of the Rule, "or if otherwise required by law."

Secretarial Action Regarding Complaints and Compliance Reviews

Resolution Where Noncompliance Is Indicated
"If an investigation … or compliance review … indicates a failure to comply, the Secretary will so inform the covered entity and, if the matter arose from a complaint, the complainant, in writing, and attempt to resolve the matter by informal means whenever possible." If the matter cannot be resolved by informal means, the Secretary "may issue to the covered entity and, if the matter arose from a complaint, to the complainant written findings documenting the noncompliance."

Resolution When No Violation Is Found
If, after investigation or review, the Secretary determines that no further action is warranted, the Secretary will inform the covered entity and, if the incident arose from a complaint, the complainant, in writing.

{The preamble notes (65 FR 82487) that DHHS plans to issue an "Enforcement Rule" that applies to all the HIPAA regulations for administrative simplification. This enforcement rule will address the imposition of civil monetary penalties and the referral of criminal cases where there has been a violation of this Privacy Rule. Depending on the nature of the violation and how the enforcement rule is written, financial penalties could range anywhere from $100 to $250,000 per incident. Criminal penalties, especially those related to inappropriate use or disclosure of PHI, could range anywhere from one to ten years in prison in addition to the fine.}
