OCR Finalizes Provisions to the HIPAA Enforcement Rule in the HIPAA Megarule To Address Liability and Civil Money Penalties for HIPAA Violations
On January 17, 2013, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services released the long-awaited “omnibus final rule” (“HIPAA Megarule”) that adopted four final rules that contain modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) and other modifications previously proposed by the OCR in other rulemaking.1 The HIPAA Megarule adopted several modifications to the HIPAA Enforcement Rule that were proposed by the OCR in previous rulemaking.2 The modifications to the HIPAA Enforcement Rule will have a significant effect in terms of determining the potential liability of Covered Entities and Business Associates, and the imposition and calculation of civil money penalties for HIPAA violations.3
Some of the significant modifications in the Megarule to the HIPAA Enforcement Rule include the provisions affecting compliance and investigations by the OCR, the imposition of civil money penalties, liability of Covered Entities for acts or actions by Business Associates, liability of Business Associates for acts or actions of a Business Associates’ contractors, and mandatory civil monetary penalties for violations due to willful neglect.4
Effective Date of Modifications to the HIPAA Enforcement Rule
The HIPAA Megarule is effective date on March 26, 2013, and the compliance date for Covered Entities and Business Associates for compliance with the new or modified standards and implementation specifications in the HIPAA Megarule is September 26, 2013.5 The modifications to the HIPAA Enforcement Rule are effective, however, on the effective date of the Megarule (March 26, 2013) because the provisions in the Enforcement Rule are not standards or implementation specifications.
Compliance Investigations and Compliance Reviews
The HIPAA Megarule amended the Enforcement Rule to require the OCR to investigate any complaint when a preliminary review of the facts indicates a possible violation due to willful neglect. As a result, Covered Entities and Business Associates will be faced with the possibility of a mandatory investigation of a complaint when a preliminary review of the facts by the OCR indicates a possible violation due to willful neglect. The HIPAA Enforcement Rule defines “willful neglect” as conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”6 The HIPAA Megarule continues to provide that the OCR has the discretion to decline to investigate a complaint where a preliminary investigation does not indicate that the alleged violation is due to willful neglect.7 However, Covered Entities and Business Associates should take note of the OCR’s comment that as a practical matter the OCR “conducts a preliminary review of every complaint received and proceeds with an investigation in every eligible case where the facts indicate a possible violation of the HIPAA Rules.”8
OCR adopted a similar modification in the HIPAA Megarule to require the OCR to conduct a compliance review to determine whether a Covered Entity or Business Associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect. The OCR previously had discretion to conduct compliance reviews. Although the HITECH Act did not require this modification to the provisions governing compliance reviews, the OCR considered treating compliance reviews in the same manner as investigating complaints to strengthen enforcement with respect to potential violations of willful neglect.9
The OCR also modified the HIPAA Enforcement Rule to provide that the OCR may attempt to resolve complaint investigations or compliance reviews indicating noncompliance by informal means. The HIPAA Enforcement Rule had previously provided that the OCR will attempt to reach a resolution by informal means. This change was adopted by the OCR to clarify that the OCR may proceed directly with a willful neglect violation determination as appropriate, while also permitting the OCR to seek resolution of complaints and compliance reviews that did not indicate willful neglect violations by informal means.10 These changes are also underscored by the OCR’s comments in the Megarule “while the Secretary often will still seek to correct indications of noncompliance through voluntary corrective action, there may be circumstances where the Secretary may proceed directly to formal enforcement.”11
Imposition of Civil Money Penalties
The HITECH Act established four tiers of increasing penalty amounts to correspond to the levels of culpability associated with the violation of the HIPAA Rules.12 The first tier or category of violation (and lowest penalty tier) covers situations where the Covered Entity or Business Associate did not know, and by exercising reasonable diligence would not have known, of a violation. The second category of violation applies to violations due to reasonable cause and not to willful neglect. The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period and willful neglect that is not corrected.13
In the preamble to the HIPAA Megarule, the OCR commented that the mens rea or state of mind with respect to the first, third and fourth categories of violations was clear in that there is no mens rea with the first category and mens rea is presumed with the third and fourth categories of violation. OCR amended the definition of “reasonable cause” in the Megarule to clarify the mens rea associated with the second category of violations and to clarify the scope of violations that come within the second category.14 The definition of “reasonable cause” in the HIPAA Enforcement Rule after the effective date of the Megarule is “an act or omission in which a Covered Entity or Business Associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the Covered Entity or Business Associate did not act with willful neglect.”15
An important aspect here is that the OCR considers the amended definition of “reasonable cause” to include violations due both to circumstances that would make it unreasonable for the Covered Entity or Business Associate, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated, as well as to other circumstances in which a Covered Entity or Business Associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.16 The OCR included examples and other guidance in the NPRM regarding how it plans to apply the definitions of “reasonable cause” as well as “reasonable diligence” and “willful neglect” in the four tiers of penalties in calculating a civil money penalty under the HIPAA Enforcement Rule.17
Liability for Acts of Business Associates
Another significant modification included in the HIPAA Megarule was the amendment to the HIPAA Enforcement Rule to make a Covered Entity liable for the acts of its Business Associates who are agents of the Covered Entity in accordance with the federal common law of agency.18 Prior to this modification, the HIPAA Enforcement Rule contained an exception that Covered Entities were not liable for the acts of Business Associates where the relevant business associate requirements have been satisfied, the Covered Entity did not know of a pattern or practice of the Business Associate in violation of their business associate agreement with the Covered Entity, and the Covered Entity did not fail to act as required by the HIPAA Privacy Rule or Security Rule with respect to such violations. The Megarule also provides for civil money penalty liability against a Business Associate for the acts of its workforce members and its business associates acting within the common law scope of agency.19
OCR made several comments regarding the analysis and factors to consider in determining whether an agency relationship exists between a Covered Entity and a Business Associate (or between a Business Associate and its contractors). The following are some of OCR’s comments:
- An analysis of whether a Business Associate is an agent of a Covered Entity is fact specific, and takes into account the terms of the business associate agreement and the totality of the circumstances of the ongoing relationship between the parties.
- The essential factor in determining whether an agency relationship exists is the right or authority of a Covered Entity to control the Business Associate’s conduct in the course of performing services on behalf of the Covered Entity.
- A business associate agreement does not by itself establish an agency relationship, unless the terms of the agreement give the Covered Entity the authority to direct the performance of the Business Associate or give interim instructions and directions during the course of the relationship.20
Factors Relevant to Determining Civil Money Penalty Amounts
The HIPAA Megarule revised the structure and list of factors in the HIPAA Enforcement Rule that the OCR must consider when determining a civil money penalty for a HIPAA violation. This modification to the list of factors to consider when determining a civil money penalty was intended to clarify the requirement in the HITECH Act that the OCR consider the nature and extent of the violation and the nature and extent of the harm resulting from the HIPAA violation.21
The OCR adopted in the HIPAA Megarule the following five general factors that OCR will consider in determining a civil money penalty for a HIPAA violation:
- The nature and extent of the violation;
- The nature and extent of the harm resulting from the violation;
- The history of prior compliance with the administrative simplification provision, including violations by the Covered Entity or Business Associate;
- The financial condition of the Covered Entity or Business Associate; and
Under the first, second and third factors listed above, the OCR also adopted circumstances which may be considered in determining a penalty amount. For example, OCR included “the number of individuals affected” and “the time period during which the violation occurred” under the first factor as relevant to the nature of the violation. Under the second factor, the OCR added “reputational harm” to the specific circumstances which may be considered in addition to physical harm, financial harm, and the ability of an individual to obtain healthcare. In the third factor above, the Megarule included the terms “previous indications of noncompliance” by a Covered Entity or Business Associate instead of “prior violations” because the OCR does not consider the number of “violations” to be indicative of a Covered Entity’s or Business Associates’ general history of compliance with all HIPAA Rules.23
The modifications and changes to the HIPAA Enforcement Rule in the HIPAA “Megarule” as a result of the HITECH Act and other rulemaking by the OCR significantly strengthen the HIPAA enforcement powers of the OCR. Although the OCR appears to have adopted most of its previously proposed modifications and changes to the HIPAA Enforcement Rule, the Megarule does include several important clarifications regarding the imposition and calculation of civil money penalties for violations of the HIPAA Rules. From a Covered Entity’s and Business Associate’s perspective, the clarification comments in the Megarule provides additional guidance as to when they may be subject to imposition of a civil money penalty under HIPAA.