
March 15, 2006


FINAL HIPAA ENFORCEMENT RULE

The Department of Health and Human Services (HHS) has published a final enforcement rule[1] for all of the Administrative Simplification rules under the Health Insurance Portability and Accountability Act (HIPAA). The final HIPAA enforcement rule, which takes effect on March 16, 2006, applies to the HIPAA EDI rules,[2] the HIPAA privacy rules,[3] the HIPAA security rules[4] and the HIPAA unique identifiers.[5]

This Capital Checkup covers the following:

  • HHS's General Approach to HIPAA Enforcement
  • Process for Imposing Civil Monetary Penalty
  • Business Associate Contract as Shield to Liability
  • Guidance on Enforcement of the HIPAA Security Rule

HHS's General Approach to HIPAA Enforcement

The final enforcement rule reinforces HHS's basic approach to HIPAA enforcement: relying on complaints to detect violations, seeking voluntary compliance through informal means, and providing technical assistance to help covered entities comply. Only if a complaint is not resolved informally will HHS begin the process that can lead to the imposition of civil monetary penalties.

In addition to complaint investigations, HHS also has authority to initiate compliance reviews. The final enforcement rule does not specify the circumstances that would lead HHS to initiate a compliance review or the time frame for completing such a review.

Process for Imposing Civil Monetary Penalty

If a complaint is not resolved informally, and if HHS believes that a civil monetary penalty is warranted, HHS will then begin the process that may lead to the imposition of civil monetary penalties. An important part of that process is HHS's "notice of proposed determination." This detailed document must include (among other things) a description of the alleged violation and the amount of the proposed penalty. HHS can assess a penalty of up to $100 a day for each violation (up to a maximum of $25,000 per calendar year for identical violations). Some of the factors that will affect the amount of the proposed penalty include the nature of the violation, the circumstances (including the consequences) of the violation, the degree of the covered entity's culpability, the covered entity's history of compliance or non-compliance with the Administrative Simplification rules, and the financial condition of the covered entity.

A covered entity may request a formal hearing before an administrative law judge. This is a formal proceeding with pre-hearing discovery and the presentation of evidence, witnesses and oral arguments. The covered entity may appeal the administrative law judge's written decision to the HHS Departmental Appeals Board. The Board's decision is reviewable in court.

Business Associate Contract as Shield to Liability

Generally, a covered entity is liable for the acts or omissions of any agent (including a workforce member) acting within the scope of the agency. However, the enforcement rule contains an important - and limited - exception relating to business associates. Specifically, a covered entity is not liable for the acts or omissions of a business associate if:

  • The covered entity has a written business associate contract in place with that business associate and that contract complies with the applicable requirements of HIPAA's privacy and security rules; and
  • If the covered entity knew of a pattern of activity or practice by the business associate that amounted to a breach or violation of that contract, the covered entity took reasonable corrective action. (Corrective action means taking steps to cure the breach or end the violation. If those efforts are not successful, the covered entity would need to terminate the relationship or, if termination is not feasible, report the problem to HHS.)

Covered entities that do not have appropriate business associate contracts for both privacy and security rule compliance should consider getting them in place as soon as possible.

Guidance on Enforcement of the HIPAA Security Rule

The enforcement rule addresses the following aspects of HHS's approach to enforcement of HIPAA's security rule:

  • Failure to document a covered entity's determination that an addressable implementation specification[6] is not reasonable and appropriate is itself a violation of the security rule. So is the failure to implement an alternative measure determined to be reasonable and appropriate.
  • The failure to conduct a HIPAA security risk analysis is not only a violation of the risk analysis requirement of the security rule. It could lead to other violations of the security rule because the risk analysis is the basis for a covered entity's determination not to implement addressable implementation specifications. For example, one of the security rule's addressable implementation specifications requires encryption of stored data. A risk analysis might provide the covered entity with a sound rationale for not encrypting stored data and implementing other safeguards instead. Without that documented rationale, the covered entity could be cited for failing to encrypt stored data.
  • The failure to conduct the required risk analysis is a "continuing" violation of the security rule, meaning that a separate violation will be deemed to occur on each day such a violation continues. Thus, the penalty for this violation alone could amount to $100 per day (up to a maximum of $25,000 per calendar year).

[1] The final HIPAA Enforcement Rule was published in the February 16, 2006 issue of the Federal Register.
[2] For more information about these rules, see The Segal Company's June 2003 Bulletin, "Final HIPAA EDI Rules".
[3] For more information about these rules, see Segal's October 2002 Bulletin, "Final HIPAA Privacy Rules".
[4] For more information about these rules, see Segal's April 2003 Bulletin, "Final HIPAA Security Rules".
[5] CMS has issued final rules for the unique employer identifier and the unique health care provider identifier. The unique health plan identifier is in development.
[6] An addressable implementation specification is one way of meeting a required standard. Covered entities can either implement an addressable implementation specification as is or implement alternative measures consistent with the underlying standard. Covered entities must go through the process of determining whether implementation specifications are reasonable and appropriate.


Capital Checkup is The Segal Company's periodic electronic newsletter summarizing activity in Washington with respect to health care and related subjects. Capital Checkup is for informational purposes only. It is not intended to provide guidance on current laws or pending legislation. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.
