HIPAA Regulations: Compliance and Enforcement: Complaints to the Secretary - § 160.306

As Contained in the HHS HIPAA Rules

 

HHS Regulations as Amended January 2013
Compliance and Enforcement: Complaints to the Secretary - § 160.306

 

(a) Right to file a complaint. A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary.

(b) Requirements for filing complaints. Complaints under this section must meet the following requirements:

(1) A complaint must be filed in writing, either on paper or electronically.

(2) A complaint must name the person that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable administrative simplification provision(s).

(3) A complaint must be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown.

(4) The Secretary may prescribe additional procedures for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.

(c) Investigation. (1) The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect.

(2) The Secretary may investigate any other complaint filed under this section.

(3) An investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation.

(4) At the time of the initial written communication with the covered entity or business associate about the complaint, the Secretary will describe the acts and/or omissions that are the basis of the complaint.

 

HHS Description and Commentary From the January 2013 Amendments
Compliance and Enforcement: Complaints to the Secretary

 

Section 13410(a) of the HITECH Act adds a new subsection (c) to section 1176 of the Social Security Act, which requires the Department to formally investigate a complaint if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect (section 1176(c)(2)) and to impose a civil money penalty for a violation due to willful neglect (section 1176(c)(1)). The Department proposed a number of modifications to Subpart C of the Enforcement Rule to implement these provisions.

Proposed Rule

First, § 160.306(c) of the Enforcement Rule currently provides the Secretary with discretion to investigate HIPAA complaints through the use of the word “may.” As a practical matter, however, the Department currently conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules.

Nonetheless, to implement section 1176(c)(2), the Department proposed to add a new paragraph (1) to § 160.306(c) (and to make conforming changes to the remainder of § 160.306(c)) to make clear that the Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect. Under proposed § 160.306(c)(2), the Secretary would have continued discretion with respect to investigating any other complaints.

Note: The remainder of the description and commentary is the same for sections 160.304, 160.306, 160.308 and 160.312.

Overview of Public Comments

One commenter supported maintaining the current language at §§ 160.306 and 160.308 of the Enforcement Rule, providing the Secretary with discretion to conduct complaint investigations and compliance reviews, regardless of indications of willful neglect. One commenter suggested that OCR look to whether facts indicate a “probable,” rather than “possible,” violation due to willful neglect to limit the likelihood of unnecessary formal investigations or compliance reviews. While one commenter supported the proposal to require a compliance review in circumstances indicating a possible violation due to willful neglect, others argued that requiring compliance reviews in such circumstances is not required by the statute, will detract from resources to investigate complaints, and will be duplicative if a formal complaint investigation is also underway.

Several commenters expressed concern over the proposal at § 160.312(a) to give the Secretary discretion, rather than to require the Secretary, to attempt to resolve investigations or compliance reviews indicating noncompliance by informal means, even in cases of noncompliance that did not involve willful neglect (e.g., cases involving reasonable cause or lack of knowledge of a violation). Commenters indicated support for the Department’s seeking compliance through voluntary corrective action as opposed to formal enforcement proceedings and argued that the Department should retain the requirement for the Secretary to attempt informal resolution in all circumstances except those involving willful neglect. One commenter recommended that the Secretary be able to assess penalties regardless of whether corrective action was obtained.

Final Rule

The final rule adopts the modifications to §§ 160.304, 160.306, 160.308, and 160.312, as proposed in the NPRM. The Department believes these changes to the enforcement provisions to be appropriate given the HITECH Act’s requirements at section 13410(a) with respect to circumstances indicating or involving noncompliance due to willful neglect. We do not provide in the Rule that the Secretary will investigate when a preliminary review of the facts indicates a “probable” rather than “possible” violation due to willful neglect as the statute requires an investigation even in cases indicating a “possible” violation due to willful neglect.

In response to commenters concerned about requiring the Secretary to conduct compliance reviews in circumstances in which facts indicate a possible violation due to willful neglect, we continue to believe that, while not expressly required by the statute, doing so appropriately strengthens enforcement with respect to violations due to willful neglect and ensures consistency in the handling of complaints and compliance reviews in which violations due to willful neglect are indicated.

We emphasize that the Department retains discretion to decide whether to conduct a compliance review (or complaint investigation) where a preliminary review of the facts indicates a degree of culpability less than willful neglect. Further, with respect to commenter concerns about duplication between complaint investigations and compliance reviews, we clarify that the Department generally conducts compliance reviews to investigate allegations of violations of the HIPAA Rules brought to the Department’s attention through a mechanism other than a complaint. For example, the Department may use a compliance review to investigate allegations of violations of the Rules brought to our attention through a media report, or from a State or another Federal agency. If the Department initiates an investigation of a complaint because its preliminary review of the facts indicates a possible violation due to willful neglect, the Department is not also required to initiate a compliance review under § 160.308 because doing so would initiate a duplicative investigation.

With respect to § 160.312, where the Rule previously mandated that the Secretary attempt to resolve indicated violations of the HIPAA Rules by informal means, the final rule now provides the Secretary with the discretion to do so, to reflect Section 13410 of the HITECH Act with regard to violations due to willful neglect.

Nothing in Section 13410 of the HITECH Act limits the Secretary’s ability to resolve such cases by informal means. However, through its introduction of higher penalties and its mandate for formal investigations with regard to possible violations due to willful neglect, Section 13410 strengthens enforcement and accordingly we have revised § 160.312 so that the Secretary may move directly to a civil money penalty without exhausting informal resolution efforts at her discretion, particularly in cases involving willful neglect violations.

Response to Other Public Comments

Comment: A number of commenters requested further clarification on the scope and depth of what constitutes a “preliminary review of the facts” for purposes of determining whether facts indicate a possible violation due to willful neglect and thus, warrant a formal complaint investigation or compliance review. Certain commenters suggested that a preliminary review of the facts should go beyond merely a review of the allegations asserted in a complaint.

Response: As noted above, currently the Department conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules. The Department anticipates that some complaints, on their face, or reports or referrals that form the basis of a potential compliance review, will contain sufficient information to indicate a possible violation due to willful neglect, and some may not. In any event, the Department may on a case-by-case basis expand the preliminary review and conduct additional inquiries for purposes of identifying a possible violation due to willful neglect. Notwithstanding the scope of a preliminary review, OCR will determine if an indicated violation was due to willful neglect based on the evidence from its investigation of the allegations, even if a violation due to willful neglect was not indicated at the preliminary review stage.

 

HHS Description From the Original Rulemaking
Compliance and Enforcement: Complaints to the Secretary

 

Note: The HHS Description is the same as for § 160.300

Proposed § 164.522 included five paragraphs addressing activities related to the Secretary’s enforcement of the rule. These provisions were based on procedures and requirements in various civil rights regulations. Proposed § 164.522(a) provided that the Secretary would, to the extent practicable, seek the cooperation of covered entities in obtaining compliance, and could provide technical assistance to covered entities to help them comply voluntarily. Proposed § 164.522(b) provided that individuals could file complaints with the Secretary. However, where the complaint related to the alleged failure of a covered entity to amend or correct protected health information as proposed in the rule, the Secretary would not make certain determinations such as whether protected health information was accurate or complete. This paragraph also listed the requirements for filing complaints and indicated that the Secretary may investigate such complaints and what might be reviewed as part of such investigation.

Under proposed § 164.522(c), the Secretary would be able to conduct compliance reviews. Proposed § 164.522(d) described the responsibilities that covered entities keep records and reports as prescribed by the Secretary, cooperate with compliance reviews, permit the Secretary to have access to their facilities, books, records, and other sources of information during normal business hours, and seek records held by other persons. This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and prohibit covered entities from taking retaliatory action against individuals for filing complaints or for other activities. Proposed § 164.522(e) provided that the Secretary would inform the covered entity and the individual complainant if an investigation or review indicated a failure to comply and would seek to resolve the matter informally if possible. If the matter could not be resolved informally, the Secretary would be able to issue written findings, be required to inform the covered entity and the complainant, and be able to pursue civil enforcement action or make a criminal referral. The Secretary would also be required to inform the covered entity and the individual complainant if no violation was found.

We make the following changes and additions to proposed § 164.522 in the final rule. First, we have moved this section to part 160, as a new subpart C, “Compliance and Enforcement.” Second, we add new sections that explain the applicability of these provisions and incorporate certain definitions. Accordingly, we change the proposed references to violations to “this subpart” to violations of “the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.” Third, the final rule at § 160.306(a) provides that any person, not just an “individual” (the person who is the subject of the individually identifiable health information) may file a complaint with the Secretary. Other references in this subpart to an individual have been changed accordingly. Fourth, we delete the proposed § 164.522(a) language that indicated that the Secretary would not determine whether information was accurate or complete, or whether errors or omissions might have an adverse effect on the individual. While the policy is not changed in that the Secretary will not make such determinations, we believe the language is unnecessary and may suggest that we would make all other types of determinations, such as all determinations in which the regulation defers to the professional judgment of the covered entity. Fifth, § 160.306(b)(3) requires that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. Sixth, § 160.310(b) requires cooperation with investigations as well as compliance reviews. 
Seventh, § 160.310(c)(1) provides that the Secretary must be provided access to a covered entity’s facilities, books, records, accounts, and other sources of information, including protected health information, at any time and without notice where exigent circumstances exist, such as where documents might be hidden or destroyed. Eighth, the provision proposed at § 164.522(d) that would prohibit covered entities from taking retaliatory action against individuals for filing a complaint with the Secretary or for certain other actions has been changed and moved to § 164.530. Ninth, § 160.312(a)(2) deletes the reference in the proposed rule to using violation findings as a basis for initiating action to secure penalties. This deletion is not a substantive change. This language was removed because penalties will be addressed in the enforcement regulation. As in the NPRM, the Secretary may promulgate alternative procedures for complaints relating to national security. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.

The Department plans to issue an Enforcement Rule that applies to all of the regulations that the Department issues under the Administrative Simplification provisions of HIPAA. This regulation will address the imposition of civil monetary penalties and the referral of criminal cases where there has been a violation of this rule. Penalties are provided for under section 262 of HIPAA. The Enforcement Rule would also address the topics covered by Subpart C below. It is expected that this Enforcement Rule would replace Subpart C.

 

HHS Response to Comments Received From the Original Rulemaking
Compliance and Enforcement: Complaints to the Secretary

 

Comment: The proposed rule limited those who could file a complaint with the Secretary to individuals. A number of commenters suggested that other persons with knowledge of a possible violation should also be able to file complaints. Examples that were provided included a mental health care provider with first hand knowledge of a health plan improperly requiring disclosure of psychotherapy notes and an occupational health nurse with knowledge that her human resources manager is improperly reviewing medical records. A few comments raised the concern that permitting any person to file a complaint lends itself to abuse and is not necessary to ensure privacy rights and that the complainant should be a person for whom there is a duty to protect health information.

Response: As discussed below, the rule defines “individual” as the person who is the subject of the individually identifiable health information. However, the covered entity may allow other persons, such as personal representatives, to exercise the rights of the individual under certain circumstances, e.g., for a deceased individual. We agree with the commenters that any person may become aware of conduct by a covered entity that is in violation of the rule. Such persons could include the covered entity’s employees, business associates, patients, or accrediting, health oversight, or advocacy agencies or organizations. Many persons, such as the covered entity’s employees, may, in fact, be in a better position than the “individual” to know that a violation has occurred. Another example is a state Protection and Advocacy group that may represent persons with developmental disabilities. We have decided to allow complaints from any person. The term “person” is not restricted here to human beings or natural persons, but also includes any type of association, group, or organization.

Allowing such persons to file complaints may be the only way the Secretary may learn of certain possible violations. Moreover, individuals who are the subject of the information may not be willing to file a complaint because of fear of embarrassment or retaliation. Based on our experience with various civil rights laws, such as Title VI of the Civil Rights Act of 1964 and Title II of the Americans with Disabilities Act, that allow any person to file a complaint with the Secretary, we do not believe that this practice will result in abuse. Finally, upholding privacy protections benefits all persons who have or may be served by the covered entity as well as the general public, and not only the subject of the information.

If a complaint is received from someone who is not the subject of protected health information, the person who is the subject of this information may be concerned with the Secretary’s investigation of this complaint. While we did not receive comments on this issue, we want to protect the privacy rights of this individual. This might involve the Secretary seeking to contact the individual to provide information as to how the Secretary will address individual’s privacy concerns while resolving the complaint. Contacting all individuals may not be practicable in the case of allegations of systemic violations (e.g., where the allegation is that hundreds of medical records were wrongfully disclosed).

Requiring That a Complainant Exhaust the Covered Entity’s Internal Complaint Process Prior to Filing a Complaint with the Secretary

Comment: A number of commenters, primarily health plans, suggested that individuals should not be permitted to file a complaint with the Secretary until they exhaust the covered entity’s own complaint process. Commenters stated that covered entities should have a certain period of time, such as ninety days, to correct the violation. Some commenters asserted that providing for filing a complaint with the Secretary will be very expensive for both the public and private sectors of the health care industry to implement. Other commenters suggested requiring the Secretary to inform the covered entity of any complaint it has received and not initiate an investigation or “take enforcement action” before the covered entity has time to address the complaint.

Response: We have decided, for a number of reasons, to retain the approach as presented in the proposed rule. First, we are concerned that requiring that complainants first notify the covered entity would have a chilling effect on complaints. In the course of investigating individual complaints, the Secretary will often need to reveal the identity of the complainant to the covered entity. However, in the investigation of cases of systemic violations and some individual violations, individual names may not need to be identified. Under the approach suggested by these commenters, the covered entity would learn the names of all persons who file complaints with the Secretary. Some individuals might feel uncomfortable or fear embarrassment or retaliation revealing their identity to the covered entity they believe has violated the regulation. Individuals may also feel they are being forced to enter into negotiations with this entity before they can file a complaint with the Secretary.

Second, because some potential complainants would not bring complaints to the covered entity, possible violations might not become known to the Secretary and might continue. Third, the delay in the complaint coming to the attention of the Secretary because of the time allowed for the covered entity to resolve the complaint may mean that significant violations are not addressed expeditiously. Finally, the process proposed by these commenters is arguably unnecessary because an individual who believes that an agreement can be reached with the covered entity, can, through the entity’s internal complaint process or other means, seek resolution before filing a complaint with the Secretary.

Our approach is consistent with other laws and regulations protecting individual rights. None of the civil rights laws enforced by the Secretary require a complainant to provide any notification to the entity that is alleged to have engaged in discrimination (e.g., Americans with Disabilities Act, section 504 of the Rehabilitation Act, Title VI of the Civil Rights Act, and the Age Discrimination Act). The concept of “exhaustion” is used in laws that require individuals to pursue administrative remedies, such as that provided by a governmental agency, before bringing a court action. Under HIPAA, individuals do not have a right to court action.

Some commenters seemed to believe that the Secretary would pursue enforcement action without notifying the covered entity. It has been the Secretary’s practice in investigating cases under other laws, such as various civil rights laws, to inform entities that we have received a complaint against them and to seek early resolution if possible. In enforcing the privacy rule, the Secretary will generally inform the covered entity of the nature of any complaints it has received against the entity. (There may be situations where information is withheld to protect the privacy interests of the complainant or others or where revealing information would impede the investigation of the covered entity.) The Secretary will also generally afford the entity an opportunity to share information with the Secretary that may result in an early resolution. Our approach will be to seek informal resolution of complaints whenever possible, which includes allowing covered entities a reasonable amount of time to work with the Secretary to come into compliance before initiating action to seek civil monetary penalties.

Section 160.306(b)(3) - Requiring that Complaints be Filed with the Secretary Within a Certain Period of Time

Comment: A number of commenters, primarily privacy and disability advocacy organizations, suggested that the regulation require that complaints be filed with the Secretary by a certain time. These commenters generally recommended that the time period for filing a complaint should commence to run from the time when the individual knew or had reason to know of the violation or omission. Another comment suggested that a requirement to file a complaint with the Secretary within 180 days of the alleged noncompliance is a problem because a patient may, because of his or her medical condition, be unable to access his or her records within that time frame.

Response: We agree with the commenters that complainants should generally be required to submit complaints in a timely fashion. Federal regulations implementing Title VI of the Civil Rights Act of 1964 provide that “[a] complaint must be filed not later than ‘180 days from the date of the alleged discrimination’ unless the time for filing is extended by the responsible Department official or his designee.” 45 CFR 80.7(b). Other civil rights laws, such as the Age Discrimination Act, section 504 of the Rehabilitation Act, and Title II of the Americans with Disabilities Act (ADA) (state and local government services), also use this approach. Under civil rights laws administered by the EEOC, individuals have 180 days of the alleged discriminatory act to file a charge with EEOC (or 300 days if there is a state or local fair employment practices agency involved).

Therefore, in the final rule we require that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred unless this time limit is waived by the Secretary for good cause shown. We believe that an investigation of a complaint is likely to be most effective if persons can be interviewed and documents reviewed as close to the time of the alleged violation as possible. Requiring that complaints generally be filed within a certain period of time increases the likelihood that the Secretary will have necessary and reliable information. Moreover, we are taking this approach in order to encourage complainants to file complaints as soon as possible. By receiving complaints in a timely fashion, we can, if such complaints prove valid, reduce the harm caused by the violation.

 
