Just in time for your post-April 14 world, the HHS Office for Civil Rights has finally provided some guidance on what privacy rule enforcement will look like in the coming months. Here's one hint: Civil money penalties await the noncompliant.

OCR published its interim final rule on privacy rule enforcement April 17 in the Federal Register. The guidance focuses mainly on civil money penalties (CMPs) related to HIPAA violations, including procedures for investigations, imposition of penalties, and hearings. "We intend that this be the first installment of a rule that we term the 'Enforcement Rule,'" OCR said in the guidance, adding that the complete and final rule will set forth "procedural and substantive requirements" for imposition of CMPs. In the interim, OCR said it is issuing rules of procedure to inform regulated entities of OCR's approach to enforcement and to inform such entities what procedures will be followed as the agency enforces the Administrative Simplification provisions of HIPAA.

While the guidance provides some information on the form of enforcement, it doesn't indicate how assertive the OCR will be in ferreting out potential violations. "My sense is that [the interim final rule] is just laying out a process. It's important but I don't think there's anything in here that's startling," notes Brian Gradle, an attorney in the DC office of Epstein Becker & Green. Gradle says CEs won't be facing the possibility of "immediate sanctions that are imposed upon them without some opportunity to take corrective action," and "that's consistent with off-the-record conversations I've had with people from HHS' general counsel office and various people in the OCR office."

Editor's Note: To read the interim rule in its entirety, go to www.hhs.gov/ocr/moneypenalties.html.
The reg establishes civil money penalties and criminal penalties for violations. HHS will enforce the civil money penalties, while the U.S. Department of Justice will enforce the criminal penalties. For example, the CMP provision of the reg authorizes the HHS Secretary to impose on any person who violates a provision of the reg a penalty of not more than $100 for each such violation, but the total amount imposed on the person for all violations of an identical requirement or prohibition during that year may not exceed $25,000.
OCR says it will first seek the cooperation of covered entities in obtaining compliance with the privacy rule before any action is taken, and that it may provide technical assistance to help covered entities voluntarily comply with the rule. Additionally, the agency says it will attempt to resolve matters "by informal means before issuing findings of non-compliance."