Order Code RL33989
Enforcement of the HIPAA Privacy Rule
April 30, 2007
Gina Marie Stevens
Legislative Attorney
American Law Division

Summary
Concerns have been raised that the HIPAA Privacy Rule is being insufficiently
enforced by the Departments of Health and Human Services (HHS) and Justice
(DOJ). P.L. 104-191, the Health Insurance Portability and Accountability Act of
1996 (HIPAA), directed HHS to adopt standards to facilitate the electronic exchange
of health information for certain financial and administrative transactions. The
HIPAA Privacy Rule was adopted by HHS as the national standard for the protection
of individually identifiable health information. It regulates the use and disclosure of
protected health information by health plans, health care clearinghouses, and health
care providers who transmit financial and administrative transactions electronically;
establishes a set of basic consumer protections; permits any person to file an
administrative complaint for violations; and authorizes the imposition of civil or
criminal penalties. Enforcement of the Privacy Rule began in 2003.
On March 16, 2006, the Final HIPAA Administrative Simplification
Enforcement Rule went into effect. The Enforcement Rule has both procedural and
substantive provisions, and is applicable to all HIPAA administrative simplification
standards. The Enforcement Rule establishes procedures for the imposition of civil
money penalties on entities that violate rules adopted by the Secretary to implement
the Administrative Simplification provisions of HIPAA. It also amends existing rules
relating to the process for imposition of civil money penalties, and clarifies the
investigation process, the bases for liability, determination of the penalty amount,
grounds for waiver, conduct of the hearing, and the appeal process.
Lawmakers and others are examining the statutory and regulatory framework
for enforcement of the HIPAA Administrative Simplification standards, and ways to
ensure that agencies use their enforcement authority to the fullest extent under
HIPAA to address improper uses and disclosures of protected health information.
This report discusses enforcement of the HIPAA administrative simplification
provisions by HHS and DOJ, and provides an overview of the HIPAA Administrative
Simplification Enforcement Rule. This report will be updated when warranted.

Contents
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
The Health Insurance Portability and Accountability Act (HIPAA) and
Enforcement of Administrative Simplification Standards . . . . . . . . . . . . . . . 3
Civil Money Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Criminal Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Scope of Criminal Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
The HIPAA Privacy Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Covered Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Protected Health Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Uses and Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The HIPAA Administrative Simplification Enforcement Rule . . . . . . . . . . . . . . . 9
Voluntary Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Complaints to the Secretary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Compliance Reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Responsibilities of Covered Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Secretarial Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Affirmative Defenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Civil Money Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Criminal Referrals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Criminal Enforcement Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
United States v. Gibson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
United States v. Ramirez . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
United States v. Ferrer and Machado . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Background
Concerns have been raised by some that the HIPAA Privacy Rule is being
underenforced by the U.S. Departments of Health and Human Services (HHS) and
Justice (DOJ).1 According to recently released data from HHS, from April 2003,
when enforcement of the Privacy Rule began, to March 31, 2007, approximately
26,408 health information privacy complaints were filed with HHS.2 Based on the
HIPAA Privacy Rule, HHS found authority to investigate 6,602 cases. HHS found
no violation of the Privacy Rule in 2,155 of those cases.3 In 4,447 cases, HHS
obtained changes in the investigated entity’s privacy practices or other corrective
actions.4 In 13,875 cases, HHS did not find enforcement authority under HIPAA
either because of lack of jurisdiction (the violation occurred prior to the effective date
of the Rule or the entity was not subject to the Privacy Rule); the complaint was
untimely, withdrawn, or not pursued by the complainant; or the activity being
complained of did not violate the Privacy Rule.5 According to HHS, the compliance
issues most frequently investigated were for impermissible use or disclosure of
protected health information, lack of adequate safeguards for protected health
information, lack of patient access to his or her protected health information, the
disclosure of more information than is minimally necessary to satisfy a particular
request for information, and failure to have an individual’s authorization for a
disclosure that requires one.6 The covered entities most commonly required to take
corrective action by HHS, in order of frequency, include private practices, general
hospitals, outpatient facilities, health plans, and pharmacies.7 Almost 6,000 cases
remain unresolved.
1 Rob Stein, “Medical Privacy Law Nets No Fines”, The Washington Post, June 5, 2006 at
A01.
2 U.S. Department of Health and Human Services, Compliance and Enforcement: Privacy Rule Enforcement Highlights, at [http://www.hhs.gov/ocr/privacy/enforcement/highlights.html].
3 Id.
4 Id.
5 Id.
6 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By Issue, at [http://www.hhs.gov/ocr/privacy/enforcement/casebyissue.html].
7 See U.S. Department of Health and Human Services, Compliance and Enforcement: Case Examples Organized By Covered Entity, at [http://www.hhs.gov/ocr/privacy/enforcement/casebyentity.html].

According to its enforcement website, HHS did not report any civil penalties
during the four-year period of 2003-2007.8 HHS reported that more than 384 cases
were referred by HHS to DOJ for criminal investigation of knowing disclosure or
access to protected health information in violation of the Privacy Rule. Although
information on criminal convictions was not reported by HHS, criminal convictions
were obtained in three cases involving employees of covered entities who improperly
obtained protected health information.9
Several factors contribute to the number of enforcement actions taken by HHS
for violations of the HIPAA Privacy Rule. First is HHS’s preference for voluntary
compliance, corrective action, and/or resolution agreement.10 Second, HIPAA
applies only to certain groups, defined as covered entities, health plans, health care
clearinghouses, and health care providers who transmit financial and administrative
transactions electronically. HIPAA does not cover all types of entities that maintain
personal health information (e.g., life insurers, employers, workers compensation
carriers, schools and school districts, state agencies such as child protective service
agencies, law enforcement agencies, and municipal offices).11 Third, HIPAA does
not cover all types of health transactions. Fourth, the statute does not create a
private right of action, but rather public enforcement by HHS and DOJ. Fifth, the
complained-of activity might not be a violation of the Privacy Rule.
Concerns about the protection of health information privacy under HIPAA are
escalating as legislative efforts to promote widespread adoption of electronic health
records and health information technology intensify.12 The privacy of health
information is recognized as a critical element of transforming the health care system
through the use of health information technology. In 2004, President Bush called for
the HHS to develop and implement a strategic plan to guide the nationwide
8 The U.S. Department of Health and Human Services (HHS) recently announced an enhanced website to make it easier to get information about how the Department enforces health information privacy rights and standards. HHS Launches New Web site on HIPAA Privacy Compliance and Enforcement, April 20, 2007, at [http://www.hhs.gov/ocr/privacy/enforcement/announcement.html].
9 United States v. Gibson, 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004);
United States v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex.
2006); United States v. Ferrer and Machado, 2006 WL 4005632 (S.D.Fla. 2006).
10 U.S. Department of Health and Human Services, Compliance and Enforcement: How OCR Enforces the HIPAA Privacy Rule, at [http://www.hhs.gov/ocr/privacy/enforcement/hipaarule.html].
11 HHS’s approach to the regulation of the privacy of health information “is also
significantly informed by the limited jurisdiction conferred by HIPAA. In large part, we
have the authority to regulate those who create and disclose health information, but not
many key stakeholders who receive that health information from a covered entity.” 65 Fed.
Reg. 82462, 82471 (2000).
12 Milt Freudenheim and Robert Pear, “Health Hazard: Computers Spilling Your History,”
The New York Times, December 3, 2006, p. D01.

implementation of Health Information Technology (HIT).13 The plan also called for
the Office of Personnel Management (OPM) to leverage its power with the Federal
Employees Health Benefits Program (FEHBP) to increase the use of HIT. In the last
Congress, the House and Senate passed legislation that would foster the adoption of
health information technology, but the bills never went to conference. The Senate
Homeland Security and Government Affairs Committee recently held a hearing to
review the efforts of HHS to integrate privacy into the HIT national infrastructure and
OPM’s efforts to expand the use of HIT through the FEHBP.14
This report provides an overview of the statutory and regulatory enforcement
scheme (under the recently issued Final Enforcement Rule) for the Administrative
Simplification provisions of HIPAA. In addition, it summarizes recent enforcement
actions by HHS and DOJ.
The Health Insurance Portability and Accountability
Act (HIPAA) and Enforcement of Administrative
Simplification Standards
In 1996, Congress enacted the Health Insurance Portability and Accountability
Act of 1996 (HIPAA)15 to “improve portability and continuity of health insurance
coverage in the group and individual markets.”16 Congress enacted HIPAA to
guarantee the availability and renewability of health insurance coverage and limit the
use of pre-existing condition restrictions. HIPAA also included tax provisions
related to health insurance and administrative simplification provisions requiring
issuance of national standards to facilitate the electronic transmission of health
information.
Part C of HIPAA17 requires “the development of a health information system
through the establishment of standards and requirements for the electronic
13 A January 2007 GAO report found that while HHS and the National Coordinator have
taken steps to study the protection of personal health information, an overall strategy is
needed to identify milestones for integrating privacy into the health IT framework, ensure
privacy is fully addressed, and address key challenges. U.S. Government Accountability Office, Health Information Technology: Early Efforts Initiated but Comprehensive Privacy Approach Needed for National Strategy, GAO-07-400T, February 1, 2007, at [http://www.gao.gov/new.items/d07400t.pdf].
14 Private Health Records: Privacy Implications of the Federal Government’s Health Information Technology Initiative, Hearing Before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia of the Senate Committee on Homeland Security and Governmental Affairs, 110th Cong., 1st sess. (2007).
15 P.L. 104-191, 110 Stat. 1936 (1996), codified in part at 42 U.S.C. §§ 1320d et seq.
16 H.Rept. 104-496, at 1, 66-67, reprinted in 1996 U.S.C.C.A.N. 1865, 1865-66.
17 42 U.S.C. §§ 1320d — 1320d-8.

transmission of certain health information.”18 Such standards are required to be
consistent with the objective of reducing the administrative costs of providing and
paying for health care.
These Administrative Simplification provisions require the Secretary of HHS
to adopt national standards to facilitate the electronic exchange of information for
certain financial and administrative transactions; select or establish code sets for data
elements; protect the privacy of individually identifiable health information; maintain
administrative, technical, and physical safeguards for the security of health
information; provide unique health identifiers for individuals, employers, health
plans, and health care providers; and to adopt procedures for the use of electronic
signatures.19
Health plans, health care clearinghouses, and health care providers who transmit
financial and administrative transactions electronically are required to use
standardized data elements and comply with the national standards and regulations
promulgated pursuant to Part C.20 Failure to comply with the regulations may subject
the covered entity to civil or criminal penalties.
Civil Money Penalties
Under HIPAA, the Secretary is required to impose a civil monetary penalty
(CMP) on any person failing to comply with the Administrative Simplification
provisions in Part C.21 The maximum civil money penalty (i.e., the fine) for a
violation of an administrative simplification provision is $100 per violation and up
to $25,000 for all violations of an identical requirement or prohibition during a
calendar year.22
A number of procedural requirements that are relevant to the imposition of
CMP’s for violations of the Administrative Simplification standards23 are
incorporated by reference in HIPAA from the general civil money penalty provision
in 42 U.S.C. § 1320a-7a.24 The Secretary may not initiate a CMP action “later than
18 110 Stat. 2021.
19 42 U.S.C. §§ 1320d-2(a)-(d). HHS has issued final regulations to adopt national standards for transactions and code sets, privacy, security, and employer identifiers. See Administrative Simplification Under HIPAA: National Standards for Transactions, Privacy and Security, at [http://www.hhs.gov/news/press/2002pres/hipaa.html].
20 42 U.S.C. § 1320d-4(b) requires compliance with the regulations within a certain time period by “each person to whom the standard or implementation specification [adopted or established under sections 1320d-1 and 1320d-2] applies.”
21 42 U.S.C. § 1320d-5(a).
22 42 U.S.C. § 1320d-5(a)(1).
23 42 U.S.C. § 1320d-5(a)(2).
24 Except for the subsections addressing the imposition of civil money penalties for
improperly filed claims, payments to induce a reduction or limitation of services, and the
(continued...)

six years after the date” of the occurrence that forms the basis for the CMP action.25
The Secretary may initiate a CMP by serving notice in a manner authorized by Rule
4 of the Federal Rules of Civil Procedure (Commencement of Action). The Secretary
must give written notice to the person on whom he wishes to impose a CMP and an
opportunity for a determination to be made “on the record after a hearing at which the
person is entitled to be represented by counsel, to present witnesses, and to cross-
examine witnesses against the person.”26 Judicial review of the Secretary’s
determination and the issuance and enforcement of subpoenas is available in the
United States Court of Appeals.27
A CMP may not be imposed with respect to an act that constitutes criminal
disclosure of individually identifiable information28 “if it is established to the
satisfaction of the Secretary that the person liable for the penalty did not know, and
by exercising reasonable diligence would not have known, that such person violated
the provisions”;29 or if “the failure to comply was due to reasonable cause and not to
willful neglect” and is corrected within 30 days after learning of the violation.30 The
Secretary may provide technical assistance during such period. A CMP may be
reduced or waived “to the extent that the payment of such penalty would be excessive
relative to the compliance failure involved.”31
Three specific affirmative defenses bar the imposition of civil money penalties:
(1) the act is a criminal offense under HIPAA’s criminal penalty provision —
wrongful disclosure of individually identifiable health information; (2) the covered
entity did not have actual or constructive knowledge of the violation; and (3) the
failure to comply was due to reasonable cause and not to willful neglect, and the
failure to comply was corrected during a 30-day period beginning on the first date the
person liable for the penalty knew, or by exercising reasonable diligence would have
known, that the failure to comply occurred.32
The Office of Civil Rights (OCR) in HHS is responsible for enforcing the
Privacy Rule.33 OCR has said that any civil penalties imposed will only affect
covered entities; in other words, a member of a workforce who is not a covered entity
appears not to be subject to civil sanctions by OCR.
24 (...continued)
recovery and use of funds.
25 42 U.S.C. § 1320a-7a(c)(1).
26 42 U.S.C. § 1320a-7a(c)(2).
27 42 U.S.C. § 1320a-7a(e).
28 42 U.S.C. § 1320d-5(b)(1).
29 42 U.S.C. § 1320d-5(b)(2).
30 42 U.S.C. § 1320d-5(b)(3).
31 42 U.S.C. § 1320d-5(b)(4).
32 42 U.S.C. § 1320d-5(b)(1) — (4).
33 65 Fed. Reg. 82381.

Criminal Penalties
HIPAA establishes criminal penalties for any person who knowingly and in
violation of the Administrative Simplification provisions of HIPAA uses a unique
health identifier or obtains or discloses individually identifiable health information.34
Enhanced criminal penalties may be imposed if the offense is committed under false
pretenses, with intent to sell the information or reap other personal gain.
The penalties include (1) a fine of not more than $50,000 and/or imprisonment
of not more than 1 year; (2) if the offense is “under false pretenses,” a fine of not
more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the
offense is with intent to sell, transfer, or use individually identifiable health
information for commercial advantage, personal gain, or malicious harm, a fine of
not more than $250,000 and/or imprisonment of not more than 10 years.35 These
penalties do not affect any other penalties that may be imposed by other federal
programs.
Scope of Criminal Enforcement
In 2005, the Justice Department Office of Legal Counsel (OLC) addressed
which persons may be prosecuted under HIPAA.36 Based on its reading of the plain
terms of the statute, the privacy regulations, and Executive Order 13,141 (To Protect
the Privacy of Protected Health Information in Oversight Investigations), OLC
concluded that only a covered entity could be criminally liable “in violation of this
part.”37 Because Part C applies only to covered entities and mandates compliance
34 42 U.S.C. § 1320d-6(a). Wrongful disclosure of individually identifiable health
information
(a) Offense
A person who knowingly and in violation of this part —
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual;
or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section.
(b) Penalties
A person described in subsection (a) of this section shall —
(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;
(2) if the offense is committed under false pretenses, be fined not more than
$100,000, imprisoned not more than 5 years, or both; and
(3) if the offense is committed with intent to sell, transfer, or use individually
identifiable health information for commercial advantage, personal gain, or
malicious harm, be fined not more than $250,000, imprisoned not more than 10
years, or both. 42 U.S.C. § 1320d-6.
35 42 U.S.C. § 1320d-6(b).
36 U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6, June 1, 2005, at [http://www.justice.gov/olc/hipaa_final.htm].
37 OLC’s opinion limiting direct liability under the HIPAA criminal statute to covered
(continued...)

only by covered entities, OLC concluded that direct liability for violations of section
1320d-6 was limited to covered entities (health plans, health care clearinghouses,
those health care providers specified in the statute, and Medicare prescription drug
card sponsors); and depending on the facts of a given case, certain directors, officers,
and employees of these entities may be liable directly under section 1320d-6, based
on general principles of corporate criminal liability.38 Other persons who obtain
protected health information in a manner that causes a covered entity to release the
information in violation of HIPAA, including recipients of protected information,
may not be liable directly. The liability of persons for conduct that may not be
prosecuted directly under section 1320d-6 is to be determined by principles of aiding
and abetting liability under 18 U.S.C. § 2,39 and of conspiracy liability under 18
U.S.C. § 371.40 OLC also noted that such conduct may also be punishable under
other federal laws, such as identity theft under 18 U.S.C. § 1028,41 and fraudulent
access of a computer under 18 U.S.C. § 1030.42
The Office of Legal Counsel also considered what the “knowingly” element of
the offense requires and concluded that the “knowingly” element is best read,
37 (...continued)
entities was widely criticized. Critics believed that such an interpretation would result in
weak enforcement of the HIPAA standards. See Robert Pear, Ruling Limits Prosecutions of People Who Violate Law on Medical Records, New York Times (June 7, 2005); Peter P. Swire, Justice Department Opinion Undermines Protection of Medical Privacy, Center for American Progress (June 7, 2005), at [http://www.americanprogress.org/issues/2005/06/b743281.html]; Peter A. Winn, Who Is Subject to Criminal Prosecution under HIPAA?, at [http://www.abanet.org/health/01_interest_groups/01_media/WinnABA_2005-11.pdf].
38 According to OLC under general principles of corporate criminal liability, the conduct of
an entity’s agents may be imputed to the entity when the agents act within the scope of their
employment, and the criminal intent of agents may be imputed to the entity when the agents
act on its behalf.
39 § 2. Principals
(a) Whoever commits an offense against the United States or aids, abets, counsels,
commands, induces or procures its commission, is punishable as a principal.
(b) Whoever willfully causes an act to be done which if directly performed by him or
another would be an offense against the United States, is punishable as a principal.
40 § 371. Conspiracy to commit offense or to defraud United States
If two or more persons conspire either to commit any offense against the United States, or
to defraud the United States, or any agency thereof in any manner or for any purpose, and
one or more of such persons do any act to effect the object of the conspiracy, each shall be
fined under this title or imprisoned not more than five years, or both.
If, however, the offense, the commission of which is the object of the conspiracy, is a
misdemeanor only, the punishment for such conspiracy shall not exceed the maximum
punishment provided for such misdemeanor.
41 See CRS Report RL31919, Remedies Available to Victims of Identity Theft, by Gina Marie
Stevens.
42 See CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle.

consistent with its ordinary meaning, to require only proof of knowledge of the facts
that constitute the offense.43
The HIPAA Privacy Rule
To carry out the requirements of Part C, the HIPAA Privacy Rule, 45 C.F.R.
Parts 160 and 164, was adopted as the national standard for the protection of
individually identifiable health information.44 Enforcement of the Privacy Rule
began on April 14, 2003, except that for small health plans with annual receipts of
$5 million or less enforcement began April 2004. The Office of Civil Rights (OCR)
in HHS is responsible for enforcing the Privacy Rule.45 The Centers for Medicare
and Medicaid Services (CMS) has delegated authority to enforce the non-privacy
HIPAA standards.46
Covered Entities
Because of the explicit language of HIPAA, the Privacy Rule applies only to a
specified set of “covered entities”: (1) health plans, (2) health care clearinghouses,
and (3) health care providers who transmit information in electronic form in
connection with standard transactions governed by the Administrative Simplification
provisions.47 Medicare prescription drug sponsors were added to the list of “covered
entities” in 2003.48 Excluded from the definition of covered entities are employees
of covered entities. Business associates of covered entities are subject to certain
aspects of the Privacy Rule.49
43 U.S. Department of Justice, Scope of Criminal Enforcement Under 42 U.S.C. §1320d-6,
June 1, 2005, at [http://www.justice.gov/olc/hipaa_final.htm].
44 The Privacy Rule went into effect on April 14, 2001. On August 14, 2002, HHS
published a modified Privacy Rule. 67 Fed. Reg. 53181 available at [http://www.hhs.gov/
ocr/hipaa/finalreg.html].
45 The Secretary of Health and Human Services recently delegated to the Director of OCR
the authority to issue subpoenas in investigations of alleged violations of the HIPAA Privacy
Rule. 72 Fed. Reg. 18,999 (April 16, 2007).
46 68 Fed. Reg. 60694.
47 42 U.S.C. §§ 1320d-1(a)(1)-(3) (“Any standard adopted under this part shall apply, in
whole or in part, to the following persons: (1) A health plan. (2) A health care
clearinghouse. (3) A health care provider who transmits any health information in electronic
form in connection with a transaction referred to in section 1320d-2(a)(1) of this title.”).
48 42 U.S.C. § 1320d-1(a); 45 C.F.R. §§ 164.104(a)(1)-(3). The Medicare Prescription Drug
Improvement and Modernization Act of 2003, P.L. 108-173, § 101(a)(2), 117 Stat. 2071,
2144 (2003), codified at 42 U.S.C. § 1395w-14(h)(6).
49 45 C.F.R. § 164.530(e)(2)(ii)(A).

Protected Health Information
The rule applies to protected health information that is individually identifiable
health information “created or received by a health care provider, health plan, or
health care clearinghouse” that “[r]elates to the ... health or condition of an
individual” or to the provision of or payment for health care.50
Uses and Disclosures
The Privacy Rule regulates the use and disclosure of protected health
information by covered entities and establishes a set of basic consumer protections.
In general, except as otherwise permitted by law or where there is authorization from
the patient, covered entities are prohibited from disclosing protected health
information for any purpose other than treatment, payment, or health care operations.
The HIPAA Administrative Simplification
Enforcement Rule
On February 16, 2006, HHS published the Final Enforcement Rule, with both
procedural and substantive provisions, applicable to all HIPAA administrative
simplification standards in Part C.51 The final rule went into effect March 16, 2006.
The following discussion summarizes the main provisions of the rule.
Voluntary Cooperation
With respect to ascertaining compliance with and enforcement of the
administrative simplification provisions, the Secretary of HHS is to seek the
voluntary cooperation of covered entities. Enforcement and other activities to
facilitate compliance include the provision of technical assistance, responding to
questions, providing interpretations and guidance, responding to state requests for
preemption determinations, and investigating complaints and conducting compliance
reviews.
Complaints to the Secretary
The Privacy Rule permits any person to file an administrative complaint for
violations.52 It did not create a private right of action for individuals to sue to remedy
privacy violations.53 Individuals must direct their complaints to the HHS Office for
50 45 C.F.R. § 160.103.
51 71 Fed. Reg. 8390, 45 CFR § 160.300 et seq.
52 45 CFR § 160.306.
53 Several federal district courts have held that HIPAA did not create a privately enforceable right of action, and one federal appellate court has also recently upheld that finding. See Acara v. Banks, 470 F.3d 569 (5th Cir. 2006).

Civil Rights (OCR) or to the covered entity.54 An individual may file a complaint
with the Secretary if the individual believes that the covered entity is not complying
with the administrative simplification provisions.55 Complaints to the Secretary may
be filed only with respect to alleged violations occurring on or after April 14, 2003.
The Secretary’s investigation may include a review of the policies, procedures, or
practices of the covered entity, and of the circumstances regarding the alleged acts
or omissions.56
Compliance Reviews
The Secretary is also authorized to conduct compliance reviews.57 According
to OCR, it is conducting Privacy Rule compliance reviews only where compelling
and unusual circumstances demand.58
Responsibilities of Covered Entities
Covered entities are required to provide records and compliance reports to the
Secretary to determine compliance, and to cooperate with complaint investigations
and compliance reviews.59
Secretarial Action
In cases where no violation is found, the Secretary is to inform the covered
entity and the complainant in writing. In cases where an investigation or compliance
review has indicated noncompliance, the Secretary is to inform the covered entity and
the complainant in writing, and attempt to resolve the matter informally.60 If the
Secretary determines that the matter cannot be resolved informally, the Secretary may
issue written findings documenting the noncompliance. The covered entity has 30
days to respond to the Secretary’s findings and must be given an opportunity to
submit written evidence of any mitigating factors or affirmative defenses, as it
proceeds to the civil monetary penalty phase. Finally, the Rule includes a provision
that prohibits covered entities from threatening, intimidating, coercing,
discriminating against, or taking any other retaliatory action against anyone who
complains to HHS or otherwise assists or cooperates in the HIPAA enforcement
process.61 Actions must be brought by the Secretary within six years from the date
of the violation.
54 OCR maintains a website with information on the regulation, including guidance at
[http://www.hhs.gov/ocr/hipaa/]. HHS also issued a 20-page “Summary of the HIPAA
Privacy Rule,” at [http://www.hhs.gov/ocr/privacysummary.pdf].
55 45 CFR § 160.306.
56 The Secretary has delegated to the Office for Civil Rights (OCR) the authority to receive
and investigate complaints as they may relate to the Privacy Rule. 65 Fed. Reg. at 82,474,
82,487.
57 45 CFR § 160.308.
58 U.S. Department of Health and Human Services, Fiscal Year 2008, Office for Civil
Rights, Justification of Estimates for Appropriations Committees, p. 37, at
[http://www.hhs.gov/ocr/CJFY2008.pdf].
59 45 CFR § 160.310.
60 45 CFR § 160.312.
Affirmative Defenses
Three specific affirmative defenses would bar the imposition of civil money
penalties: (1) the violation is a criminal offense under HIPAA — wrongful disclosure
of individually identifiable health information; (2) the covered entity did not have
actual or constructive knowledge of the violation; or (3) the failure to comply was
due to reasonable cause and not to willful neglect, and was corrected during a 30-day
period beginning on the first date the person liable for the penalty knew, or by
exercising reasonable diligence would have known, that the failure to comply
occurred.62 With respect to the first two defenses, the Secretary may waive the civil
money penalty if it would be excessive in relation to the violation.
Civil Money Penalties
The Enforcement Rule provides that the “Secretary will impose a civil money
penalty upon a covered entity if the Secretary determines that the covered entity has
violated an administrative simplification provision.”63
The Secretary is required to provide notice of a proposed penalty to the covered
entity, and the respondent has a right to request a hearing within 90 days before an
Administrative Law Judge.64 If the respondent fails to request a hearing, the
Enforcement Rule states that “the Secretary will impose the proposed penalty or any
lesser penalty permitted by 42 U.S.C. 1320d-5.”65 Once a penalty has become final,
the Secretary is obligated to notify the public, state, and local medical and
professional organizations; state agencies administering health care programs;
utilization and quality peer review organizations; and state and local licensing
agencies and organizations.
To determine the number of “violations” to compute the amount of the civil
penalty, the Secretary is to base the decision upon the nature of the covered entity’s
obligation to act or not under the violated provision.66 The Rule also provides that
HHS may consider the following aggravating or mitigating factors when determining
the amount of the penalty: the nature of the violation; the circumstances under which
the violation occurred; the degree of culpability; any history of prior compliance,
including violations; the financial condition of the covered entity; and such “other
matters as justice may require.”67 The Secretary is authorized to settle any issue or
case or to compromise any penalty.
61 45 CFR § 160.316.
62 45 CFR § 160.410.
63 45 CFR § 160.402.
64 Provision is also made for an administrative appeal of the ALJ’s decision to the HHS
Departmental Appeals Board, and judicial review of the Board’s final decision.
65 45 CFR § 160.422.
66 45 CFR § 160.406.
Criminal Referrals
HHS refers to the DOJ for criminal investigation appropriate cases involving the
knowing disclosure or obtaining of individually identifiable health information in
violation of the Privacy Rule.
Criminal Enforcement Actions
Criminal convictions have been obtained in three cases involving employees
of covered entities who improperly obtained protected health information. Two of
the HIPAA criminal cases were brought after the OLC legal opinion limiting direct
liability for violations to covered entities.68
United States v. Gibson
The first case prosecuted by a U.S. Attorney’s Office under the HIPAA criminal
statute involved a Seattle phlebotomist employed at a cancer center who was
sentenced to 16 months in prison and 3 years of supervised release in 2004 for
stealing credit card information from a cancer patient, charging $9,000 worth of
merchandise on it, and using that information to get credit cards in the defendant’s
name.69 The defendant was ordered to pay restitution in the amount of $15,000. The
U.S. attorney’s office in Seattle chose to prosecute the identity theft as a criminal
HIPAA violation because the information had been collected from a patient,70 instead
of prosecuting the defendant for identity theft.71 Specifically, the defendant was
charged with and pled guilty to the wrongful disclosure of individually identifiable
health information for economic gain in violation of 42 U.S.C. § 1320d-6(a)(3) and
(b)(3). It is notable that the defendant was not a covered entity but a member of the
covered entity’s workforce not acting within the scope of his employment. The OLC
legal opinion was issued after the defendant’s conviction.
67 45 CFR § 160.408.
68 Atlantic Information Services, Inc., HIPAA Criminal Cases Against Individuals Proceed
Despite DOJ Memo, at [http://www.aishealth.com/Compliance/Hipaa/RPP_HIPAA_Cases_Proceed.html].
69 United States v. Gibson, 2004 WL 2237585 (No. CR04-0374RSM) (W.D. Wash. 2004).
70 See ABA Health eSource, Interview with Susan Loitz, Assistant U.S. Attorney (October
2004), at [http://www.abanet.org/health/esource/vol1no2/loitz.html].
71 See Atlantic Consulting Services, Inc., Synergy Between the Identity Theft Issue And
Privacy, Security Grows Stronger, at [http://www.aishealth.com/Compliance/Hipaa/RPP_identity_patient_ID_theft.html].
(Noting that “Identity theft is now the number one financial crime in the country, and
health care organizations are prime targets because of their vast reservoirs of personal
data, such as Social Security numbers.”)
United States v. Ramirez
In 2006, a Texas woman employed in the office of a doctor who had a contract
to provide physicals and medical treatment to FBI agents was convicted of selling an
FBI agent’s medical records for $500.72 The defendant pled guilty to the federal
felony offense of wrongfully using a unique health identifier intending to sell
individually identifiable health information for personal gain, 42 U.S.C. § 1320d-6(a)(1)
and (b)(3), and of violating 18 U.S.C. § 2.73 She was sentenced to six months
in jail and four months of home confinement to be followed by a two-year term of
supervised release.74 The defendant was also ordered to pay a criminal money
penalty of $100. Two aggravating factors were found by the court. First, the
defendant had sold the confidential medical record, and second, the record belonged
to a federal agent.
United States v. Ferrer and Machado
The defendant was an employee of a medical clinic and improperly obtained
Medicare information and other patient information for more than 1,100 clinic
patients and sold that information to the owner of a medical claims business for $5
to $10 each. The information was then used by medical providers to fraudulently bill
Medicare for services not rendered and equipment not supplied, resulting in a $7
million fraud to Medicare and the payment of approximately $2.5 million to
providers and suppliers.75 The defendants were charged with conspiracy in violation
of 18 U.S.C. § 371, with computer fraud in violation of 18 U.S.C. § 1030(a)(4) and
(c)(3)(A), wrongful disclosure of individually identifiable health information in
violation of 42 U.S.C. § 1320d-6(a)(2) and (b)(3), and aggravated identity theft in
violation of 18 U.S.C. § 1028A(a)(2).
In January 2007, Florida defendant Machado pled guilty to conspiracy to
commit computer fraud, conspiracy to commit identity theft and conspiracy to
wrongfully disclose individually identifiable health information.76 The defendant
testified against her co-defendant. The defendant is scheduled to be sentenced on
April 27, 2007, and faces a maximum of 5 years imprisonment, $250,000 fine, and
possible restitution. Because the clinic-employer was a cooperating witness and the
defendant was acting outside the scope of her lawful employment, the clinic was not
charged.
72 United States v. Ramirez, Warrant, Criminal No. M-05-708, McAllen Division (S.D. Tex.
2006).
73 18 U.S.C. § 2. Principals
(a) Whoever commits an offense against the United States or aids, abets, counsels,
commands, induces or procures its commission, is punishable as a principal.
(b) Whoever willfully causes an act to be done which if directly performed by him or
another would be an offense against the United States, is punishable as a principal.
74 U.S. Department of Justice, Alamo, Texas Woman Convicted of Selling FBI Agent’s
Medical Record Sentenced, at [http://www.usdoj.gov/usao/txs/releases/March2006/060307-Ramirez.pdf].
75 The United States Attorney’s Office Southern District of Florida, Cleveland Clinic
Employee Pleads Guilty to Superseding Fraud Indictment, January 11, 2007, at
[http://www.usdoj.gov/usao/fls/PressReleases/070111-03.html].
76 United States v. Ferrer and Machado, 2006 WL 4005632 (S.D.Fla. 2006).
Co-defendant Ferrer, owner of the medical claims business, was convicted by
a jury of all eight counts (one count of conspiring to defraud the United States, one
count of computer fraud, one count of wrongful disclosure of individually
identifiable health information, and five counts of aggravated identity theft).77
Sentencing has been scheduled for April 27, 2007, and he faces a maximum statutory
term of imprisonment of 5 years on the conspiracy count; a maximum statutory term
of imprisonment of 5 years on the computer fraud count; a maximum statutory term
of imprisonment of 10 years on the wrongful disclosure of individually identifiable
health information count; and a maximum statutory term of imprisonment of 2 years
on each count of aggravated identity theft. According to DOJ, this is the first HIPAA
violation case that has gone to trial.78 The two other cases resulted in guilty pleas.
77 The United States Attorney’s Office Southern District of Florida, Naples Man Convicted
In Cleveland Clinic Identity Theft and Medicare Fraud Case, January 24, 2007, at
[http://www.usdoj.gov/usao/fls/PressReleases/070124-02.html].
78 Id.