Congress established a two-pronged approach to enforcement of all of the requirements established under part C of title XI of the Act. First, section 1176 grants the Secretary the authority to impose civil monetary penalties against those covered entities which fail to comply with the requirements established under part C. These penalties are to be imposed according to the procedures established for imposition of civil monetary penalties in section 1128A of the Act. Second, section 1177 establishes criminal penalties for certain wrongful disclosures of individually identifiable health information.
The selection of the civil monetary penalty process at section 1128A of the Act as the enforcement mechanism for the Administrative Simplification standards and requirements indicates the type of process Congress believes is appropriate for civil enforcement of those standards and requirements. The Secretary’s Recommendations call for a privacy right of action to permit individuals to enforce their privacy rights. However, the HIPAA does not provide a private right of action, so the Secretary lacks the authority to provide for such a remedy. Accordingly, we would provide that individuals could file complaints with the Secretary and the Secretary could then, when appropriate, investigate. The Secretary may also conduct compliance reviews. See proposed § 164.522(b) and (c).
Under section 1177(a), the offense of “wrongful disclosure” is a disclosure that violates the standards or requirements established under part C. These would include any disclosures not otherwise permitted under the privacy standards or the parallel security standards.
As we noted in the Notices of Proposed Rulemaking for the other Administrative Simplification regulations, we will propose regulations in the future to establish these procedures. Because such procedures will not constitute “standards” within the meaning of part C, they would not be subject to the delay in effective date provisions that apply to the various Administrative Simplification regulations.