Proposed § 164.522 included five paragraphs addressing activities related to the Secretary's enforcement of the rule. These provisions were based on procedures and requirements in various civil rights regulations. Proposed § 164.522(a) provided that the Secretary would, to the extent practicable, seek the cooperation of covered entities in obtaining compliance, and could provide technical assistance to covered entities to help them comply voluntarily. Proposed § 164.522(b) provided that individuals could file complaints with the Secretary. However, where the complaint related to the alleged failure of a covered entity to amend or correct protected health information as proposed in the rule, the Secretary would not make certain determinations such as whether protected health information was accurate or complete. This paragraph also listed the requirements for filing complaints and indicated that the Secretary may investigate such complaints and what might be reviewed as part of such investigation.
Under proposed § 164.522(c), the Secretary would be able to conduct compliance reviews. Proposed § 164.522(d) described the responsibilities that covered entities keep records and reports as prescribed by the Secretary, cooperate with compliance reviews, permit the Secretary to have access to their facilities, books, records, and other sources of information during normal business hours, and seek records held by other persons. This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and prohibit covered entities from taking retaliatory action against individuals for filing complaints or for other activities. Proposed § 164.522(e) provided that the Secretary would inform the covered entity and the individual complainant if an investigation or review indicated a failure to comply and would seek to resolve the matter informally if possible. If the matter could not be resolved informally, the Secretary would be able to issue written findings, be required to inform the covered entity and the complainant, and be able to pursue civil enforcement action or make a criminal referral. The Secretary would also be required to inform the covered entity and the individual complainant if no violation was found.
We make the following changes and additions to proposed § 164.522 in the final rule. First, we have moved this section to part 160, as a new subpart C, "Compliance and Enforcement." Second, we add new sections that explain the applicability of these provisions and incorporate certain definitions. Accordingly, we change the proposed references to violations to "this subpart" to violations of "the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter." Third, the final rule at § 160.306(a) provides that any person, not just an "individual" (the person who is the subject of the individually identifiable health information) may file a complaint with the Secretary. Other references in this subpart to an individual have been changed accordingly. Fourth, we delete the proposed § 164.522(a) language that indicated that the Secretary would not determine whether information was accurate or complete, or whether errors or omissions might have an adverse effect on the individual. While the policy is not changed in that the Secretary will not make such determinations, we believe the language is unnecessary and may suggest that we would make all other types of determinations, such as all determinations in which the regulation defers to the professional judgment of the covered entity. Fifth, § 160.306(b)(3) requires that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. Sixth, § 160.310(b) requires cooperation with investigations as well as compliance reviews. Seventh, § 160.310 (c)(1) provides that the Secretary must be provided access to a covered entity's facilities, books, records, accounts, and other sources of information, including protected health information, at any time and without notice where exigent circumstances exist, such as where documents might be hidden or destroyed. Eighth, the provision proposed at § 164.522(d) that would prohibit covered entities from taking retaliatory action against individuals for filing a complaint with the Secretary or for certain other actions has been changed and moved to § 164.530. Ninth, § 160. 312(a)(2) deletes the reference in the proposed rule to using violation findings as a basis for initiating action to secure penalties. This deletion is not a substantive change. This language was removed because penalties will be addressed in the enforcement regulation. As in the NPRM, the Secretary may promulgate alternative procedures for complaints relating to national security. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.
The Department plans to issue an Enforcement Rule that applies to all of the regulations that the Department issues under the Administrative Simplification provisions of HIPAA. This regulation will address the imposition of civil monetary penalties and the referral of criminal cases where there has been a violation of this rule. Penalties are provided for under section 262 of HIPAA. The Enforcement Rule would also address the topics covered by Subpart C below. It is expected that this Enforcement Rule would replace Subpart C.