HIPAA Administrative Simplification; Enforcement; Proposed Rule

The Association of American Physicians & Surgeons, Inc. ("AAPS") is a nonprofit national organization consisting of thousands of physicians in all specialties. Founded in 1943, AAPS is dedicated to defending the patient-physician relationship and the ethical practice of medicine. AAPS is one of the largest physician organizations funded virtually entirely by its physician membership. This enables it to speak directly on behalf of the ethical service of patients who entrust their care to the medical profession. AAPS has commented on various regulations promulgated under HIPAA, including the Privacy Rule. AAPS has also filed amicus briefs in cases of high importance to the medical profession. See, e.g., Stenberg v. Carhart, 530 U.S. 914 (2000) (citing the submission by AAPS); United States v. Rutgard, 116 F.3d 1270 (9th Cir. 1997) (reversal of a sentence as urged by an amicus brief submitted by AAPS).

We object in general to the vagueness inherent in this proposed Rule. The Rule permits a broad array of penalties that would be arbitrary and capricious. The agency is giving itself extremely broad powers to impose fines with the only maximum being the prospect of financial ruin with a very low standard of proof, extremely short requirements for responding to discovery requests, and a methodology that gives the Secretary virtually plenary discretion to determine the number of violations and the number of provisions violated. Penalties may be called civil money penalties, but they are nevertheless so harsh that they are only appropriate for criminal offenses, and thus should require a much higher standard of proof and more extensive due process to be imposed.

For example, proposed Section 160.402(a) states that "the Secretary WILL impose a civil money penalty upon a covered entity if the Secretary determines that the covered entity has violated an administrative simplification provision" (emphasis added). Such mandatory fines are unneeded and unjustified. Though the Secretary reserves the power to compromise its fines, that reservation does not seem to encourage simple warnings instead of monetary penalties. But educational warnings would be far more appropriate, particularly in the first instance. Or has HIPAA become merely a tool for generating revenue?

In reality, the rules are so complex and broad that almost every covered entity is in violation of some provision or other. This hypothesis could be readily tested by sending a well-informed auditor to a sample of practices to see whether indeed some violation could be found in each and every one. Alternatively, it seems likely that auditors could independently review the same practice and yet come to very different conclusions about whether and how it has incurred violations.

AAPS is particularly concerned about the multiplier effect of a small violation being repeated many times. It seems likely that the $25,000 maximum would be reached if one counts each and every transaction, or each and every day or two-day period during which a violation occurs. There should be a meaningful limitation on the fine based on its financial impact relative to the entity's ability to continue to provide services.

AAPS is distressed about several glaring omissions in the proposed Rule. First, there are no provisions for sanctioning a person for bringing a negligent or malicious complaint. Second, HHS declares itself exempt from complying with the Paperwork Reduction Act, the Regulatory Flexibility Act, the Unfunded Mandates Reform Act of 1995, the Small Business Regulatory Enforcement Fairness Act of 1996, and Executive Order 13132. An effort to compute rigorously the range of potential effects is needed to assure agency accountability. The Administrative Procedure Act could not have envisioned that agencies could place themselves above the law simply by asserting that their regulations do not cross the threshold for economic significance. Included in the computation should be an estimate of the attorneys' fees that covered entities may be required to pay, observing that there are no limits placed upon these fees; the cost of complying with whatever discovery requests the Secretary chooses to impose; and the maximum reasonable amount that the HHS could collect in civil money penalties.

AAPS is particularly alarmed at the imposition of vicarious liability on a covered entity that is part of an affiliated covered entity. It appears that affiliates have no affirmative defense because a civil monetary penalty could not be avoided by a demonstration that the entity was not responsible for the act or omission constituting the violation. Thus, the Secretary seems to circumvent its burden of proof in imposing what could be a substantial, even ruinous, penalty upon an entity even though it did not intentionally violate any law. This is a violation of due process rights.

The reason given for joint and several liability is "that the affiliated covered entity is treated, under the security and privacy rules, as one entity. Thus, it may be impossible to know or prove which covered entity within an affiliated covered entity is responsible for a violation, particularly in the case of a failure to act." The example provided is that if an affiliated covered entity fails to appoint a privacy official, it may be impossible to identify one entity as being responsible for the omission.

The unjust result may be that no covered entity in an affiliated covered entity could avoid civil monetary penalties by demonstrating that it was not responsible for the act or omission. However, the maximum penalty that could be imposed on all members of the affiliated covered entity for identical violations in a calendar year would be the maximum allowed for one covered entity -- $25,000. In contrast, if more than one covered entity were responsible for a violation of an administrative simplification provision, each covered entity would be treated as separately violating the provision and each could be assessed the maximum penalty of $25,000 in a calendar year for each violation. See Section 160.402 ("if the Secretary determines that more than one covered entity was responsible for a violation, the secretary will impose a civil money penalty against each such covered entity").

AAPS requests clarification and sensible limitations on this vicarious liability. We urge HHS to adhere in all respects to the approach of the "HHS-issued guidance stating that a covered entity is not required to monitor the activities of its business associate."

Finally, AAPS objects to the proposed use of statistical sampling with extrapolation to arrive at a civil money penalty. It is stated that this must be a "valid statistical methodology," but no criteria for validity are given, even though the comments by the agency specifically acknowledge the danger of extrapolating from small sample sizes. This is again a violation of due process rights. Statistical sampling should not be permitted without clearer guidelines.

Thank you for your attention to our comments.

Respectfully submitted,

Jane M. Orient, M.D.
Executive Director