II. General Approach
As the discussion above makes clear, the duty to comply with certain of the HIPAA rules is now a reality for many, if not most, covered entities. The immediacy of the compliance obligation brings with it the issue of how these rules will be enforced. Accordingly, we lay out below our general approach to enforcement. We then discuss how the rules below will fit in with the projected Enforcement Rule in its entirety and the basic approach of the interim final rule.
HHS's General Approach to Enforcement
The Department intends to seek and promote voluntary compliance with the rules promulgated to carry out the HIPAA provisions. With respect to the Privacy Rule, OCR has developed and is continuing to produce guidance and a wide array of other technical assistance materials to help covered entities effectively implement the Privacy Rule. These materials are available on the OCR Privacy web site at http://www.hhs.gov/ocr/hipaa. These efforts will continue after the April 14, 2003 compliance date, as OCR learns from its compliance activities and from those who are implementing the Privacy Rule where additional guidance and assistance are needed. Other components of the Department are also developing guidance and technical assistance on the Privacy Rule for their partners.
This approach reflects the requirements in 45 CFR part 160, subpart C, that, to the extent practicable, OCR will seek the cooperation of covered entities in obtaining compliance with the Privacy Rule, and may provide technical assistance to help covered entities voluntarily comply with the Rule. See 45 CFR 160.304. As further provided in 45 CFR 160.312(a)(2), OCR will seek to resolve matters by informal means before issuing findings of non-compliance, under its authority to investigate and resolve complaints, and to engage in compliance reviews.
With respect to enforcement of the remainder of the HIPAA rules, the enforcement approach of CMS is similar. "Enforcement activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan." HHS press release of October 15, 2002, announcing assignment of enforcement responsibility to CMS. CMS provides a wide variety of technical assistance and informational materials on its website, at www.cms.gov/hipaa/hipaa2.
HHS's Approach to the Enforcement Rule
As noted above, HHS intends to issue an Enforcement Rule in furtherance of its implementation of 42 U.S.C. 1320d-5. The Enforcement Rule, in its entirety, will address a number of substantive issues relating to the imposition of CMPs under section 1320d-5, such as the Department's policies for determining violations and calculating CMPs. In addition, the Enforcement Rule will establish various procedures for the imposition of CMPs, including the procedures for providing notice and a hearing on the Secretary's determination to impose a CMP. This interim final rule implements this latter aspect of the Enforcement Rule.
We recognize that under the Administrative Procedure Act ("APA") most of the above-described provisions of the Enforcement Rule must be promulgated through notice-and-comment rulemaking. We intend to do so. However, to allow covered entities and the public to be informed as soon as possible of procedural requirements that will apply as compliance proceeds, we are expediting the publication of these procedural rules in final form. These rules set out the procedures for provision by the agency of the statutorily required notice and hearing and procedures for issuing administrative subpoenas. Such provisions are exempted from the requirement for notice-and-comment rulemaking under the "rules of agency ... procedure, or practice" exemption at 5 U.S.C. 553(b)(3)(A). Even though notice-and-comment rulemaking is, therefore, not required with respect to the procedural rules adopted below, HHS is interested in input from the public, and thus is requesting public comment on them. We expect to augment these procedural rules with provisions that, while related to procedure, are substantive in nature. We anticipate including those provisions in the notice-and-comment rulemaking that we plan for the remainder of the Enforcement Rule. In any event, we plan to revise the procedural rule by the expiration date.
Approach of the Interim Final Rule
As noted above, the provisions of 42 U.S.C. 1320a-7a apply to the imposition of a CMP under 42 U.S.C. 1320d-5 "in the same manner as" they apply to the imposition of CMPs under section 1320a-7a itself. Within HHS, section 1320a-7a is implemented by the Office of Inspector General ("OIG") and, as pertinent here, through the OIG regulations that are codified at 42 CFR parts 1003, 1005, and 1006. We have used the OIG regulations as the platform for the rules below for two reasons. First, we read the "in the same manner as" language of the statute as indicating that the procedures for the imposition of CMPs under 42 U.S.C. 1320d-5 should be, in general, similar to those used by the OIG under 42 U.S.C. 1320a-7a. Second, HHS and much of the health care industry have operated under the OIG regulations implementing section 1320a-7a for more than a decade. There is, thus, a significant body of experience with, and understanding of, the OIG procedural rules, both within HHS and in a large part of the regulated universe. Based on this experience, we believe that the rules below will be workable and promote the efficient resolution of cases where the Secretary's proposed imposition of a CMP is challenged.
Accordingly, the rules below are based upon, and are in many respects the same as, the OIG regulations at 42 CFR parts 1003, 1005, and 1006. We have adapted, re-ordered, or combined the OIG language in a number of places for clarity of presentation or to reflect concepts peculiar to the HIPAA provisions or rules. To avoid confusion, we have also employed certain language usages in order to make the usage in the rules below consistent with that in the other HIPAA rules (for example, for mandatory duties, "must" instead of "will" or "shall"; for discretionary duties, "may" instead of "has the authority to"). We do not discuss those nonsubstantive changes below. Where we have materially changed the language of the OIG regulations, however, we discuss our reasons for doing so.
We also note that the rules below, as well as the Enforcement Rule as a whole, are not HIPAA standards, and thus the requirement for industry consultations in 42 U.S.C. 1320d-1(c) does not apply. Therefore, we have not engaged in such consultations with respect to the interim final rule below. For the same reason, HIPAA's timeframes for compliance (42 U.S.C. 1320d-4) do not apply to the interim final rule below.