Thursday, July 31, 2003

Enforcing HIPAA
Q. Implementation of the HIPAA Transaction Code Sets occurs Oct. 16 for those home care and DMEPOS companies that filed for extensions. What kind of enforcement are we facing?

A. HHS recently issued an interim final rule that establishes procedures for the imposition of civil money penalties (CMPs) on entities, including DMEPOS companies, that violate standards adopted under HIPAA. The Department of Justice (DOJ) is charged with the responsibility of enforcing criminal penalties. While there are limitations on the amount of CMPs that can be imposed, the Interim Rule also provides exceptions. For example, when the violations involve extreme misconduct, matters will be referred to the DOJ for action. Exceptions also may lie and waivers may be offered where the conduct is not egregious. Substantive limitations on HHS’s authority to impose CMPs include:

- CMPs may not be imposed if the responsible party did not know, and would not have known, if reasonable diligence had been exercised, that a provision of HIPAA was being violated;

- CMPs may not be imposed if the failure to comply was due to reasonable cause and not due to willful neglect, and was corrected within a certain time;

- CMPs may be reduced or waived entirely to the extent that payment of the penalty would be excessive relative to the compliance failure involved; and

- HHS may not initiate a CMP action more than six years after the alleged violation.

Written notice and an opportunity to be heard (present and cross-examine witness, etc.) must be given before a CMP can be imposed.

Corrine Parver is a healthcare partner with Dickstein Shapiro Morin & Oshinsky in Washington. Reach her at 202-775-4728 or