Industries & Practices

Health Care Industry

    Back

    HIPAA Regulations: Compliance and Enforcement: Responsibilities of Covered Entities - § 160.310

    As Contained in the HHS HIPAA Rules

     

    HHS Regulations as Amended January 2013
    Compliance and Enforcement: Responsibilities of Covered Entities - § 160.310

     

    (a) Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.

    (b) Cooperate with complaint investigations and compliance reviews. A covered entity or business associate must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity or business associate to determine whether it is complying with the applicable administrative simplification provisions.

    (c) Permit access to information. (1) A covered entity or business associate must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity or business associate must permit access by the Secretary at any time and without notice.

    (2) If any information required of a covered entity or business associate under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity or business associate must so certify and set forth what efforts it has made to obtain the information.

    (3) Protected health information obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable administrative simplification provisions, if otherwise required by law, or if permitted under 5 U.S.C. 552a(b)(7).

     

    HHS Description and Commentary From the January 2013 Amendments
    Compliance and Enforcement: Responsibilities of Covered Entities

     

    Proposed Rule

    Section 160.310 requires that covered entities make information available to and cooperate with the Secretary during complaint investigations and compliance reviews.

    Section 160.310(c)(3) provides that any protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed by the Secretary, except as necessary for determining and enforcing compliance with the HIPAA Rules or as otherwise required by law. In the proposed rule, we proposed to modify this paragraph to also allow the Secretary to disclose protected health information if permitted under the Privacy Act at 5 U.S.C. 552a(b)(7).

    Section 5 U.S.C. 552a(b)(7) permits the disclosure of a record on an individual contained within a government system of records protected under the Privacy Act to another agency or instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law and if the agency has made a written request to the agency that maintains the record. The proposed change would permit the Secretary to coordinate with other law enforcement agencies, such as the State Attorneys General pursuing civil actions to enforce the HIPAA Rules on behalf of State residents pursuant to section 13410(e) of the Act, or the FTC pursuing remedies under other consumer protection authorities.

    Overview of Public Comments

    One commenter requested clarification and transparency on how or if Federal regulators such as OCR and the FTC will collaborate, when such information sharing will be initiated or occur as a routine process, or whether Federal and State agencies will work together to enforce suspected violations.

    Final Rule

    To facilitate cooperation between the Department and other law enforcement agencies, the final rule adopts the modifications to § 160.310(c)(3) as proposed in the NPRM. In response to the comment regarding transparency in how the Department is or will cooperate with other agencies in enforcement, we note that the Department’s web site at http://www.hhs.gov/ocr/enforcement/ contains information about how the Department coordinates with the Department of Justice to refer cases involving possible criminal HIPAA violations and how the Department has worked with the FTC to coordinate enforcement actions for violations that implicate both HIPAA and the FTC Act. Further, the Department will be working closely with State Attorneys General to coordinate enforcement in appropriate cases, as provided under section 13410(e) of the HITECH Act. The Department will continue to update its web site as necessary and appropriate to maintain transparency with the public and the regulated community about these coordinated activities and its other enforcement actions and activities.

     

    HHS Description From the Original Rulemaking
    Compliance and Enforcement: Responsibilities of Covered Entities

     

    Note: The HHS Description is the same as for § 164.300

    Proposed § 164.522 included five paragraphs addressing activities related to the Secretary’s enforcement of the rule. These provisions were based on procedures and requirements in various civil rights regulations. Proposed § 164.522(a) provided that the Secretary would, to the extent practicable, seek the cooperation of covered entities in obtaining compliance, and could provide technical assistance to covered entities to help them comply voluntarily. Proposed § 164.522(b) provided that individuals could file complaints with the Secretary. However, where the complaint related to the alleged failure of a covered entity to amend or correct protected health information as proposed in the rule, the Secretary would not make certain determinations such as whether protected health information was accurate or complete. This paragraph also listed the requirements for filing complaints and indicated that the Secretary may investigate such complaints and what might be reviewed as part of such investigation.

    Under proposed § 164.522(c), the Secretary would be able to conduct compliance reviews. Proposed § 164.522(d) described the responsibilities that covered entities keep records and reports as prescribed by the Secretary, cooperate with compliance reviews, permit the Secretary to have access to their facilities, books, records, and other sources of information during normal business hours, and seek records held by other persons. This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and prohibit covered entities from taking retaliatory action against individuals for filing complaints or for other activities. Proposed § 164.522(e) provided that the Secretary would inform the covered entity and the individual complainant if an investigation or review indicated a failure to comply and would seek to resolve the matter informally if possible. If the matter could not be resolved informally, the Secretary would be able to issue written findings, be required to inform the covered entity and the complainant, and be able to pursue civil enforcement action or make a criminal referral. The Secretary would also be required to inform the covered entity and the individual complainant if no violation was found.

    We make the following changes and additions to proposed § 164.522 in the final rule. First, we have moved this section to part 160, as a new subpart C, “Compliance and Enforcement.” Second, we add new sections that explain the applicability of these provisions and incorporate certain definitions. Accordingly, we change the proposed references to violations to “this subpart” to violations of “the applicable requirements of part 160 and the applicable standards, requirements, and implementation specifications of subpart E of part 164 of this subchapter.” Third, the final rule at § 160.306(a) provides that any person, not just an “individual” (the person who is the subject of the individually identifiable health information) may file a complaint with the Secretary. Other references in this subpart to an individual have been changed accordingly. Fourth, we delete the proposed § 164.522(a) language that indicated that the Secretary would not determine whether information was accurate or complete, or whether errors or omissions might have an adverse effect on the individual. While the policy is not changed in that the Secretary will not make such determinations, we believe the language is unnecessary and may suggest that we would make all other types of determinations, such as all determinations in which the regulation defers to the professional judgment of the covered entity. Fifth, § 160.306(b)(3) requires that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred, unless this time limit is waived by the Secretary for good cause shown. Sixth, § 160.310(b) requires cooperation with investigations as well as compliance reviews. Seventh, § 160.310 (c)(1) provides that the Secretary must be provided access to a covered entity’s facilities, books, records, accounts, and other sources of information, including protected health information, at any time and without notice where exigent circumstances exist, such as where documents might be hidden or destroyed. Eighth, the provision proposed at § 164.522(d) that would prohibit covered entities from taking retaliatory action against individuals for filing a complaint with the Secretary or for certain other actions has been changed and moved to § 164.530. Ninth, § 160. 312(a)(2) deletes the reference in the proposed rule to using violation findings as a basis for initiating action to secure penalties. This deletion is not a substantive change. This language was removed because penalties will be addressed in the enforcement regulation. As in the NPRM, the Secretary may promulgate alternative procedures for complaints relating to national security. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.

    The Department plans to issue an Enforcement Rule that applies to all of the regulations that the Department issues under the Administrative Simplification provisions of HIPAA. This regulation will address the imposition of civil monetary penalties and the referral of criminal cases where there has been a violation of this rule. Penalties are provided for under section 262 of HIPAA. The Enforcement Rule would also address the topics covered by Subpart C below. It is expected that this Enforcement Rule would replace Subpart C.

     

    HHS Response to Comments Received From the Original Rulemaking
    Compliance and Enforcement: Responsibilities of Covered Entities

     

    Comment: Some commenters raised objections to provisions in the proposed rule which required that covered entities maintain records and submit compliance reports as the Secretary determines is necessary to determine compliance and required that covered entities permit access by the Secretary during normal business hours to its books, records, accounts, and other sources of information, including protected health information, and its facilities, that are pertinent to ascertaining compliance with this subpart. One commenter stated that the Secretary’s access to private health information without appropriate patient consent is contrary to the intent of HIPAA. Another commenter expressed the view that, because covered entities face criminal penalties for violations, these provisions violate the Fifth Amendment protections against forced self incrimination. Other commenters stated that covered entities should be given the reason the Secretary needs to have access to its books and records. Another commenter stated that there should be a limit to the frequency or extent of intrusion by the federal government into the business practices of a covered entity and that these provisions violate the Fourth Amendment of the Constitution.

    Finally, a coalition of church plans suggested that the Secretary provide church plans with additional procedural safeguards to reduce unnecessary intrusion into internal church operations. These suggested safeguards included permitting HHS to obtain records and other documents only if they are relevant and necessary to compliance and enforcement activities related to church plans, requiring a senior official to determine the appropriateness of compliance-related activities for church plans, and providing church plans with a self-correcting period similar to that Congress expressly provided in Title I of HIPAA under the tax code.

    Response: The final rule retains the proposed language in these two provisions with one change. The rule adds a provision indicating that the Secretary’s access to information held by the covered entity may be at any time and without notice where exigent circumstances exist, such as where time is of the essence because documents might be hidden or destroyed. Thus, covered entities will generally receive notice before the Secretary seeks to access the entity’s books or records.

    Other than the exigent circumstances language, the language in these two provisions is virtually the same as the language in this Department’s regulation implementing Title VI of the Civil Rights Act of 1964. 45 CFR 80.6(b) and (c). The Title VI regulation is incorporated by reference in other Department regulations prohibiting discrimination of the basis of disability. 45 CFR 84.61. Similar provisions allowing this Department access to recipient information is found in the Secretary’s regulation implementing the Age Discrimination Act. 45 CFR 91.34. These provisions have not proved to be burdensome to entities that are subject to these civil rights regulations (i.e., all recipients of Department funds).

    We do not interpret Constitutional case law as supporting the view that a federal agency’s review of information pursuant to statutory mandate violates the Fifth Amendment protections against forced self incrimination. Nor would such a review of this information raise Fourth Amendment problems. See discussion above regarding Constitutional comments and responses.

    We appreciate the concern that the Secretary not involve herself unnecessarily into the internal operations of church plans. However, by providing health insurance or care to their employees, church plans are engaging in a secular activity. Under the regulation, church plans are subject to the same compliance and enforcement requirements with which other covered entities must comply. Because Congress did not carve out specific exceptions or require stricter standards for investigations related to church plans, incorporating such measures into the regulation would be inappropriate.

    Additionally, there is no indication that the regulation will directly interfere with the religious practices of church plans. Also, the regulation as written appropriately limits the ability of investigators to obtain information from covered entities. The regulation provides that the Secretary may obtain access only to information that is pertinent to ascertain compliance with the regulation. We do not anticipate asking for information that is not necessary to assess compliance with the regulation. The purpose of obtaining records and similar materials is to determine compliance, not to engage in any sort of review or evaluation of religious activities or beliefs. Therefore, we believe the regulation appropriately balances the need to access information to determine compliance with the desire of covered entities to avoid opening every record in their possession to the government.

    Provision of Technical Assistance

    Comment: A number of commenters inquired as to how a covered entity can request technical assistance from the Secretary to come into compliance. A number of commenters suggested that the Secretary provide interpretive guidance to assist with compliance. Others recommended that the Secretary have a contact person or privacy official, available by telephone or email, to provide guidance on the appropriateness of a disclosure or a denial of access. One commenter suggested that there be a formal process for a covered entity to submit compliance activities to the Secretary for prior approval and clarification. This commenter suggested that clarifications be published on a contemporaneous basis in the Federal Register to help correct any ambiguities and confusion in implementation. It was also suggested that the Secretary undertake an assessment of “best practices” of covered entities and document and promote the findings to serve as a convenient “road map” for other covered entities. Another commenter suggested that we work with providers to create implementation guidelines modeled after the interpretative guidelines that HCFA creates for surveyors on the conditions of participation for Medicare and Medicaid contractors.

    Response: While we have not in the final rule committed the Secretary to any specific model of providing guidance or assistance, we do state our intent, subject to budget and staffing constraints, to develop a technical assistance program that will include the provision of written material when appropriate to assist covered entities in achieving compliance. We will consider other models including HCFA’s Medicare and Medicaid interpretative guidelines. Further information regarding the Secretary’s technical assistance program may be provided in the Federal Register and on the HHS Office for Civil Rights (OCR) Web Site. While OCR plans to have fully trained staff available to respond to questions, its ability to provide individualized advice in regard to such matters as the appropriateness of a particular disclosure or the sufficiency of compliance activities will be based on staff resources and demands. The idea of looking at “best practices” and sharing information with all covered entities is a good one and we will explore how best to do this. We note that a covered entity is not excused from compliance with the regulation because of any failure to receive technical assistance or guidance.

    Basis for Violation Findings and Enforcement

    Comment: A number of commenters asked that covered entities not be liable for violations of the rule if they have acted in good faith. One commenter indicated that enforcement actions should not be pursued against covered entities that make legitimate business decisions about how to comply with the privacy standards.

    Response: The commenters seemed to argue that even if a covered entity does not comply with a requirement of the rule, the covered entity should not be liable if there was an honest and sincere intention or attempt to fulfill its obligations. The final rule, however, does not take this approach but instead draws careful distinctions between what a covered entity must do unconditionally, and what a covered entity must make certain reasonable efforts to do. In addition, the final rule is clear as to the specific provisions where “good faith” is a consideration. For example, a covered entity is permitted to use and disclose protected health information without authorization based on criteria that includes a good faith belief that such use or disclosure is necessary to avert an imminent threat to health or safety (§ 164.512(j)(1)(i)). Therefore, covered entities need to pay careful attention to the specific language in each requirement. However, we note that many of these provisions can be implemented in a variety of ways; e.g, covered entities can exercise business judgment regarding how to conduct staff training.

    As to enforcement, a covered entity will not necessarily suffer a penalty solely because an act or omission violates the rule. As we discuss elsewhere, the Department will exercise discretion to consider not only the harm done, but the willingness of the covered entity to achieve voluntary compliance. Further, the Administrative Simplification provisions of HIPAA provide that whether a violation was known or not is relevant in determining whether civil or criminal penalties apply. In addition, if a civil penalty applies, HIPAA allows the Secretary, where the failure to comply was due to reasonable cause and not to willful neglect, to delay the imposition of the penalty to allow the covered entity to comply. The Department will develop and release for public comment an enforcement regulation applicable to all the administrative simplification regulations that will address these issues.

    Comment: One commenter asked whether hospitals will be vicariously liable for the violations of their employees and expressed concern that hospitals and other providers will be the ones paying large fines.

    Response: The enforcement regulation will address this issue. However, we note that section 1128A(1) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency. Therefore, a covered entity will generally be responsible for the actions of its employees such as where the employee discloses protected health information in violation of the regulation.

    Comment: A commenter expressed the concern that if a covered entity acquires a non-compliant health plan, it would be liable for financial penalties. This commenter suggested that, at a minimum, the covered entity be given a grace period of at least a year, but not less than six months to bring any acquisition up to standard. The commenter stated that the Secretary should encourage, not discourage, compliant companies to acquire non-compliant ones. Another commenter expressed a general concern about resolution of enforcement if an entity faced with a HIPAA complaint acquires or merges with an entity not covered by HIPAA.

    Response: As discussed above, the Secretary will encourage voluntary efforts to cure violations of the rule, and will consider that fact in determining whether to bring a compliance action. We do not agree, however, that we should limit our authority to pursue violations of the rule if the situation warrants it.

    Comment: One commenter was concerned about the “undue risk” of liability on originators of information, stemming from the fact that “the number of covered entities is limited and they are unable to restrict how a recipient of information may use or re-disclose information...”

    Response: Under this rule, we do not hold covered entities responsible for the actions of recipients of protected health information, unless the recipient is a business associate of the covered entity. We agree that it is not fair to hold covered entities responsible for the actions of persons with whom they have no on-going relationship, but believe it is fair to expect covered entities to hold their business associates to appropriate standards of behavior with respect to health information.

    Other Compliance and Enforcement Comments

    Comment: A number of comments raised questions regarding the Secretary’s priorities for enforcement. A few commenters stated that they supported deferring enforcement until there is experience using the proposed standards. One organization asked that we clarify that the regulation does not replace or otherwise modify the self-regulatory/consumer empowerment approach to consumer privacy in the online environment.

    Response: We have not made any decisions regarding enforcement priorities. It appears that some commenters believe that no enforcement action will be taken against a given covered entity until that entity has had some time to comply. Covered entities have two years to come into compliance with the regulation (three years in the case of small health plans). Some covered entities will have had experience using the standards prior to the compliance date. We do not agree that we should defer enforcement where violations of the rule occur. It would be wrong for covered entities to believe that enforcement action is based on their not having much experience in using a particular standard or meeting another requirement.

    We support a self-regulation approach in that we recognize that most compliance will be achieved by the voluntary activities of covered entities rather than by our enforcement activities. Our emphasis will be on education, technical assistance, and voluntary compliance and not on finding violations and imposing penalties. We also support a consumer empowerment approach. A knowledgeable consumer is key to the effectiveness of this rule. A consumer familiar with the requirements of this rule will be equipped to make choices regarding which covered entity will best serve their privacy interests and will know their rights under the rule and how they can seek redress for violations of this rule. Privacy-minded consumers will seek to protect the privacy rights of others by bringing concerns to the attention of covered entities, the public, and the Secretary. However, we do not agree that we should defer enforcement where violations of the rule occur.

    Comment: One commenter expressed concern that by filing a complaint an individual would be required to reveal sensitive information to the public. Another commenter suggested that complaints regarding noncompliance in regard to psychotherapy notes should be made to a panel of mental health professionals designated by the Secretary. This commenter also proposed that all patient information be maintained as privileged, not be revealed to the public, and be kept under seal after the case is reviewed and closed.

    Response: We appreciate this concern and will seek to ensure that individually identifiable health information and other personal information contained in complaints will not be available to the public. The privacy regulation provides, at § 160.310(c)(3), that protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed except if necessary for ascertaining or enforcing compliance with the regulation or if required by law. In addition, this Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and program responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR Part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. In implementing the privacy regulation, OCR plans to continue its current practice of protecting its complaint files from disclosure. OCR treats these files as investigatory records compiled for law enforcement purposes. Moreover, OCR maintains that disclosing protected health information in these files generally constitutes an unwarranted invasion of personal privacy.

    It is not clear in regarding the use of mental health professionals, whether the commenter believes that such professionals should be involved because they would be best able to keep psychotherapy notes confidential or because such professionals can best understand the meaning or relevance of such notes. OCR anticipates that it will not have to obtain a copy or review psychotherapy notes in investigating most complaints regarding noncompliance in regard to such notes. There may be some cases where a review of the notes may be needed such as where we need to identify that the information a covered entity disclosed was in fact psychotherapy notes. If we need to obtain a copy of psychotherapy notes, we will keep these notes confidential and secure. OCR investigative staff will be trained to ensure that they fully respect the confidentiality of personal information. In addition, while the specific contents of these notes is generally not relevant to violations under this rule, if such notes are relevant, we will secure the expertise of mental health professionals if needed in reviewing psychotherapy notes.

    Comment: A member of Congress and a number of privacy and consumer groups expressed concern with whether OCR has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Senator stated that "[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for OCR to begin building the necessary infrastructure to enforce the regulation effectively."

    Response: We agree and are committed to an effective enforcement program. We are working with Congress to ensure that the Secretary has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations, and to use civil and criminal penalties when necessary. We will continue to work with Congress and within the new Administration in this regard.

    Coordination with Reviewing Authorities

    Comment: A number of commenters referenced other entities that already consider the privacy of health information. One commenter indicated opposition to the delegation of inspections to third party organizations, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). A few commenters indicated that state agencies are already authorized to investigate violations of state privacy standards and that we should rely on those agencies to investigate alleged violations of the privacy rules or delegate its complaint process to states that wish to carry out this responsibility or to those states that have a complaint process in place. Another commenter argued that individuals should be required to exhaust any state processes before filing a complaint with the Secretary. Others referenced the fact that state medical licensing boards investigate complaints against physicians for violating patient confidentiality. One group asked that the federal government streamline all of these activities so physicians can have a single entity to whom they must be responsive. Another group suggested that OMB should be given responsibility for ensuring that FEHB Plans operate in compliance with the privacy standards and for enforcement.

    A few commenters stated that the regulation might be used as a basis for violation findings and subsequent penalties under other Department authorities, such as under Medicare’s Conditions of Participation related to patient privacy and right to confidentiality of medical records. One commenter wanted some assurance that this regulation will not be used as grounds for sanctions under Medicare. Another commenter indicated support for making compliance with the privacy regulation a Condition of Participation under Medicare.

    Response: HIPAA does not give the Secretary the authority to delegate her responsibilities to other private or public agencies such as JCAHO or state agencies. However, we plan to explore ways that we may benefit from current activities that also serve to protect the privacy of individually identifiable health information. For example, if we conduct an investigation or review of a covered entity, that entity may want to share information regarding findings of other bodies that conducted similar reviews. We would welcome such information. In developing its enforcement program, we may explore ways it can coordinate with other regulatory or oversight bodies so that we can efficiently and effectively pursue our joint interests in protecting privacy.

    We do not accept the suggestion that individuals be required to exhaust their remedies under state law before filing a complaint with the Secretary. Our rationale is similar to that discussed above in regard to the suggestion that covered entities be required to exhaust a covered entity’s internal complaint process before filing a complaint with the Secretary. Congress provided for federal privacy protection and we want to allow individuals the right to this protection without barriers or delay. Covered entities may in their privacy notice inform individuals of any rights they have under state law including any right to file privacy complaints. We do not have the authority to interfere with state processes and HIPAA explicitly provides that we cannot preempt state laws that provide greater privacy protection.

    We have not yet addressed the issue as to whether this regulation might be used as a basis for violation findings or penalties under other Department authorities. We note that Medicare conditions of participation require participating providers to have procedures for ensuring the confidentiality of patient records, as well as afford patients with the right to the confidentiality of their clinical records.

    Penalties

    Comment: Many commenters considered the statutory penalties insufficient to protect privacy, stating that the civil penalties are too weak to have the impact needed to reduce the risk of inappropriate disclosure. Some commenters took the opposing view and stated that large fines and prison sentences for violations would discourage physicians from transmitting any sort of health care information to any other agency, regardless of the medical necessity. Another comment expressed the concern that doctors will be at risk of going to jail for protecting the privacy of individuals (by not disclosing information the government believes should be released).

    Response: The enforcement regulation will address the application of the civil monetary and criminal penalties under HIPAA. The regulation will be published in the Federal Register as a proposed regulation and the public will have an opportunity to comment. We do not believe that our rule, and the penalties available under it, will discourage physicians and other providers from using or disclosing necessary information. We believe that the rule permits physicians to make the disclosures that they need to make under the health care system without exposing themselves to jeopardy under the rule. We believe that the penalties under the statute are woefully inadequate. We support legislation that would increase the amount of these penalties.

    Comment: A number of commenters stated that the regulations should permit individuals to sue for damages caused by breaches of privacy under these regulations. Some of these commenters specified that damages, equitable relief, attorneys fees, and punitive damages should be available. Conversely, one comment stated that strong penalties are necessary and would preclude the need for a private right of action. Another commenter stated that he does not believe that the statute intended to give individuals the equivalent of a right to sue, which results from making individuals third party beneficiaries to contracts between business partners.

    Response: We do not have the authority to provide a private right of action by regulation. As discussed below, the final rule deletes the third party beneficiary provision that was in the proposed rule.

    However, we believe that, in addition to strong civil monetary penalties, federal law should allow any individual whose rights have been violated to bring an action for actual damages and equitable relief. The Secretary’s Recommendations, which were submitted to Congress on September 11, 1997, called for a private right of action to permit individuals to enforce their privacy rights.

    Comment: One comment stated that, in calculating civil monetary penalties, the criteria should include aggravating or mitigating circumstances and whether the violation is a minor or first time violation. Several comments stated that penalties should be tiered so that those that commit the most egregious violations face stricter civil monetary penalties.

    Response: As mentioned above, issues regarding civil fines and criminal penalties will be addressed in the enforcement regulation.

    Comment: One comment stated that the regulation should clarify whether a single disclosure that involved the health information of multiple parties would constitute a single or multiple infractions, for the purpose of calculating the penalty amount.

    Response: The enforcement regulation will address the calculation of penalties. However, we note that section 1176 subjects persons to civil monetary penalties of not more than $100 for each violation of a requirement or prohibition and not more than $25,000 in a calendar year for all violations of an identical requirement or prohibition. For example, if a covered entity fails to permit amendment of protected health information for 10 patients in one calendar year, the entity may be fined up to $1000 ($100 times 10 violations equals $1000).