Civil Monetary Penalties for HIPAA Enforcement Rule
On Monday, June 16, 2003 the Health Privacy Project filed comments
on the Interim Final Rule on Civil Monetary Penalties for HIPAA.
The full text of HPPs comments is available at HPPs
This interim final rule is HHS first installment of a bigger
rule that the Department intends to promulgate in the future for
the enforcement of HIPAA, called the "Enforcement Rule."
The Enforcement Rule will set procedural and substantive requirements
for the imposition of civil monetary penalties.
In this first installment, HHS has set out to inform regulated
entities about their approach to enforcement and to inform them
of a few basic procedural rules that will govern enforcement.
All of the substantive issues about enforcement - such as what
will actually constitute a violation, and how will penalties be
determined - and much of the more complicated procedural questions
will be addressed in the bigger "Enforcement Rule" that
The Health Privacy Projects comments emphasized two points.
First, HPP is concerned with the Secretary of Health and Human
Services' general approach to enforcement of the privacy rules,
which is to primarily respond to complaints about possible violations
of the rules instead of actively monitoring entities covered by
the rules to ensure compliance.
In our comments we are asking for the routine monitoring of covered
entities for compliance, for an annual report by HHS accounting
for enforcement activities and for better education of the public
regarding its rights, if HHS is to rely on the public's complaints
Second, HPP is also very concerned by the absence in this interim
final rule of any role in the enforcement process for the individual
whose privacy was violated by the unlawful use or disclosure of
his or her sensitive medical information. Under HIPAA, consumers
do not have a private right of action; instead the Secretary of
Health and Human Services can initiate an investigation and enforcement
We suggest ways in which the role of the individual harmed can
be strengthened in the enforcement proceedings, including notification
of the individual and acceptance of testimony or written statements
by the individual in the proceedings.
For further information please contact
Health Privacy Project
at 202-721 5614 or