J. Compliance and Enforcement. (§ 164.522)

1. Compliance

[Please label written comments about this section with the subject: “Compliance.”]

The rules proposed below at § 164.522 would establish several requirements designed to enable the Secretary to monitor and seek to ensure compliance with the provisions of this subpart. The general philosophy of this section is to provide a cooperative approach to obtaining compliance, including use of technical assistance and informal means to resolve disputes. However, in recognition of the fact that it would not always be possible to achieve compliance through cooperation, the section also would provide the Secretary with tools for carrying out her statutory mandate to achieve compliance.

a. Principles for achieving compliance.

Proposed § 164.522(a) would establish the principle that the Secretary will seek the cooperation of covered entities in obtaining compliance. Section 164.522(a)(2) provides that the Secretary could provide technical assistance to covered entities to help them come into compliance with this subpart. It is clearly in the interests of both the covered entities and the individuals they serve to minimize the costs of compliance with the privacy standards. To the extent that the Department could facilitate this by providing technical assistance, it would endeavor to do so.

b. Individual complaints and compliance reviews.

We are proposing in § 164.522(b) that individuals have the right to file a complaint with the Secretary if they believe that a covered plan or provider has failed to comply with the requirements of this subpart. Because individuals would have received notice, pursuant to proposed § 164.512, of the uses and disclosures that the entity could make and of the entity’s privacy practices, they would have a basis for making a realistic judgment as to when a particular action or omission would be improper. The notice would also inform individuals how they could find out how to file such complaints. We thus consider the proposed complaint right to be one that could realistically be exercised by individuals, given the regulatory structure proposed.

We are concerned about the burden that handling the potential volume of such complaints would create for this Department, but we recognize that such a complaint mechanism would provide helpful information about the privacy practices of covered plans or providers and could serve to identify particularly troublesome compliance problems on an early basis.

The procedures proposed in this section are modeled on those used by the Department’s Office for Civil Rights, although they would be adapted to reflect the requirements of this subpart. We would require complainants to identify the entities and describe the acts or omissions alleged to be out of compliance and would require individuals to file such complaints within 180 days of those acts or omissions. We have tried to keep the requirements for filing complaints as minimal as possible, to facilitate use of this right. The Secretary would also attempt to keep the identity of complainants confidential, if possible. However, we recognize that it could be necessary to disclose the identity of complainants in order to investigate the substance of their complaints, and the rules proposed below would permit such disclosures.

The Secretary could promulgate alternative procedures for complaints based on agency-specific concerns. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.

The Secretary would try to resolve complaints on an informal basis wherever possible. Where a resolution could not be reached, the Secretary could make a formal finding of noncompliance. However, resolution could occur, and an agreement reached with the covered entity, even after a finding that a violation occurred. The Secretary could use the finding as a basis to initiate an action under section 1176 of the Act or to refer the matter to the Department of Justice for prosecution under section 1177 of the Act. It should be recognized that the decision to initiate an action under either section of the law would be a discretionary one, and proposed § 164.522 would not require such prosecutorial action to be taken. Proposed § 164.522(e)(1)(ii) would, however, permit the use of findings made in connection with a complaint, group of complaints, or compliance review to be acted on in this fashion.

The rules proposed below also would provide that the Secretary would inform both the covered plan or provider and the complainant, whenever a decision was made on a complaint.

We are proposing in § 164.522(c) that the Secretary could conduct compliance reviews to determine whether covered entities are in compliance. A compliance review could be based on information indicating a possible violation of this subpart even though a formal complaint has not been filed. As is the case with a complaint investigation, a compliance review may examine the policies, practices or procedures of a covered entity and may result in voluntary compliance or in a violation or no violation finding.

c. Responsibilities of covered entities.

Proposed § 164.522(d) establishes certain obligations for covered entities that would be necessary to enable the Secretary to carry out her statutory role to determine their compliance with these requirements. Proposed § 164.522(d)(1) would require covered entities to maintain records as directed. Proposed § 164.522(d)(2) would require them to participate as required in compliance reviews. Proposed § 164.522(d)(3) would affirmatively establish their obligation to provide information to the Secretary upon demand. Finally, paragraph (d)(4) would prohibit intimidating, discriminatory or other retaliatory actions by a covered entity against a person who files a complaint with the Secretary; testifies, assists or participates in any manner in an investigation, compliance review, proceeding, or hearing under this Act; or opposes any act or practice made unlawful by this subpart. This language is modeled after the Americans with Disabilities Act and title VII of the Civil Rights Act of 1964. Prohibitions against retaliation are also common throughout Department programs. The experience of the federal government in enforcing civil rights and other laws has been that voluntary compliance with and effective enforcement of such laws depend in large part on the initiative of persons opposed to illegal practices. If retaliation for opposing practices that a person reasonably believes are unlawful were permitted to go unremedied, it would have a chilling effect upon the willingness of persons to speak out and to participate in administrative processes under this subpart.

Opposition to practices of covered entities refers to a person’s communication of his or her good faith belief that a covered entity’s activities violate this subpart. Opposition includes, but is not limited to, filing a complaint with the covered entity under § 164.518(d) and making a disclosure as a whistleblower under § 164.518(c)(4). This provision would not protect a person whose manner of opposition is so unreasonable that it interferes with the covered entity's legitimate activities. This provision would cover situations such as where an employee of a physician is fired in retaliation for confronting the doctor regarding her practice of illegally disclosing individuals' records or where a health plan drops coverage after an enrollee argues to the plan that he has a right of access to his records.

We recognize that under these requirements the covered entity would be disclosing protected health information to representatives of the Department when such information is relevant to a compliance investigation or assessment. We recognize that this would create a mandatory disclosure of protected health information and that such a requirement carries significant privacy concerns. Those concerns must, however, be weighed against the need to obtain compliance by entities with the privacy standards, and to protect against future improper uses and disclosures of protected health information. The proposed rule accordingly attempts to strike a balance between these interests, providing that the Department would not disclose such information, except as may be necessary to enable the Secretary to ascertain compliance with this subpart or in enforcement proceedings or as otherwise required by law.