Your browser doesn't support JavaScript. Please upgrade to a modern browser or enable JavaScript in your existing browser.
U.S. Department of Health and Human Services www.hhs.gov
Agency for Healthcare Research Quality www.ahrq.gov
AHRQ Home | Questions? | Contact Us | Site Map | What's New | Browse | Información en español | E-mail UpdatesE-mail Updates
www.ahrq.gov

Back to Patient Safety Organizations Home

[Continued from previous section]

(B) Proposed Sec. 3.402(b)--Violations Attributed to a Principal

The proposed rule includes a provision, at proposed Sec. 3.402(b), that addresses the liability of a principal for a violation by a principal's agent. Proposed Sec. 3.402(b) adopts the principle that the federal common law of agency applies when addressing the liability of a principal for the acts of his or her agent. Under this principle, a provider, PSO or responsible person generally can be held liable for a violation based on the actions of any agent, including an employee or other workforce member, acting within the scope of the agency or employment. This liability is separate from the underlying liability attributable to the agent and could result in a separate and exclusive civil money penalty. In other words, a principal may be liable for a $10,000 civil money penalty and an agent may be liable for a separate $10,000 civil money penalty arising from the same act that is a violation.

Section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b- 22(f)(2), provides that "the provisions of section 1128A * * * shall apply to civil money penalties under this subsection [of the Patient Safety Act] in the same manner as such provisions apply to a penalty or proceeding under section 1128A." Section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), establishes that "a principal is liable for penalties * * * under this section for the actions of the principal's agents acting within the scope of the agency." This is similar to the traditional rule of agency in which principals are vicariously liable for the acts of their agents acting within the scope of their authority. See Meyer v. Holley, 537 U.S. 280 (2003). Therefore, a provider, PSO or responsible person generally will be responsible for the actions of its workforce members within the scope of agency, such as where an employee discloses confidential patient safety work product in violation of the confidentiality provisions during the course of his or her employment.

The determination of whether or not a principal is responsible for a violation would be based on two fact-dependent determinations. First, the Secretary must find that a principal-agent relationship exists between the person doing the violative act and the principal. If a principal-agent relationship is established, then a second determination, whether the act in violation of the confidentiality provisions was within the scope of the agency, must be made. The determination as to whether an agent's conduct is outside the scope of the agency will be dependent upon the application of the federal common law of agency to the facts.

The purpose of applying the federal common law of agency to determine when a provider, PSO, or responsible person is vicariously liable for the acts of its agents is to achieve nationwide uniformity in the implementation of the confidentiality provisions and nationwide consistency in the enforcement of these rules by OCR. Reliance on State law could introduce inconsistency in the implementation of the patient safety work product confidentiality provisions by persons or entities in different States.

Federal Common Law of Agency

A principal's liability for the actions of its agents is generally governed by State law. However, the U.S. Supreme Court has provided that the federal common law of agency may be applied where there is a strong governmental interest in nationwide uniformity and a predictable standard, and when the federal rule in question is interpreting a federal statute. Burlington Indus. v. Ellerth, 524 U.S. 742 (1998). The confidentiality and enforcement provisions of this regulation interpret a federal statute, the Patient Safety Act. Under the Patient Safety Act, there is a strong interest in nationwide uniformity in the confidentiality provisions and how those provisions are enforced. The fundamental goal of the Patient Safety Act is to promote the examination and correction of patient safety events in order to improve patient safety and create a culture of patient safety in the health care system. Therefore, it is essential for the Secretary to apply one consistent body of law regardless of where an agent is employed, an alleged violation occurred, or an action is brought. The same considerations support a strong federal interest in the predictable operation of the confidentiality provisions, to ensure that persons using patient safety work product can do so consistently so as to facilitate the appropriate exchange of information. Thus, the tests for application of the federal common law of agency are met. Where the federal common law of agency applies, the courts often look to the Restatement (Second) of Agency (1958) (Restatement) as a basis for explaining the common law's application. While the determination of whether an agent is acting within the scope of its authority must be decided on a case-by-case basis, the Restatement provides guidelines for this determination. Section 229 of the Restatement provides:

  1. To be within the scope of the employment, conduct must be of the same general nature as that authorized, or incidental to the conduct authorized.
  2. In determining whether or not the conduct, although not authorized, is nevertheless so similar to or incidental to the conduct authorized as to be within the scope of employment, the following matters of fact are to be considered;
    1. Whether or not the act is one commonly done by such servants;
    2. The time, place and purpose of the act;
    3. The previous relations between the master and the servant;
    4. The extent to which the business of the master is apportioned between different servants;
    5. Whether or not the act is outside the enterprise of the master or, if within the enterprise, has not been entrusted to any servant;
    6. Whether or not the master has reason to expect that such an act will be done;
    7. The similarity in quality of the act done to the act authorized;
    8. Whether or not the instrumentality by which the harm is done has been furnished by the master to the servant;
    9. The extent of departure from the normal method of accomplishing an authorized result; and
    10. Whether or not the act is seriously criminal.

In some cases, under federal agency law, a principal may be liable for an agent's acts even if the agent acts outside the scope of its authority. Restatement (Second) of Agency section 219 (1958). However, proposed Sec. 3.402(b) would follow section 1128A(l) of the Social Security Act, 42 U.S.C. 1320a-7a(l), which limits liability for the actions of an agent to those actions that are within the scope of the agency.

Agents

Various categories of persons may be agents of a provider, PSO, or responsible person. These persons include workforce members. We propose a slightly expanded definition of "workforce" from the term defined in the HIPAA Privacy Rule. The proposed definition of "workforce" includes employees, volunteers, trainees, contractors, and other persons whose conduct, in the performance of work for a provider, PSO or responsible person, is under the direct control of such principal, whether or not they are paid by the principal. Because of the "direct control" language of the proposed rule, we believe that all workforce members, including those who are not employees, are agents of a principal. Under the proposed rule, a principal could be liable for a violation based on an act that is a violation by any workforce member acting within the scope of employment or agency. The determinative issue is whether a person is sufficiently under the control of a person or entity and acting within the scope of the agency. Proposed Sec. 3.402(b) creates a presumption that a workforce member is an agent of an employer.

Return to top

8. Proposed Sec. 3.404--Amount of Civil Money Penalty

Proposed Sec. 3.404, the amount of the civil money penalty, is determined in accordance with section 922(f) of the Public Health Service Act, 42 U.S.C. 299b-22(f), and the provisions of this Part. Section 922(f)(1) of the Public Health Service Act, 42 U.S.C. 299b- 22(f)(1), establishes a maximum penalty amount for violations of "not more than $10,000" per person for each violation. The statutory cap is reflected in proposed Sec. 3.404(b). The statute establishes only maximum penalty amounts, so the Secretary has the discretion to impose penalties that are less than the statutory maximum. This proposed regulation would not establish minimum penalties. Under proposed Sec. 3.404(a), the penalty amount would be determined using the factors set forth in proposed Sec. 3.408, subject to the statutory maximum reflected in proposed Sec. 3.404(b). As stated in the discussion under proposed Sec. 3.402(b), a principal can be held liable for the acts of its agent acting within the scope of the agency. Read together, with proposed Sec. 3.404(b), if a principal and an agent are determined to be liable for a single act that is a violation, the Secretary may impose a penalty of up to $10,000 against each separately. That is, the $10,000 limit applies to each person separately, not the act that was a violation. Thus, in the circumstance where an agent and a principal are determined to have violated the confidentiality provisions, the Secretary may impose a civil money penalty of up to $10,000 against the agent and a civil money penalty of up to $10,000 against the principal, for a total of $20,000 for a single act that is a violation.

Return to top

9. Proposed Sec. 3.408--Factors Considered in Determining the Amount of a Civil Money Penalty

Section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), made applicable to the imposition of civil money penalties by section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), requires that, in determining the amount of "any penalty," the Secretary shall take into account: (1) The nature of the claims and the circumstances under which they were presented, (2) the degree of culpability, history of prior offenses, and financial condition of the person presenting the claims, and (3) such other matters as justice may require. This language establishes factors to be considered in determining the amount of a civil money penalty.

This approach is taken in other regulations that cross-reference section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, which rely on these factors for purposes of determining civil money penalty amounts. See, for example, 45 CFR 160.408. The factors listed in section 1128A(d) of the Social Security Act, 42 U.S.C. 1320a-7a(d), were drafted to apply to violations involving claims for payment under federally funded health programs. Because Patient Safety Act violations will not be about specific claims, we propose to tailor the section 1128A(d) factors to violations of the confidentiality provisions and further particularize the statutory factors by providing discrete criteria, as done in the HIPAA Enforcement Rule and the OIG regulations that implement section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a. Consistent with these other regulations, and to provide more guidance to providers, PSOs, and responsible persons as to the factors that would be used in calculating civil money penalties, we propose the following detailed factors:

  1. The nature of the violation.
  2. The circumstances and consequences of the violation, including the time period during which the violation occurred; and whether the violation caused physical or financial harm or reputational damage.
  3. The degree of culpability of the respondent, including whether the violation was intentional, and whether the violation was beyond the direct control of the respondent.
  4. Any history of prior compliance with the confidentiality provisions, including violations, by the respondent, and whether the current violation is the same as or similar to prior violation(s), whether and to what extent the respondent has attempted to correct previous violations, how the respondent has responded to technical assistance from the Secretary provided in the context of a compliance effort, and how the respondent has responded to prior complaints.
  5. The financial condition of the respondent, including whether the respondent had financial difficulties that affected its ability to comply, whether the imposition of a civil money penalty would jeopardize the ability of the respondent to continue to provide health care or patient safety activities, and the size of the respondent.
  6. Such other matters as justice may require.

For further discussion of these factors, please see the preambles to the Interim Final Rule and the Final Rule for the HIPAA Enforcement Rule at 70 FR 20235-36, Apr. 18, 2005, and 71 FR 8407-09, Feb. 16, 2006. Meeting certain conditions, such as financial condition, is a fact-specific determination based upon the individual circumstances of the situation presented.

We seek comments regarding whether the above list of factors should be expanded to expressly include a factor for persons who self-report disclosures that may potentially violate the confidentiality provisions such that voluntary self-reporting would be a mitigating consideration when assessing a civil money penalty. Voluntary self-reporting may encourage persons to report breaches of confidentiality, particularly breaches that may otherwise go unnoticed, and to demonstrate the security practices that led to the discovery of the breach and how the breach has been remedied. However, including self-reporting as a factor may be viewed incorrectly as an additional reporting obligation to report every potentially impermissible disclosure, thereby, unnecessarily increasing administrative burdens on the Department and the individuals or entities making the self-reporting, or it may interfere with obligations to identified persons, particularly when a negotiated, contractual relationship between a provider and a PSO exists that addresses how the parties are to deal with breaches.

Respondents are responsible for raising any issues that pertain to any of the factors to the Secretary within 30 days after receiving notice from the Secretary that informal resolution attempts have not resolved the issue in accordance with proposed Sec. 3.312(a)(3)(i). The Secretary is under no obligation to affirmatively raise any mitigating factor if a respondent fails to identify the issue. See proposed Sec. 3.504(p).

In many regulations that implement section 1128A of the Social Security Act, 42 U.S.C. 1320a-7a, the statutory factors and/or the discrete criteria are designated as either aggravating or mitigating. For example, at 42 CFR 1003.106(b)(3) of the OIG regulations, "history of prior offenses" is listed as an aggravating factor and is applicable as a factor to a narrow range of prohibited conduct. However, because proposed Sec. 3.408 will apply to a variety of persons and circumstances, we propose that factors may be aggravating or mitigating, depending on the context. For example, the factor "time period during which the violation(s) occurred" could be an aggravating factor if the respondent's violation went undetected for a long period of time or undetected actions resulted in multiple violations, but could be a mitigating factor if a violation was detected and corrected quickly. This approach is consistent with other regulations implementing section 1128A of the Social Security Act, 42 U.S.C. 1320a- 7a. See, for example, 45 CFR 160.408.

We propose to leave to the Secretary's discretion the decision regarding when aggravating and mitigating factors will be taken into account in determining the amount of a civil money penalty. The facts of each violation will drive the determination of whether a particular factor is aggravating or mitigating.

Return to top

10. Proposed Sec. 3.414--Limitations

Proposed Sec. 3.414 sets forth the 6-year limitations period on initiating an action for imposition of a civil money penalty provided for by section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a- 7a(c)(1). We propose the date of the occurrence of the violation be the date from which the limitation period begins.

11. Proposed Sec. 3.416--Authority to Settle

Proposed Sec. 3.416 states the authority of the Secretary to settle any issue or case or to compromise any penalty during the process addressed in this Part, including cases that are in hearing. The first sentence of section 1128A(f) of the Social Security Act, 42 U.S.C. 1320a-7a(f), made applicable by section 922(f)(2) of the Public Health Service Act, 42 U.S.C. 299b-22(f)(2), states, in part, "civil money penalties * * * imposed under this section may be compromised by the Secretary." This authority to settle is the same as that set forth in 45 CFR 160.416 of the HIPAA Enforcement Rule.

12. Proposed Sec. 3.418--Exclusivity of Penalty

Proposed Sec. 3.418 makes clear that, except as noted below, penalties imposed under this Part are not intended to be exclusive where a violation under this Part may also be a violation of, and subject the respondent to, penalties under another federal or State law. This provision is modeled on 42 CFR 1003.108 of the OIG regulations.

Proposed Sec. 3.418(b) repeats the statutory prohibition against imposing a penalty under both the Patient Safety Act and under HIPAA for a single act or omission that constitutes a violation of both the Patient Safety Act and HIPAA. Congress recognized that there could be overlap between the confidentiality provisions and the HIPAA Privacy Rule. Because identifiable patient safety work product includes individually identifiable health information as defined under the HIPAA Privacy Rule, HIPAA covered entities could be liable for violations of the HIPAA Privacy Rule based upon a single disclosure of identifiable patient safety work product. We tentatively interpret the Patient Safety Act as only prohibiting the imposition of a civil money penalty under the Patient Safety Act when there have been civil, as opposed to criminal, penalties imposed on the respondent under the HIPAA Privacy Rule for the same single act or omission. In other words, a person could have a civil money penalty imposed against him under the Patient Safety Act as well as a criminal penalty under HIPAA for the same act or omission. However, an act that amounts to a civil violation of both the confidentiality provisions and the HIPAA Privacy Rule would be enforceable under either authority, but not both.

The decision regarding which statute applies to a particular situation will be made based upon the facts of individual situations. HIPAA covered entities that seek to disclose confidential patient safety work product that contains protected health information must know when such disclosure is permissible under both statutes.

Return to top

13. Proposed Sec. 3.420--Notice of Proposed Determination

Proposed Sec. 3.420 sets forth the requirements for the notice to a respondent sent when the Secretary proposes a penalty under this Part. This notice implements the requirement for notice contained in section 1128A(c)(1) of the Social Security Act, 42 U.S.C. 1320a- 7a(c)(1). These requirements are substantially the same as those in the HIPAA Enforcement Rule at 45 CFR 160.420, except for the removal of provisions related to statistical sampling.

The notice provided for in this section must be given whenever a civil money penalty is proposed. The proposed requirements of this section serve to inform any person under investigation of the basis for the Secretary's proposed civil money penalty determination. These requirements include the statutory basis for a penalty, a description of the findings of fact regarding the violation, the reasons the violation causes liability, the amount of the proposed penalty, factors considered under proposed Sec. 3.408 in determining the amount of the penalty, and instructions for responding to the notice, including the right to a hearing.

At this point in the process, the Secretary may also send a notice of proposed determination to a principal based upon liability for a violation under proposed Sec. 3.402(b).

14. Proposed Sec. 3.422--Failure To Request a Hearing

Under proposed Sec. 3.422, when a respondent does not timely request a hearing on a proposed civil money penalty, the Secretary may impose the civil money penalty or any less severe civil money penalty permitted by section 1128A(d)(5) of the Social Security Act, 42 U.S.C. 1320a-7a(d)(5). Once the time has expired for the respondent to file for an appeal, the Secretary will decide whether to impose the civil money penalty and provide notice to the respondent of the civil money penalty. If the Secretary does pursue a civil money penalty, the civil money penalty is final, and the respondent has no right to appeal a civil money penalty imposed under these circumstances. This section is similar to 45 CFR 160.422 of the HIPAA Enforcement Rule. For purposes of determining when subsequent actions may commence, such as collection of an imposed civil money penalty, we propose that the penalty be final upon receipt of a penalty notice sent by certified mail return receipt requested.

15. Proposed Sec. 3.424--Collection of Penalty

Proposed Sec. 3.424 provides that once a determination to impose a civil money penalty has become final, the civil money penalty must be collected by the Secretary, unless compromised, and prescribes the methods for collection. We propose that civil money penalties be collected as set forth under the HIPAA Enforcement Rule at 45 CFR 160.424, except that the term "this part" shall refer to 42 CFR Part 3. The modification is made for the provision to refer to the appropriate authority.

16. Proposed Sec. 3.426--Notification of the Public and Other Agencies

Proposed Sec. 3.426 would implement section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h). When a civil money penalty proposed by the Secretary becomes final, section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), directs the Secretary to notify appropriate State or local agencies, organizations, and associations and to provide the reasons for the civil money penalty. We propose to add the public generally as a group that may receive notice, in order to make the information available to anyone who must make decisions with respect to persons that have had a civil money penalty imposed for violation of the confidentiality provisions. For instance, knowledge of the imposition of a civil money penalty for violation of the Patient Safety Act could be important to hospitals, other health care organizations, health care consumers, as well as to current and future business partners throughout the industry.

The basis for this public notice portion lies in the Freedom of Information Act, 5 U.S.C. 552. The Freedom of Information Act requires final opinions and orders made in adjudication cases to be made available for public inspection and copying. See 5 U.S.C. 552(a)(2)(A). While it is true that section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), does not require that such notice be given to the public, neither does it prohibit such wider dissemination of that information, and nothing in section 1128A(h) of the Social Security Act, 42 U.S.C. 1320a-7a(h), suggests that it modifies the Secretary's obligations under the Freedom of Information Act.

The Freedom of Information Act requires making final orders or opinions available for public inspection and copying by "computer telecommunication * * * or other electronic means," which would encompass a display on the Department's Web site. See 5 U.S.C. 552(a)(2).

A civil money penalty is considered to be final, for purposes of notification, when it is a final agency action (i.e., the time for administrative appeal has run or the adverse administrative finding has otherwise become final). The final opinion or order that is subject to the notification provisions of this section is the notice of proposed determination, if a request for hearing is not timely filed, the decision of the ALJ, if that is not appealed, or the final decision of the Board.

Currently final decisions of the ALJs and the Board are made public via the Board's Web site. See http://www.hhs.gov/dab/search.html. Such postings, however, would not include penalties that become final because a request for hearing was not filed under proposed Sec. 3.504(a). Under proposed Sec. 3.426, notices of proposed determination under proposed Sec. 3.420 that become final because a hearing has not been timely requested, would also be made available for public inspection and copying as final orders, with appropriate redaction of any patient safety work product or other confidential information, via OCR's Web site. See the OCR patient safety Web site at http://www.hhs.gov/ocr/psqia/. By making the entire final opinion or order available to the public, the facts underlying the penalty determination and the law applied to those facts will be apparent. Given that information, the public may discern the nature and extent of the violation as well as the basis for imposition of the civil money penalty.

The regulatory language would provide for notification in such manner as the Secretary deems appropriate. Posting to a Department Web site and/or the periodic publication of a notice in the Federal Register are among the methods which the Secretary is considering using for the efficient dissemination of such information. These methods would avoid the need for the Secretary to determine which entities, among a potentially large universe, should be notified and would also permit the general public served by providers, PSOs, and responsible persons upon whom civil money penalties have been imposed--as well as their business partners--to be apprised of this fact, where that information is of interest to them. While the Secretary could provide notice to individual agencies where desired, the Secretary could, at his option, use a single public method of notice, such as posting to a Department Web site, to satisfy the obligation to notify the specified agencies and the public.

Return to top

17. Proposed Sec. 3.504--Procedures for Hearings

Proposed Sec. 3.504 is a compilation of procedures related to administrative hearings on civil money penalties imposed by the Secretary. The proposed section sets forth the authority of the ALJ, the rights and burdens of proof of the parties, requirements for the exchange of information and pre-hearing, hearing, and post-hearing processes. These individual sections are described in greater detail below.

This proposed section cross-references the HIPAA Enforcement Rule extensively due to the similar nature of the enforcement and appeal procedures, the nature of the issues and substance presented, and the parties most affected by these proposed regulations. We intend that the provisions of the HIPAA Enforcement Rule will be applied to the imposition of civil money penalties under this Subpart in the same manner as they are applied to violations of the HIPAA administrative simplification provisions, subject to any modifications set forth in proposed Sec. 3.504. We believe the best and most efficient manner of achieving this result is through explicitly referencing and adopting the relevant provisions of the HIPAA Enforcement Rule. Where modifications are necessary to address the differences between the appeals of determinations under the HIPAA Enforcement Rule and the Patient Safety Act, we have made specific exceptions that we discuss below.

We note that the recently published Notice of Proposed Rulemaking entitled "Revisions to Procedures for the Departmental Appeals Board and Other Departmental Hearings" (see 72 FR 73708 (December 28, 2007)) proposes to modify the HIPAA Enforcement Rule, which we reference extensively in this proposed rule. Our intent for the patient safety regulations would be to maintain the alignment between the patient safety enforcement process and the HIPAA Enforcement Rule, as stated previously. Should the amendments to the HIPAA Enforcement Rule become final based on that Notice of Proposed Rulemaking, our intent would be to incorporate those changes in any final rulemaking here. That Notice of Proposed Rulemaking proposes to amend 45 CFR 160.508(c) and 45 CFR 160.548, and to add a new provision, 45 CFR 160.554, providing that the Secretary may review all ALJ decisions that the Board has declined to review and all Board decisions for error in applying statutes, regulations or interpretive policy.

Return to top
Return to Table of Contents
Return to previous section
Proceed to next section

 

AHRQAdvancing Excellence in Health Care
AHRQ footer - print version only