150.311—Responses to allegations of noncompliance.
In determining whether to impose a civil money penalty, CMS reviews and considers documentation provided in any complaint or other information, as well as any additional information provided by the responsible entity to demonstrate that it has complied with HIPAA requirements. The following are examples of documentation that a potential responsible entity may submit for CMS's consideration in determining whether a civil money penalty should be assessed and the amount of any civil money penalty:
(a) Any individual policy, group policy, certificate of insurance, application, rider, amendment, endorsement, certificate of creditable coverage, advertising material, or any other documents if those documents form the basis of a complaint or allegation of noncompliance, or the basis for the responsible entity to refute the complaint or allegation.
(c) Evidence that the entity did not know, and exercising due diligence could not have known, of the violation.
(d) Documentation that the policies, certificates of insurance, or non-Federal governmental plan documents have been amended to comply with HIPAA requirements either by revision of the contracts or by the development of riders, amendments, or endorsements.
(e) Documentation of the entity's issuance of conforming policies, certificates of insurance, plan documents, or amendments to policyholders or certificate holders before the issuance of the notice to the responsible entity or entities described in § 150.307.
(f) Evidence documenting the development and implementation of internal policies and procedures by an issuer, or non-Federal governmental health plan or employer, to ensure compliance with HIPAA requirements. Those policies and procedures may include or consist of a voluntary compliance program. Any such program should do the following:
(1) Effectively articulate and demonstrate the fundamental mission of compliance and the issuer's, or non-Federal governmental health plan's or employer's, commitment to the compliance process.
(3) Include an effective monitoring system to identify practices that do not comply with HIPAA requirements and to provide reasonable assurance that fraud, abuse, and systemic errors are detected in a timely manner.
[64 FR 45795, Aug. 20, 1999, as amended at 70 FR 71023, Nov. 25, 2005]