300,000 Regulations and Counting
One would think that actions depriving citizens of liberty and property would be regarded as very serious matters within the United States government. Leading all countries in the western tradition, the United States created, embodied and lived within a system of limited government. Each office and branch had a specific and most importantly, limited role.
Therefore, it is astonishing when we arrive at a time in our history when unelected and unaccountable regulatory agents, can make rules, enforce those rules, and adjudicate those rules. And we are not speaking of $50 traffic tickets for failure to clean up after your dog; there are many rules and regulations which carry fines of $50,000 or more and ten years or more of jail time. Even worse, many of these rules don’t even require intent to break the law or harm anyone. As a matter of fact, one can be sentenced to jail for ten years for an unwitting paperwork offense that harmed no one.
That’s serious punishment. It is the kind of punishment that should require public debate and be written into the law code where every citizen can be aware of it and know which Congressmen and Senators voted for or against it. It has been stated from Montesquieu to Madison, that to place law-making, enforcement, and justice in the hands of a single body is tyranny.
Copland Says HIPAA Agencies Making Law, Rather than Executing Law
James Copland, in this exclusive video, describes how regulatory agencies in the executive branch have been granted more and more power to interpret laws, which has almost become equivalent to writing the rules and regulations and determining the appropriate punishment for those violations. This is a situation which is the direct opposite of the intent of the Constitution with its doctrine of separation of powers. The practice may have come about innocently enough, as the agencies generally knew more about what they were regulating than Congress did, but at some point, it actually became an abdication of responsibility on the part of Congress.
Congress now leaves most of the details of laws and rule-making to the Executive Branch, and that is dangerous. There are 4,500 federal criminal statutes on the books which have been authorized by Congress. But there are 300,000 rules made by administrators, far too many to cover in an article or an encyclopedia. But we can take a single instance, of a single law, to serve as an example of what Copland describes as an abdication of responsibility and the consequences.
HIPAA Violations Can Land You in Jail
HIPAA is the law that protects the private health information of Americans. While most people are all in favor of health privacy, HIPAA is an incredibly complex law that seems to take regulatory vigilance to an extreme.
As an example of the delegation of authority and responsibility that Copland speaks of, it is a perfect example. Most of the rules in HIPAA were not written by Congress at all, but rather by the Department of Health and Human Services’ Office for Civil Rights, along with the power to issue financial penalties for failure to comply with HIPAA Rules. Later, in 2006, the Omnibus Rule added more penalties and violations under the Health Information Technology for Economic and Clinical Health Act, these rules took effect in 2013.
Even worse, the Omnibus Act made it possible to not only fine healthcare providers, healthcare clearinghouses, and all other HIPAA-Covered Entities (CEs); it also applied those laws to Business Associates of CEs. This is incredibly broad and could be loosely translated into “everyone.” Keep in mind, these are for violations of privacy rules. The standard for the fines and penalties is not that anyone anywhere was ever injured or in danger or had their information exposed, all that was necessary was that a rule be broken, such as a file left unattended on a desk or a computer improperly powered off. These violations of HIPAA carry big fines and consequences.
All of this wouldn’t be so bad if it was a hand slapping, or if the ‘criminal’ was willful and violated the rule with intention or malice, or at a minimum, knowledge. But, violators can be fined or jailed for infractions of which they were not aware. Given that the purpose of the penalties is not punishment but deterrence, locking someone in jail for failure to follow a rule that they were unaware of seems arbitrary and pointless.
HIPAA Violations are No Laughing Matter
HIPAA violations carry stiff penalties. There are four categories of violations, ranging from Category One in which the perpetrator is unaware of the violation and could not have avoided committing the infraction with proper knowledge of HIPAA rules; all the way to Category Four which is willful neglect.
- Category One carries a minimum fine of $100 per violation up to $50,000.
- Category Four carries a minimum fine of $50,000 per violation.
- There are also three tiers for jail time, from up to one year for the lowest offense level, to up to ten years for the most serious violations.
The Office for Civil Rights decides what the penalties and fines are for violations. A classic example of writing the rules, enforcing the rules, and adjudicating; those caught in the web of agencies like this have almost no choice other than immediate abject compliance. And to add insult to injury, in a final gesture of delegation, the Office for Civil Rights has granted States Attorneys General the right to impose penalties for HIPAA violations as well.
This heavy-handed approach to compliance leads to almost fanatical attempts to comply with the HIPAA law, no matter what the cost or how inefficient the process becomes. Healthcare organizations spend substantial sums complying with laws like HIPAA, rather than taking care of patients which are, after all, their primary purpose. At a time when the nation is struggling to reduce health care costs, adding to the paperwork burden with onerous fines does not help innovation, creativity or lead to better systems.
There Has to Be a Better Way to Enforce HIPAA
What have we come to when doctors can no longer look after their patients’ medical records but must outsource that task to a third party due to frustration with the complexity and fear of violations? What deterrence exists when a law is so complex it is incomprehensible?
to place law-making, enforcement and justice in the hands of a single body is tyranny
Fear and intimidation are not the American way.
Ultimately, Congress needs to take back its responsibility and authority, or we will see more and more regulatory overreach. According to Copland, Congress has been taking small steps in the right direction. Congress has insisted that administrative agencies must notify Congress of regulations that carry criminal penalties, and failure to do so would mean that the penalty could not be enforced. This is a small step, but it has at least put the vast network of regulatory agencies on notice that Congress is concerned and may take legislative action at some time in the future.
James Copland is a Senior Fellow and a Director of Legal Policy at the Manhattan Institute. He was named to the National Association of Corporate Directors “Directorship 100” list, which designates the individuals most influential over U.S. corporate governance. Before joining the Manhattan Institute, Copland was a Law Clerk for Ralph K. Winter on the U.S. Court of Appeals for the Second Circuit and a Management Consultant with McKinsey and Company in New York.