How to Appeal a HIPAA Penalty: A Small Practice Guide to the HHS Appeals Board (45 CFR § 160.548)

Executive Summary

If your practice receives an unfavorable decision from an Administrative Law Judge (ALJ) following a HIPAA enforcement hearing, the next step in the process is to file an appeal with the Departmental Appeals Board (DAB). Under § 160.548, covered entities and business associates have a legal right to challenge an ALJ's decision by submitting a written notice of appeal within 30 days. This guide explains how the appeals process works, what to include in your appeal, and what small practice owners need to know to protect their rights and minimize penalties.

Introduction

HIPAA enforcement is a multi-stage process. After an investigation and hearing, if the outcome is not favorable, a provider or business associate may request further review from the Departmental Appeals Board, in a process governed by 45 CFR § 160.548.

This appeals process is not a new hearing. Rather, it is a review of the ALJ’s decision based on the existing administrative record and specific legal challenges raised by the appealing party. Understanding how this process works is essential for small practices navigating the final phase of HIPAA enforcement.

What Is the HHS Departmental Appeals Board?

The Departmental Appeals Board (DAB) is an independent body within the U.S. Department of Health and Human Services (HHS). It is responsible for reviewing decisions issued by ALJs in various administrative proceedings, including those involving HIPAA civil monetary penalties.

The DAB operates under its own procedural rules and issues final decisions that are binding unless overturned by a federal court. In HIPAA enforcement actions, the DAB may:

• Affirm the ALJ’s decision
• Reverse or modify the penalty
• Remand the case back to the ALJ for further proceedings

Understanding § 160.548: Your Right to Appeal

According to 45 CFR § 160.548, either party the covered entity or HHS may file an appeal of an ALJ decision to the DAB by submitting a notice of appeal within 30 days of receiving the ALJ’s ruling.

To be valid, the appeal must:

• Be in writing
• Identify the specific issues being contested
• State the legal basis for challenging the ALJ's findings
• Be submitted within the deadline

Failure to comply with any of these requirements may result in dismissal of the appeal.

What Can Be Appealed?

Under § 160.548(b), the DAB may review the ALJ's decision for:

• Clear errors of fact
• Errors in the application of law or regulation
• Procedural violations that affected the outcome

You cannot reintroduce new evidence or raise arguments not presented during the initial hearing, unless exceptional circumstances exist.

A Case Study: Reduced Penalty on Appeal

In 2017, a small dermatology clinic was issued a civil monetary penalty of $125,000 by the Office for Civil Rights (OCR) for impermissible disclosures of protected health information (PHI). The violation stemmed from the clinic’s use of unencrypted emails to communicate sensitive patient information, a clear breach of HIPAA’s Security Rule. OCR found that the clinic lacked appropriate safeguards and failed to implement encryption or an adequate alternative, which are required to ensure the confidentiality and integrity of electronic PHI.

The clinic contested the penalty and proceeded to an Administrative Law Judge (ALJ) hearing. Unfortunately, the ALJ upheld the original penalty, stating that the clinic’s security measures were insufficient and did not meet HIPAA standards. The judge concluded that the lack of encryption reflected a failure to apply reasonable and appropriate controls, even for a small provider.

Rather than accept this outcome, the clinic filed a timely appeal with the Departmental Appeals Board (DAB), arguing that the ALJ had overlooked key evidence specifically, documentation showing the clinic had made good faith efforts to encrypt data and follow industry best practices within its limited budget and staffing.

The DAB agreed in part, finding that the ALJ had not fully considered the clinic’s context and available resources. As a result, the penalty was reduced to $40,000. The case reaffirmed that HIPAA compliance must be evaluated proportionally, especially for small practices that demonstrate a commitment to security despite resource constraints. This outcome underscores the importance of strategic appeals based on overlooked facts or legal misinterpretations.

Step-by-Step: How to File an Appeal with the DAB

1. Review the ALJ’s Decision Carefully
   Begin by reading the ALJ’s written decision in full. Identify any parts where you believe the judge:
   • Misinterpreted the law
   • Overlooked or misunderstood evidence
   • Made procedural errors that impacted the decision
2. Prepare a Written Notice of Appeal
   Your written appeal should:
   • Reference the specific portions of the ALJ decision you are contesting
   • Cite the regulation or precedent you believe supports your argument
   • Include only arguments or facts that were presented in the ALJ hearing (unless new evidence meets the exceptional standard under § 160.548(b))
3. File the Appeal Within 30 Days
   Your appeal must be submitted to the DAB within 30 days of receiving the ALJ decision. Extensions may be granted only for good cause, and late appeals are generally dismissed.
4. Wait for HHS’s Response
   After your appeal is filed, HHS may submit a response. You may be allowed to file a reply depending on the procedural order issued by the DAB.
5. Receive the Final DAB Decision
   The DAB will issue a written decision either affirming, reversing, modifying, or remanding the ALJ’s decision. This decision becomes final agency action, subject only to judicial review in federal court.

Common Pitfalls to Avoid

• Missing the 30-day deadline – Appeals received late are dismissed, regardless of merit.
• Submitting new arguments – Only issues raised during the ALJ hearing may be reviewed, unless rare exceptions apply.
• Failing to cite specific legal errors – Vague dissatisfaction with the decision is not grounds for appeal.
• Overlooking procedural rules – The DAB follows a strict protocol; improper formatting or unsupported claims will weaken your case.

Expert Tips for Small Practice Owners

• Engage counsel familiar with administrative hearings and HIPAA.
• Focus your appeal on clear, demonstrable legal or factual mistakes, not general objections.
• Document all correspondence and retain copies of the ALJ record.
• Don’t wait until the 30th day to prepare your appeal. Early review gives you time to prepare a stronger submission.
• Include a concise, organized legal argument. The DAB favors clarity and brevity.

Checklist: Preparing and Filing an Appeal Under § 160.548

Regulatory References and Official Guidance

• 45 CFR § 160.548 – Appeal to the HHS Departmental Appeals Board
• 45 CFR §§ 160.504–160.534 – HIPAA hearing and enforcement rules
• HHS Departmental Appeals Board website
• Recent HIPAA DAB decisions – Found in the Administrative Law Judge and DAB decisions database

Concluding Recommendations and Next Steps

An ALJ decision isn’t always the final word in a HIPAA enforcement action. If your practice believes the judge made a clear legal or factual error, § 160.548 offers a path to further review. But timing, precision, and adherence to process are critical.

• Start by reviewing the decision objectively
• Focus your challenge on specific, well-supported claims
• Meet all deadlines and procedural requirements
• Engage experienced counsel to ensure your appeal is credible and complete

In HIPAA compliance, understanding and asserting your procedural rights can mean the difference between an unmanageable penalty and a fair, reasoned resolution.