“HIPAA” is the commonly used industry abbreviation for the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. This Administrative Simplification portion of this federal law aims to protect individually identifiable health information by granting an individual rights over his or her health information and by setting national standards for three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.
The Administrative Simplification portion of HIPAA is divided into two components, the Privacy Rule and the Security Rule. While both rules address the same privacy standards for health information, the Security Rule focuses specifically on health information stored electronically. HIPAA defines “health information” as “any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; or the past, present or future payment for the provision of health care to an individual.”
In passing the Health Information Portability and Accountability Act, Congress has defined access to and protection over one's individual health information as a basic civil right, much like the right to receive equal access to healthcare regardless of factors such as age, race or disability. The HIPAA regulations recognize an individual’s expectation to privacy in this area, acknowledging that the disclosure of sensitive medical information against the patient’s consent may have significant impact on an individual’s physical and psychological well being as well as interpersonal relationships, employment status or legal affairs.
The HIPAA Administrative Simplification statute has been the subject of several phases of regulatory rule making. The U.S. Department of Health and Human Services (HHS) published a final Privacy Rule in December 2000, which was later modified in August 2002 and again in August 2009. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans). The final Rules are located at 45 CFR pts. 160, 162, and 164. Relevant preamble language, proposed rules, industry comments and responses can all be found in the relevant Federal Register publications which precipitated publication of the final rules in the C.F.R.
Prior to July 2009, the Department of Health and Human Services Office for Civil Rights (OCR) investigated allegations of a Privacy Rule violation and OCR and the Centers for Medicare & Medicaid (CMS) had dual jurisdiction over allegations of Security Rule violations. On July 27, 2009, the Secretary of the Department of Health and Human Services delegated enforcement of the Security Rule solely to the Office for Civil Rights.
Many states have laws that also address the privacy of a patient’s medical information. When the state law is more stringent than the Privacy Rule, a Covered Entity may comply with both by following the more stringent state law. In the case of conflicting laws, the Federal HIPAA regulations may preempt state laws or an exception may require the Covered Entity to follow the state law.
The Department of Health and Human Services Office for Civil Rights is charged with the enforcement of the HIPAA Privacy and Security Rules. The OCR website, currently located at www.hhs.gov/ocr/privacy, provides links and educational materials regarding the Privacy and Security Rules including frequently asked questions, training materials, a complaint form and enforcement highlights.
Although OCR will first seek the cooperation of the Covered Entity in achieving voluntary compliance, failure to comply with the HIPAA Privacy and Security Rules can result in civil monetary penalties and criminal penalties for both individuals involved and the Covered Entity involved.
Civil Monetary Penalties
Prior to February 18, 2009, penalties were capped at $100 per violation and $25,000 per calendar year. However, the American Recovery and Reinvestment Act of 2009, (ARRA), expanded penalties for HIPAA complaints filed after February 18, 2009 from $100 to $50,000 or more per violation and $1,500,000 per calendar year. A penalty will not be imposed if the failure to comply was not due to willful neglect and was corrected within thirty days or if the Department of Justice has already or will impose a criminal penalty. Prior to imposing the penalty, OCR will give the covered entity thirty days to provide written evidence of any circumstances which would reduce or bar a penalty. Additionally, a covered entity has the right to request an administrative hearing to appeal the proposed penalty.
A person who knowingly obtains or discloses individually identifiable health information may face a criminal penalty of up to $50,000 and up to one year imprisonment. The criminal penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involved false pretenses, and up to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer or use identifiable health information for commercial advantage, personal gain or malicious harm. The Department of Justice will conduct the criminal prosecutions.
The final rulemaking implementing and interpreting the HIPAA law is still in progress. The latest Interim Final Rule (IFR) was issued in the Federal Register in October 2009. The industry will certainly continue to see updates and revisions to this law as the industry’s adoption of electronic health records (EHRs) expands and as regulations of ARRA’s Health Information Technology for Economic and Clinical Health (HITECH) Act are finalized and implemented.
The HIPAA Privacy and Security Rules are a complex area of Federal statutory and regulatory law that significantly impact health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. The Rules protect health information by granting patient access to medical records and by setting national standards for the permissible use and disclosure of Protected Health Information.
AHLA would like to thank Jamie Sorley, a student at the SMU Dedman School of Law in Dallas, for drafting the original article on this subject.