Law Offices of Steve Zand
16130 Ventura Blvd., Suite 650, Encino, CA 91436
Telephone: (818)784-4975; Fax: (818)784-3920

Insurance Newsletter

Patient Privacy Protected by the HIPAA Privacy Rule

Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) includes provisions designed to provide continuous insurance coverage and to support electronic healthcare transactions. In an effort to establish federal minimum privacy standards for the use and release of a patient’s health information, Congress called on the Department of Health and Human Services (HHS) to issue new patient privacy regulations as part of the HIPAA scheme.

Accordingly, HHS published the Privacy Rule, a new set of privacy regulations that require certain “covered entities” to comply with a federal floor of privacy protections by April 14, 2003. In general terms, the Privacy Rule established a minimum threshold of privacy protection for the transmission of a HIPAA patient’s individually identifiable health information. As such, the Privacy Rule does not replace those state and federal laws or hospital policies that afford individuals stricter privacy protections than those required by the Rule.

“Covered Entities” Subject to HIPAA Fines and Penalties

“Covered entities” that are required to comply with the HIPAA Privacy Rule provisions include:

  • All health care providers that transmit protected health information electronically, including hospitals, physicians and emergency or ambulance personnel
  • Any health plan that provides health benefits or pays for health care, including insured and self-funded employer health plans, HMOs and insurers
  • Health care clearinghouses, such as billing agents and firms that process data

Protected Health Information Under the Privacy Rule

The Privacy Rule applies to “protected health information” (PHI), which may be defined as individually identifiable health information held or transmitted by covered entities and their business associates in any form of media, whether paper, electronic or oral. In line with a 1996 U.S. Supreme Court decision, which held that an individual’s right to privacy includes information about a person’s mental state, PHI is not limited to facts of physical treatment.

Under the HIPAA privacy regulations, covered entities must comply with specific PHI standards, including:

  • Providing patients with copies of medical records upon request
  • Notifying patients of how their PHI may be used by covered entities
  • Prohibiting the marketing of a patient’s medical information without their consent
  • Providing an opportunity for the patient to object to or restrict the use of their PHI
  • Obtaining patient authorization for the release of information when someone specifically asks about the patient by name

However, a hospital may place certain biographical information about a patient in a hospital directory, which may be disclosed to clergy members or to others who ask for the patient by name as long as the patient did not object to the inclusion of the information in the directory. The permissible disclosure of certain directory information includes:

  • Patient’s name and location in the health care provider’s facility
  • Patient’s condition (described in general terms)
  • Patient’s religious affiliation (to clergy members only)

Further, certain emergency circumstances warrant the release of a patient’s directory information to individuals other than clergy members or those who ask for the patient by name, as in cases where the patient is incapacitated and disclosure would be in the patient’s best interest.

Civil and Criminal Penalties for Violating the Privacy Rule

Patients who believe that their Privacy Rule rights have been violated may file a complaint with the HHS Office for Civil Rights (OCR), which oversees and enforces the Privacy Rule. Complaints to the OCR must:

  • Be filed in writing (on paper or electronically) within 180 days of when the patient knew of the violation
  • Name the offending person or entity
  • Describe the acts or omissions believed to be in violation of the Privacy Rule

If the OCR determines that a covered entity has violated the Privacy Rule, the covered entity may face civil and/or criminal penalties (depending on the violation). For civil violations, the OCR may fine the covered entity $100 per violation, up to $25,000 in one year. Such penalties may not be imposed when the violation is due to reasonable cause, did not involve willful neglect and was corrected by the covered entity within 30 days of when it knew or should have known of the violation.

Conversely, a covered entity that knowingly violates the Privacy Rule faces criminal penalties, including, at minimum, a fine of $50,000 and up to one year of imprisonment. These penalties increase to $100,000 and up to five years’ imprisonment if the violation involves false pretenses, and to $250,000 and ten years in prison if it involves intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm. Criminal penalties are enforced by the Department of Justice.


© 2007 - 2024 Law Offices of Steve S. Zand. All rights reserved.