Law Offices of Steve Zand
16130 Ventura Blvd., Suite 650, Encino, CA 91436
Telephone: (818)784-4975; Fax: (818)784-3920

Insurance Newsletter

HIPAA and Federal Privacy Standards Issued Under the Privacy Rule

Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) includes provisions designed to provide continuous insurance coverage and electronic healthcare transactions. In an effort to establish federal minimum privacy standards for the use and release of a patient’s health information, Congress called on the Department of Health and Human Services (HHS) to issue new patient privacy regulations as part of the HIPAA scheme.

Accordingly, HHS published the Privacy Rule, a new set of privacy regulations that require certain “covered entities” to comply with a federal floor of privacy protections by April 14, 2003. In general terms, the Privacy Rule established a minimum threshold of privacy protection for the transmission of a HIPAA patient’s individually identifiable health information. As such, the Privacy Rule does not replace those state and federal laws or hospital policies that afford individuals stricter privacy protections than those required by the Rule.

“Covered Entities” Subject to HIPAA Fines and Penalties

“Covered entities” that are required to comply with the HIPAA Privacy Rule provisions include:

  • All health care providers that transmit protected health information electronically, including hospitals, physicians and emergency or ambulance personnel
  • Any health plan that provides health benefits or pays for health care, including insured and self-funded employer health plans, HMOs and insurers
  • Health care clearinghouses, such as billing agents and firms that process data

Protected Health Information Under the Privacy Rule

The Privacy Rule applies to “protected health information” (PHI), which may be defined as individually identifiable health information held or transmitted by covered entities and their business associates in any form of media, whether paper, electronic or oral. In line with a 1996 U.S. Supreme Court decision, which held that an individual’s right to privacy includes information about a person’s mental state, PHI is not limited to facts of physical treatment.

Under the HIPAA privacy regulations, covered entities must comply with specific PHI standards, including:

  • Providing patients with copies of medical records upon request
  • Notifying patients of how their PHI may be used by covered entities
  • Prohibiting the marketing of a patient’s medical information without their consent
  • Providing an opportunity for the patient to object to or restrict the use of their PHI
  • Obtaining patient authorization for the release of information when someone specifically asks about the patient by name

However, a hospital may place certain biographical information about a patient in a hospital directory, which may be disclosed to clergy members or to others who ask for the patient by name as long as the patient did not object to the inclusion of the information in the directory. The permissible disclosure of certain directory information includes:

  • Patient’s name and location in the health care provider’s facility
  • Patient’s condition (described in general terms)
  • Patient’s religious affiliation (to clergy members only)

Further, certain emergency circumstances warrant the release of a patient’s directory information to individuals other than clergy members or those who ask for the patient by name, as in cases where the patient is incapacitated and disclosure would be in the patient’s best interest.

Civil and Criminal Penalties for Violating the Privacy Rule

Patients who believe that their Privacy Rule rights have been violated may file a complaint with the HHS Office for Civil Rights (OCR), which oversees and enforces the Privacy Rule. Complaints to the OCR must:

  • Be filed in writing (on paper or electronically) within 180 days of when the patient knew of the violation
  • Name the offending person or entity
  • Describe the acts or omissions believed to be in violation of the Privacy Rule

If the OCR determines that a covered entity has violated the Privacy Rule, the covered entity may face civil and/or criminal penalties (depending on the violation). For civil violations, the OCR may fine the covered entity $100 per violation, up to $25,000 in one year. Such penalties may not be imposed when the violation is due to reasonable cause, did not involve willful neglect and was corrected by the covered entity within 30 days of when it knew or should have known of the violation.

Conversely, a covered entity that knowingly violates the Privacy Rule faces criminal penalties, including, at minimum, a fine of $50,000 and up to one year of imprisonment. These penalties increase to $100,000 and up to five years’ imprisonment if the violation involves false pretenses, and to $250,000 and ten years in prison if it involves intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm. Criminal penalties are enforced by the Department of Justice.


© 2007 - 2018 Law Offices of Steve S. Zand. All rights reserved.