Of Counsel

HIPAA: Results and Future Compliances

by Tom O'Donnell


The Health Insurance Portability and Accountability Act (HIPAA) forever changed the communication of individual health information in the United States. HIPAA covers several areas, including simplified filing of health claims, rules addressing the security of health information in electronic transmissions and privacy in general. The Privacy Rule took effect for most covered entities in April 2003.

The Privacy Rule protects and enhances the rights of consumers, providing them access to their health information while controlling any inappropriate use of that information. The Privacy Rule defines what constitutes protected health information as well as what entities are included within the definition of Covered Entity—i.e. an entity subject to the Privacy Rule.

Covered Entities subject to the Privacy Rule include healthcare providers, health plans, and healthcare clearinghouses. Businesses providing services, functions or activities on behalf of a Covered Entity—claims processing, data analysis, billing services, etc.—involving the use or disclosure of individually identifiable health information can also be subject to the Privacy Rule through a Business Associate relationship with a Covered Entity. Businesses providing health care coverage to their employees also may be subject to provisions of the Privacy Rule, given that employers offering a fully-insured plan through a health insurer or HMO may receive limited, protected health information.

Compliance with the Privacy Rule is not an easy task. A recent report issued by the U.S. General Accounting Office on the first year of compliance with the Privacy Rule indicated a great deal of confusion among consumers, advocacy groups and Covered Entities with respect to the scope and coverage of the Privacy Rule. Of the 5,648 complaints filed with the Office for Civil Rights, more than 2,700 cases were closed.

Of those, two-thirds were found not to be within the scope of the Privacy Rule, because it was not a prohibited disclosure, the entity was not a Covered Entity, or the disclosure occurred prior to the compliance date. The Office for Civil Rights also found that more than half the cases filed did not constitute a violation of the Privacy Rule.

Still, any Covered Entity should examine carefully how it handles any employee or client healthcare information. Although there is no private right of action for individuals to file suit under the Privacy Rule, there are other causes of action which an individual may assert when their protected health information is used or disclosed in a manner that violates the Privacy Rule. The Privacy Rule may become the standard cited for violations of an individual’s legal right to protection of health information.

For a Covered Entity, the civil monetary penalties can be severe. The minimum penalty is a $100 civil money penalty for failure to comply. That penalty may not exceed $25,000 per year for multiple violations of the same Privacy Rule requirement in any calendar year. However, there are also criminal penalties for individuals who knowingly obtain or disclose individually identifiable health information in violation of HIPAA, which may include fines up to $50,000 and one year of imprisonment. The penalty can be increased to a $100,000 civil money penalty and five years of imprisonment if the conduct involves false pretenses, or up to a $250,000 civil money penalty and up to ten years of imprisonment if the conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm.

Already there has been a case under HIPAA in which an employee of a clinic used the protected health information of a patient for personal gain. That individual subsequently pled guilty to the charges, receiving a fine and jail sentence.

Coming soon is compliance with the security regulations protecting the electronic transmission of protected health information. The compliance date is April 21, 2005. These regulations complement the Privacy Rule, but have standards separate from those standards of enforcement for the Privacy Rule. Any business or person covered by the Privacy Rule needs to be prepared to comply with these security regulations.


Tom O'Donnell is a member of the Health Care Practice Group and a shareholder of Polsinelli Shalton Welte Suelthaus, PC. He can be reached at 816.753.1000 or by e-mail at todonnell@pswslaw.com.