The Privacy Rule for Protecting Personal Medical Information
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) includes provisions designed to provide continuous insurance coverage and electronic healthcare transactions. In an effort to establish federal minimum privacy standards for the use and release of a patient’s health information, Congress called on the Department of Health and Human Services (HHS) to issue new patient privacy regulations as part of the HIPAA scheme.
Accordingly, HHS published the Privacy Rule, a new set of privacy regulations that require certain “covered entities” to comply with a federal floor of privacy protections by April 14, 2003. In general terms, the Privacy Rule established a minimum threshold of privacy protection for the transmission of a HIPAA patient’s individually identifiable health information. As such, the Privacy Rule does not replace those state and federal laws or hospital policies that afford individuals stricter privacy protections than those required by the Rule.
“Covered Entities” Subject to HIPAA Fines and Penalties
“Covered entities” that are required to comply with the HIPAA Privacy Rule provisions include:
- All health care providers that transmit protected health information electronically, including hospitals, physicians and emergency or ambulance personnel
- Any health plan that provides health benefits or pays for health care, including insured and self-funded employer health plans, HMOs and insurers
- Health care clearinghouses, such as billing agents and firms that process data
Protected Health Information Under the Privacy Rule
The Privacy Rule applies to “protected health information” (PHI), which may be defined as individually identifiable health information held or transmitted by covered entities and their business associates in any form of media, whether paper, electronic or oral. In line with a 1996 U.S. Supreme Court decision, which held that an individual’s right to privacy includes information about a person’s mental state, PHI is not limited to facts of physical treatment.
Under the HIPAA privacy regulations, covered entities must comply with specific PHI standards, including:
- Providing patients with copies of medical records upon request
- Notifying patients of how their PHI may be used by covered entities
- Prohibiting the marketing of a patient’s medical information without their consent
- Providing an opportunity for the patient to object to or restrict the use of their PHI
- Obtaining patient authorization for the release of information when someone specifically asks about the patient by name
However, a hospital may place certain biographical information about a patient in a hospital directory, which may be disclosed to clergy members or to others who ask for the patient by name as long as the patient did not object to the inclusion of the information in the directory. The permissible disclosure of certain directory information includes:
- Patient’s name and location in the health care provider’s facility
- Patient’s condition (described in general terms)
- Patient’s religious affiliation (to clergy members only)
Further, certain emergency circumstances warrant the release of a patient’s directory information to individuals other than clergy members or those who ask for the patient by name, as in cases where the patient is incapacitated and disclosure would be in the patient’s best interest.
Civil and Criminal Penalties for Violating the Privacy Rule
Patients who believe that their Privacy Rule rights have been violated may file a complaint with the HHS Office for Civil Rights (OCR), which oversees and enforces the Privacy Rule. Complaints to the OCR must:
- Be filed in writing, (on paper or electronically) within 180 days of when the patient knew of the violation
- Name the offending person or entity
- Describe the acts or omissions believed to be in violation of the Privacy Rule
If the OCR determines that a covered entity has violated the Privacy Rule, the covered entity may face civil and/or criminal penalties (depending on the violation). For civil violations, the OCR may fine the covered entity $100 per violation, up to $25,000 in one year. Such penalties may not be imposed when the violation is due to reasonable cause, did not involve willful neglect and was corrected by the covered entity within 30 days of when it knew or should have known of the violation.
Conversely, a covered entity that knowingly violates the Privacy Rule faces criminal penalties, including, at minimum, a fine of $50,000 and up to one year of imprisonment. These penalties increase to $100,000 and up to five years imprisonment if the violation involves false pretenses and $250,000 and ten years in prison if it involves intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm. Criminal penalties are enforced by the Department of Justice.
© 2023 NextClient.com, Inc. All rights reserved.