Health Insurance Portability Act (HIPAA)

Health Insurance Portability and Accountability Act
CITATION 42 U.S.C. § 201 et seq.
ENACTED 1996
SUMMARY

Congress enacted HIPAA in 1996 to improve the efficiency and effectiveness of the health care system through the establishment of national standards and requirements for electronic health care transactions and to protect the privacy and security of individually identifiable health information. The U.S. Department of Health and Human Services has issued a set of rules, including a privacy rule, to implement the provisions of HIPAA.

The HIPAA Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information by requiring appropriate safeguards to protect privacy, and setting limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

DATA COVERED Individually identifiable health information. The Privacy Rule calls the data “protected health information” or “PHI”.
INDUSTRY Health industry, including health plans, health care providers, health care clearinghouses and others.
PENALTIES

Civil Penalties: HHS may impose civil money penalties on a covered entity of one hundred dollars ($100) per failure to comply with a Privacy Rule requirement. That penalty may not exceed twenty-five thousand dollars ($25,000) per year for multiple violations of the identical Privacy Rule requirement in a calendar year. HHS may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect, and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.

Criminal Penalties: A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA faces a fine of fifty thousand dollars ($50,000) and up to one year's imprisonment. The criminal penalties increase to one hundred thousand dollars ($100,000) and up to five years' imprisonment if the wrongful conduct involves false pretenses, and to two hundred fifty thousand dollars ($250,000) and up to ten years' imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Criminal sanctions are enforced by the Department of Justice.