The recently released privacy rules are only the latest part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that risk managers must deal with. HIPAA also requires every health plan, health care institution, and practitioner that maintains or transmits health information in electronic form to comply with the Administrative Simplification mandates within two years.
HIPAA requires significant work from health care providers, says Jack Rovner, partner and co-chair of the Chicago Health Law Practice Group for Michael Best & Friedrich. Before the end of this two-year implementation window, each health care provider and plan will need to examine and evaluate its patient data privacy and electronic data security and transmission policies, procedures, and practices, as well as its electronic health information exchange capabilities and protocols. It will need to review and audit every operation and every business relationship that may involve use, disclosure or electronic transmission or storage of individually identifiable health information.
Rovner says HIPAA gives the Department of Health and Human Services (HHS) the power to impose civil monetary penalties of $100 for each knowing failure to meet one of the HIPAA standards, up to a maximum annual fine of $25,000 for multiple violations of the same standard. Because the cap applies per standard, the exposure can be far greater if a health care organization is out of compliance with multiple standards. For example, violations of 100 different standards 250 or more times each in any year would bring an exposure of $2.5 million for that year.
For knowingly obtaining or disclosing patient data in violation of HHS regulations, the penalties are $50,000 and one year in prison. If the infraction involves false pretenses, the penalties increase to $100,000 and five years in prison; if it involves commercial or personal gain or malicious harm, the penalties are $250,000 and 10 years in prison. This criminal exposure is both personal and corporate. There is also potentially substantial liability under state negligence or other tort principles premised on noncompliance with these HIPAA standards.
Rovner notes that although HIPAA itself does not authorize private lawsuits by individuals, a state court could treat noncompliance as evidence of a lack of reasonable conduct, which would be enough to expose the noncompliant provider or plan to compensatory or even punitive damages to individuals harmed by the misuse, disclosure, or breach of integrity of their patient data.