The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Part of it contemplates data privacy and security measures intended to secure patients’ medical information. HIPAA consists of five sections or titles, and when compliance is at issue, the context of the discussion usually revolves around HIPAA Title II and national standards for processing health care information and transactions. Title II also requires the establishment of secure computerized or electronic access to health information and compliance with regulations promulgated by the Department of Health and Human Services that are intended to protect privacy.
HIPAA application is broad
HIPAA extends to health care providers, employers, their business associates, healthcare information clearinghouses and even attorneys who might practice in areas like elder law or personal injury.
Exposure increases with technological advancement
It’s not at all unusual for medical records, reports or the like to be transmitted electronically on a national or even global basis. There’s no question that doing so contributes to the expediency of services, but with the ability to forward records almost instantaneously comes increased exposure to breaches of security and privacy. For purposes of assuring compliance with HIPAA, attorneys in our Los Angeles office are available to offer legal advice, guidance and representation when necessary.
Civil penalties for violations
Under HIPAA, health and medical records are required to be maintained confidentially, but they’re also required to be made available upon the receipt of an appropriate authorization. If information is improperly released, a victim can file his or her complaint with the U.S. Office of Civil Rights (OCR). If the OCR decides that a covered entity may have failed to comply with HIPAA, remedial measures must be taken. If those aren’t satisfactory, OCR can impose significant civil monetary penalties. The entity can then seek a hearing in front of an administrative law judge from the Department of Health and Human Services on whether the civil monetary penalties are supported by the evidence. HIPAA violations can get very expensive. Civil penalties can go as high as $50,000 per violation to a maximum of $1.5 million.
Criminal prosecutions of HIPAA violations are delegated to the U.S. Department of Justice. Covered entities or persons who knowingly receive or disclose patient health information can be fined up to $50,000 and sentenced to up to a year in prison. If information was obtained or disclosed under false pretenses, the penalty increases to five years in prison and a fine of up to $100,000. If intent to gain a commercial advantage, personal gain or malicious harm is shown, the offense is punishable by a fine of up to $250,000 and 10 years in prison. Our law firm represents entities in both civil administrative and criminal prosecutions of HIPAA.
Breach notification requirements
Any unauthorized use or disclosure of information protected by HIPAA is presumed to be reportable unless a low probability exists that patient health information has been breached. A probability determination is to be made by the entity, and it turns on four factors. Those are:
- Whether identifiers were disclosed and the probability of re-identification
- Whether the recipient was a low risk covered entity or business associate
- Whether the information was actually received and seen
- To what extent the information might have been mitigated
A covered entity must perform a risk assessment with all four of these factors kept in mind. If the assessment fails to conclude that there was a low likelihood that information has been compromised, notification is mandated, and the risk of civil penalties and criminal prosecution rises dramatically.
The health care division of the Los Angeles office of our law firm represents clients in both civil and criminal HIPAA actions. If you’re new to HIPAA, or you believe that you might be a covered entity, you’ll want to arrange to talk to us about a compliance plan. Call us at 888-533-5131, and we can arrange for a meeting. If you believe that HIPAA violations have already occurred, we’ll implement an immediate plan with you to mitigate any harm and prevent those violations from happening again.