
HIPAA violation liability narrowed

HR Magazine, July, 2005 by Kathy Gurchiek, Mike Verespej

While doctors, self-insured employers, hospitals, pharmacies and other providers can be prosecuted for violating the privacy of medical records, these entities' workers and outsiders who come into contact with such records cannot be criminally charged, according to a June 1 opinion from the U.S. Justice Department.

The opinion, in effect, is a self-imposed restriction on whom the Justice Department will prosecute for criminal violations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The ruling reverses the Justice Department's stance from August 2004 when it successfully prosecuted a lower-level employee for wrongful disclosure of personal health information.

HIPAA regulations issued by the U.S. Department of Health & Human Services (HHS) were created to protect patient privacy. The law set forth "new safeguards to protect the security and confidentiality of health information," according to an HHS fact sheet. Regulations cover medical records and other individually identifiable health information that is contained on paper or in computers or is communicated verbally.

Key provisions include limits on how health plans and covered providers may use individually identifiable health information. The law set new restrictions on using patient information for marketing purposes.

The 14-page opinion was written by Steven G. Bradbury, principal deputy assistant attorney general for the Justice Department's Office of Legal Counsel. It was addressed to Alex M. Azar II, general counsel for HHS, and to Timothy J. Coleman, senior counsel to the deputy attorney general.

"Concerning the scope of ... the criminal enforcement provision" of HIPAA, the memo says, "we conclude that health plans, health care clearinghouses, those health care providers specified in the statute, and Medicare prescription drug card sponsors may be prosecuted for violations" of a section of HIPAA. Depending on the facts of a given case, "certain directors, officers, and employees of these entities may be liable directly under section 1320d-6, in accordance with general principles of corporate criminal liability," the memo states.

"Other persons may not be liable directly under this provision," it continues.

What the ruling means, commented Robert Gellman, a privacy and information policy specialist in Washington, D.C., is that "if you are not a covered entity, you can't be held criminally liable" for violating the privacy of medical records.

Covered entities, according to the HIPAA Privacy Source Book (Society for Human Resource Management, 2004) by William S. Hubbartt, SPHR, CCP, "include public and private sector entities that transmit health information in electronic form, such as health plans, health care clearinghouses, health care providers, and organizations or individuals that provide certain financial or administrative transactions involving use or disclosure of individually identifiable protected health information."

Covered entities, Hubbartt wrote, can include:

* Self-insured employers.

* Primary physicians.

* Consulting physicians.

* Managed care organizations.

* Health insurance companies.

* Life insurance companies.

* Pharmacies.

* Pharmacy benefit managers.

* Clinical laboratories.

* Accrediting organizations.

* Medical information bureaus.

* Business services.

* Governmental units or agencies.

* Other organizations handling protected health information.

"If you are a clerk, a data processor, an attorney or a business associate, you can't be held criminally liable" under HIPAA, Gellman said in explaining the ruling. Such individuals still could be prosecuted under other federal statutes or state laws.

The ruling weakens HIPAA significantly, he said, noting that congressional action could reverse its impact.

"The issue here is that there is a criminal statute that applies to certain conditions regulating health records. Those standards by HHS apply only to health plans, clearinghouses and health care providers," he said.

Criminal penalties for the most serious violations of the law, such as knowingly obtaining protected health information, include a fine of up to $250,000 and a prison term of up to 10 years, according to HHS.

In essence, the opinion the Justice Department issued means the privacy provisions built into HIPAA apply only to the entities covered by the statute, Gellman explained, and the people who work for those entities may not, according to the opinion, "be [criminally] liable directly."

The ruling should not be viewed as a loophole by employers, noted Lisa Horn, manager of health care in the Society for Human Resource Management's Governmental Affairs department.

"The [Department of Justice] ruling does not let covered entities, including employers with self-insured or fully insured health benefit plans, off the hook. In other words, covered entities aren't necessarily shielded from liability," said Horn. "Employers, therefore, should continue to comply with the HIPAA privacy rule."

Justice Department spokesman Eric Holland declined to comment on the ruling.


 


Content provided in partnership with Thompson Gale